Create Windows.EventLogs.SysmonProcessEnriched.yaml (Velocidex#866)

Artifact that enriches Sysmon process creation logs with the
authenticode signature and the call chain.

content/exchange/artifacts/Windows.EventLogs.SysmonProcessEnriched.yaml

@@ -0,0 +1,29 @@
+name: Windows.EventLogs.SysmonProcessEnriched.yaml
+author: "Zane Gittins"
+description: |
+   Gather sysmon process creation events from the sysmon operational event log. Enrich with authenticode signature of image and call chain.
+   Caches authenticode signature by the hash of the image for ClearCacheSeconds (default, 1hr).
+   Prerequisites: Sysmon, and the process tracker.
+
+type: CLIENT_EVENT
+parameters:
+  - name: ClearCacheSeconds
+    default: 3600
+    description: Clear cache at this interval of seconds.
+    type: int64
+
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+        LET get_auth_cache(Image) = SELECT authenticode(filename=Image) as Authenticode from info()
+
+        SELECT *,
+        cache(period=ClearCacheSeconds,func=get_auth_cache(Image=EventData.Image),key=str(str=EventData.Hashes))[0].Authenticode as Authenticode,
+        join(array=process_tracker_callchain(id=EventData.ProcessId).Data.Name, sep="->") AS CallChain
+        FROM watch_evtx(filename="C:\\Windows\\system32\\winevt\\Logs\\Microsoft-Windows-Sysmon%4Operational.evtx")
+        WHERE System.EventID.Value = 1
+ 
+resources:
+  max_rows: 1000