Skip to content

SigmaHQ/pySigma-pipeline-sysmon

Repository files navigation

Tests Coverage Badge Status

pySigma Sysmon Processing Pipeline

This is the Sysmon processing pipeline for pySigma. It provides the package sigma.pipeline.sysmon with the sysmon_pipeline function that returns a ProcessingPipeline object.

Currently the pipeline adds support for the following event types (Sigma logsource category to EventID mapping):

  • process_creation: 1
  • file_change: 2
  • network_connection: 3
  • process_termination: 5
  • sysmon_status: 4,16
  • driver_load: 6
  • image_load: 7
  • create_remote_thread: 8
  • raw_access_thread: 9
  • process_access: 10
  • file_event: 11
  • registry_add: 12
  • registry_delete: 12
  • registry_set: 13
  • registry_rename: 14
  • registry_event: 12,13,14
  • create_stream_hash: 15
  • pipe_created: 17,18
  • wmi_event: 19,20,21
  • dns_query: 22
  • file_delete: 23
  • clipboard_capture: 24
  • process_tampering: 25
  • file_delete_detected: 26
  • file_block_executable: 27
  • file_block_shredding: 28
  • file_executable_detected: 29
  • sysmon_error: 255

This backend is currently maintained by: