This is the Sysmon processing pipeline for pySigma. It provides the package sigma.pipeline.sysmon with the sysmon_pipeline function that returns a ProcessingPipeline object.
Currently the pipeline adds support for the following event types (Sigma logsource category to EventID mapping):
- process_creation: 1
- file_change: 2
- network_connection: 3
- process_termination: 5
- sysmon_status: 4,16
- driver_load: 6
- image_load: 7
- create_remote_thread: 8
- raw_access_thread: 9
- process_access: 10
- file_event: 11
- registry_add: 12
- registry_delete: 12
- registry_set: 13
- registry_rename: 14
- registry_event: 12,13,14
- create_stream_hash: 15
- pipe_created: 17,18
- wmi_event: 19,20,21
- dns_query: 22
- file_delete: 23
- clipboard_capture: 24
- process_tampering: 25
- file_delete_detected: 26
- file_block_executable: 27
- file_block_shredding: 28
- file_executable_detected: 29
- sysmon_error: 255
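The following stand-alone Python is an added illustration, not code from pySigma-pipeline-sysmon or from pySigma itself. It re-implements in miniature what a pipeline built on the table above does to a rule: retarget the logsource to windows/sysmon and AND an EventID selection onto the existing condition, expanding multi-ID categories (registry_event, pipe_created, ...) into an OR. The rule dict, the function names and the toy query syntax produced by render_query are constructed for this example; real pySigma rules are converted through a backend, not through this renderer.

```python
import re
from copy import deepcopy

# Sigma logsource category -> Sysmon EventID(s), copied from the table above.
SYSMON_EVENT_IDS = {
    "process_creation": (1,),
    "file_change": (2,),
    "network_connection": (3,),
    "sysmon_status": (4, 16),
    "process_termination": (5,),
    "driver_load": (6,),
    "image_load": (7,),
    "create_remote_thread": (8,),
    "raw_access_thread": (9,),
    "process_access": (10,),
    "file_event": (11,),
    "registry_add": (12,),
    "registry_delete": (12,),
    "registry_set": (13,),
    "registry_rename": (14,),
    "registry_event": (12, 13, 14),
    "create_stream_hash": (15,),
    "pipe_created": (17, 18),
    "wmi_event": (19, 20, 21),
    "dns_query": (22,),
    "file_delete": (23,),
    "clipboard_capture": (24,),
    "process_tampering": (25,),
    "file_delete_detected": (26,),
    "file_block_executable": (27,),
    "file_block_shredding": (28,),
    "file_executable_detected": (29,),
    "sysmon_error": (255,),
}


def apply_sysmon_pipeline(rule: dict) -> dict:
    """Constructed stand-in for the pipeline transformation (not pySigma's API).
    Returns a new rule dict with logsource windows/sysmon and an extra
    'sysmon_event' selection ANDed onto the original condition."""
    category = rule.get("logsource", {}).get("category")
    if category not in SYSMON_EVENT_IDS:
        raise ValueError(f"no Sysmon EventID mapping for category {category!r}")
    event_ids = SYSMON_EVENT_IDS[category]
    out = deepcopy(rule)
    out["logsource"] = {"product": "windows", "service": "sysmon"}
    det = out["detection"]
    # A single-ID category becomes an equality, a multi-ID category a list (OR).
    det["sysmon_event"] = {"EventID": event_ids[0] if len(event_ids) == 1 else list(event_ids)}
    det["condition"] = f"sysmon_event and ({rule['detection']['condition']})"
    return out


def _render_field(field: str, value) -> str:
    """Render one 'Field|modifier: value' pair into toy query syntax."""
    name, *mods = field.split("|")
    values = value if isinstance(value, list) else [value]
    rendered = []
    for v in values:
        if isinstance(v, int):
            rendered.append(f"{name}={v}")
            continue
        s = str(v)
        if "contains" in mods:
            s = f"*{s}*"
        elif "startswith" in mods:
            s = f"{s}*"
        elif "endswith" in mods:
            s = f"*{s}"
        rendered.append(f'{name}="{s}"')
    return rendered[0] if len(rendered) == 1 else "(" + " or ".join(rendered) + ")"


def render_query(rule: dict) -> str:
    """Substitute each named selection into the condition string in one pass,
    so a value text never gets re-substituted as a selection name."""
    det = rule["detection"]
    exprs = {
        name: " and ".join(_render_field(f, v) for f, v in fields.items())
        for name, fields in det.items()
        if name != "condition"
    }
    pattern = r"\b(" + "|".join(re.escape(n) for n in exprs) + r")\b"
    return re.sub(pattern, lambda m: "(" + exprs[m.group(1)] + ")", det["condition"])


# Constructed sample rule for the demonstration (not from any rule set).
SAMPLE_RULE = {
    "title": "Constructed example: process access to lsass from an unusual path",
    "logsource": {"category": "process_access", "product": "windows"},
    "detection": {
        "selection": {"TargetImage|endswith": "\\lsass.exe", "GrantedAccess|contains": "0x1010"},
        "filter": {"SourceImage|startswith": ["C:\\Windows\\System32\\", "C:\\Program Files\\"]},
        "condition": "selection and not filter",
    },
}

if __name__ == "__main__":
    print(render_query(apply_sysmon_pipeline(SAMPLE_RULE)))
```

The single-pass substitution in render_query matters more than it looks: replacing selection names one at a time would let a field value that happens to contain the word "filter" be rewritten on the next iteration.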
This pipeline is currently maintained by: