soldr-modules/config.json

[
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "sysmon",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"sysmon_already_installed",
"sysmon_already_started",
"sysmon_config_updated_error",
"sysmon_config_updated_success",
"sysmon_installed_error",
"sysmon_installed_success",
"sysmon_started_error",
"sysmon_started_success",
"sysmon_unexpected_stopped",
"sysmon_unexpected_uninstalled",
"sysmon_uninstalled_error",
"sysmon_uninstalled_success",
"sysmon_updated_error",
"sysmon_updated_success"
],
"fields": [
"reason",
"version"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "wineventlog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"wel_module_internal_error",
"wel_module_started",
"wel_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "custom",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "lua_interpreter",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [],
"fields": [],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "syslog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"send_to_syslog"
],
"events": [
"syslog_module_started",
"syslog_module_stopped"
],
"fields": [],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_remover",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fr_remove_object_file",
"fr_remove_object_proc_image",
"fr_remove_subject_proc_image"
],
"events": [
"fr_module_started",
"fr_module_stopped",
"fr_object_file_removed_failed",
"fr_object_file_removed_successful",
"fr_object_proc_image_removed_failed",
"fr_object_proc_image_removed_successful",
"fr_remove_internal_error",
"fr_subject_proc_image_removed_failed",
"fr_subject_proc_image_removed_successful"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-04-29 00:00:00",
"last_update": "2022-04-29 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "proc_terminator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"pt_kill_object_process_by_file_path",
"pt_kill_object_process_by_image",
"pt_kill_object_process_by_name",
"pt_kill_object_process_by_name_and_id",
"pt_kill_object_process_by_image_and_id",
"pt_kill_object_process_tree_by_file_path",
"pt_kill_object_process_tree_by_image",
"pt_kill_object_process_tree_by_name",
"pt_kill_object_process_tree_by_name_and_id",
"pt_kill_object_process_tree_by_image_and_id",
"pt_kill_subject_process_by_image",
"pt_kill_subject_process_by_name",
"pt_kill_subject_process_by_name_and_id",
"pt_kill_subject_process_by_image_and_id",
"pt_kill_subject_process_tree_by_image",
"pt_kill_subject_process_tree_by_name",
"pt_kill_subject_process_tree_by_name_and_id",
"pt_kill_subject_process_tree_by_image_and_id"
],
"events": [
"pt_module_started",
"pt_module_stopped",
"pt_object_process_killed_failed",
"pt_object_process_killed_successful",
"pt_object_process_skipped",
"pt_process_not_found",
"pt_subject_process_killed_failed",
"pt_subject_process_killed_successful",
"pt_subject_process_skipped"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.process.name",
"reason",
"subject.process.fullpath",
"subject.process.id",
"subject.process.name"
],
"last_module_update": "2022-08-26 00:00:00",
"last_update": "2022-06-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "yara_scanner",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"yr_object_scan_proc",
"yr_object_task_scan_proc",
"yr_scan_fs",
"yr_subject_scan_proc",
"yr_subject_task_scan_proc",
"yr_task_fastscan_fs",
"yr_task_fastscan_proc",
"yr_task_fullscan_fs",
"yr_task_fullscan_proc",
"yr_task_scan_fs"
],
"events": [
"yr_file_matched_custom",
"yr_file_matched_high",
"yr_file_matched_low",
"yr_file_matched_medium",
"yr_module_started",
"yr_module_stopped",
"yr_object_process_matched_high",
"yr_object_process_matched_low",
"yr_object_process_matched_medium",
"yr_process_matched_custom",
"yr_subject_process_matched_high",
"yr_subject_process_matched_low",
"yr_subject_process_matched_medium"
],
"fields": [
"malware_class",
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.sha256_hash",
"reason",
"rule_name",
"rule_precision",
"rule_type",
"rules",
"subject.process.fullpath",
"subject.process.id"
],
"last_module_update": "2022-11-07 09:11:39",
"last_update": "2022-11-07 09:11:39"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_uploader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fu_upload_object_file",
"fu_upload_object_proc_image",
"fu_upload_subject_proc_image"
],
"events": [
"fu_module_started",
"fu_module_stopped",
"fu_object_file_upload_failed",
"fu_object_file_upload_successful",
"fu_object_proc_image_upload_failed",
"fu_object_proc_image_upload_successful",
"fu_subject_proc_image_upload_failed",
"fu_subject_proc_image_upload_successful",
"fu_upload_internal_error"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-09-30 00:00:00",
"last_update": "2022-09-30 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"amd64"
]
},
"name": "correlator_linux",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Auxiliary_SuspiciousWeightsTrojan_Linux_subject_a",
"Local_Recon_by_Web_User",
"Malware_Exploit_Elf_CVE_2019_14287_a",
"Malware_Exploit_Elf_CVE_2021_4034_a",
"Malware_Trojan_Linux_Generic_a",
"Malware_Trojan_Spy_Linux_Generic_a",
"Raw_Socket",
"Reverse_Tunneling_via_SSH",
"Suspicious_Create_File_Attribute_Hidden",
"Suspicious_Create_File_Boot_Modification",
"Suspicious_Create_File_Boot_RCScripts",
"Suspicious_Create_File_Ldd_PreloadDynamicLibrary",
"Suspicious_Create_File_Scheduler_At",
"Suspicious_Create_File_Scheduler_Cron",
"Suspicious_Create_File_Scheduler_SystemdTimer",
"Suspicious_Create_File_Shell_Config",
"Suspicious_Create_File_Ssh_AuthorizedKeys",
"Suspicious_Create_File_Systemd_Service",
"Suspicious_Create_File_Xdg_Autostart",
"Suspicious_Create_Process_Chkconfig_DisableRCScripts",
"Suspicious_Create_Process_Iptables_ModifyFirewall",
"Suspicious_Create_Process_Service_Disable",
"Suspicious_Create_Process_Setenforce_ModifySELinux",
"Suspicious_Create_Process_Sudo_Bruteforce",
"Suspicious_Create_Process_WipeData_Destruction",
"Suspicious_Read_File_Email_Local",
"Suspicious_Read_File_Fstab_Configuration",
"Suspicious_Read_File_Passwd_CredentialsEnumeration",
"Suspicious_Read_File_Polkit_Policy",
"Suspicious_Read_File_Shadow_CredentialsDumping",
"Suspicious_Read_System_BIOS_Reconnaissance",
"Suspicious_Read_System_DMI_CheckVM",
"Suspicious_Read_System_Kernel_ASLR",
"Suspicious_Read_System_Kernel_PtraceScope",
"Suspicious_Read_System_KeyState_Keylogger",
"Suspicious_Read_System_PCI_GPU",
"Suspicious_Read_System_PCI_USB",
"Suspicious_Read_System_Proc_ARPSessions",
"Suspicious_Read_System_Proc_BootCmdline",
"Suspicious_Read_System_Proc_Modules",
"Suspicious_Read_System_Proc_Route",
"Suspicious_Read_System_Proc_SCSI",
"Suspicious_Read_System_Proc_TCPSessions",
"Suspicious_Write_Disk_Data_DirectAccess",
"Suspicious_Write_File_PAM_Persistence",
"Suspicious_Write_Process_Inject_Ptrace",
"Tunneling_via_SSH",
"Tunneling_via_SSHuttle_Client",
"Tunneling_via_SSHuttle_Server"
],
"fields": [
"action",
"alert.key",
"category.generic",
"category.high",
"category.low",
"correlation_name",
"correlation_type",
"event_src.asset",
"event_src.host",
"event_src.hostname",
"event_src.id",
"event_src.ip",
"event_src.subsys",
"event_src.title",
"event_src.vendor",
"importance",
"incident.aggregation.key",
"incident.aggregation.timeout",
"incident.category",
"incident.severity",
"labels",
"numfield1",
"numfield2",
"object",
"object.account.group",
"object.account.id",
"object.account.name",
"object.fullpath",
"object.name",
"object.path",
"object.process.cmdline",
"object.process.cwd",
"object.process.fullpath",
"object.process.id",
"object.process.meta",
"object.process.name",
"object.process.parent.id",
"object.process.path",
"object.state",
"object.value",
"status",
"subject",
"subject.account.id",
"subject.account.name",
"subject.account.privileges",
"subject.account.session_id",
"subject.process.fullpath",
"subject.process.id",
"subject.process.meta",
"subject.process.name",
"subject.process.parent.id",
"subject.process.path",
"subject.type"
],
"last_module_update": "2022-11-07 12:52:12",
"last_update": "2022-11-07 12:52:12"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"windows": [
"amd64"
]
},
"name": "correlator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Abnormal_Directory_for_Process",
"Abusing_CredSSP",
"Access_System_Credential_files_via_cmdline",
"Access_into_Sensitive_Files_via_Network_Share",
"Accessibility_Feature_Tool_Abuse",
"Account_Created_on_Local_System",
"Account_Discovery",
"Account_or_Group_discovery_via_SAM_R",
"Add_new_user_in_commandline",
"Alternate_Data_Stream",
"Audit_XP_params_change",
"Auxiliary_SuspiciousWeightsTrojan_Windows_subject_a",
"Auxiliary_SuspiciousWeightsTrojan_Windows_subject_b",
"BitsJob_Download_and_Run",
"COM_object_persistence",
"CVE_2021_41379_Subrule_Elevation_service_chain",
"CVE_2021_41379_Subrule_Start_elevation",
"CVE_2021_41379_exploitation",
"CVE_2022_26500_26501_exploitation",
"CVE_2022_26503_Subrule_1",
"CVE_2022_26503_Subrule_2",
"CVE_2022_26503_exploitation",
"Client_Side_Execution_via_DCOM",
"Clipboard_Access",
"Clipboard_Access_Powershell",
"Cmstp_AWL_Bypass",
"Cobalt_Strike_Assembly",
"Cobalt_Strike_Payload_Delivery_Check",
"Cobalt_Strike_Pipe_from_AdminShare",
"Cobalt_Strike_Process_Injection",
"Cobalt_Strike_Psexec_Jump",
"Cobalt_Strike_SMB_Beacon",
"Cobalt_Strike_Service_Move",
"Code_Execution_Via_JDK_Tools",
"Command_Processor_Autorun_Modify",
"Computer_object_ldap_request",
"ControlPanel_AWL_Bypass",
"Copy_Mimikatz_To_Share",
"Credential_Access_to_Passwords_Storage",
"Credential_Dump_in_Local_Registry",
"Csc_AWL_Bypass",
"DRSUAPI_User_Enumeration",
"DSInternals_Usage",
"Disable_Credential_Guard",
"Disable_LSA_Protection",
"Disable_Restricted_Admin_Mode",
"Dnscmd_AWL_Bypass",
"Domain_Controllers_Discovery",
"Domain_Trust_Discovery",
"Download_File_Through_Curl",
"Download_File_Through_Windows_Defender",
"Downloading_Remote_File_Via_Lolbas",
"Empire_Stager",
"Esentutil_Copy_File",
"Execute_Encoded_Powershell",
"Execute_Malicious_Command",
"Execute_Malicious_Powershell_Cmdlet",
"Execute_PSEXEC",
"Execute_Suspicious_Command_via_cmd",
"Failed_LSASS_Injection",
"Fast_Create_and_Delete_Account",
"Finger_AWL_Bypass",
"Groups_And_Users_Enumeration",
"Hidden_Scheduled_Task",
"Hidden_Service_Create",
"Hide_Account_from_Logon_Screen",
"IEExec_AWL_Bypass",
"Impacket_SMBEXEC",
"Impacket_Secretsdump",
"InstallUtil_AWL_Bypass",
"Intercept_Creds_from_MSTSC",
"Internal_Monologue_Attack",
"KeePass_Keys_Extraction",
"KeePass_Persistence",
"Koadic_MSHTA_Stager",
"Koadic_REGSVR32_Stager",
"Koadic_Rundll32_Stager",
"Koadic_WMIC_Stager",
"LAPS_Enumeration",
"LOLBin_Copying",
"LSA_SSP_Change",
"Lazagne_Usage",
"Local_Pass_the_Hash",
"Lsass_Dump_via_SilentProcessExit",
"Lsass_SilentProcessExit_Keys",
"MSBuild_AWL_Bypass",
"MSHTA_AWL_Bypass",
"MSXSL_AWL_Bypass",
"Malicious_CHM_File",
"Malicious_Office_Document",
"Malware_Backdoor_Win32_Evilnum_a",
"Malware_Backdoor_Win32_Havex_a",
"Malware_Backdoor_Win32_NetWire_b",
"Malware_Backdoor_Win32_Pteredo_a",
"Malware_Backdoor_Win64_Throwback_b",
"Malware_Exploit_Win32_CVE_2022_30190_a",
"Malware_Exploit_Win32_PrintSpooler_a",
"Malware_Hacktool_Win32_CrackMapExec_a",
"Malware_Trojan_Dropper_MSOffice_Launcher_a",
"Malware_Trojan_Dropper_Script_Generic_a",
"Malware_Trojan_Dropper_Win32_Generic_k",
"Malware_Trojan_Ransom_Win32_Generic_a",
"Malware_Trojan_Ransom_Win32_Generic_b",
"Malware_Trojan_Win32_Generic_a",
"Malware_Trojan_Win32_Generic_o",
"Malware_Trojan_Win32_Generic_s",
"Malware_Trojan_Win32_Generic_t",
"Mavinject_AWL_Bypass",
"Metasploit_Payload",
"Microsoft_Teams_AWL_Bypass",
"Mimikatz_Command",
"Msiexec_AWL_Bypass",
"NetCat_Usage",
"Network_Share_Discovery",
"Odbcconf_AWL_Bypass",
"Office_File_with_Macros",
"Office_Normal_dotm_modification",
"Office_XLL_modification",
"Password_Policy_Discovery",
"Pcalua_AWL_Bypass",
"Permission_Groups_Discovery",
"Persistence_Netsh_DLL",
"Port_Forwarding_or_Tunneling",
"Potential_Users_Or_Groups_Enumeration_Process",
"Potential_domain_groups_and_users_enumeration_handle",
"Potential_localgroups_and_administrators_enumeration_handle",
"Powershell_Remoting",
"Process_Discovery",
"Proxy_Tools_Usage",
"RDP_Session_Hijacking",
"Reading_Registry_Objects",
"RegAsm_or_RegSvcs_AWL_Bypass",
"Registry_Winlogon_Helper",
"Regsvr32_AWL_Bypass",
"Remote_Admin_Share_Access",
"Remote_Code_Execution_Via_AtSvc",
"Remote_Connection_through_SMBEXEC_WinXP",
"Remote_Copy_Credential_Dump_Artifact",
"Remote_Copying_Malicious_File",
"Remote_File_Download_Via_Certutil",
"Remote_Password_Dump",
"Remoting_Impacket_PsExec",
"Remoting_SysInternals_PsExec",
"Remoting_WMI",
"Remoting_WinExec",
"Remoting_Windows_Shell",
"Remove_Access_To_Sensitive_Account",
"Remove_Account_From_Sensitive_Group",
"Rubeus_Usage",
"RunAs_Subrule_Login",
"RunAs_System_or_External_tools",
"Run_Malicious_Msbuild_Project",
"Run_whoami_as_System",
"Rundll32_AWL_Bypass",
"SPN_LDAP_requests",
"Scheduled_Task_Was_Created_Or_Updated_Via_Schtasks",
"Search_Stored_Credentials",
"Service_Created_or_Modified",
"Shadow_Copies_Deletion_with_Builtin_Tools",
"Shadow_Key_Creation",
"Shadow_Screen_save",
"Shadow_Screen_saves_PowerShell",
"SharpSploit_Usage",
"SharpWMI_Usage",
"Sharphound_Client_Side",
"Sharphound_Server_Side",
"SilentTrinity_Stager",
"Sliver_Shell_Usage",
"Software_Discovery",
"Spoolsv_Priv_Escalation",
"Stop_Important_Service",
"Stop_Important_Service_registry",
"Subrule_Sharphound_Client_Side",
"Subrule_Sharphound_Server_Side",
"Suspicious_Access_To_Users_Folder",
"Suspicious_Child_from_Messenger_Process",
"Suspicious_Create_File_FromBrowser_SuspiciousExtension",
"Suspicious_Create_File_FromMessenger_SuspiciousExtension",
"Suspicious_Create_File_PartitionMaster_DirectAccess",
"Suspicious_Create_File_RawDisk_DirectAccess",
"Suspicious_Create_Object_Account_Persistence",
"Suspicious_Create_Process_At_Persistence",
"Suspicious_Create_Process_BitsAdmin_RestrictionBypass",
"Suspicious_Create_Process_Debugger_Inject",
"Suspicious_Create_Process_DirectoryMock_UACBypass",
"Suspicious_Create_Process_NetSh_NetShell",
"Suspicious_Create_Process_Ping_SelfDelete",
"Suspicious_Create_Process_RunScript_WScript",
"Suspicious_Create_Process_Schtasks_Persistence",
"Suspicious_Create_Process_TaskKill_TerminateProcess",
"Suspicious_Create_Process_VSTOInstaller_OfficeAddIns",
"Suspicious_Create_Process_VirtualInstance_Evasion",
"Suspicious_Create_Process_WinDef_AddExclusion",
"Suspicious_Create_Process_WinDef_ChangeSettings",
"Suspicious_Create_Process_WithDebugger_Execution_Predetect_2_1",
"Suspicious_Create_Process_WusaExtract_UACBypass",
"Suspicious_Create_Registry_Key_SafeBoot",
"Suspicious_Delete_Registry_Key_ETWProvider",
"Suspicious_Delete_Registry_Key_RunAsPPL",
"Suspicious_Delete_Registry_Key_SafeBoot",
"Suspicious_Delete_Registry_Key_Service",
"Suspicious_Delete_Registry_Key_TaskSD",
"Suspicious_File_Created_by_Legal_Process",
"Suspicious_Windows_Kernel_creating",
"Suspicious_Wmic_Command",
"Suspicious_Write_File_EfiSystemPartition_Persistence",
"Suspicious_Write_File_USB_AirSpread",
"Suspicious_Write_Process_Inject_CreateRemoteThread",
"Suspicious_Write_Registry_Key_CPL",
"Suspicious_Write_Registry_Key_ChangeDefaultFileAssociation",
"Suspicious_Write_Registry_Key_ChangeFirewallPolicy",
"Suspicious_Write_Registry_Key_ChangeRdpPort",
"Suspicious_Write_Registry_Key_CredentialsDelegation",
"Suspicious_Write_Registry_Key_DisableAppLaunch",
"Suspicious_Write_Registry_Key_DisableTaskManager",
"Suspicious_Write_Registry_Key_DisableUAC",
"Suspicious_Write_Registry_Key_FlashConfigEnrollee",
"Suspicious_Write_Registry_Key_ImagePath",
"Suspicious_Write_Registry_Key_InjectAppCertDlls",
"Suspicious_Write_Registry_Key_InjectAppInitDLLs",
"Suspicious_Write_Registry_Key_InjectImageFileExecutionOptions",
"Suspicious_Write_Registry_Key_InjectLoadAppInitDLLs",
"Suspicious_Write_Registry_Key_InjectSilentProcessExit",
"Suspicious_Write_Registry_Key_KillAntivirus",
"Suspicious_Write_Registry_Key_LsaComponents",
"Suspicious_Write_Registry_Key_ModifyRdpSettings",
"Suspicious_Write_Registry_Key_OfficeTemplate",
"Suspicious_Write_Registry_Key_ProxyHijack",
"Suspicious_Write_Registry_Key_SafeBoot",
"Suspicious_Write_Registry_Key_ScreenSaver",
"Suspicious_Write_Registry_Key_SvchostContextService",
"Suspicious_Write_Registry_Key_TerminalContextService",
"Suspicious_Write_Registry_Key_TimeProviders",
"Suspicious_process_execution_sequence",
"Sysmon_Driver_Unload",
"System_Information_Discovery",
"System_Network_Configuration_Discovery",
"System_Network_Connections_Discovery",
"System_Service_Discovery",
"TikiTorch_Process_Injection",
"Universal_Windows_Platform_Apps_Modify",
"User_object_ldap_request",
"Userinitmprlogonscript_Modify",
"WDAC_Bypass_via_Dbgsrv",
"WDigest_Enable",
"WMI_Subscriptions",
"WinAPI_Access_from_Powershell",
"Windows_Accessibility_StickyKey_modification",
"Windows_Autorun_Modification",
"Windows_Defender_Disable",
"Windows_Eventlog_cleaning",
"Windows_Hacktool_Usage",
"Windows_Malicious_service_registration",
"Windows_Registry_sensitive_keys_modification",
"Windows_Service_Installed",
"Windows_Shadow_copy_removal",
"Windows_WMI_event_consumer_registration",
"Windows_WMI_event_subscription_removal",
"Windows_firewall_enable_local_RDP",
"XSL_Script_WMIC_Execution"
],
"fields": [
"action",
"alert.context",
"alert.key",
"category.generic",
"category.high",
"category.low",
"chain_id",
"correlation_name",
"correlation_type",
"dst.asset",
"dst.fqdn",
"dst.host",
"dst.hostname",
"dst.ip",
"dst.mac",
"dst.port",
"event_src.asset",
"event_src.category",
"event_src.fqdn",
"event_src.host",
"event_src.hostname",
"event_src.ip",
"event_src.rule",
"event_src.subsys",
"event_src.title",
"event_src.vendor",
"importance",
"incident.aggregation.key",
"incident.aggregation.time_window",
"incident.aggregation.timeout",
"incident.attacking_addresses",
"incident.category",
"incident.severity",
"labels",
"numfield1",
"object",
"object.account.domain",
"object.account.fullname",
"object.account.id",
"object.account.name",
"object.account.privileges",
"object.account.session_id",
"object.domain",
"object.fullpath",
"object.hash",
"object.id",
"object.name",
"object.new_value",
"object.path",
"object.process.cmdline",
"object.process.cwd",
"object.process.fullpath",
"object.process.guid",
"object.process.hash",
"object.process.id",
"object.process.meta",
"object.process.name",
"object.process.original_name",
"object.process.parent.cmdline",
"object.process.parent.fullpath",
"object.process.parent.guid",
"object.process.parent.id",
"object.process.parent.name",
"object.process.parent.path",
"object.process.path",
"object.process.version",
"object.property",
"object.query",
"object.state",
"object.storage.fullpath",
"object.storage.id",
"object.storage.name",
"object.storage.path",
"object.type",
"object.value",
"object.vendor",
"object.version",
"reason",
"src.asset",
"src.fqdn",
"src.host",
"src.hostname",
"src.ip",
"src.mac",
"src.port",
"status",
"subject",
"subject.account.domain",
"subject.account.fullname",
"subject.account.id",
"subject.account.name",
"subject.account.privileges",
"subject.account.session_id",
"subject.name",
"subject.process.cmdline",
"subject.process.cwd",
"subject.process.fullpath",
"subject.process.guid",
"subject.process.hash",
"subject.process.id",
"subject.process.meta",
"subject.process.name",
"subject.process.original_name",
"subject.process.parent.id",
"subject.process.path",
"subject.process.version",
"subject.type",
"subject.version"
],
"last_module_update": "2022-10-26 00:00:00",
"last_update": "2022-10-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"linux": [
"amd64"
],
"windows": [
"amd64"
]
},
"name": "file_reader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"frd_module_internal_error",
"frd_module_started",
"frd_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-11-02 00:00:00",
"last_update": "2022-11-02 00:00:00"
}
]