Parses syslog for Sysmon events on Linux using a unix domain socket.
NOTE: This is an experimental patch for sysmon that gets it to write events to a unix domain socket.
Until it merges upstream you can get it from here:
Reference: https://github.com/Velocidex/SysmonForLinux
name: Linux.Sysinternals.SysmonEvent
description: |
Parses syslog for Sysmon events on Linux using a unix domain socket.
NOTE: This is an experimental patch for sysmon that gets it to write events
to a unix domain socket.
Until it merges upstream you can get it from here:
**Reference**: https://github.com/Velocidex/SysmonForLinux
type: CLIENT_EVENT
precondition: SELECT OS From info() where OS = 'linux'
parameters:
- name: SysmonUnixDomainSocket
default: /var/run/sysmon.sock
sources:
- query: |
LET ParsedEvents =
SELECT parse_json(data=Data).Event AS Event
FROM netcat(type='unix', address=SysmonUnixDomainSocket, retry=10)
WHERE Data
SELECT timestamp(string=Event.System.TimeCreated.SystemTime) AS TimeCreated,
Event.System.EventID AS EventID,
Event.System.Channel AS _Channel,
Event.System.EventRecordID AS EventRecordID,
Event.System.EventID AS EventID,
Event.System.Computer AS Computer,
Event.System AS System,
Event.EventData AS EventData
FROM ParsedEvents