Windows.Sigma.BaseEvents Model #

Sigma Model for live monitoring of Windows systems based on local event logs.

This is a real time monitoring profile which allows live monitoring of Windows systems using Sigma rules. This profile only covers event logs by following the EVTX files.

For more dynamic event monitoring see the Windows.Sigma.ETWBase artifact which uses ETW as the monitoring mechanism.

This model is mostly compatible with the standard ruleset available from SigmaHQ, Hayabusa etc.

Log Sources #

Following is a list of recognized log sources.

Log Source	Desc
*/windows/application
*/windows/applocker
*/windows/appmodel-runtime
*/windows/appxdeployment-server
*/windows/appxpackaging-om
*/windows/bits-client
*/windows/capi2
*/windows/certificateservicesclient-lifecycle-system
*/windows/codeintegrity-operational
*/windows/diagnosis-scripted
*/windows/dns-client
*/windows/dns-server
*/windows/dns-server-analytic
*/windows/driver-framework
*/windows/firewall-as
*/windows/ldap_debug
*/windows/lsa-server
*/windows/microsoft-servicebus-client
*/windows/msexchange-management
*/windows/ntlm
*/windows/openssh
*/windows/powershell
*/windows/powershell-classic
*/windows/security
*/windows/security-mitigations
*/windows/shell-core
*/windows/smbclient-security
*/windows/sysmon
*/windows/system
*/windows/taskscheduler
*/windows/terminalservices-localsessionmanager
*/windows/vhdmp
*/windows/windefend
*/windows/wmi
process_creation/windows/*
ps_classic_provider_start/windows/*
ps_classic_start/windows/*
ps_module/windows/*
ps_script/windows/*
registry_add/windows/*
registry_event/windows/*
registry_set/windows/*
antivirus/windows/windefend

Field Mappings #

The following field mappings can be used to access fields within the event. Note that it is also possible to access the fields directly (e.g. EventData.AccessMask)

View all Field Mappings

Name	Mapping
	x=>serialize(item=x.EventData)
AccessList	x=>x.EventData.AccessList
AccessMask	x=>x.EventData.AccessMask
Accesses	x=>x.EventData.Accesses
AccountDomain	x=>x.EventData.AccountDomain
AccountName	x=>x.EventData.AccountName
Account_Name	x=>x.EventData.Account_Name
Action	x=>x.EventData.Action
Address	x=>x.EventData.Address
AllowedToDelegateTo	x=>x.EventData.AllowedToDelegateTo
AppName	x=>x.EventData.Data[0]
ApplicationPath	x=>x.EventData.ApplicationPath
AttributeLDAPDisplayName	x=>x.EventData.AttributeLDAPDisplayName
AttributeValue	x=>x.EventData.AttributeValue
AuditPolicyChanges	x=>x.EventData.AuditPolicyChanges
AuditSourceName	x=>x.EventData.AuditSourceName
AuthenticationPackageName	x=>x.EventData.AuthenticationPackageName
CallTrace	x=>x.EventData.CallTrace
CallerProcessName	x=>x.EventData.CallerProcessName
Caller_Process_Name	x=>x.EventData.Caller_Process_Name
CallingProcessName	x=>x.EventData.CallingProcessName
Caption	x=>x.EventData.Caption
CategoryName	x=>x.EventData.`Category Name`
CertThumbprint	x=>x.EventData.CertThumbprint
Channel	x=>x.System.Channel
ClassName	x=>x.EventData.ClassName
ClientAddress	x=>x.EventData.ClientAddress
ClientName	x=>x.EventData.ClientName
Client_Address	x=>x.EventData.Client_Address
CommandLine	x=>x.EventData.CommandLine
Company	x=>x.EventData.Company
Computer	x=>x.System.Computer
ComputerName	x=>x.System.Computer
Contents	x=>x.EventData.Contents
ContextInfo	x=>x.EventData.ContextInfo
CurrentDirectory	x=>x.EventData.CurrentDirectory
Data	x=>serialize(item=x.EventData)
Description	x=>x.EventData.Description
DestAddress	x=>x.EventData.DestAddress
DestPort	x=>x.EventData.DestPort
Destination	x=>x.EventData.Destination
DestinationAddress	x=>x.EventData.DestinationAddress
DestinationHostname	x=>x.EventData.DestinationHostname
DestinationIp	x=>x.EventData.DestinationIp
DestinationIsIpv6	x=>x.EventData.DestinationIsIpv6
DestinationPort	x=>x.EventData.DestinationPort
Details	x=>x.EventData.Details
DetectionSource	x=>x.EventData.DetectionSource
DetectionUser	x=>x.EventData.`Detection User`
Device	x=>x.EventData.Device
DeviceClassName	x=>x.EventData.DeviceClassName
DeviceDescription	x=>x.EventData.DeviceDescription
DeviceInstanceID	x=>x.UserData.InstallDeviceID.DeviceInstanceID
DeviceName	x=>x.EventData.DeviceName
DomainName	x=>x.EventData.SubjectDomainName
DriverDescription	x=>x.UserData.InstallDeviceID.DriverDescription
DriverProvider	x=>x.UserData.InstallDeviceID.DriverProvider
DvrFmwk2003InstanceId	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
DvrFmwkInstanceId	x=>x.UserData.UMDFHostDeviceRequest.InstanceId
ETWFileName	x=>x.EventData.FileName
EngineVersion	x=>x.EventData.EngineVersion
ErrorCode	x=>x.EventData.ErrorCode
EventID	x=>x.System.EventID.Value
EventType	x=>x.System.EventType
ExecutionProcessID	x=>x.System.Execution.ProcessID
FailureCode	x=>x.EventData.FailureCode
Feature_Name	x=>x.EventData.`Feature Name`
FilePath	x=>x.EventData.FilePath
FileVersion	x=>x.EventData.FileVersion
Filename	x=>x.EventData.Filename
GrantedAccess	x=>x.EventData.GrantedAccess
GroupName	x=>x.EventData.GroupName
GroupSid	x=>x.EventData.GroupSid
Hash	x=>x.EventData.Hash
Hashes	x=>x.EventData.Hashes
HiveName	x=>x.EventData.HiveName
HostApplication	x=>x.EventData.HostApplication
HostName	x=>x.EventData.HostName
HostVersion	x=>x.EventData.HostVersion
Image	x=>x.EventData.Image
ImageLoaded	x=>x.EventData.ImageLoaded
ImagePath	x=>x.EventData.ImagePath
Imphash	x=>x.EventData.Hashes
Initiated	x=>x.EventData.Initiated
InstallStatus	x=>x.UserData.InstallDeviceID.InstallStatus
InstanceID	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
IntegrityLevel	x=>x.EventData.IntegrityLevel
IpAddress	x=>x.EventData.IpAddress
IpPort	x=>x.EventData.IpPort
JobTitle	x=>x.EventData.name
KeyLength	x=>x.EventData.KeyLength
Keywords	x=>x.System.Keywords
LDAPDisplayName	x=>x.EventData.LDAPDisplayName
LayerRTID	x=>x.EventData.LayerRTID
Level	x=>x.System.Level
LogFileClearedChannel	x=>x.UserData.LogFileCleared.Channel
LogFileClearedSubjectUserName	x=>x.UserData.LogFileCleared.SubjectUserName
LogonID	x=>x.EventData.LogonID
LogonId	x=>x.EventData.LogonId
LogonProcessName	x=>x.EventData.LogonProcessName
LogonType	x=>x.EventData.LogonType
Logon_Account	x=>x.EventData.Logon_Account
Logon_Type	x=>x.EventData.LogonType
MachineName	x=>x.EventData.MachineName
MandatoryLabel	x=>get(item=MandatoryLabelLookup, member=x.EventData.MandatoryLabel \|\| "-")
MemberName	x=>x.EventData.MemberName
MemberSid	x=>x.EventData.MemberSid
Message	x=>x.EventData
ModifyingApplication	x=>x.EventData.ModifyingApplication
NewName	x=>x.EventData.NewName
NewProcessId	x=>x.EventData.NewProcessId
NewProcessName	x=>x.EventData.NewProcessName
NewTemplateContent	x=> x.EventData.NewTemplateContent
NewUacValue	x=>x.EventData.NewUacValue
NewValue	x=>x.EventData.NewValue
New_Value	x=>x.EventData.`New Value`
ObjectClass	x=>x.EventData.ObjectClass
ObjectName	x=>x.EventData.ObjectName
ObjectServer	x=>x.EventData.ObjectServer
ObjectType	x=>x.EventData.ObjectType
ObjectValueName	x=>x.EventData.ObjectValueName
OldUacValue	x=>x.EventData.OldUacValue
OperationEssStartedNamespaceName	x=>x.UserData.Operation_EssStarted.NamespaceName
OperationEssStartedPossibleCause	x=>x.UserData.Operation_EssStarted.PossibleCause
OperationEssStartedProcessid	x=>x.UserData.Operation_EssStarted.Processid
OperationEssStartedProvider	x=>x.UserData.Operation_EssStarted.Provider
OperationEssStartedQuery	x=>x.UserData.Operation_EssStarted.Query
OperationEssStartedUser	x=>x.UserData.Operation_EssStarted.User
Origin	x=>x.EventData.Origin
OriginalFileName	x=>x.EventData.OriginalFileName
OriginalFilename	x=>x.EventData.OriginalFileName
PackageFullName	x=>x.UserData.PackageFullName
ParentCommandLine	x=>x.EventData.ParentCommandLine
ParentImage	x=>x.EventData.ParentImage
ParentProcessName	x=>x.EventData.ParentProcessName
ParentUser	x=>x.EventData.ParentUser
PasswordLastSet	x=>x.EventData.PasswordLastSet
Path	x=>x.EventData.Path
Payload	x=>x.EventData.Payload
PipeName	x=>x.EventData.PipeName
PossibleCause	x=>x.UserData.PossibleCause
PreAuthType	x=>x.EventData.PreAuthType
PreviousCreationUtcTime	x=>x.EventData.PreviousCreationUtcTime
PrivilegeList	x=>x.EventData.PrivilegeList
ProcessCommandLine	x=>x.EventData.ProcessCommandLine \|\| x.EventData.ProcInfo.CommandLine
ProcessExe	x=>x.EventData.ProcInfo.Exe
ProcessGuid	x=>x.EventData.ProcessGuid
ProcessId	x=>x.EventData.ProcessId
ProcessName	x=>x.EventData.ProcessName \|\| x.EventData.ProcInfo.Name
Product	x=>x.EventData.Product
Properties	x=>x.EventData.Properties
Protocol	x=>x.EventData.Protocol
Provider	x=>x.UserData.Provider
ProviderName	x=>x.System.Provider.Name
Provider_Name	x=>x.System.Provider.Name
QNAME	x=>x.EventData.QNAME
Query	x=>x.UserData.Query
QueryName	x=>x.EventData.QueryName
QueryResults	x=>x.EventData.QueryResults
QueryStatus	x=>x.EventData.QueryStatus
RelativeTargetName	x=>x.EventData.RelativeTargetName
RemoteName	x=>x.EventData.RemoteName
RuleName	x=>x.EventData.RuleName
SAMAccountName	x=>x.EventData.SamAccountName
SamAccountName	x=>x.EventData.SamAccountName
ScriptBlockText	x=>x.EventData.ScriptBlockText
SearchFilter	x=>x.System.SearchFilter
SecurityUserID	x=>x.System.Security.UserID
ServerName	x=>x.System.ServerName
Service	x=>x.EventData.Service
ServiceFileName	x=>x.EventData.ServiceFileName
ServiceName	x=>x.EventData.ServiceName
ServicePrincipalNames	x=>x.EventData.ServicePrincipalNames
ServiceStartType	x=>x.EventData.ServiceStartType
ServiceType	x=>x.EventData.ServiceType
SeverityID	x=>x.EventData.`Severity ID`
SeverityName	x=>x.EventData.`Severity Name`
ShareLocalPath	x=>x.EventData.ShareLocalPath
ShareName	x=>x.EventData.ShareName
SidHistory	x=>x.EventData.SidHistory
Signature	x=>x.EventData.Signature
SignatureStatus	x=>x.EventData.SignatureStatus
Signed	x=>x.EventData.Signed
Source	x=>x.System.Provider_Name
SourceAddress	x=>x.EventData.SourceAddress
SourceHostname	x=>x.EventData.SourceHostname
SourceImage	x=>x.EventData.SourceImage
SourceIp	x=>x.EventData.SourceIp
SourceIsIpv6	x=>x.EventData.SourceIsIpv6
SourceNetworkAddress	x=>x.EventData.SourceNetworkAddress
SourcePort	x=>x.EventData.SourcePort
Source_Name	x=>x.EventData.`Source Name`
Source_Network_Address	x=>x.EventData.Source_Network_Address
Source_WorkStation	x=>x.EventData.Source_WorkStation
StartAddress	x=>x.EventData.StartAddress
StartFunction	x=>x.EventData.StartFunction
StartModule	x=>x.EventData.StartModule
StartType	x=>x.EventData.StartType
State	x=>x.EventData.State
Status	x=>x.EventData.Status
SubStatus	x=>x.EventData.SubStatus
SubjectDomainName	x=>x.EventData.SubjectDomainName
SubjectLogonId	x=>x.EventData.SubjectLogonId
SubjectUserName	x=>x.EventData.SubjectUserName
SubjectUserSid	x=>x.EventData.SubjectUserSid
SysmonVersion	x=>x.EventData.SysmonVersion
TargetDomainName	x=>x.EventData.TargetDomainName
TargetFilename	x=>x.EventData.TargetFilename
TargetImage	x=>x.EventData.TargetImage
TargetInfo	x=>x.EventData.TargetInfo
TargetLogonId	x=>x.EventData.TargetLogonId
TargetObject	x=>x.EventData.TargetObject
TargetOutboundUserName	x=>x.EventData.TargetOutboundUserName
TargetProcessAddress	x=>x.EventData.TargetProcessAddress
TargetServerName	x=>x.EventData.TargetServerName
TargetSid	x=>x.EventData.TargetSid
TargetUserName	x=>x.EventData.TargetUserName
TaskDate	x=>x.EventData.TaskContent
TaskName	x=>x.EventData.TaskName
TemplateContent	x=>x.EventData.TemplateContent
ThreatName	x=>x.EventData.`Threat Name`
TicketEncryptionType	x=>x.EventData.TicketEncryptionType
TicketOptions	x=>x.EventData.TicketOptions
Timestamp	x=>x.System.TimeCreated.SystemTime
TokenElevationType	x=>get(item=TokenElevationTypeLookup, member=x.EventData.TokenElevationType \|\| "-")
Type	x=>x.EventData.Type
Url	x=>x.EventData.url
User	x=>x.EventData.User
UserDataAddress	x=>x.UserData.EventXML.Address
UserDataCode	x=>x.UserData.Operation_StartedOperational.Code
UserDataConsumer	x=>x.UserData.Operation_ESStoConsumerBinding.CONSUMER
UserDataESS	x=>x.UserData.Operation_ESStoConsumerBinding.ESS
UserDataHostProcess	x=>x.UserData.Operation_StartedOperational.HostProcess
UserDataNamespace	x=>x.UserData.Operation_ESStoConsumerBinding.Namespace
UserDataNamespaceName	x=>x.UserData.Operation_TemporaryEssStarted.NamespaceName
UserDataParam1	x=>x.UserData.EventXML.Param1
UserDataParam2	x=>x.UserData.EventXML.Param2
UserDataParam3	x=>x.UserData.EventXML.Param3
UserDataPossibleCause	x=>x.UserData.Operation_ESStoConsumerBinding.PossibleCause
UserDataProcessID	x=>x.UserData.Operation_StartedOperational.ProcessID
UserDataProcessid	x=>x.UserData.Operation_TemporaryEssStarted.Processid
UserDataProviderName	x=>x.UserData.Operation_StartedOperational.ProviderName
UserDataProviderPath	x=>x.UserData.Operation_StartedOperational.ProviderPath
UserDataQuery	x=>x.UserData.Operation_TemporaryEssStarted.Query
UserDataSessionID	x=>x.UserData.EventXML.SessionID
UserDataUser	x=>x.UserData.EventXML.User
UserName	x=>x.EventData.UserName
Value	x=>x.EventData.Value
Version	x=>x.System.Version
VhdType	x=>x.EventData.VhdType
WindowsDefenderProcessName	x=>x.EventData.`Process Name`
Workstation	x=>x.EventData.Workstation
WorkstationName	x=>x.EventData.WorkstationName
image	x=>x.EventData.Image
md5	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='MD5=([^,]+)').g1
param1	x=>x.EventData.param1
param2	x=>x.EventData.param2
param3	x=>x.EventData.param3
param4	x=>x.EventData.param4
param5	x=>x.EventData.param5
processPath	x=>x.EventData.processPath
query	x=>x.EventData.Query
service	x=>x.EventData.Service
sha1	x=>x.EventData.Hashes
sha256	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='SHA256=([^,]+)').g1

`*/windows/application` #

Details

`*/windows/applocker` #

Details

`*/windows/appmodel-runtime` #

Details

`*/windows/appxdeployment-server` #

Details

`*/windows/appxpackaging-om` #

Details

`*/windows/bits-client` #

Details

`*/windows/capi2` #

Details

`*/windows/certificateservicesclient-lifecycle-system` #

Details

`*/windows/codeintegrity-operational` #

Details

`*/windows/diagnosis-scripted` #

Details

`*/windows/dns-client` #

Details

`*/windows/dns-server` #

Details

`*/windows/dns-server-analytic` #

Details

`*/windows/driver-framework` #

Details

`*/windows/firewall-as` #

Details

`*/windows/ldap_debug` #

Details

`*/windows/lsa-server` #

Details

`*/windows/microsoft-servicebus-client` #

Details

`*/windows/msexchange-management` #

Details

`*/windows/ntlm` #

Details

`*/windows/openssh` #

Details

`*/windows/powershell` #

Details

`*/windows/powershell-classic` #

Details

`*/windows/security` #

Details

`*/windows/security-mitigations` #

Details

`*/windows/shell-core` #

Details

`*/windows/smbclient-security` #

Details

`*/windows/sysmon` #

Details

`*/windows/system` #

Details

`*/windows/taskscheduler` #

Details

`*/windows/terminalservices-localsessionmanager` #

Details

`*/windows/vhdmp` #

Details

`*/windows/windefend` #

Details

`*/windows/wmi` #

Details

`process_creation/windows/*` #

Details

`ps_classic_provider_start/windows/*` #

Details

`ps_classic_start/windows/*` #

Details

`ps_module/windows/*` #

Details

`ps_script/windows/*` #

Details

`registry_add/windows/*` #

Details

`registry_event/windows/*` #

Details

`registry_set/windows/*` #

Details

`antivirus/windows/windefend` #

Details

Windows.Sigma.BaseEvents Model #

Log Sources #

Field Mappings #

*/windows/application #

VQL Query #

Sample use in a sigma rule: #

*/windows/applocker #

VQL Query #

Sample use in a sigma rule: #

*/windows/appmodel-runtime #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxdeployment-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxpackaging-om #

VQL Query #

Sample use in a sigma rule: #

*/windows/bits-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/capi2 #

VQL Query #

Sample use in a sigma rule: #

*/windows/certificateservicesclient-lifecycle-system #

VQL Query #

Sample use in a sigma rule: #

*/windows/codeintegrity-operational #

VQL Query #

Sample use in a sigma rule: #

*/windows/diagnosis-scripted #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server-analytic #

VQL Query #

Sample use in a sigma rule: #

*/windows/driver-framework #

VQL Query #

Sample use in a sigma rule: #

*/windows/firewall-as #

VQL Query #

Sample use in a sigma rule: #

*/windows/ldap_debug #

VQL Query #

Sample use in a sigma rule: #

*/windows/lsa-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/microsoft-servicebus-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/msexchange-management #

VQL Query #

Sample use in a sigma rule: #

*/windows/ntlm #

VQL Query #

Sample use in a sigma rule: #

*/windows/openssh #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell-classic #

VQL Query #

Sample use in a sigma rule: #

*/windows/security #

VQL Query #

Sample use in a sigma rule: #

*/windows/security-mitigations #

VQL Query #

Sample use in a sigma rule: #

*/windows/shell-core #

VQL Query #

`*/windows/application` #

`*/windows/applocker` #

`*/windows/appmodel-runtime` #

`*/windows/appxdeployment-server` #

`*/windows/appxpackaging-om` #

`*/windows/bits-client` #

`*/windows/capi2` #

`*/windows/certificateservicesclient-lifecycle-system` #

`*/windows/codeintegrity-operational` #

`*/windows/diagnosis-scripted` #

`*/windows/dns-client` #

`*/windows/dns-server` #

`*/windows/dns-server-analytic` #

`*/windows/driver-framework` #

`*/windows/firewall-as` #

`*/windows/ldap_debug` #

`*/windows/lsa-server` #

`*/windows/microsoft-servicebus-client` #

`*/windows/msexchange-management` #

`*/windows/ntlm` #

`*/windows/openssh` #

`*/windows/powershell` #

`*/windows/powershell-classic` #

`*/windows/security` #

`*/windows/security-mitigations` #

`*/windows/shell-core` #

`*/windows/smbclient-security` #

`*/windows/sysmon` #

`*/windows/system` #

`*/windows/taskscheduler` #

`*/windows/terminalservices-localsessionmanager` #

`*/windows/vhdmp` #

`*/windows/windefend` #

`*/windows/wmi` #

`process_creation/windows/*` #

`ps_classic_provider_start/windows/*` #

`ps_classic_start/windows/*` #

`ps_module/windows/*` #

`ps_script/windows/*` #

`registry_add/windows/*` #

`registry_event/windows/*` #

`registry_set/windows/*` #

`antivirus/windows/windefend` #