Investigate conversion of `file` events

[fukusuket]

There are several rules in the Sigma repository that fall under the file_xxx category.

• https://github.com/SigmaHQ/sigma/tree/78a78c79ffd2998cd864618c538395a4e8c23902/rules/windows/file

By looking at the fields referenced in these rules, it appears that some of them can be mapped to Security event logs?🤔
I will look into.

• https://learn.microsoft.com/ja-jp/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011
• https://learn.microsoft.com/ja-jp/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4656

@YamatoSecurity
What do you think?

[YamatoSecurity]

@fukusuket I think this is a good area of research to look into eventually but we should probably prioritize suzaku and WELA development first, then registry event detection and then file events last.

[fukusuket]

@YamatoSecurity
Thank you for comment! I see, It seems like we should prioritize development! Once the development is done, if I still have some capacity笑, I’ll give it a try :)