update

config/data_mapping/Security_4674_ObjectAccessAttempt.yaml

@@ -24,6 +24,12 @@ RewriteFieldData:
         - '%%4435': 'ENUMERATE_SUBKEYS'
         - '%%4436': 'KEY_CHANGES_NOTIFICATION'
         - '%%4437': 'CREATE_LINK'
+        - '%%7168': 'CONNECT_TO_SERVICE_CONTROLLER'
+        - '%%7169': 'CREATE_NEW_SERVICE'
+        - '%%7170': 'ENUM_SERVICES'
+        - '%%7171': 'LOCK_SERVICE_DB_FOR_EXCLUSIVE_ACCESS'
+        - '%%7172': 'QUERY_SERVICE_DB_LOCK_STATE'
+        - '%%7173': 'SET_LAST_KNOWN_GOOD_STATE_OF_SERVICE_DB'
         - '%%7184': 'SeImpersonatePrivilege'
         - '%%7185': 'SeCreateGlobalPrivilege'
         - '%%7186': 'SeTrustedCredManAccessPrivilege'

config/data_mapping/Security_5145_NetShareFileAccess.yaml

@@ -18,7 +18,6 @@ RewriteFieldData:
         - '%%4422': 'DELETE_CHILD'
         - '%%4423': 'READ_ATTRIBUTES'
         - '%%4424': 'WRITE_ATTRIBUTES'
-
 sample-evtx:
 references:
     - 'https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145'

config/data_mapping/Security_5157_NetConnBlocked.yaml

@@ -0,0 +1,44 @@
+Title: 'Network Connection Blocked'
+Channel: Security
+EventID: 5157
+RewriteFieldData:
+    Direction:
+        - '%%14592': 'Inbound'
+        - '%%14593': 'Outbound'
+    LayerName:
+        - '%%14610': 'Receive/Accept'
+sample-message: |
+    The Windows Filtering Platform has blocked a connection.
+
+    Application Information:
+        Process ID:		784
+        Application Name:	\device\harddiskvolume1\windows\system32\svchost.exe
+
+    Network Information:
+        Direction:		Inbound
+        Source Address:		172.17.11.209
+        Source Port:		53594
+        Destination Address:	172.29.42.10
+        Destination Port:		53
+        Protocol:		0
+
+    Filter Information:
+        Filter Run-Time ID:	66037
+        Layer Name:		Receive/Accept
+        Layer Run-Time ID:	44
+sample-evtx:
+    <EventData>
+        <Data Name="ProcessID">784</Data> 
+        <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data> 
+        <Data Name="Direction">%%14592</Data> 
+        <Data Name="SourceAddress">172.17.11.209</Data> 
+        <Data Name="SourcePort">53594</Data> 
+        <Data Name="DestAddress">172.29.42.10</Data> 
+        <Data Name="DestPort">53</Data> 
+        <Data Name="Protocol">0</Data> 
+        <Data Name="FilterRTID">66037</Data> 
+        <Data Name="LayerName">%%14610</Data> 
+        <Data Name="LayerRTID">44</Data> 
+        <Data Name="RemoteUserID">S-1-0-0</Data> 
+        <Data Name="RemoteMachineID">S-1-0-0</Data> 
+    </EventData>

config/data_mapping/System_7023_ServiceTerminated.yaml

@@ -0,0 +1,16 @@
+Title: 'Service Terminated'
+Channel: System
+Provider_Name: 'Service Control Manager'
+EventID: 7023
+RewriteFieldData:
+    param2:
+        - '%%1062': 'The service has not been started.'
+        - '%%1792': 'An attempt was made to logon, but the network logon service was not started.'
+sample-message: |
+    The Windows Time service terminated with the following error: 
+    An attempt was made to logon, but the network logon service was not started.
+sample-evtx:
+    <EventData>
+        <Data Name="param1">Windows Time</Data> 
+        <Data Name="param2">%%1792</Data> 
+    </EventData>

config/default_details.txt

@@ -77,6 +77,7 @@ Microsoft-Windows-Sysmon, 24, Proc: %Image% ¦ User: %User% ¦ CliInfo: %ClientI
 Microsoft-Windows-Sysmon, 25, Proc: %Image% ¦ Type: %Type% ¦ User: %User% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%
 Microsoft-Windows-Sysmon, 26, Path: %TargetFilename% ¦ Proc: %Image% ¦ User: %User% ¦ PID: %ProcessId% ¦ PGUID: %ProcessGuid%
 Microsoft-Windows-Sysmon, 255, ID: %ID% ¦ Description: %Description%
+Service Control Manager, 7023, Svc: %param1% ¦ ErrorMsg: %param2%
 Service Control Manager, 7031, Svc: %param1% ¦ CrashCount: %param2% ¦ Action: %param5%
 Service Control Manager, 7045, Svc: %ServiceName% ¦ Path: %ImagePath% ¦ Acct: %AccountName% ¦ StartType: %StartType%
 Microsoft-Windows-Windows Firewall With Advanced Security, 2003, Profile: %Profiles% ¦ Type: %SettingType% ¦ Value: %SettingValueString% ¦ User: %ModifyingUser% ¦ App: %ModifyingApplication%