
Linux

auditd

Field Data Type Example
a0 string
/bin/sh
a1 string
/usr/bin/which
a2 string
0
a3 string
7fe53409a548
arch string
c000003e
comm string
506970656C696E6520457865637574
dev string
08:05
exe string
/snap/powershell/211/opt/powershell/pwsh
key string
power_abuse
name string
/home/ubuntu/capattack/config.ini
ses integer
3
type string
PATH
SigmaEventCode string
N/A
argc integer
3
auid integer
1000
cap_fe integer
0
cap_fi integer
0
cap_fp integer
0
cap_frootid integer
0
cap_fver integer
0
egid integer
0
euid integer
0
exit integer
0
fsgid integer
0
fsuid integer
0
gid integer
0
inode integer
684595
item integer
0
items integer
1
mode integer
0100644
msg string
audit(1656429107.394:132664):
nametype string
NORMAL
ogid integer
0
ouid integer
0
pid integer
67884
ppid integer
5830
proctitle string
/snap/powershell/211/opt/powershell/pwsh
rdev string
00:00
sgid integer
0
sigma_product string
linux
sigma_service string
auditd
subj string
snap.powershell.powershell
success string
yes
suid integer
0
syscall integer
4
timeendpos integer
34
timestartpos integer
20
tty string
pts0
uid integer
0

clipboard_capture

Field Data Type Event IDs
Image string 2, 4
ProcessName string 2, 3
User string 2, 4
Archived boolean 2, 4
ClientInfo string 2, 4
Hashes string 2, 4
ProcessGuid string 2, 4
ProcessId integer 2, 4
ProcessPath string 2, 3
RuleName string 2, 4
Session integer 2, 4
UtcTime date 2, 4

dns_query

Field Data Type Event IDs
Image string 2, 2
ProcessName string 2, 2
ProcessGuid string 2, 2
ProcessId string 2, 2
ProcessPath string 2, 2
QueryName string 2, 2
QueryResults string 2, 2
QueryStatus string 2, 2
RuleName string 2, 2
UtcTime date 2, 2

file_change

Field Data Type Event IDs
Image string 2
ProcessName string 2
TargetFilename string 2
CreationUtcTime date 2
PreviousCreationUtcTime date 2
ProcessGuid string 2
ProcessId integer 2
ProcessPath string 2
UtcTime date 2

file_delete

Field Data Type Event IDs
Image string 2, 3
ProcessName string 2, 3
TargetFilename string 2, 3
User string 2, 3
Archived boolean 2, 3
Hashes string 2, 3
IMPHASH string 2, 3
IsExecutable boolean 2, 3
MD5 string 2, 3
ProcessGuid string 2, 3
ProcessId integer 2, 3
ProcessPath string 2, 3
RuleName string 2, 3
SHA1 string 2, 3
SHA256 string 2, 3
UtcTime date 2, 3

file_delete_logged

Field Data Type Event IDs
Image string 2, 6
ProcessName string 2, 6
TargetFilename string 2, 6
Hashes string 2, 6
IMPHASH string 2, 6
MD5 string 2, 6
ProcessGuid string 2, 6
ProcessId integer 2, 6
ProcessPath string 2, 6
RuleName string 2, 6
SHA1 string 2, 6
SHA256 string 2, 6
UtcTime date 2, 6

file_event

Field Data Type Event IDs
Image string 1, 1
ProcessName string 1, 1
TargetFilename string 1, 1
CreationUtcTime date 1, 1
ProcessGuid string 1, 1
ProcessId integer 1, 1
ProcessPath string 1, 1
RuleName string 1, 1
UtcTime date 1, 1

network_connection

Field Data Type Event IDs
Image string 3
ProcessName string 3
User string 3
DestinationHostname string 3
DestinationIp string 3
DestinationIsIpv6 boolean 3
DestinationPort integer 3
DestinationPortName string 3
Initiated boolean 3
ProcessGuid string 3
ProcessId integer 3
ProcessPath string 3
Protocol string 3
RuleName string 3
SourceHostname string 3
SourceIp string 3
SourceIsIpv6 boolean 3
SourcePort integer 3
SourcePortName string 3
UtcTime date 3

pipe_connected

Field Data Type Event IDs
Image string 1, 8
ProcessName string 1, 8
EventType string 1, 8
PipeName string 1, 8
ProcessGuid string 1, 8
ProcessId integer 1, 8
ProcessPath string 1, 8
RuleName string 1, 8
UtcTime date 1, 8

pipe_created

Field Data Type Event IDs
Image string 17, 18
ProcessName string 17, 18
EventType string 17, 18
PipeName string 17, 18
ProcessGuid string 17, 18
ProcessId integer 17, 18
ProcessPath string 17, 18
RuleName string 17, 18
UtcTime date 17, 18

process_creation

Field Data Type Event IDs
CommandLine string 1
Image string 1
OriginalFileName string 1
ParentCommandLine string 1
ParentImage string 1
ParentProcessName string 1
ProcessName string 1
User string 1
Company string 1
CurrentDirectory string 1
Description string 1
FileVersion string 1
Hashes string 1
IMPHASH string 1
IntegrityLevel string 1
LogonGuid string 1
LogonId integer 1
MD5 string 1
ParentProcessGuid string 1
ParentProcessId integer 1
ParentProcessPath string 1
ProcessGuid string 1
ProcessId integer 1
ProcessPath string 1
Product string 1
RuleName string 1
SHA1 string 1
SHA256 string 1
TerminalSessionId integer 1
UtcTime date 1

process_tampering

Field Data Type Event IDs
Image string 2, 5
ProcessName string 2, 5
Type string 2, 5
ProcessGuid string 2, 5
ProcessId integer 2, 5
ProcessPath string 2, 5
RuleName string 2, 5
UtcTime date 2, 5

process_termination

Field Data Type Event IDs
Image string 5
ProcessName string 5
ProcessGuid string 5
ProcessId integer 5
ProcessPath string 5
RuleName string 5
UtcTime date 5

raw_access_read

Field Data Type Event IDs
Image string 9
ProcessName string 9
Device string 9
ProcessGuid string 9
ProcessId integer 9
ProcessPath string 9
RuleName string 9
UtcTime date 9

raw_access_thread

Field Data Type Event IDs
Image string 9
ProcessName string 9
Device string 9
ProcessGuid string 9
ProcessId integer 9
ProcessPath string 9
RuleName string 9
UtcTime date 9

sysmon_error

Field Data Type Event IDs
ID string 2, 5, 5
Description string 2, 5, 5
UtcTime date 2, 5, 5

sysmon_status

Field Data Type Event IDs
Configuration string 4, 16
ConfigurationFileHash string 4, 16
SchemaVersion string 4, 16
State string 4, 16
UtcTime date 4, 16
Version string 4, 16