Mappings: Linux-Sysmon/Operational - 18
| Input | Value |
|---|---|
| Vendor | Linux |
| Product | Sysmon |
| Log Format | Windows |
| Event ID Regex Pattern | Linux-Sysmon/Operational-18 |
| Output | Value |
|---|---|
| Vendor | Linux |
| Product | Sysmon for Linux |
| Record Type | EndpointProcess |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | None | The static text PipeConnected is populated in this schema field. |
| baseImage | Image | |
| description | None | The static text Sysmon observed a pipe connection is populated in this schema field. |
| device_hostname | System.Computer | |
| pid | ProcessId | |
| resource | PipeName | |
| sourceUid | System.EventRecordID | |
| timestamp | UtcTime | We expect the orginal record value of UtcTime is in the format yyyy-MM-dd HH:mm:ss.SSS |
| user_userId | System.Security.UserId |