soldr-modules/config.json
[
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "sysmon",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"sysmon_already_installed",
"sysmon_already_started",
"sysmon_config_updated_error",
"sysmon_config_updated_success",
"sysmon_installed_error",
"sysmon_installed_success",
"sysmon_started_error",
"sysmon_started_success",
"sysmon_unexpected_stopped",
"sysmon_unexpected_uninstalled",
"sysmon_uninstalled_error",
"sysmon_uninstalled_success",
"sysmon_updated_error",
"sysmon_updated_success"
],
"fields": [
"reason",
"version"
],
"last_module_update": "2022-12-20 00:00:00",
"last_update": "2022-12-20 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "wineventlog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"wel_module_internal_error",
"wel_module_started",
"wel_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-12-22 00:00:00",
"last_update": "2022-12-22 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "custom",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "lua_interpreter",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [],
"fields": [],
"last_module_update": "2022-12-08 00:00:00",
"last_update": "2022-12-08 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "syslog",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"send_to_syslog"
],
"events": [
"syslog_module_started",
"syslog_module_stopped"
],
"fields": [],
"last_module_update": "2022-12-08 00:00:00",
"last_update": "2022-12-08 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_remover",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fr_remove_object_file",
"fr_remove_object_proc_image",
"fr_remove_subject_proc_image"
],
"events": [
"fr_module_started",
"fr_module_stopped",
"fr_object_file_removed_failed",
"fr_object_file_removed_successful",
"fr_object_proc_image_removed_failed",
"fr_object_proc_image_removed_successful",
"fr_remove_internal_error",
"fr_subject_proc_image_removed_failed",
"fr_subject_proc_image_removed_successful"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-12-23 00:00:00",
"last_update": "2022-12-23 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "proc_terminator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"pt_kill_object_process_by_file_path",
"pt_kill_object_process_by_image",
"pt_kill_object_process_by_name",
"pt_kill_object_process_by_name_and_id",
"pt_kill_object_process_by_image_and_id",
"pt_kill_object_process_tree_by_file_path",
"pt_kill_object_process_tree_by_image",
"pt_kill_object_process_tree_by_name",
"pt_kill_object_process_tree_by_name_and_id",
"pt_kill_object_process_tree_by_image_and_id",
"pt_kill_subject_process_by_image",
"pt_kill_subject_process_by_name",
"pt_kill_subject_process_by_name_and_id",
"pt_kill_subject_process_by_image_and_id",
"pt_kill_subject_process_tree_by_image",
"pt_kill_subject_process_tree_by_name",
"pt_kill_subject_process_tree_by_name_and_id",
"pt_kill_subject_process_tree_by_image_and_id"
],
"events": [
"pt_module_started",
"pt_module_stopped",
"pt_object_process_killed_failed",
"pt_object_process_killed_successful",
"pt_object_process_skipped",
"pt_process_not_found",
"pt_subject_process_killed_failed",
"pt_subject_process_killed_successful",
"pt_subject_process_skipped"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.process.name",
"reason",
"subject.process.fullpath",
"subject.process.id",
"subject.process.name"
],
"last_module_update": "2022-12-20 00:00:00",
"last_update": "2022-12-20 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "yara_scanner",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"yr_object_scan_proc",
"yr_object_task_scan_proc",
"yr_scan_fs",
"yr_subject_scan_proc",
"yr_subject_task_scan_proc",
"yr_task_fastscan_fs",
"yr_task_fastscan_proc",
"yr_task_fullscan_fs",
"yr_task_fullscan_proc",
"yr_task_scan_fs"
],
"events": [
"yr_file_matched_custom",
"yr_file_matched_high",
"yr_file_matched_low",
"yr_file_matched_medium",
"yr_module_started",
"yr_module_stopped",
"yr_object_process_matched_high",
"yr_object_process_matched_low",
"yr_object_process_matched_medium",
"yr_process_matched_custom",
"yr_subject_process_matched_high",
"yr_subject_process_matched_low",
"yr_subject_process_matched_medium"
],
"fields": [
"malware_class",
"object.fullpath",
"object.process.fullpath",
"object.process.id",
"object.sha256_hash",
"reason",
"rule_name",
"rule_precision",
"rule_type",
"rules",
"subject.process.fullpath",
"subject.process.id"
],
"last_module_update": "2023-01-26 00:00:00",
"last_update": "2023-01-26 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "file_uploader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"fu_upload_object_file",
"fu_upload_object_proc_image",
"fu_upload_subject_proc_image"
],
"events": [
"fu_module_started",
"fu_module_stopped",
"fu_object_file_upload_failed",
"fu_object_file_upload_successful",
"fu_object_proc_image_upload_failed",
"fu_object_proc_image_upload_successful",
"fu_subject_proc_image_upload_failed",
"fu_subject_proc_image_upload_successful",
"fu_upload_internal_error"
],
"fields": [
"object.fullpath",
"object.process.fullpath",
"reason",
"subject.fullpath",
"subject.process.fullpath"
],
"last_module_update": "2022-12-20 00:00:00",
"last_update": "2022-12-20 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"linux": [
"amd64"
]
},
"name": "correlator_linux",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Malware_Exploit_Elf_CVE_2021_4034_a",
"Suspicious_Create_File_Boot_Modification",
"Suspicious_Create_File_Boot_RCScripts",
"Suspicious_Create_File_Scheduler_Cron",
"Suspicious_Create_File_Ssh_AuthorizedKeys",
"Suspicious_Create_Process_Iptables_ModifyFirewall",
"Suspicious_Read_File_Passwd_CredentialsEnumeration",
"Suspicious_Read_File_Shadow_CredentialsDumping",
"Suspicious_Write_File_PAM_Persistence",
"Suspicious_Write_Process_Inject_Ptrace"
],
"fields": [
"category.generic",
"category.high",
"correlation_name",
"numfield1",
"object.fullpath",
"object.name",
"object.path",
"object.process.cmdline",
"object.process.fullpath",
"object.process.id",
"object.process.name",
"object.process.parent.id",
"object.process.path",
"object.state",
"object.value",
"subject.process.fullpath",
"subject.process.id",
"subject.process.meta",
"subject.process.name",
"subject.process.parent.id",
"subject.process.path"
],
"last_module_update": "2022-12-20 00:00:00",
"last_update": "2022-12-20 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "responder",
"os": {
"windows": [
"amd64"
]
},
"name": "correlator",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"Suspicious_Create_Process_BitsAdmin_RestrictionBypass",
"Suspicious_Create_Process_NetSh_NetShell",
"Suspicious_Create_Process_Ping_SelfDelete",
"Suspicious_Create_Process_Schtasks_Persistence",
"Suspicious_Write_File_USB_AirSpread",
"Suspicious_Write_Process_Inject_CreateRemoteThread",
"Suspicious_Write_Process_Inject_ProcessTampering",
"Suspicious_Write_Registry_Key_LsaComponents",
"Suspicious_Write_Registry_Key_SafeBoot",
"Suspicious_Write_Registry_Key_ScreenSaver"
],
"fields": [
"category.generic",
"category.high",
"correlation_name",
"numfield1",
"object.fullpath",
"object.name",
"object.new_value",
"object.path",
"object.process.cmdline",
"object.process.fullpath",
"object.process.guid",
"object.process.id",
"object.process.name",
"object.process.parent.fullpath",
"object.process.parent.id",
"object.process.parent.name",
"object.process.path",
"object.property",
"object.type",
"object.value",
"reason",
"subject.process.cmdline",
"subject.process.fullpath",
"subject.process.guid",
"subject.process.id",
"subject.process.name",
"subject.process.path"
],
"last_module_update": "2023-05-24 00:00:00",
"last_update": "2023-05-24 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"linux": [
"amd64"
],
"windows": [
"amd64"
]
},
"name": "file_reader",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"frd_module_internal_error",
"frd_module_started",
"frd_module_stopped"
],
"fields": [
"reason"
],
"last_module_update": "2022-12-22 00:00:00",
"last_update": "2022-12-22 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "generic",
"os": {
"darwin": [
"amd64"
],
"linux": [
"386",
"amd64"
],
"windows": [
"386",
"amd64"
]
},
"name": "shell",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [
"shell_start",
"shell_stop"
],
"events": [
"shell_action_exec_failed",
"shell_action_exec_success"
],
"fields": [
],
"last_module_update": "2022-02-12 00:00:00",
"last_update": "2022-02-12 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"linux": [
"386",
"amd64"
]
},
"name": "auditd",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"auditd_error"
],
"fields": [
"message"
],
"tags": [],
"last_module_update": "2023-05-24 00:00:00",
"last_update": "2023-05-24 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"windows": [
"386",
"amd64"
]
},
"name": "osquery",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"osquery_already_installed",
"osquery_already_started",
"osquery_config_updated_error",
"osquery_config_updated_success",
"osquery_flagfile_updated_error",
"osquery_flagfile_updated_success",
"osquery_installed_error",
"osquery_installed_success",
"osquery_started_error",
"osquery_started_success",
"osquery_unexpected_stopped",
"osquery_unexpected_uninstalled",
"osquery_uninstalled_error",
"osquery_uninstalled_success"
],
"fields": [
"reason",
"version"
],
"last_module_update": "2022-12-27 00:00:00",
"last_update": "2022-12-27 00:00:00"
},
{
"group_id": "",
"policy_id": "",
"state": "release",
"template": "empty",
"os": {
"linux": [
"386",
"amd64"
]
},
"name": "osquery_linux",
"version": {
"major": 1,
"minor": 0,
"patch": 0
},
"actions": [],
"events": [
"osquery_linux_already_installed",
"osquery_linux_already_started",
"osquery_linux_config_updated_error",
"osquery_linux_config_updated_success",
"osquery_linux_installed_error",
"osquery_linux_installed_success",
"osquery_linux_started_error",
"osquery_linux_started_success",
"osquery_linux_unexpected_stopped",
"osquery_linux_unexpected_uninstalled",
"osquery_linux_uninstalled_error",
"osquery_linux_uninstalled_success"
],
"fields": [
"reason",
"version"
],
"last_module_update": "2022-12-27 00:00:00",
"last_update": "2022-12-27 00:00:00"
}
]