{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "$defs" : {
    "ClipboardEventData" : {
      "type" : "object",
      "properties" : {
        "Archived" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the file was stored in the configured archive folder",
          "pattern" : "true|false"
        },
        "ClientInfo" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Username and hostname of the originating RDP host, if available"
        },
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Hashes of the clipboard data, based on configured types. This also determines the stored filename"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that added data to the clipboard"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that added data to the clipboard"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that added data to the clipboard",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "Session" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Terminal Session ID"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that added data to the clipboard"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #24. Clipboard event"
    },
    "DnsEventData" : {
      "type" : "object",
      "properties" : {
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that made the DNS query"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "GUID of the process that made the DNS query"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that made the DNS query",
          "pattern" : "\\d+"
        },
        "QueryName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "format" : "hostname",
          "description" : "DNS name that was queried"
        },
        "QueryResults" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Results of the query"
        },
        "QueryStatus" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Query result status code"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that made the DNS query"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #22. DNS"
    },
    "FileCreateEventData" : {
      "type" : "object",
      "properties" : {
        "CreationUtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "File creation time"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that created the file"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that created the file"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that created the file (child)",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetFilename" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the file that was created"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the file"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #11. File create"
    },
    "FileCreateStreamHashEventData" : {
      "type" : "object",
      "properties" : {
        "CreationUtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "File download time"
        },
        "Hash" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Full hash of the file with the algorithms in the HashType field"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that created the named file stream"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that created the named file stream"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that created the named file stream",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetFilename" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the file"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the file"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #15. File create stream hash"
    },
    "FileCreationTimeChangeEventData" : {
      "type" : "object",
      "properties" : {
        "CreationUtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "New creation time of the file"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that changed the file creation time"
        },
        "PreviousCreationUtcTime" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Previous creation time of the file"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that changed the file creation time"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process changing the file creation time",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetFilename" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Full path name of the file"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the file. It usually contains domain name and username"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #2. File creation time changed"
    },
    "FileDeleteDetectedEventData" : {
      "type" : "object",
      "properties" : {
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The hashes of the file, based on configured types. This also determines the stored filename"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that deleted the file"
        },
        "IsExecutable" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the file is a PE file",
          "pattern" : "true|false"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that deleted the file"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that deleted the file",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetFilename" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The path of the deleted file"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that deleted the file"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #26. File Delete Detected"
    },
    "FileDeleteEventData" : {
      "type" : "object",
      "properties" : {
        "Archived" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the file was stored in the configured archive folder",
          "pattern" : "true|false"
        },
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The hashes of the file, based on configured types. This also determines the stored filename"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that deleted the file"
        },
        "IsExecutable" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the file is a PE file",
          "pattern" : "true|false"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that deleted the file"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that deleted the file",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetFilename" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The path of the deleted file"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that deleted the file"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #23. File delete"
    },
    "ImageLoadedEventData" : {
      "type" : "object",
      "properties" : {
        "Company" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Company name associated with the loaded image"
        },
        "Description" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Description of the image loaded"
        },
        "FileVersion" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Version of the image loaded"
        },
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Full hash of the file with the algorithms in the HashType field"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that loaded the image"
        },
        "ImageLoaded" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path of the image loaded"
        },
        "OriginalFileName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "From the PE header, added on compilation"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that loaded the image"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that loaded the image",
          "pattern" : "\\d+"
        },
        "Product" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Product name the image loaded belongs to"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "Signature" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The signer name"
        },
        "SignatureStatus" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Status of the signature"
        },
        "Signed" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the loaded image is signed",
          "pattern" : "true|false"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that loaded the image"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #7. Image loaded"
    },
    "KernelDriverLoadedEventData" : {
      "type" : "object",
      "properties" : {
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Hashes captured by Sysmon driver"
        },
        "ImageLoaded" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the driver loaded"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "Signature" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Signer name of the driver"
        },
        "SignatureStatus" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Status of the signature"
        },
        "Signed" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the loaded driver is signed",
          "pattern" : "true|false"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #6. Kernel driver loaded"
    },
    "NetworkConnectionEventData" : {
      "type" : "object",
      "properties" : {
        "DestinationHostname" : {
          "type" : "string",
          "x-isAttributed" : true,
          "format" : "hostname",
          "description" : "DNS name of the host that is contacted"
        },
        "DestinationIp" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "IP address destination"
        },
        "DestinationIsIpv6" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the destination IP is an IPv6 address",
          "pattern" : "true|false"
        },
        "DestinationPort" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Destination port number",
          "pattern" : "\\d+"
        },
        "DestinationPortName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the destination port"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that made the network connection"
        },
        "Initiated" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the process initiated the TCP connection",
          "pattern" : "true|false"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that made the network connection"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that made the network connection",
          "pattern" : "\\d+"
        },
        "Protocol" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Protocol being used for the network connection"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "SourceHostname" : {
          "type" : "string",
          "x-isAttributed" : true,
          "format" : "hostname",
          "description" : "DNS name of the host that made the network connection"
        },
        "SourceIp" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Source IP address that made the network connection"
        },
        "SourceIsIpv6" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Indicates whether the source IP is an IPv6 address",
          "pattern" : "true|false"
        },
        "SourcePort" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Source port number",
          "pattern" : "\\d+"
        },
        "SourcePortName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the source port being used"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that made the network connection"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #3. Network connection"
    },
    "PipeConnectedEventData" : {
      "type" : "object",
      "properties" : {
        "EventType" : {
          "type" : "string",
          "enum" : [ "CreatePipe", "ConnectPipe" ],
          "x-isAttributed" : false,
          "description" : "ConnectPipe"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that connected to the pipe"
        },
        "PipeName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the pipe created"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "GUID of the process that connected to the pipe"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that connected to the pipe",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that connected to the pipe"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #18. Pipe connected"
    },
    "PipeCreatedEventData" : {
      "type" : "object",
      "properties" : {
        "EventType" : {
          "type" : "string",
          "enum" : [ "CreatePipe", "ConnectPipe" ],
          "x-isAttributed" : false,
          "description" : "CreatePipe"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that created the pipe"
        },
        "PipeName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the pipe created"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "GUID of the process that created the pipe"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that created the pipe",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the pipe"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #17. Pipe created"
    },
    "ProcessAccessEventData" : {
      "type" : "object",
      "properties" : {
        "CallTrace" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Stack trace of where open process is called. Included is the DLL and the relative virtual address of the\nfunctions in the call stack right before the open process call"
        },
        "GrantedAccess" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The access flags (bitmask) associated with the process rights requested for the target process"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "SourceImage" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the source process that opened another process"
        },
        "SourceProcessGUID" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the source process that opened another process. It is derived from a truncated part of\nthe machine GUID, the process start-time and the process token ID"
        },
        "SourceProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the source process that opened another process. Derived partially\nfrom the EPROCESS kernel structure",
          "pattern" : "\\d+"
        },
        "SourceThreadId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "ID of the specific thread inside of the source process that opened another process",
          "pattern" : "\\d+"
        },
        "SourceUser" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that runs the source process"
        },
        "TargetImage" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the executable of the target process"
        },
        "TargetProcessGUID" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the target process"
        },
        "TargetProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the target process",
          "pattern" : "\\d+"
        },
        "TargetUser" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that runs the targeted process which is accessed"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #10. Process access"
    },
    "ProcessCreateEventData" : {
      "type" : "object",
      "properties" : {
        "CommandLine" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Arguments which were passed to the executable associated with the main process"
        },
        "Company" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Company name the image associated with the main process (child) belongs to"
        },
        "CurrentDirectory" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The path without the name of the image associated with the process"
        },
        "Description" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Description of the image associated with the main process (child)"
        },
        "FileVersion" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Version of the image associated with the main process (child)"
        },
        "Hashes" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Full hash of the file with the algorithms in the HashType field"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process being created. Also considered the child or source process"
        },
        "IntegrityLevel" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Integrity label assigned to a process"
        },
        "LogonGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Logon GUID of the user who created the new process. Value that can help you correlate this event with\nothers that contain the same Logon GUID"
        },
        "LogonId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Logon ID of the user who created the new process. Value that can help you correlate this event with\nothers that contain the same Logon ID"
        },
        "OriginalFileName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "OriginalFileName from the PE header, added on compilation"
        },
        "ParentCommandLine" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Arguments which were passed to the executable associated with the parent process"
        },
        "ParentImage" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path that spawned or created the main process"
        },
        "ParentProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that spawned or created the main process (child)"
        },
        "ParentProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID of the process that spawned or created the main process (child)",
          "pattern" : "\\d+"
        },
        "ParentUser" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the parent process. It usually contains domain name and username"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that got spawned or created (child)"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the created process (child)",
          "pattern" : "\\d+"
        },
        "Product" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Product name the image associated with the main process (child) belongs to"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TerminalSessionId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "ID of the session the user belongs to"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the process (child)"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #1. The process create event"
    },
    "ProcessTamperingEventData" : {
      "type" : "object",
      "properties" : {
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that was tampered with"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that was tampered with"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that was tampered with",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "Type" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The type of tampering detected"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account in whose user context the tampered process runs"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #25. Process tampering"
    },
    "ProcessTerminatedEventData" : {
      "type" : "object",
      "properties" : {
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the executable of the process that terminated"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that terminated"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that terminated",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the process"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #5. Process terminated"
    },
    "RawAccessReadEventData" : {
      "type" : "object",
      "properties" : {
        "Device" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Target device"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that conducted reading operations from the drive"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that conducted reading operations from the drive"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that conducted reading operations from the drive",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that created the process"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #9. Raw access read"
    },
    "RegistryCreateDeleteEventData" : {
      "type" : "object",
      "properties" : {
        "EventType" : {
          "type" : "string",
          "enum" : [ "CreateKey", "DeleteKey", "RenameKey", "SetValue" ],
          "x-isAttributed" : false,
          "description" : "CreateKey or DeleteKey"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that created or deleted a registry key"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "GUID of the process that created or deleted a registry key"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that created or deleted a registry key",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetObject" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Complete path of the registry key"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that accessed the registry"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #12. Registry event (object create and delete)"
    },
    "RegistryRenameKeyEventData" : {
      "type" : "object",
      "properties" : {
        "EventType" : {
          "type" : "string",
          "enum" : [ "CreateKey", "DeleteKey", "RenameKey", "SetValue" ],
          "x-isAttributed" : false,
          "description" : "RenameKey"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that renamed a registry value and key"
        },
        "NewName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "New name of the registry key"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that renamed a registry value and key"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that renamed a registry value and key",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetObject" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Complete path of the renamed registry key"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account that accessed the registry"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #14. Registry event (rename key)"
    },
    "RegistrySetValueEventData" : {
      "type" : "object",
      "properties" : {
        "Details" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Details added to the registry key"
        },
        "EventType" : {
          "type" : "string",
          "enum" : [ "CreateKey", "DeleteKey", "RenameKey", "SetValue" ],
          "x-isAttributed" : false,
          "description" : "SetValue"
        },
        "Image" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the process that modified a registry value"
        },
        "ProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the process that modified a registry value"
        },
        "ProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the process that modified a registry value",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "TargetObject" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Complete path of the modified registry key"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Username of the account that accessed the registry"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #13. Registry event (set value)"
    },
    "RemoteThreadEventData" : {
      "type" : "object",
      "properties" : {
        "NewThreadId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "ID of the new thread created in the target process",
          "pattern" : "\\d+"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "SourceImage" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the source process that created a thread in another process"
        },
        "SourceProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the source process that created a thread in another process"
        },
        "SourceProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the source process that created a thread in another process",
          "pattern" : "\\d+"
        },
        "SourceUser" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account of the source process that started the remote thread"
        },
        "StartAddress" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "New thread start address"
        },
        "StartFunction" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Start function, reported if it exactly matches a function in the image export tables"
        },
        "StartModule" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Start module determined from thread start address mapping to PEB loaded module list"
        },
        "TargetImage" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the target process"
        },
        "TargetProcessGuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process GUID of the target process"
        },
        "TargetProcessId" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process ID used by the OS to identify the target process",
          "pattern" : "\\d+"
        },
        "TargetUser" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the account of the target process in which the thread was started"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #8. Remote thread"
    },
    "SysmonConfigStateChangeEventData" : {
      "type" : "object",
      "properties" : {
        "Configuration" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File path of the Sysmon config file being updated"
        },
        "ConfigurationFileHash" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Hash (SHA1) of the Sysmon config file being updated"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #16. Sysmon config state change"
    },
    "SysmonErrorEventData" : {
      "type" : "object",
      "properties" : {
        "Description" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Error description"
        },
        "ID" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Error code"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #255. Sysmon error"
    },
    "SysmonServiceStateChangedEventData" : {
      "type" : "object",
      "properties" : {
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "SchemaVersion" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Sysmon config schema version"
        },
        "State" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Sysmon service state"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        },
        "Version" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Sysmon binary version"
        }
      },
      "description" : "Event #4. Sysmon service state changed"
    },
    "WmiEventConsumerEventData" : {
      "type" : "object",
      "properties" : {
        "Destination" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Process executed by the consumer"
        },
        "EventType" : {
          "type" : "string",
          "enum" : [ "WmiFilterEvent", "WmiConsumerEvent", "WmiBindingEvent" ],
          "x-isAttributed" : false,
          "description" : "WmiFilterEvent"
        },
        "Name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the event consumer created"
        },
        "Operation" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "WMI event consumer operation"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "Type" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Type of event consumer"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "User that created the WMI event consumer"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #20. WMI event (WmiEventConsumer activity detected)"
    },
    "WmiEventConsumerToFilterEventData" : {
      "type" : "object",
      "properties" : {
        "Consumer" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Consumer to bind"
        },
        "EventType" : {
          "type" : "string",
          "enum" : [ "WmiFilterEvent", "WmiConsumerEvent", "WmiBindingEvent" ],
          "x-isAttributed" : false,
          "description" : "WmiFilterEvent"
        },
        "Filter" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Filter to bind to the consumer"
        },
        "Operation" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "WMI filter to event consumer binding operation"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "User that created the WMI event consumer"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #21. WMI event (WmiEventConsumerToFilter activity detected)"
    },
    "WmiEventFilterEventData" : {
      "type" : "object",
      "properties" : {
        "EventNamespace" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Event Namespace of the WMI class"
        },
        "EventType" : {
          "type" : "string",
          "enum" : [ "WmiFilterEvent", "WmiConsumerEvent", "WmiBindingEvent" ],
          "x-isAttributed" : false,
          "description" : "WmiFilterEvent"
        },
        "Name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the created filter"
        },
        "Operation" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "WMI Event filter operation"
        },
        "Query" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "WMI query tied to the filter"
        },
        "RuleName" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of the configured rule"
        },
        "User" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "User that created the WMI filter"
        },
        "UtcTime" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "UTC timestamp when the event occurred"
        }
      },
      "description" : "Event #19. WMI event (WmiEventFilter activity detected)"
    }
  },
  "type" : "object",
  "properties" : {
    "hostname" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "The hostname as reported by the agent"
    },
    "dns_domain" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "The DNS domain as reported by the agent"
    },
    "r7_hostid" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The host ID of the system the event happened on"
    },
    "os_type" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The OS the event happened on"
    },
    "event_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The ID of the event",
      "pattern" : "\\d+"
    },
    "event_name" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The name of the event type associated with the Sysmon event ID"
    },
    "event_provider" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The source application of the event"
    },
    "event" : {
      "type" : "object",
      "properties" : {
        "System" : {
          "type" : "object",
          "properties" : {
            "Provider" : {
              "type" : "object",
              "properties" : {
                "Name" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The name of the provider"
                },
                "Guid" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The GUID of the provider"
                }
              },
              "description" : "Event provider information",
              "x-isAttributed" : false
            },
            "EventID" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The event ID",
              "pattern" : "\\d+"
            },
            "Version" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Version of the event"
            },
            "Level" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The level of the event"
            },
            "Task" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The task of the event"
            },
            "Opcode" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The opcode of the event"
            },
            "Keywords" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The keywords of the event"
            },
            "TimeCreated" : {
              "type" : "object",
              "properties" : {
                "SystemTime" : {
                  "type" : "string",
                  "format" : "date-time",
                  "x-isAttributed" : false,
                  "description" : "The timestamp when the event originally occurred"
                }
              },
              "required" : [ "SystemTime" ],
              "description" : "The event creation time",
              "x-isAttributed" : false
            },
            "EventRecordID" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The ID of the event's record"
            },
            "Correlation" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The correlation of the event"
            },
            "Execution" : {
              "type" : "object",
              "properties" : {
                "ProcessID" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The ID of the process that created an event",
                  "pattern" : "\\d+"
                },
                "ThreadID" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The ID of the thread that created an event",
                  "pattern" : "\\d+"
                }
              },
              "description" : "The execution details",
              "x-isAttributed" : false
            },
            "Channel" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The channel of the event"
            },
            "Computer" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The computer of the event"
            },
            "Security" : {
              "type" : "object",
              "properties" : {
                "UserID" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "User ID"
                }
              },
              "description" : "The security information",
              "x-isAttributed" : false
            }
          },
          "description" : "System-specific data",
          "x-isAttributed" : false
        },
        "EventData" : {
          "type" : "object",
          "properties" : {
            "Data" : {
              "anyOf" : [ {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ProcessCreateEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ProcessCreateEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/FileCreationTimeChangeEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "FileCreationTimeChangeEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/NetworkConnectionEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "NetworkConnectionEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/SysmonServiceStateChangedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "SysmonServiceStateChangedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ProcessTerminatedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ProcessTerminatedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/KernelDriverLoadedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "KernelDriverLoadedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ImageLoadedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ImageLoadedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/RemoteThreadEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "RemoteThreadEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/RawAccessReadEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "RawAccessReadEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ProcessAccessEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ProcessAccessEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/FileCreateEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "FileCreateEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/RegistryCreateDeleteEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "RegistryCreateDeleteEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/RegistrySetValueEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "RegistrySetValueEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/RegistryRenameKeyEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "RegistryRenameKeyEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/FileCreateStreamHashEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "FileCreateStreamHashEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/SysmonConfigStateChangeEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "SysmonConfigStateChangeEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/PipeCreatedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "PipeCreatedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/PipeConnectedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "PipeConnectedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/WmiEventFilterEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "WmiEventFilterEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/WmiEventConsumerEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "WmiEventConsumerEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/WmiEventConsumerToFilterEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "WmiEventConsumerToFilterEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/DnsEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "DnsEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/FileDeleteEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "FileDeleteEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ClipboardEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ClipboardEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/ProcessTamperingEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "ProcessTamperingEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/FileDeleteDetectedEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "FileDeleteDetectedEventData"
                  }
                },
                "required" : [ "class" ]
              }, {
                "x-isAttributed" : false,
                "description" : "The data contains event-specific information",
                "$ref" : "#/$defs/SysmonErrorEventData",
                "type" : "object",
                "properties" : {
                  "class" : {
                    "const" : "SysmonErrorEventData"
                  }
                },
                "required" : [ "class" ]
              } ]
            }
          },
          "description" : "Event-specific data",
          "x-isAttributed" : false
        }
      },
      "description" : "The event data",
      "x-isAttributed" : false
    },
    "geoip_city" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The city name of the source IP address"
    },
    "geoip_country_code" : {
      "type" : "string",
      "x-isAttributed" : false,
      "pattern" : "[A-Z]{2}",
      "description" : "Two-character ISO 3166-1 country code for the source IP address"
    },
    "geoip_country_name" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The country name of the source IP address"
    },
    "geoip_organization" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The organization name attributed to the source IP address"
    },
    "geoip_region" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The region name of the source IP address"
    },
    "r7_context" : {
      "type" : "object",
      "properties" : {
        "asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of the r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        }
      },
      "x-isAttributed" : true,
      "description" : "R7_context includes attributed information related to the entry, with references to Rapid7-specific RRNs"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON object produced by applying one or more user-defined custom parsers to the original data"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    }
  },
  "required" : [ "hostname", "dns_domain", "event_name", "event_provider", "event" ],
  "description" : "System monitor"
}