Windows.Sigma.BaseEvents Model #

Sigma Model for live monitoring of Windows systems based on local event logs.

This is a real time monitoring profile which allows live monitoring of Windows systems using Sigma rules. This profile only covers event logs by following the EVTX files.

For more dynamic event monitoring see the Windows.Sigma.ETWBase artifact which uses ETW as the monitoring mechanism.

This model is mostly compatible with the standard ruleset available from SigmaHQ, Hayabusa etc.

Log Sources #

Following is a list of recognized log sources.

Log Source	Desc
*/windows/application
*/windows/applocker
*/windows/appmodel-runtime
*/windows/appxdeployment-server
*/windows/appxpackaging-om
*/windows/bits-client
*/windows/capi2
*/windows/certificateservicesclient-lifecycle-system
*/windows/codeintegrity-operational
*/windows/diagnosis-scripted
*/windows/dns-client
*/windows/dns-server
*/windows/dns-server-analytic
*/windows/driver-framework
*/windows/firewall-as
*/windows/ldap_debug
*/windows/lsa-server
*/windows/microsoft-servicebus-client
*/windows/msexchange-management
*/windows/ntlm
*/windows/openssh
*/windows/powershell
*/windows/powershell-classic
*/windows/security
*/windows/security-mitigations
*/windows/shell-core
*/windows/smbclient-security
*/windows/sysmon
*/windows/system
*/windows/taskscheduler
*/windows/terminalservices-localsessionmanager
*/windows/vhdmp
*/windows/windefend
*/windows/wmi
process_creation/windows/*
ps_classic_provider_start/windows/*
ps_classic_start/windows/*
ps_module/windows/*
ps_script/windows/*
registry_add/windows/*
registry_event/windows/*
registry_set/windows/*
antivirus/windows/windefend

Field Mappings #

The following field mappings can be used to access fields within the event. Note that it is also possible to access the fields directly (e.g. EventData.AccessMask)

View all Field Mappings

Name	Mapping
	x=>serialize(item=x.EventData)
AccessList	x=>x.EventData.AccessList
AccessMask	x=>x.EventData.AccessMask
AccessReason	x=>x.EventData.AccessReason
Accesses	x=>x.EventData.Accesses
AccountDomain	x=>x.EventData.AccountDomain
AccountExpires	x=>x.EventData.AccountExpires
AccountName	x=>x.EventData.AccountName
Account_Name	x=>x.EventData.Account_Name
Action	x=>x.EventData.Action
ActionName	x=>x.EventData.ActionName
AdditionalInfo	x=>x.EventData.AdditionalInfo
Address	x=>x.EventData.Address
AllowedToDelegateTo	x=>x.EventData.AllowedToDelegateTo
AppID	x=>x.EventData.AppID
AppName	x=>x.EventData.Data[0]
AppVersion	x=>x.EventData.AppVersion
Application	x=>x.EventData.Application
ApplicationPath	x=>x.EventData.ApplicationPath
AttributeLDAPDisplayName	x=>x.EventData.AttributeLDAPDisplayName
AttributeValue	x=>x.EventData.AttributeValue
AuditPolicyChanges	x=>x.EventData.AuditPolicyChanges
AuditSourceName	x=>x.EventData.AuditSourceName
AuthenticationPackageName	x=>x.EventData.AuthenticationPackageName
Binary	x=>x.EventData.Binary
BootMode	x=>x.EventData.BootMode
CallTrace	x=>x.EventData.CallTrace
CallerProcessName	x=>x.EventData.CallerProcessName
Caller_Process_Name	x=>x.EventData.Caller_Process_Name
CallingProcessName	x=>x.EventData.CallingProcessName
Caption	x=>x.EventData.Caption
CategoryId	x=>x.EventData.CategoryId
CategoryName	x=>x.EventData.`Category Name`
CertThumbprint	x=>x.EventData.CertThumbprint
Channel	x=>x.System.Channel
ClassName	x=>x.EventData.ClassName
ClientAddress	x=>x.EventData.ClientAddress
ClientInfo	x=>x.EventData.ClientInfo
ClientName	x=>x.EventData.ClientName
ClientProcessId	x=>x.EventData.ClientProcessId
Client_Address	x=>x.EventData.Client_Address
CommandLine	x=>x.EventData.CommandLine \|\| x.CommandLine
Company	x=>x.EventData.Company
CompatibleIds	x=>x.EventData.CompatibleIds
Computer	x=>x.System.Computer
ComputerName	x=>x.System.Computer
Configuration	x=>x.EventData.Configuration
Consumer	x=>x.EventData.Consumer
Contents	x=>x.EventData.Contents
ContextInfo	x=>x.EventData.ContextInfo
CountOfCredentialsReturned	x=>x.EventData.CountOfCredentialsReturned
CreationUtcTime	x=>x.EventData.CreationUtcTime
CurrentDirectory	x=>x.EventData.CurrentDirectory
Data	x=>serialize(item=x.EventData)
Description	x=>x.EventData.Description
DestAddress	x=>x.EventData.DestAddress
DestPort	x=>x.EventData.DestPort
Destination	x=>x.EventData.Destination
DestinationAddress	x=>x.EventData.DestinationAddress
DestinationHostname	x=>x.EventData.DestinationHostname
DestinationIp	x=>x.EventData.DestinationIp
DestinationIsIpv6	x=>x.EventData.DestinationIsIpv6
DestinationPort	x=>x.EventData.DestinationPort
Details	x=>x.EventData.Details
DetectionSource	x=>x.EventData.DetectionSource
DetectionUser	x=>x.EventData.`Detection User`
Device	x=>x.EventData.Device
DeviceClassName	x=>x.EventData.DeviceClassName
DeviceDescription	x=>x.EventData.DeviceDescription
DeviceId	x=>x.EventData.DeviceId
DeviceInstanceID	x=>x.UserData.InstallDeviceID.DeviceInstanceID
DeviceName	x=>x.EventData.DeviceName
Direction	x=>x.EventData.Direction
DisplayName	x=>x.EventData.DisplayName
DomainName	x=>x.EventData.SubjectDomainName
DriveName	x=>x.EventData.DriveName
DriverDescription	x=>x.UserData.InstallDeviceID.DriverDescription
DriverProvider	x=>x.UserData.InstallDeviceID.DriverProvider
DvrFmwk2003InstanceId	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
DvrFmwkInstanceId	x=>x.UserData.UMDFHostDeviceRequest.InstanceId
ETWFileName	x=>x.EventData.FileName
EngineVersion	x=>x.EventData.EngineVersion
ErrorCode	x=>x.EventData.ErrorCode
EventID	x=>x.System.EventID.Value
EventNamespace	x=>x.EventData.EventNamespace
EventSourceId	x=>x.EventData.EventSourceId
EventType	x=>x.System.EventType
ExceptionCode	x=>x.EventData.ExceptionCode
ExecutionProcessID	x=>x.System.Execution.ProcessID
FailureCode	x=>x.EventData.FailureCode
FailureReason	x=>x.EventData.FailureReason
Feature_Name	x=>x.EventData.`Feature Name`
FileMagicBytes	x=>x.EventData.FileMagicBytes
FileName	x=>x.EventData.FileName
FileNameBuffer	x=>x.EventData.FileNameBuffer
FilePath	x=>x.EventData.FilePath
FileVersion	x=>x.EventData.FileVersion
Filename	x=>x.EventData.Filename
Filter	x=>x.EventData.Filter
FilterName	x=>x.EventData.FilterName
FilterOrigin	x=>x.EventData.FilterOrigin
GrandParentImage	x=>x.EventData.GrandParentImage
GrantedAccess	x=>x.EventData.GrantedAccess
GroupName	x=>x.EventData.GroupName
GroupSid	x=>x.EventData.GroupSid
HandleId	x=>x.EventData.HandleId
Hash	x=>x.EventData.Hash
Hashes	x=>x.EventData.Hashes
HiveName	x=>x.EventData.HiveName
HomeDirectory	x=>x.EventData.HomeDirectory
HomePath	x=>x.EventData.HomePath
HostApplication	x=>x.EventData.HostApplication
HostName	x=>x.EventData.HostName
HostVersion	x=>x.EventData.HostVersion
ID	x=>x.EventData.ID
Image	x=>x.EventData.Image
ImageLoaded	x=>x.EventData.ImageLoaded
ImageName	x=>x.EventData.ImageName
ImagePath	x=>x.EventData.ImagePath
ImpersonationLevel	x=>x.EventData.ImpersonationLevel
Imphash	x=>x.EventData.Hashes
Initiated	x=>x.EventData.Initiated
InstallStatus	x=>x.UserData.InstallDeviceID.InstallStatus
InstanceID	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
InstanceId	x=>x.EventData.InstanceId
IntegrityLevel	x=>x.EventData.IntegrityLevel
IpAddress	x=>x.EventData.IpAddress
IpPort	x=>x.EventData.IpPort
JobTitle	x=>x.EventData.name
KeyLength	x=>x.EventData.KeyLength
Keywords	x=>x.System.Keywords
LDAPDisplayName	x=>x.EventData.LDAPDisplayName
LayerRTID	x=>x.EventData.LayerRTID
Level	x=>x.System.Level
LocalAddresses	x=>x.EventData.LocalAddresses
LocalName	x=>x.EventData.LocalName
LocalPorts	x=>x.EventData.LocalPorts
LocationInformation	x=>x.EventData.LocationInformation
LogFileClearedChannel	x=>x.UserData.LogFileCleared.Channel
LogFileClearedSubjectUserName	x=>x.UserData.LogFileCleared.SubjectUserName
LogonGuid	x=>x.EventData.LogonGuid
LogonHours	x=>x.EventData.LogonHours
LogonID	x=>x.EventData.LogonId
LogonId	x=>x.EventData.LogonId
LogonProcessName	x=>x.EventData.LogonProcessName
LogonType	x=>x.EventData.LogonType
Logon_Account	x=>x.EventData.Logon_Account
Logon_Type	x=>x.EventData.LogonType
MachineName	x=>x.EventData.MachineName
MandatoryLabel	x=>get(item=MandatoryLabelLookup, member=x.EventData.MandatoryLabel \|\| "-")
MasterKeyId	x=>x.EventData.MasterKeyId
MemberName	x=>x.EventData.MemberName
MemberSid	x=>x.EventData.MemberSid
Message	x=>x.EventData
ModifyingApplication	x=>x.EventData.ModifyingApplication
ModifyingUser	x=>x.EventData.ModifyingUser
Module	x=>x.EventData.Module
Name	x=>x.EventData.Name
NewDefaultPrinter	x=>x.EventData.NewDefaultPrinter
NewName	x=>x.EventData.NewName
NewProcessId	x=>x.EventData.NewProcessId
NewProcessName	x=>x.EventData.NewProcessName
NewTargetUserName	x=>x.EventData.NewTargetUserName
NewTemplateContent	x=> x.EventData.NewTemplateContent
NewTime	x=>x.EventData.NewTime
NewUacValue	x=>x.EventData.NewUacValue
NewValue	x=>x.EventData.NewValue
New_Value	x=>x.EventData.`New Value`
ObjectClass	x=>x.EventData.ObjectClass
ObjectDN	x=>x.EventData.ObjectDN
ObjectName	x=>x.EventData.ObjectName
ObjectServer	x=>x.EventData.ObjectServer
ObjectType	x=>x.EventData.ObjectType
ObjectValueName	x=>x.EventData.ObjectValueName
OldDefaultPrinter	x=>x.EventData.OldDefaultPrinter
OldTargetUserName	x=>x.EventData.OldTargetUserName
OldUacValue	x=>x.EventData.OldUacValue
OldValue	x=>x.EventData.OldValue
Operation	x=>x.EventData.Operation
OperationEssStartedNamespaceName	x=>x.UserData.Operation_EssStarted.NamespaceName
OperationEssStartedPossibleCause	x=>x.UserData.Operation_EssStarted.PossibleCause
OperationEssStartedProcessid	x=>x.UserData.Operation_EssStarted.Processid
OperationEssStartedProvider	x=>x.UserData.Operation_EssStarted.Provider
OperationEssStartedQuery	x=>x.UserData.Operation_EssStarted.Query
OperationEssStartedUser	x=>x.UserData.Operation_EssStarted.User
OperationType	x=>x.EventData.OperationType
Origin	x=>x.EventData.Origin
OriginalFileName	x=>x.EventData.OriginalFileName
OriginalFilename	x=>x.EventData.OriginalFileName
PID	x=>x.EventData.PID
PackageFullName	x=>x.UserData.PackageFullName
PackagePath	x=>x.EventData.PackagePath
Param1	x=>x.EventData.Param1
Param2	x=>x.EventData.Param2
Param3	x=>x.EventData.Param3
ParentCommandLine	x=>x.EventData.ParentCommandLine
ParentImage	x=>x.EventData.ParentImage
ParentIntegrityLevel	x=>x.EventData.ParentIntegrityLevel
ParentOfParentImage	x=>x.EventData.ParentOfParentImage
ParentProcessGuid	x=>x.EventData.ParentProcessGuid
ParentProcessId	x=>x.EventData.ParentProcessId
ParentProcessName	x=>x.EventData.ParentProcessName
ParentUser	x=>x.EventData.ParentUser
PasswordLastSet	x=>x.EventData.PasswordLastSet
Path	x=>x.EventData.Path
Payload	x=>x.EventData.Payload
PipeName	x=>x.EventData.PipeName
PossibleCause	x=>x.UserData.PossibleCause
PreAuthType	x=>x.EventData.PreAuthType
PreviousCreationUtcTime	x=>x.EventData.PreviousCreationUtcTime
PreviousTime	x=>x.EventData.PreviousTime
PrimaryGroupId	x=>x.EventData.PrimaryGroupId
PrinterCreated	x=>x.EventData.PrinterCreated
PrinterDeletionPending	x=>x.EventData.PrinterDeletionPending
PrinterName	x=>x.EventData.PrinterName
PrivilegeList	x=>x.EventData.PrivilegeList
ProcessCommandLine	x=>x.EventData.ProcessCommandLine \|\| x.EventData.ProcInfo.CommandLine
ProcessExe	x=>x.EventData.ProcInfo.Exe
ProcessGuid	x=>x.EventData.ProcessGuid
ProcessID	x=>x.EventData.ProcessID
ProcessId	x=>x.EventData.ProcessId
ProcessName	x=>x.EventData.ProcessName \|\| x.EventData.ProcInfo.Name
ProcessNameBuffer	x=>x.EventData.ProcessNameBuffer
ProcessPath	x=>x.EventData.ProcessPath
Product	x=>x.EventData.Product
ProfilePath	x=>x.EventData.ProfilePath
Profiles	x=>x.EventData.Profiles
Properties	x=>x.EventData.Properties
Protocol	x=>x.EventData.Protocol
Provider	x=>x.UserData.Provider
ProviderContextName	x=>x.EventData.ProviderContextName
ProviderName	x=>x.System.Provider.Name
Provider_Name	x=>x.System.Provider.Name
QNAME	x=>x.EventData.QNAME
Query	x=>x.UserData.Query
QueryName	x=>x.EventData.QueryName
QueryResults	x=>x.EventData.QueryResults
QueryStatus	x=>x.EventData.QueryStatus
ReadOnly	x=>x.EventData.ReadOnly
ReadOperation	x=>x.EventData.ReadOperation
Reason	x=>x.EventData.Reason
RecoveryKeyId	x=>x.EventData.RecoveryKeyId
RecoveryServer	x=>x.EventData.RecoveryServer
RelativeTargetName	x=>x.EventData.RelativeTargetName
RemoteAddresses	x=>x.EventData.RemoteAddresses
RemoteMachineID	x=>x.EventData.RemoteMachineID
RemoteName	x=>x.EventData.RemoteName
RemotePorts	x=>x.EventData.RemotePorts
RemoteUserID	x=>x.EventData.RemoteUserID
RequestedPolicy	x=>x.EventData.RequestedPolicy
ReturnCode	x=>x.EventData.ReturnCode
RuleName	x=>x.EventData.RuleName
SAMAccountName	x=>x.EventData.SamAccountName
SamAccountName	x=>x.EventData.SamAccountName
SchemaVersion	x=>x.EventData.SchemaVersion
ScriptBlockText	x=>x.EventData.ScriptBlockText
ScriptPath	x=>x.EventData.ScriptPath
SearchFilter	x=>x.System.SearchFilter
SecurityUserID	x=>x.System.Security.UserID
ServerAddress	x=>x.EventData.ServerAddress
ServerName	x=>x.System.ServerName
Service	x=>x.EventData.Service
ServiceAccount	x=>x.EventData.ServiceAccount
ServiceFileName	x=>x.EventData.ServiceFileName
ServiceName	x=>x.EventData.ServiceName
ServicePrincipalNames	x=>x.EventData.ServicePrincipalNames
ServiceStartType	x=>x.EventData.ServiceStartType
ServiceType	x=>x.EventData.ServiceType
SettingType	x=>x.EventData.SettingType
SettingValueString	x=>x.EventData.SettingValueString
SeverityID	x=>x.EventData.`Severity ID`
SeverityName	x=>x.EventData.`Severity Name`
ShareLocalPath	x=>x.EventData.ShareLocalPath
ShareName	x=>x.EventData.ShareName
SidHistory	x=>x.EventData.SidHistory
SidList	x=>x.EventData.SidList
Signature	x=>x.EventData.Signature
SignatureStatus	x=>x.EventData.SignatureStatus
Signed	x=>x.EventData.Signed
Source	x=>x.System.Provider_Name
SourceAddress	x=>x.EventData.SourceAddress
SourceCommandLine	x=>x.EventData.SourceCommandLine
SourceHostname	x=>x.EventData.SourceHostname
SourceImage	x=>x.EventData.SourceImage
SourceIp	x=>x.EventData.SourceIp
SourceIsIpv6	x=>x.EventData.SourceIsIpv6
SourceName	x=>x.EventData.SourceName
SourceNetworkAddress	x=>x.EventData.SourceNetworkAddress
SourceParentImage	x=>x.EventData.SourceParentImage
SourcePort	x=>x.EventData.SourcePort
SourceProcessGUID	x=>x.EventData.SourceProcessGUID
SourceProcessGuid	x=>x.EventData.SourceProcessGuid
SourceProcessId	x=>x.EventData.SourceProcessId
SourceSid	x=>x.EventData.SourceSid
SourceUser	x=>x.EventData.SourceUser
SourceUserName	x=>x.EventData.SourceUserName
Source_Name	x=>x.EventData.`Source Name`
Source_Network_Address	x=>x.EventData.Source_Network_Address
Source_WorkStation	x=>x.EventData.Source_WorkStation
StartAddress	x=>x.EventData.StartAddress
StartFunction	x=>x.EventData.StartFunction
StartModule	x=>x.EventData.StartModule
StartType	x=>x.EventData.StartType
State	x=>x.EventData.State
Status	x=>x.EventData.Status
SubStatus	x=>x.EventData.SubStatus
SubcategoryGuid	x=>x.EventData.SubcategoryGuid
SubcategoryId	x=>x.EventData.SubcategoryId
SubjectDomainName	x=>x.EventData.SubjectDomainName
SubjectLogonId	x=>x.EventData.SubjectLogonId
SubjectUserName	x=>x.EventData.SubjectUserName
SubjectUserSid	x=>x.EventData.SubjectUserSid
SysmonVersion	x=>x.EventData.SysmonVersion
TargetDomainName	x=>x.EventData.TargetDomainName
TargetFilename	x=>x.EventData.TargetFilename
TargetImage	x=>x.EventData.TargetImage
TargetInfo	x=>x.EventData.TargetInfo
TargetLogonId	x=>x.EventData.TargetLogonId
TargetName	x=>x.EventData.TargetName
TargetObject	x=>x.EventData.TargetObject
TargetOutboundUserName	x=>x.EventData.TargetOutboundUserName
TargetParentProcessId	x=>x.EventData.TargetParentProcessId
TargetProcessAddress	x=>x.EventData.TargetProcessAddress
TargetProcessGUID	x=>x.EventData.TargetProcessGUID
TargetProcessGuid	x=>x.EventData.TargetProcessGUID
TargetProcessId	x=>x.EventData.TargetProcessId
TargetServerName	x=>x.EventData.TargetServerName
TargetSid	x=>x.EventData.TargetSid
TargetUser	x=>x.EventData.TargetUser
TargetUserName	x=>x.EventData.TargetUserName
TargetUserSid	x=>x.EventData.TargetUserSid
TaskContent	x=>x.EventData.TaskContent
TaskContentNew	x=>x.EventData.TaskContentNew
TaskDate	x=>x.EventData.TaskContent
TaskName	x=>x.EventData.TaskName
TemplateContent	x=>x.EventData.TemplateContent
ThreatName	x=>x.EventData.`Threat Name`
TicketEncryptionType	x=>x.EventData.TicketEncryptionType
TicketOptions	x=>x.EventData.TicketOptions
Timestamp	x=>x.System.TimeCreated.SystemTime
TokenElevationType	x=>get(item=TokenElevationTypeLookup, member=x.EventData.TokenElevationType \|\| "-")
Type	x=>x.EventData.Type
Url	x=>x.EventData.url
User	x=>x.EventData.User
UserAccountControl	x=>x.EventData.UserAccountControl
UserContext	x=>x.EventData.UserContext
UserDataAddress	x=>x.UserData.EventXML.Address
UserDataCode	x=>x.UserData.Operation_StartedOperational.Code
UserDataConsumer	x=>x.UserData.Operation_ESStoConsumerBinding.CONSUMER
UserDataESS	x=>x.UserData.Operation_ESStoConsumerBinding.ESS
UserDataHostProcess	x=>x.UserData.Operation_StartedOperational.HostProcess
UserDataNamespace	x=>x.UserData.Operation_ESStoConsumerBinding.Namespace
UserDataNamespaceName	x=>x.UserData.Operation_TemporaryEssStarted.NamespaceName
UserDataParam1	x=>x.UserData.EventXML.Param1
UserDataParam2	x=>x.UserData.EventXML.Param2
UserDataParam3	x=>x.UserData.EventXML.Param3
UserDataPossibleCause	x=>x.UserData.Operation_ESStoConsumerBinding.PossibleCause
UserDataProcessID	x=>x.UserData.Operation_StartedOperational.ProcessID
UserDataProcessid	x=>x.UserData.Operation_TemporaryEssStarted.Processid
UserDataProviderName	x=>x.UserData.Operation_StartedOperational.ProviderName
UserDataProviderPath	x=>x.UserData.Operation_StartedOperational.ProviderPath
UserDataQuery	x=>x.UserData.Operation_TemporaryEssStarted.Query
UserDataSessionID	x=>x.UserData.EventXML.SessionID
UserDataUser	x=>x.UserData.EventXML.User
UserName	x=>x.EventData.UserName
UserParameters	x=>x.EventData.UserParameters
UserPrincipalName	x=>x.EventData.UserPrincipalName
UserWorkstations	x=>x.EventData.UserWorkstations
Value	x=>x.EventData.Value
Version	x=>x.System.Version
VhdFile	x=>x.EventData.VhdFile
VhdType	x=>x.EventData.VhdType
WindowsDefenderProcessName	x=>x.EventData.`Process Name`
Workstation	x=>x.EventData.Workstation
WorkstationName	x=>x.EventData.WorkstationName
image	x=>x.EventData.Image
jobId	x=>x.EventData.jobId
jobOwner	x=>x.EventData.jobOwner
jobTitle	x=>x.EventData.jobTitle
md5	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='MD5=([^,]+)').g1
param1	x=>x.EventData.param1
param2	x=>x.EventData.param2
param3	x=>x.EventData.param3
param4	x=>x.EventData.param4
param5	x=>x.EventData.param5
payload	x=>x.EventData.payload
process	x=>x.EventData.Process
processPath	x=>x.EventData.processPath
query	x=>x.EventData.Query
service	x=>x.EventData.Service
sha1	x=>x.EventData.Hashes
sha256	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='SHA256=([^,]+)').g1
subjectName	x=>x.EventData.SubjectName

`*/windows/application` #

Details

`*/windows/applocker` #

Details

`*/windows/appmodel-runtime` #

Details

`*/windows/appxdeployment-server` #

Details

`*/windows/appxpackaging-om` #

Details

`*/windows/bits-client` #

Details

`*/windows/capi2` #

Details

`*/windows/certificateservicesclient-lifecycle-system` #

Details

`*/windows/codeintegrity-operational` #

Details

`*/windows/diagnosis-scripted` #

Details

`*/windows/dns-client` #

Details

`*/windows/dns-server` #

Details

`*/windows/dns-server-analytic` #

Details

`*/windows/driver-framework` #

Details

`*/windows/firewall-as` #

Details

`*/windows/ldap_debug` #

Details

`*/windows/lsa-server` #

Details

`*/windows/microsoft-servicebus-client` #

Details

`*/windows/msexchange-management` #

Details

`*/windows/ntlm` #

Details

`*/windows/openssh` #

Details

`*/windows/powershell` #

Details

`*/windows/powershell-classic` #

Details

`*/windows/security` #

Details

`*/windows/security-mitigations` #

Details

`*/windows/shell-core` #

Details

`*/windows/smbclient-security` #

Details

`*/windows/sysmon` #

Details

`*/windows/system` #

Details

`*/windows/taskscheduler` #

Details

`*/windows/terminalservices-localsessionmanager` #

Details

`*/windows/vhdmp` #

Details

`*/windows/windefend` #

Details

`*/windows/wmi` #

Details

`process_creation/windows/*` #

Details

`ps_classic_provider_start/windows/*` #

Details

`ps_classic_start/windows/*` #

Details

`ps_module/windows/*` #

Details

`ps_script/windows/*` #

Details

`registry_add/windows/*` #

Details

`registry_event/windows/*` #

Details

`registry_set/windows/*` #

Details

`antivirus/windows/windefend` #

Details

Windows.Sigma.BaseEvents Model #

Log Sources #

Field Mappings #

*/windows/application #

VQL Query #

Sample use in a sigma rule: #

*/windows/applocker #

VQL Query #

Sample use in a sigma rule: #

*/windows/appmodel-runtime #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxdeployment-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxpackaging-om #

VQL Query #

Sample use in a sigma rule: #

*/windows/bits-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/capi2 #

VQL Query #

Sample use in a sigma rule: #

*/windows/certificateservicesclient-lifecycle-system #

VQL Query #

Sample use in a sigma rule: #

*/windows/codeintegrity-operational #

VQL Query #

Sample use in a sigma rule: #

*/windows/diagnosis-scripted #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server-analytic #

VQL Query #

Sample use in a sigma rule: #

*/windows/driver-framework #

VQL Query #

Sample use in a sigma rule: #

*/windows/firewall-as #

VQL Query #

Sample use in a sigma rule: #

*/windows/ldap_debug #

VQL Query #

Sample use in a sigma rule: #

*/windows/lsa-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/microsoft-servicebus-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/msexchange-management #

VQL Query #

Sample use in a sigma rule: #

*/windows/ntlm #

VQL Query #

Sample use in a sigma rule: #

*/windows/openssh #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell-classic #

VQL Query #

Sample use in a sigma rule: #

*/windows/security #

VQL Query #

Sample use in a sigma rule: #

*/windows/security-mitigations #

VQL Query #

Sample use in a sigma rule: #

*/windows/shell-core #

VQL Query #

`*/windows/application` #

`*/windows/applocker` #

`*/windows/appmodel-runtime` #

`*/windows/appxdeployment-server` #

`*/windows/appxpackaging-om` #

`*/windows/bits-client` #

`*/windows/capi2` #

`*/windows/certificateservicesclient-lifecycle-system` #

`*/windows/codeintegrity-operational` #

`*/windows/diagnosis-scripted` #

`*/windows/dns-client` #

`*/windows/dns-server` #

`*/windows/dns-server-analytic` #

`*/windows/driver-framework` #

`*/windows/firewall-as` #

`*/windows/ldap_debug` #

`*/windows/lsa-server` #

`*/windows/microsoft-servicebus-client` #

`*/windows/msexchange-management` #

`*/windows/ntlm` #

`*/windows/openssh` #

`*/windows/powershell` #

`*/windows/powershell-classic` #

`*/windows/security` #

`*/windows/security-mitigations` #

`*/windows/shell-core` #

`*/windows/smbclient-security` #

`*/windows/sysmon` #

`*/windows/system` #

`*/windows/taskscheduler` #

`*/windows/terminalservices-localsessionmanager` #

`*/windows/vhdmp` #

`*/windows/windefend` #

`*/windows/wmi` #

`process_creation/windows/*` #

`ps_classic_provider_start/windows/*` #

`ps_classic_start/windows/*` #

`ps_module/windows/*` #

`ps_script/windows/*` #

`registry_add/windows/*` #

`registry_event/windows/*` #

`registry_set/windows/*` #

`antivirus/windows/windefend` #