From 0438e12642e8a3ec79464b8f7e4618debc580e68 Mon Sep 17 00:00:00 2001 From: admingit Date: Fri, 26 Jan 2024 15:06:10 +0100 Subject: [PATCH] add_TA --- .../TA-microsoft-windows/default/app.conf | 18 + .../default/eventgen.conf | 292 ++++++++++++++ .../default/eventtypes.conf | 195 ++++++++++ .../default/inputs.conf.example | 134 +++++++ .../TA-microsoft-windows/default/props.conf | 273 +++++++++++++ .../TA-microsoft-windows/default/tags.conf | 114 ++++++ .../default/transforms.conf | 86 ++++ .../lookups/windows_msdhcp_id.csv | 70 ++++ .../lookups/windows_object_category.csv | 3 + .../lookups/windows_service_startmode.csv | 4 + .../lookups/windows_service_status.csv | 7 + .../lookups/windows_status.csv | 2 + .../lookups/windows_timesync_action.csv | 16 + .../lookups/windows_vendor_action.csv | 5 + .../lookups/windowsupdatelog_status.csv | 6 + .../lookups/wineventlog_app.csv | 17 + .../wineventlog_security_signature_id.csv | 367 ++++++++++++++++++ .../wineventlog_security_signature_sub_id.csv | 24 ++ .../wineventlog_sourcetype_vendor_product.csv | 5 + .../wineventlog_vendor_severity_id.csv | 6 + .../metadata/default.meta | 4 + .../samples/AppPopup.26.windows | 11 + .../samples/CPUTime.perfmon | 27 ++ .../samples/FreeDiskSpace.perfmon | 27 ++ .../samples/LSASRV.40961.windows | 11 + .../samples/LocalNetwork.perfmon | 6 + .../samples/Memory.perfmon | 23 ++ .../samples/SCM.7036.windows | 11 + .../samples/Security.1102.windows | 17 + .../samples/Security.4672.windows | 27 ++ .../samples/Security.4673.windows | 29 ++ .../samples/Security.4688.windows | 32 ++ .../samples/Security.4689.windows | 23 ++ .../samples/Security.4717.windows | 24 ++ .../samples/Security.4718.windows | 24 ++ .../samples/Security.4726.windows | 26 ++ .../samples/Security.4743.windows | 26 ++ .../samples/W32Time.17.windows | 14 + .../samples/W32Time.29.windows | 14 + .../samples/W32Time.35.windows | 12 + .../samples/WinHostMon-OperatingSystem | 22 ++ .../samples/WinHostMon-Processor | 8 + .../samples/WindowsUpdateClient.19.windows | 150 +++++++ .../samples/XmlSecurity.4608.windows.xml | 1 + .../samples/XmlSecurity.4616.windows.xml | 1 + .../samples/XmlSecurity.4624.windows.xml | 1 + .../samples/XmlSecurity.4625.windows.xml | 1 + .../samples/XmlSecurity.4634.windows.xml | 1 + .../samples/XmlSecurity.4647.windows.xml | 1 + .../samples/XmlSecurity.4648.windows.xml | 1 + .../samples/XmlSecurity.4672.windows.xml | 11 + .../samples/XmlSecurity.4720.windows.xml | 4 + .../samples/XmlSecurity.4722.windows.xml | 1 + .../samples/XmlSecurity.4724.windows.xml | 1 + .../samples/XmlSecurity.4728.windows.xml | 1 + .../samples/XmlSecurity.4732.windows.xml | 1 + .../samples/XmlSecurity.4735.windows.xml | 1 + .../samples/XmlSecurity.4738.windows.xml | 1 + .../samples/XmlSecurity.4776.windows.xml | 1 + .../samples/XmlSecurity.4781.windows.xml | 1 + .../samples/XmlSecurity.4797.windows.xml | 1 + .../samples/XmlSecurity.4902.windows.xml | 1 + .../samples/XmlSecurity.4907.windows.xml | 1 + .../samples/XmlSystem.update_ready.xml | 25 ++ .../samples/XmlSystem.update_success.xml | 1 + .../samples/audit_types.list | 2 + .../samples/sample.DhcpSrvLog | 7 + .../samples/sample.win_installed_apps | 25 ++ .../samples/sample.win_listening_ports | 1 + .../samples/sample.winregistry | 40 ++ .../samples/server2k8.WindowsUpdateLog | 72 ++++ .../TA-microsoft-windows/splunkbase.manifest | 320 +++++++++++++++ 72 files changed, 2738 insertions(+) create mode 100644 deployment-apps/TA-microsoft-windows/default/app.conf create mode 100644 deployment-apps/TA-microsoft-windows/default/eventgen.conf create mode 100644 deployment-apps/TA-microsoft-windows/default/eventtypes.conf create mode 100644 deployment-apps/TA-microsoft-windows/default/inputs.conf.example create mode 100644 deployment-apps/TA-microsoft-windows/default/props.conf create mode 100644 deployment-apps/TA-microsoft-windows/default/tags.conf create mode 100644 deployment-apps/TA-microsoft-windows/default/transforms.conf create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_msdhcp_id.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_object_category.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_service_startmode.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_service_status.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_status.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_timesync_action.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windows_vendor_action.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/windowsupdatelog_status.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/wineventlog_app.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_id.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_sub_id.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/wineventlog_sourcetype_vendor_product.csv create mode 100644 deployment-apps/TA-microsoft-windows/lookups/wineventlog_vendor_severity_id.csv create mode 100644 deployment-apps/TA-microsoft-windows/metadata/default.meta create mode 100644 deployment-apps/TA-microsoft-windows/samples/AppPopup.26.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/CPUTime.perfmon create mode 100644 deployment-apps/TA-microsoft-windows/samples/FreeDiskSpace.perfmon create mode 100644 deployment-apps/TA-microsoft-windows/samples/LSASRV.40961.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/LocalNetwork.perfmon create mode 100644 deployment-apps/TA-microsoft-windows/samples/Memory.perfmon create mode 100644 deployment-apps/TA-microsoft-windows/samples/SCM.7036.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.1102.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4672.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4673.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4688.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4689.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4717.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4718.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4726.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/Security.4743.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/W32Time.17.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/W32Time.29.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/W32Time.35.windows create mode 100644 deployment-apps/TA-microsoft-windows/samples/WinHostMon-OperatingSystem create mode 100644 deployment-apps/TA-microsoft-windows/samples/WinHostMon-Processor create mode 100644 deployment-apps/TA-microsoft-windows/samples/WindowsUpdateClient.19.windows create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4608.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4616.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4624.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4625.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4634.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4647.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4648.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4672.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4720.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4722.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4724.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4728.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4732.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4735.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4738.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4776.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4781.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4797.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4902.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4907.windows.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_ready.xml create mode 100755 deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_success.xml create mode 100644 deployment-apps/TA-microsoft-windows/samples/audit_types.list create mode 100644 deployment-apps/TA-microsoft-windows/samples/sample.DhcpSrvLog create mode 100644 deployment-apps/TA-microsoft-windows/samples/sample.win_installed_apps create mode 100644 deployment-apps/TA-microsoft-windows/samples/sample.win_listening_ports create mode 100644 deployment-apps/TA-microsoft-windows/samples/sample.winregistry create mode 100644 deployment-apps/TA-microsoft-windows/samples/server2k8.WindowsUpdateLog create mode 100644 deployment-apps/TA-microsoft-windows/splunkbase.manifest diff --git a/deployment-apps/TA-microsoft-windows/default/app.conf b/deployment-apps/TA-microsoft-windows/default/app.conf new file mode 100644 index 00000000..41c36720 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/app.conf @@ -0,0 +1,18 @@ +# +# Splunk app configuration file +# + +[install] +is_configured = 0 + +[ui] +is_visible = 0 +label = Technology Add-On for Microsoft Windows + +[launcher] +author = my2ndhead +description = Technology Add-On for Microsoft Windows +version = 1.0 + +[package] +id = TA-microsoft-windows diff --git a/deployment-apps/TA-microsoft-windows/default/eventgen.conf b/deployment-apps/TA-microsoft-windows/default/eventgen.conf new file mode 100644 index 00000000..408780a9 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/eventgen.conf @@ -0,0 +1,292 @@ +#### Use TA-microsoft-windows/default/inputs.conf sequence + +#### Default replacement for all DhcpSrvLog logs +[sample.DhcpSrvLog] +index = windows +source=c:\windows\system32\dhcp\dhcpsrvlog.log +sourcetype = DhcpSrvLog +interval = 300 +## Generate all events in sample +count = 0 +earliest = -5m +latest = now + +## replace timestamp 10,07/21/06,19:42:47 +token.0.token = ^\d+\,(\d{2}\/\d{2}\/\d{2}\,\d{2}:\d{2}:\d{2}) +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%y,%H:%M:%S + +#### Default replacements for all WindowsUpdateLog logs +[.*\.WindowsUpdateLog] +index = windows +source = WindowsUpdateLog +sourcetype = WindowsUpdateLog +interval = 7200 + +## Generate all events in sample +count = 0 +earliest = -5m +latest = now + +## replace timestamp 2010-06-16 18:35:22:743 +token.0.token = ^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}):\d+ +token.0.replacementType = timestamp +token.0.replacement = %Y-%m-%d %H:%M:%S + +[WindowsUpdateClient.19.windows] +index = wineventlog +source = WinEventLog:System +sourcetype = WinEventLog:System +interval = 7200 +## Generate all events in sample +count = 10 + +## replace ComputerName: +token.0.token = ComputerName=(\S+) +token.0.replacementType = file +token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample + +#### Replacement for win_listening_ports +[sample.win_listening_ports] +index = windows +source = Script:ListeningPorts +sourcetype = Script:ListeningPorts +spoolFile = win_listening_ports.bat +interval = 300 +count = 10 +earliest = -5m +latest = now + +## replace timestamp 04/14/2011 19:42:27 +token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2} +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%Y %H:%M:%S + +## replace ip +token.1.token = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +token.1.replacementType = random +token.1.replacement = ipv4 + +## replace port +token.2.token = dest_port=(\d+) +token.2.replacementType = random +token.2.replacement = integer[0:1024] + +## replace pid +token.3.token = pid=(\d+) +token.3.replacementType = random +token.3.replacement = integer[1:65535] + +#### Replacement for win_installed_apps +[sample.win_installed_apps] +index = windows +source = Script:InstalledApps +sourcetype = Script:InstalledApps +breaker = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2} +spoolFile = win_installed_apps.bat +interval = 3600 +count = 3 +earliest = -60m +latest = now + +## replace timestamp 05/19/2011 10:48:34 +token.0.token = ^\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2} +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%Y %H:%M:%S + +#### Default replacement for all perfmon logs +[.*\.perfmon] +index = perfmon +interval = 3600 +count = 10 +earliest = -5m +latest = now + +## replace timestamp 04/14/2011 11:53:26.486 +token.0.token = (\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+ +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%Y %H:%M:%S + +#### Perfmon:CPU +[CPUTime.perfmon] +index = perfmon +source = Perfmon:CPU +sourcetype = Perfmon:CPU +breaker = counter="% Processor Time" + +token.0.token = @@proc_time +token.0.replacementType = random +token.0.replacement = integer[25:100] + +token.1.token = @@user_time +token.1.replacementType = random +token.1.replacement = integer[0:25] + +#### Perfmon:FreeDiskSpace +[FreeDiskSpace.perfmon] +index = perfmon +source = Perfmon:FreeDiskSpace +sourcetype = Perfmon:FreeDiskSpace +breaker = counter="Free Megabytes" + +token.0.token = @@mbytes_free +token.0.replacementType = random +token.0.replacement = integer[1000:10000] + +token.1.token = @@perc_free +token.1.replacementType = random +token.1.replacement = integer[0:100] + +#### Perfmon:Memory +[Memory.perfmon] +source = Perfmon:Memory +sourcetype = Perfmon:Memory +breaker = counter="Available MBytes" + +#### Perfmon:LocalNetwork +[LocalNetwork.perfmon] +source = Perfmon:LocalNetwork +sourcetype = Perfmon:LocalNetwork +breaker = counter="Current Bandwidth" + +#### Default replacement for all windows logs +[.*\.windows] +index = wineventlog +breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm] +interval = 3600 +count = 10 +earliest = -5m +latest = now + +## replace timestamp 03/11/10 01:12:01 PM +token.0.token = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+[AaPp][Mm] +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%Y %I:%M:%S %p + +## replace @@RecordNumber +token.1.token = RecordNumber=(\d+) +token.1.replacementType = random +token.1.replacement = integer[0:999999999] + +## replace Source Port: +token.2.token = Source Port:\s*(.*) +token.2.replacementType = random +token.2.replacement = integer[1025:65535] + +## Moving the stanza below to exclude renaming anomalous eventtypes +## replace ComputerName: +#token.3.token = ComputerName=(\S+) +#token.3.replacementType = file +#token.3.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample + +[SCM.7036.windows] +index = wineventlog +source = WinEventLog:System +sourcetype = WinEventLog:System + +[LSASRV.40961.windows] +index = wineventlog +source = WinEventLog:System +sourcetype = WinEventLog:System + +[AppPopup.26.windows] +index = wineventlog +source = WinEventLog:System +sourcetype = WinEventLog:System + +[W32Time\.[0-9]*\.windows] +index = wineventlog +source = WinEventLog:System +sourcetype = WinEventLog:System + +[Security\.[0-9]*\.windows] +index = wineventlog +source = WinEventLog:Security +sourcetype = WinEventLog:Security +## replace ComputerName: +token.0.token = ComputerName=(\S+) +token.0.replacementType = file +token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/hostname.sample + +#### Sample specific settings +## replace @@AuditType +#token.token = Type=(Success|Failure)\s+Audit +#token.replacementType = file +#token.replacement = $SPLUNK_HOME/etc/apps/TA-microsoft-windows/samples/audit_types.list + +################################################## +## Anomalous events +################################################## + +[Security.1102.windows] +index = wineventlog +source = WinEventLog:Security +sourcetype = WinEventLog:Security +interval = 3600 +## Generate all events in sample +count = 0 + +[Security.4726.windows] +index = wineventlog +source = WinEventLog:Security +sourcetype = WinEventLog:Security +interval = 900 +## Generate all events in sample +count = 0 + +[Security.4743.windows] +index = wineventlog +source = WinEventLog:Security +sourcetype = WinEventLog:Security +interval = 900 +## Generate all events in sample +count = 0 + +[Security.4672.windows] +index = wineventlog +source = WinEventLog:Security +sourcetype = WinEventLog:Security +## replace @@user +token.0.token = @@user +token.0.replacementType = file +token.0.replacement = $SPLUNK_HOME/etc/apps/SA-Eventgen/samples/dist.all.last + +#### Default replacements for all WinRegistry logs +[.*\.winregistry] +index = windows +source = WinRegistry +sourcetype = WinRegistry +breaker = ^\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+ +interval = 300 +count = 10 +earliest = -5m +latest = now + +## replace timestamp 09/09/2010 23:36:32.0128 +token.0.token = ^(\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2})\.\d+ +token.0.replacementType = timestamp +token.0.replacement = %m/%d/%Y %H:%M:%S + +[WinHostMon-OperatingSystem] +index = windows +sourcetype = WinHostMon +source = OperatingSystem +count = 0 + +[WinHostMon-Processor] +index = windows +sourcetype = Processor +source = Computer +count = 0 + +[XmlSecurity\.[0-9]*\.windows\.xml] +index = wineventlog +source = WinEventLog:Security +sourcetype = XmlWinEventLog:Security +breaker = ^<\/Events>$ + +[XmlSystem.update_.*\.xml] +index = wineventlog +source = WinEventLog:System +sourcetype = XmlWinEventLog:System +breaker = ^<\/Events>$ diff --git a/deployment-apps/TA-microsoft-windows/default/eventtypes.conf b/deployment-apps/TA-microsoft-windows/default/eventtypes.conf new file mode 100644 index 00000000..83b68e32 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/eventtypes.conf @@ -0,0 +1,195 @@ +### Security: Account Logon + +[microsoft_windows_security_authentication] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4624 OR event_id=4625 OR event_id=4648 OR event_id=4672 OR event_id=4768 OR event_id=4772 OR event_id=4769 OR event_id=4773 OR event_id=4770 OR event_id=4771 OR event_id=4776 OR event_id=4777 OR event_id=4778 OR event_id=4779) +#tags = authentication + +## A logon was attempted using explicit credentials +## EventCodes 4648 +[microsoft_windows_security_authentication_privileged] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4648 OR event_id=4672 +#tags = privileged + +### Security: Account Management +[microsoft_windows_account_management] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4720 OR event_id=4722 OR event_id=4723 OR event_id=4724 OR event_id=4725 OR event_id=4726 OR event_id=4738 OR event_id=4740 OR event_id=4741 OR event_id=4742 OR event_id=4765 OR event_id=4766 OR event_id=4767 OR event_id=4780 OR event_id=4781 OR event_id=4794 OR event_id=5376 OR event_id=5377) +#tags = account change + +### Security: Audit (Event Log) ### + +[microsoft_windows_audit] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=1100 OR event_id=1101 OR event_id=1102 OR event_id=1104 OR event_id=1105 OR event_id=1108) +#tags = audit change + +### Security: Object Access + +## Object Open +## EventCodes 4656 +[microsoft_windows_object_open] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4656 + +## Handle Closed +## EventCodes 4658 +[microsoft_windows_handle_closed] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4658 + +### Security: Policy Change + +## Audit Policy Change/The audit policy (SACL) on an object was changed +## EventCodes 4715, 4719 +[microsoft_windows_audit_policy_change_object] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4715 OR event_id=4719) +#tags = audit change + +## System security access was granted to an account +## EventCodes 4717 +[microsoft_windows_security_access_granted] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4717 + +## System security access was removed from an account +## EventCodes 4718 +[microsoft_windows_security_access_removed] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4718 + +## Per User Audit Policy was changed +## EventCodes 4912 +[microsoft_windows_audit_policy_change_user] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4912 +#tags = audit change + +## A change has been made to Windows Firewall +## EventCodes 4946, 4947, 4948 +[microsoft_windows_audit_policy_change_firewall] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security (event_id=4946 OR event_id=4947 OR event_id=4948) +#tags = audit change + +## The Windows Firewall has detected an application listening for incoming traffic +## EventCodes 4957 +[microsoft_windows_firewall_port_listening] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4957 + +### Security: Privilege Use + +## Privileged Service Called +## EventCodes 4673 +[microsoft_windows_privileged_service_call] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4673 + +## Privileged object operation +## EventCodes 4674 +[microsoft_windows_privileged_object_operation] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4674 + +### Security: Process Tracking + +## A new process has been created +## EventCodes 4688 +[microsoft_windows_process_new] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4688 + +## A process has exited +## EventCodes 4689 +[microsoft_windows_process_exit] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4689 + +## A process was assigned a primary token +## EventCodes 4696 +[microsoft_windows_process_token] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4696 + +### Security: System + +## An authentication package has been loaded by the Local Security Authority +## EventCodes 4610 +[microsoft_windows_auth_package] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4610 + +## A trusted logon process has registered with the Local Security Authority +## EventCodes 4611 +[microsoft_windows_logon_process] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4611 + +## A notification package has been loaded by the Security Account Manager +## EventCodes 4614 +[microsoft_windows_notification_package] +search = sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Security event_id=4614 + +### Perfmon + +[microsoft_windows_perfmon] +search = sourcetype=Perfmon:* +#tags = os + +[microsoft_windows_perfmon_cputime] +search = sourcetype=Perfmon:CPU OR sourcetype=Perfmon:CPUTime +#tags = performance cpu report + +[microsoft_windows_perfmon_logicaldisk] +search = sourcetype=Perfmon:LogicalDisk +#tags = performance storage + +[microsoft_windows_perfmon_memory] +search = sourcetype=Perfmon:Memory +#tags = performance memory report + +[microsoft_windows_perfmon_network] +search = sourcetype=Perfmon:Network +#tags = performance network + +[microsoft_windows_perfmon_network_throughput] +search = sourcetype=PERFMON:LocalNetwork counter="Bytes Total/sec" +#tags = performance network + +[microsoft_windows_perfmon_network_bandwidth] +search = sourcetype=PERFMON:LocalNetwork counter="Current Bandwidth" +#tags = performance network + +[microsoft_windows_perfmon_process] +search = sourcetype=Perfmon:Process +#tags = performance process + +### Hostmon + +[microsoft_windows_hostmon_disk] +search = sourcetype=WinHostMon source=disk +#tags = inventory performance storage + +[microsoft_windows_hostmon_os] +search = sourcetype=WinHostMon source=os +#tags = cpu inventory memory performance system version + +[microsoft_windows_hostmon_process] +search = sourcetype=WinHostMon source=process +#tages = process report + +[microsoft_windows_hostmon_service] +search = sourcetype=WinHostMon source=service +#tags = services report + +[microsoft_windows_hostmon_service_time] +search = sourcetype=WinHostMon source=service Name=W32Time +#tags = time synchronize + +### Windowsupdatelog +[microsoft_windows_windowsupdatelog] +search = sourcetype=WindowsUpdateLog +#tags = update + +[microsoft_windows_windowsupdatelog_status] +search = sourcetype="WindowsUpdateLog" "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update" +#tags = status + +### WinRegistry +[microsoft_windows_winregistry] +search = sourcetype=WinRegistry +#tags = endpoint change + +### Windows Timesync +[microsoft_windows_timesync] +search = ((sourcetype=WinEventLog:System OR sourcetype=XmlWinEventLog:System) ("W32Time" OR "Microsoft-Windows-Time-Service") (event_id=17 OR event_id=29 OR event_id=35 OR event_id=36 OR event_id=37 OR event_id=38)) OR (sourcetype=Script:TimesyncStatus action=success) +#tags = os performance time synchronize + +### Windows Listening Ports +[microsoft_windows_ports_listening] +search = sourcetype="Script:ListeningPorts" +#tags = listening port diff --git a/deployment-apps/TA-microsoft-windows/default/inputs.conf.example b/deployment-apps/TA-microsoft-windows/default/inputs.conf.example new file mode 100644 index 00000000..4308e269 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/inputs.conf.example @@ -0,0 +1,134 @@ +# Sample inputs.conf for sourcetypes supported by app + +[WinEventLog://Application] +disabled = 1 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +index = wineventlog +renderXml=true + +[WinEventLog://Security] +disabled = 1 +start_from = oldest +current_only = 0 +evt_resolve_ad_obj = 1 +checkpointInterval = 5 +index = wineventlog +renderXml=true + +[WinEventLog://System] +disabled = 1 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +index = wineventlog +renderXml=true + +[monitor://$WINDIR\System32\DHCP] +disabled = 0 +whitelist = DhcpSrvLog* +crcSalt = +sourcetype = DhcpSrvLog +index = windows + +[monitor://$WINDIR\WindowsUpdate.log] +disabled = 0 +sourcetype = WindowsUpdateLog +index = windows + +[script://.\bin\win_installed_apps.bat] +disabled = 0 +index = windows +sourcetype = Script:InstalledApps +interval = 600 + +[script://.\bin\win_listening_ports.bat] +disabled = 0 +index = windows +sourcetype = Script:ListeningPorts +interval = 3600 + +[script://.\bin\win_timesync_configuration.bat] +disabled = 0 +index = windows +sourcetype = Script:TimesyncConfiguration + +[script://.\bin\win_timesync_status.bat] +disabled = 0 +index = windows +sourcetype = Script:TimesyncStatus + +[perfmon://CPUTime] +disabled = 0 +index = perfmon +interval = 600 + +[perfmon://CPU] +disabled = 0 +index = perfmon +interval = 600 + +[perfmon://FreeDiskSpace] +disabled = 0 +index = perfmon +interval = 600 + +[perfmon://Memory] +disabled = 0 +index = perfmon +interval = 600 + +[perfmon://LocalNetwork] +disabled = 0 +index = perfmon +interval = 600 + +[perfmon://LogicalDisk] +counters = * +disabled = 0 +instances = * +interval = 10 +object = LogicalDisk +index = perfmon + +[perfmon://Process] +counters = * +disabled = 0 +instances = * +interval = 10 +object = Process +index = perfmon + +[perfmon://System] +counters = * +disabled = 0 +instances = * +interval = 10 +object = System +index = perfmon + +[WinHostMon://os] +type = operatingSystem +interval = 86400 +index = windows + +[WinHostMon://disk] +type = disk +interval = 86400 +index = windows + +[WinHostMon://network] +type = networkAdapter +interval = 86400 +index = windows + +[WinHostMon://service] +type = service +interval = 300 +index = windows + +[WinHostMon://process] +type = process +interval = 300 +index = windows diff --git a/deployment-apps/TA-microsoft-windows/default/props.conf b/deployment-apps/TA-microsoft-windows/default/props.conf new file mode 100644 index 00000000..24714947 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/props.conf @@ -0,0 +1,273 @@ +### XmlWinEventLog + +[XmlWinEventLog:Security] +KV_MODE = none +EXTRACT-dest = (?[^<]+)<\/Data> +EXTRACT-dest_01 = (?[^<]+)<\/Data> +# Set Computer as last dest +EXTRACT-dest_02 = (?[^<]+)<\/Computer> +EXTRACT-dest_nt_domain = (?[^<]+)<\/Data> +EXTRACT-dest_port = (?[^<]+)<\/Data> +EXTRACT-event_id,signature_id = (?(?\d+))<\/EventID> +EXTRACT-event_record_id = (?\d+)<\/EventRecordID> +EXTRACT-logon_id = (?[^<]+)<\/Data> +EXTRACT-logon_type = (?\d+)<\/Data> +EXTRACT-object_attrs = (?[^<]+)<\/Data> +EXTRACT-process = (?[^<]+)<\/Data> +EXTRACT-process_id = (?[^<]+) +EXTRACT-src_01 = (?[^<]+)<\/Data> +EXTRACT-src_nt_domain = (?[^<]+)<\/Data> +EXTRACT-src_port = (?[^<]+)<\/Data> +EXTRACT-src_user = (?[^<]+)<\/Data> +EXTRACT-signature_sub_id = (?[^<]+)<\/Data> +EXTRACT-thread_id = (?[^<]+)<\/Data> +FIELDALIAS-dvc = host as dvc, host as dvc_nt_host +LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status +LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub +LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product +LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app +LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app +LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app + +[XmlWinEventLog:System] +KV_MODE = none +EXTRACT-dest = (?[^<]+)<\/Computer> +EXTRACT-event_id = (?\d+)<\/EventID> +EXTRACT-event_record_id = (?\d+)<\/EventRecordID> +EXTRACT-event_source = EventSourceName='(?[^']+)' +EXTRACT-guid = Guid='(?[^']+)' +EXTRACT-provider = (?\d+)<\/Level> +REPORT-signature,signature_id = xmleventlog_updatelist,xmleventlog_signature_signature_id +FIELDALIAS-dvc = host as dvc, host as dvc_nt_host +LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product +LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity +LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider OUTPUTNEW action + +[XmlWinEventLog:Application] +KV_MODE = none +EXTRACT-event_id = (?\d+)<\/EventID> +EXTRACT-event_record_id = (?\d+)<\/EventRecordID> +EXTRACT-event_source = EventSourceName='(?[^']+)' +EXTRACT-guid = Guid='(?[^']+)' +EXTRACT-provider = \S+).*?(?:(?:\r*\n){2}) +# Set ComputerName as last dest +EXTRACT-dest_01 = ComputerName=(?\S+) +EXTRACT-dest_port = (?s)Network Information:.*?Destination Port:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-dest_nt_domain = (?s)Account Whose Credentials Were Used:.*?Account Domain:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-event_id,signature_id = EventCode=(?(?\d+)) +EXTRACT-event_record_id = RecordNumber=(?\d+) +EXTRACT-logon_id = Logon ID:\s+(?\S+) +EXTRACT-logon_type = Logon Type:\s+(?\d+) +EXTRACT-object_attrs = Rule Name:\s+(?[^$]+)$ +EXTRACT-process = (?s)Application Information:.*?Process Name:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-process_id = (?s)Application Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-process_id_01 = (?s)Process Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-signature_sub_id = (?s)Failure Information:.*?Sub Status:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-src = (?s)Network Information:.*?Source Address:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-src_nt_domain =(?s)Subject:.*?Account Domain:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-src_port = (?s)Network Information:.*?Source Port:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-src_user = (?s)Subject:.*?Account Name:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-user = (?s)Account Whose Credentials Were Used:.*?Account Name:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-vendor_direction = (?s)Network Information:.*?Direction:\s+(?\S+).*?(?:(?:\r*\n){2}) +FIELDALIAS-dvc = host as dvc, host as dvc_nt_host +LOOKUP-wineventlog_security_signature_id = wineventlog_security_signature_id signature_id OUTPUTNEW action, category, object, object_category, subcategory, signature, status +LOOKUP-wineventlog_security_signature_sub_id = wineventlog_security_signature_sub_id signature_id signature_sub_id OUTPUTNEW signature_sub +LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product +LOOKUP-wineventlog_app-event_id = wineventlog_app event_id OUTPUTNEW app +LOOKUP-wineventlog_app-src = wineventlog_app src OUTPUTNEW app +LOOKUP-wineventlog_app-logon_type = wineventlog_app logon_type OUTPUTNEW logon_type_description app + +[WinEventLog:System] +KV_MODE = none +EXTRACT-dest = ComputerName=(?\S+) +EXTRACT-event_id = EventCode=(?\d+) +EXTRACT-event_record_id = RecordNumber=(?\d+) +EXTRACT-event_source = SourceName=(?\S+) +FIELDALIAS-dvc = host as dvc, host as dvc_nt_host +LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product +LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity +LOOKUP-windows_timesync_action = windows_timesync_action event_id, provider as event_source OUTPUT action + +[WinEventLog:Application] +KV_MODE = none +EXTRACT-event_id = EventCode=(?\d+) +EXTRACT-event_record_id = RecordNumber=(?\d+) +EXTRACT-event_source = SourceName=(?\S+) +FIELDALIAS-dvc = host as dvc, host as dvc_nt_host +LOOKUP-wineventlog_sourcetype_vendor_product = wineventlog_sourcetype_vendor_product sourcetype OUTPUT vendor, product +LOOKUP-wineventlog_vendor_severity_id = wineventlog_vendor_severity_id vendor_severity_id OUTPUT vendor_severity + +### Perfmon + +[Perfmon:CPU] +EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?\S+) +EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?instance=_Total.*?Value=(?\S+) +EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?instance=_Total.*?Value=(?\S+) +EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?instance=_Total.*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src + +[Perfmon:CPUTime] +EXTRACT-cpu_load_mhz = (?s)counter="Processor Frequency".*?Value=(?\S+) +EXTRACT-cpu_load_percent = (?s)counter="% Processor Time".*?Value=(?\S+) +EXTRACT-cpu_user_percent = (?s)counter="% User Time".*?Value=(?\S+) +EXTRACT-cpu_interrupts = (?s)counter="Interrupts/sec".*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src + +[Perfmon:System] +EXTRACT-wait_threads_count = (?s)counter="Processor Queue Length".*?Value=(?\S+) +EXTRACT-system_threads_count = (?s)counter="Threads".*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src + +[Perfmon:FreeDiskSpace] +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src +FIELDALIAS-mount = instance as mount +EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null()) +EVAL-storage_free_percent = if(counter=="% Free Space",Value,null()) +EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null()) + +[Perfmon:LogicalDisk] +EXTRACT-read_latency = (?s)counter="Avg. Disk sec/Read".*?Value=(?\S+) +EXTRACT-write_latency = (?s)counter="Avg. Disk sec/Write".*?Value=(?\S+) +EXTRACT-storage_free_percent = (?s)counter="% Free Space".*?Value=(?\S+) +EXTRACT-read_ops = (?s)counter="Disk Reads/sec".*?Value=(?\S+) +EXTRACT-write_ops = (?s)counter="Disk Writes/sec".*?Value=(?\S+) +EXTRACT-total_ops = (?s)counter="Disk Transfers/sec".*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src +EVAL-mount = if(instance=="_Total", null(), instance) +# Keeping this field in ms +EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null()) + +[Perfmon:LocalNetwork] +EXTRACT-thruput = (?s)counter="Bytes Total/sec".*?Value=(?\S+) +EXTRACT-thruput_max = (?s)counter="Current Bandwidth".*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src + +[Perfmon:Process] +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src +EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null()) +EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null()) +EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null()) + +[Perfmon:Memory] +EXTRACT-mem_committed = (?s)counter="Committed Bytes".*?Value=(?\S+) +EXTRACT-mem_page_ops = (?s)counter="Pages/sec".*?Value=(?\S+) +EXTRACT-swap_free = (?s)counter="Pool Nonpaged Bytes".*?Value=(?\S+) +EXTRACT-swap_used = (?s)counter="Pool Paged Bytes".*?Value=(?\S+) +FIELDALIAS-dest = host as dest +FIELDALIAS-src = host as src +EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null()) + +### WinHostMon + +[WinHostMon] +EXTRACT-mount = Type=Disk.*?Name="(?[^"]+)" +EXTRACT-process = Type=Process.*?Name="(?[^"]+)" +EXTRACT-service = DisplayName="(?[^"]+)" +FIELDALIAS-cpu_mhz = ClockSpeedMHz as cpu_mhz +FIELDALIAS-cpu_cores = NumberOfCores AS cpu_cores +FIELDALIAS-cpu_count = NumberOfProcessors AS cpu_count +FIELDALIAS-dest = host as dest +FIELDALIAS-family = Architecture as family +FIELDALIAS-os = OS as os +FIELDALIAS-version = Version as version +EVAL-mem_free_percent = FreePhysicalMemoryKB/TotalPhysicalMemoryKB +EVAL-mem_used = (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024 +EVAL-mem = if(source=="os", TotalPhysicalMemoryKB/1024, null()) +EVAL-storage = if (source=="disk", TotalSpaceKB/1024, null()) +EVAL-storage_free = if (source=="disk", FreeSpaceKB/1024, null()) +EVAL-storage_used = if (source=="disk", (TotalSpaceKB-FreeSpaceKB)/1024, null()) +LOOKUP-windows_service_startmode = windows_service_startmode StartMode OUTPUT start_mode +LOOKUP-windows_service_status = windows_service_status Status State OUTPUT status + +### Script:InstalledApps + +[Script:InstalledApps] +SHOULD_LINEMERGE = true +LINE_BREAKER = + +### Script:ListeningPorts + +[Script:ListeningPorts] +SHOULD_LINEMERGE = false +KV_MODE = none +EXTRACT-dest_ip = dest_ip=\[(?(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\] +EXTRACT-dest_port = dest_port=(?\d+) +EXTRACT-process_id = pid=(?\d+) +EXTRACT-transport = transport=(?\S+) +FIELDALIAS-dest = host as dest + +### Script:TimesyncConfiguration + +[Script:TimesyncConfiguration] +DATETIME_CONFIG = CURRENT +LINE_BREAKER = ([\r\n]+)Current time: +KV_MODE = None + +### Script:TimesyncStatus + +[Script:TimesyncStatus] +DATETIME_CONFIG = CURRENT +LINE_BREAKER = ([\r\n]+)Current time: +KV_MODE = None +EXTRACT-last_sync_error = Last Sync Error: (?\d+) +LOOKUP-windows_timesync_action = windows_timesync_action last_sync_error OUTPUT action + +### WindowsUpdateLog + +[WindowsUpdateLog] +KV_MODE = none +FIELDALIAS-dest_for_windowsupdate = host as dest +EXTRACT-signature = Windows successfully installed the following update:\s+(?.*?(?KB\d+)[^$]+) +EXTRACT-component = ^\S+\s+\S+\s+\S+\s+\S+\s+(?\S+) +EXTRACT-process_id = ^\S+\s+\S+\s+(?\S+) +EXTRACT-thread_id = ^\S+\s+\S+\s+\d+\s+(?\S+) +EXTRACT-vendor_status = (?(?:Installation\s+successful\s+and\s+restart\s+required|Installation\s+(Successful|Failure)|Restart\s+Required|Installation\s+Ready)) +REPORT-signature,signature_id = windowsupdatelog_signature_message,windowsupdatelog_signature_signature_id +LOOKUP-windowsupdatelog_status = windowsupdatelog_status vendor_status OUTPUT status + +### DHCP + +[DhcpSrvLog] +SHOULD_LINEMERGE = false +KV_MODE = none +TRANSFORMS-dhcp_discard_headers = dhcpsrvlog_discard_headers +EXTRACT-msdhcp_id,description,dest_ip,dest_nt_host,dest_mac = (?[^,]+),[^,]+,[^,]+,(?[^,]?),(?[^,]+),(?[^,]+),(?[^$]+) +REPORT-dest = dchpsrvlog_dest_nt_host_as_dest,dchpsrvlog_dest_mac_as_dest,dchpsrvlog_dest_ip_as_dest +LOOKUP-windows_msdhcp_id = windows_msdhcp_id msdhcp_id OUTPUT signature + +### WinRegistry + +[WinRegistry] +KV_MODE = none +EXTRACT-object_path = key_path="(?[^"]+)" +EXTRACT-object = (?s)key_path="(\\[^\n]+)*\\(?[^"]+)".*?data_type +EXTRACT-user = (?s)process_image="(\\[^\n]+)*\\(?[^"]+)".*?registry_type +EXTRACT-vendor_action = registry_type="(?[^"]+)" +EXTRACT-vendor_status,msg = event_status="\((?[0-9-]+)\)(?[^\"]+)" +LOOKUP-windows_object_category = windows_object_category object as sourcetype OUTPUT object_category +LOOKUP-windows_status = windows_status vendor_status OUTPUT status +LOOKUP-windows_vendor_action = windows_vendor_action sourcetype, vendor_action OUTPUT action +FIELDALIAS-dest = host as dest diff --git a/deployment-apps/TA-microsoft-windows/default/tags.conf b/deployment-apps/TA-microsoft-windows/default/tags.conf new file mode 100644 index 00000000..8e91577d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/tags.conf @@ -0,0 +1,114 @@ +### WinEventLog + +[eventtype=microsoft_windows_security_authentication] +authentication = enabled + +[eventtype=microsoft_windows_security_authentication_privileged] +privileged = enabled + +[eventtype=microsoft_windows_account_management] +account = enabled +change = enabled + +[eventtype=microsoft_windows_audit] +audit = enabled +change = enabled + +[eventtype=microsoft_windows_audit_policy_change_object] +audit = enabled +change = enabled + +[eventtype=microsoft_windows_audit_policy_change_user] +audit = enabled +change = enabled + +[eventtype=microsoft_windows_audit_policy_change_firewall] +audit = enabled +change = enabled + +### Perfmon + +[eventtype=microsoft_windows_perfmon] +os = enabled + +[eventtype=microsoft_windows_perfmon_cputime] +cpu = enabled +performance = enabled +report = enabled + +[eventtype=microsoft_windows_perfmon_logicaldisk] +performance = enabled +storage = enabled + +[eventtype=microsoft_windows_perfmon_memory] +performance = enabled +memory = enabled +report = enabled + +[eventtype=microsoft_windows_perfmon_network] +performance = enabled +network enabled + +[eventtype=microsoft_windows_perfmon_network_throughput] +performance = enabled +network = enabled + +[eventtype=microsoft_windows_perfmon_network_bandwidth] +performance = enabled +network = enabled + +[eventtype=microsoft_windows_perfmon_process] +performance = enabled +process = enabled + +### Hostmon + +[eventtype=microsoft_windows_hostmon_os] +cpu = enabled +memory = enabled +performance = enabled +system = enabled +version = enabled +inventory = enabled + +[eventtype=microsoft_windows_hostmon_disk] +inventory = enabled +performance = enabled +storage = enabled + +[eventtype=microsoft_windows_hostmon_process] +process = enabled +report = enabled + +[eventtype=microsoft_windows_hostmon_service] +service = enabled +report = enabled + +[eventtype=microsoft_windows_hostmon_service_time] +time = enabled +synchronize = enabled + +### WindowsUpdateLog +[eventtype=microsoft_windows_windowsupdatelog] +update = enabled + +[eventtype=microsoft_windows_windowsupdatelog_status] +status = enabled + +### WinRegisty +[eventtype=microsoft_windows_winregistry] +endpoint = enabled +change = enabled + +### Timesync +[eventtype=microsoft_windows_timesync] +os = enabled +performance = enabled +time = enabled +synchronize = enabled + +### Ports Listening +[eventtype=microsoft_windows_ports_listening] +listening = enabled +port = enabled + diff --git a/deployment-apps/TA-microsoft-windows/default/transforms.conf b/deployment-apps/TA-microsoft-windows/default/transforms.conf new file mode 100644 index 00000000..ac3da8ca --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/default/transforms.conf @@ -0,0 +1,86 @@ +[wineventlog_security_signature_id] +filename = wineventlog_security_signature_id.csv + +[wineventlog_security_signature_sub_id] +filename = wineventlog_security_signature_sub_id.csv + +[wineventlog_sourcetype_vendor_product] +filename = wineventlog_sourcetype_vendor_product.csv + +[wineventlog_app] +filename = wineventlog_app.csv + +[wineventlog_vendor_severity_id] +filename = wineventlog_vendor_severity_id.csv + +[xmleventlog_updatelist] +REGEX = ([^<]+)<\/updatelist> +FORMAT = updatelist::"$1" + +[xmleventlog_signature_signature_id] +SOURCE_KEY = updatelist +REGEX = -\s(.*?\((KB\S+)\)) +FORMAT = signature::"$1" signature_id::"$2" +MV_ADD = true + +[windowsupdatelog_signature_message] +REGEX = (?:Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on .*?|Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: .*?|Restart Required: To complete the installation of the following updates, the computer will be restarted within \d+ minutes:.*?)(-.*) +FORMAT = signature_message::"$1" + +[windowsupdatelog_signature_signature_id] +SOURCE_KEY = signature_message +REGEX = -\s(.*?\((KB\S+)\)) +FORMAT = signature::"$1" signature_id::"$2" +MV_ADD = true + +[windowsupdatelog_status] +filename = windowsupdatelog_status.csv + +[windows_msdhcp_id] +filename = windows_msdhcp_id.csv + +[dhcpsrvlog_discard_headers] +REGEX = ^(ID|#) +DEST_KEY = queue +FORMAT = nullQueue + +[dchpsrvlog_dest_nt_host_as_dest] +SOURCE_KEY = dest_nt_host +REGEX = (.+) +FORMAT = dest::"$1" +MV_ADD = true + +[dchpsrvlog_dest_ip_as_dest] +SOURCE_KEY = dest_ip +REGEX = (.+) +FORMAT = dest::"$1" +MV_ADD = true + +[dchpsrvlog_dest_mac_as_dest] +SOURCE_KEY = dest_mac +REGEX = (.+) +FORMAT = dest::"$1" +MV_ADD = true + +[windows_object_category] +filename = windows_object_category.csv + +[windows_status] +filename = windows_status.csv +default_match = failure +min_matches = 1 +max_matches = 1 + +[windows_timesync_action] +filename = windows_timesync_action.csv +match_type = WILDCARD(last_sync_error) +max_matches = 1 + +[windows_vendor_action] +filename = windows_vendor_action.csv + +[windows_service_startmode] +filename = windows_service_startmode.csv + +[windows_service_status] +filename = windows_service_status.csv diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_msdhcp_id.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_msdhcp_id.csv new file mode 100644 index 00000000..02aa252d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_msdhcp_id.csv @@ -0,0 +1,70 @@ +msdhcp_id,signature +00,"The log was started" +01,"The log was stopped" +02,"The log was temporarily paused due to low disk space" +10,"A new IP address was leased to a client" +11,"A lease was renewed by a client" +12,"A lease was released by a client" +13,"An IP address was found to be in use on the network" +14,"A lease request could not be satisfied because the scope's address pool was exhausted" +15,"A lease was denied" +16,"A lease was deleted" +17,"A lease was expired" +20,"A BOOTP address was leased to a client" +21,"A dynamic BOOTP address was leased to a client" +22,"A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted" +23,"A BOOTP IP address was deleted after checking to see that it was not in use" +30,"DNS dynamic update request" +31,"DNS dynamic update failed" +32,"DNS dynamic update successful" +50,"Rogue Server Detection" +51,"Rogue Server Detection" +52,"Rogue Server Detection" +53,"Rogue Server Detection" +54,"Rogue Server Detection" +55,"Rogue Server Detection" +56,"Rogue Server Detection" +57,"Rogue Server Detection" +58,"Rogue Server Detection" +59,"Rogue Server Detection" +60,"Rogue Server Detection" +61,"Rogue Server Detection" +62,"Rogue Server Detection" +63,"Rogue Server Detection" +64,"Rogue Server Detection" +65,"Rogue Server Detection" +66,"Rogue Server Detection" +67,"Rogue Server Detection" +68,"Rogue Server Detection" +69,"Rogue Server Detection" +70,"Rogue Server Detection" +71,"Rogue Server Detection" +72,"Rogue Server Detection" +73,"Rogue Server Detection" +74,"Rogue Server Detection" +75,"Rogue Server Detection" +76,"Rogue Server Detection" +77,"Rogue Server Detection" +78,"Rogue Server Detection" +79,"Rogue Server Detection" +80,"Rogue Server Detection" +81,"Rogue Server Detection" +82,"Rogue Server Detection" +83,"Rogue Server Detection" +84,"Rogue Server Detection" +85,"Rogue Server Detection" +86,"Rogue Server Detection" +87,"Rogue Server Detection" +88,"Rogue Server Detection" +89,"Rogue Server Detection" +90,"Rogue Server Detection" +91,"Rogue Server Detection" +92,"Rogue Server Detection" +93,"Rogue Server Detection" +94,"Rogue Server Detection" +95,"Rogue Server Detection" +96,"Rogue Server Detection" +97,"Rogue Server Detection" +98,"Rogue Server Detection" +99,"Rogue Server Detection" +100,"Rogue Server Detection" diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_object_category.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_object_category.csv new file mode 100644 index 00000000..505a9f62 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_object_category.csv @@ -0,0 +1,3 @@ +object,object_category +WinRegistry,registry +fs_notification,filesystem diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_service_startmode.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_service_startmode.csv new file mode 100644 index 00000000..29c9108f --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_service_startmode.csv @@ -0,0 +1,4 @@ +StartMode, start_mode +Manual,disabled +Auto,auto +Disabled,disabled diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_service_status.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_service_status.csv new file mode 100644 index 00000000..87ba8332 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_service_status.csv @@ -0,0 +1,7 @@ +Status, State, status +OK, Running, started +OK, Stopped, stopped +OK, Paused, stopped +OK, Start Pending, started +Degraded, Stop Pending, stopped +Degraded, Running, warning diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_status.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_status.csv new file mode 100644 index 00000000..d0ce349f --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_status.csv @@ -0,0 +1,2 @@ +vendor_status,status +0,success diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_timesync_action.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_timesync_action.csv new file mode 100644 index 00000000..2996757b --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_timesync_action.csv @@ -0,0 +1,16 @@ +event_id,provider,last_sync_error,action +17,Microsoft-Windows-Time-Service,,failure +29,Microsoft-Windows-Time-Service,,failure +35,Microsoft-Windows-Time-Service,,success +36,Microsoft-Windows-Time-Service,,failure +37,Microsoft-Windows-Time-Service,,success +38,Microsoft-Windows-Time-Service,,failure +17,W32Time,,failure +29,W32Time,,failure +35,W32Time,,success +36,W32Time,,failure +37,W32Time,,success +38,W32Time,,failure +,,0*,success +.,*,failure + diff --git a/deployment-apps/TA-microsoft-windows/lookups/windows_vendor_action.csv b/deployment-apps/TA-microsoft-windows/lookups/windows_vendor_action.csv new file mode 100644 index 00000000..5538322d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windows_vendor_action.csv @@ -0,0 +1,5 @@ +sourcetype,vendor_action,action +WinRegistry,CreateKey,created +WinRegistry,SetValue,modified +WinRegistry,DeleteKey,deleted +WinRegistry,RenameKey,modified diff --git a/deployment-apps/TA-microsoft-windows/lookups/windowsupdatelog_status.csv b/deployment-apps/TA-microsoft-windows/lookups/windowsupdatelog_status.csv new file mode 100644 index 00000000..ed81c19e --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/windowsupdatelog_status.csv @@ -0,0 +1,6 @@ +vendor_status,status +"Installation Ready",available +"Installation Successful",installed +"Restart Required","restart required" +"Installation successful and restart required","restart required" +"Installation Failure",failure diff --git a/deployment-apps/TA-microsoft-windows/lookups/wineventlog_app.csv b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_app.csv new file mode 100644 index 00000000..a36815ba --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_app.csv @@ -0,0 +1,17 @@ +event_id,src,logon_type,logon_type_description,app +4648,,,,win:remote +4672,,,,win:local +4776,,,,win:remote +,127.0.0.1,,,win:local +,::1,,,win:local +,,0,"System",win:unknown +,,2,"Interactive",win:local +,,3,"Network",win:remote +,,4,"Batch",win:local +,,5,"Service",win:local +,,6,"Proxy",win:local +,,7,"Unlock",win:local +,,8,"NetworkCleartext",win:remote +,,9,"NewCredentials",win:local +,,10,"RemoteInteractive",win:remote +,,11,"CachedInteractive",win:local diff --git a/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_id.csv b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_id.csv new file mode 100644 index 00000000..476bf64b --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_id.csv @@ -0,0 +1,367 @@ +action,category,os,signature,"signature_id",subcategory,status,object,"object_category" +deleted,"Object Access","Windows 7, Windows Server 2008 R2","The audit log was cleared",1102,"Log clear",success,Microsoft-Windows-Eventlog,auditlog +success,System,"Windows Vista, Windows Server 2008","Windows is starting up.",4608,"Security State Change",,, +unknown,System,"Windows Vista, Windows Server 2008","Windows is shutting down.",4609,"Security State Change",,, +unknown,System,"Windows Vista, Windows Server 2008","An authentication package has been loaded by the Local Security Authority.",4610,"Security System Extension",,, +success,System,"Windows Vista, Windows Server 2008","A trusted logon process has been registered with the Local Security Authority.",4611,"Security System Extension",,, +unknown,System,"Windows Vista, Windows Server 2008","Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",4612,"System Integrity",,, +unknown,System,"Windows Vista, Windows Server 2008","A notification package has been loaded by the Security Account Manager.",4614,"Security System Extension",,, +unknown,System,"Windows Vista, Windows Server 2008","Invalid use of LPC port.",4615,"System Integrity",,, +success,System,"Windows Vista, Windows Server 2008","The system time was changed.",4616,"Security State Change",,, +unknown,System,"Windows Vista, Windows Server 2008","A monitored security event pattern has occurred.",4618,"System Integrity",,, +unknown,System,"Windows Vista, Windows Server 2008","Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.",4621,"Security State Change",,, +unknown,System,"Windows Vista, Windows Server 2008","A security package has been loaded by the Local Security Authority.",4622,"Security System Extension",,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","An account was successfully logged on.",4624,Logon,,, +failure,"Logon/Logoff","Windows Vista, Windows Server 2008","An account failed to log on.",4625,Logon,,, +unknown,"Logon/Logoff","Windows 8, Windows Server 2012","User/Device claims information.",4626,Logon,,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","An account was logged off.",4634,Logoff,,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IKE DoS-prevention mode started.",4646,"IPsec Main Mode",,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","User initiated logoff.",4647,Logoff,,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","A logon was attempted using explicit credentials.",4648,Logon,,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A replay attack was detected.",4649,"Other Logon/Logoff Events",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.",4650,"IPsec Main Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.",4651,"IPsec Main Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode negotiation failed.",4652,"IPsec Main Mode",,, +failure,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode negotiation failed.",4653,"IPsec Main Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode negotiation failed.",4654,"IPsec Quick Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Main Mode security association ended.",4655,"IPsec Main Mode",,, +failure,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested.",4656,"Handle Manipulation",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A registry value was modified.",4657,Registry,,, +success,"Object Access","Windows Vista, Windows Server 2008","The handle to an object was closed.",4658,"Handle Manipulation",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested with intent to delete.",4659,Special,,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An object was deleted.",4660,Special,,, +success,"Object Access","Windows Vista, Windows Server 2008","A handle to an object was requested.",4661,Special,,, +success,"DS Access","Windows Vista, Windows Server 2008","An operation was performed on an object.",4662,"Directory Service Access",,, +success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to access an object.",4663,Special,,, +success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to create a hard link.",4664,"File System",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to create an application client context.",4665,"Application Generated",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An application attempted an operation:",4666,"Application Generated",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An application client context was deleted.",4667,"Application Generated",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An application was initialized.",4668,"Application Generated",,, +success,"Policy Change","Windows Vista, Windows Server 2008","Permissions on an object were changed.",4670,"Subcategory (special)",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An application attempted to access a blocked ordinal through the TBS.",4671,"Other Object Access Events",,, +success,"Privilege Use","Windows Vista, Windows Server 2008","Special privileges assigned to new logon.",4672,"Sensitive Privilege Use / Non Sensitive Privilege Use",,, +failure,"Privilege Use","Windows Vista, Windows Server 2008","A privileged service was called.",4673,"Sensitive Privilege Use / Non Sensitive Privilege Use",,, +success,"Privilege Use","Windows Vista, Windows Server 2008","An operation was attempted on a privileged object.",4674,"Sensitive Privilege Use / Non Sensitive Privilege Use",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","SIDs were filtered.",4675,Logon,,, +success,"Detailed Tracking","Windows Vista, Windows Server 2008","A new process has been created.",4688,"Process Creation",,, +success,"Detailed Tracking","Windows Vista, Windows Server 2008","A process has exited.",4689,"Process Termination",,, +success,"Object Access","Windows Vista, Windows Server 2008","An attempt was made to duplicate a handle to an object.",4690,"Handle Manipulation",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Indirect access to an object was requested.",4691,"Other Object Access Events",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Backup of data protection master key was attempted.",4692,"DPAPI Activity",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Recovery of data protection master key was attempted.",4693,"DPAPI Activity",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Protection of auditable protected data was attempted.",4694,"DPAPI Activity",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","Unprotection of auditable protected data was attempted.",4695,"DPAPI Activity",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","A primary token was assigned to process.",4696,"Process Creation",,, +unknown,System,"Windows Vista, Windows Server 2008","A service was installed in the system.",4697,"Security System Extension",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was created.",4698,"Other Object Access Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was deleted.",4699,"Other Object Access Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was enabled.",4700,"Other Object Access Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was disabled.",4701,"Other Object Access Events",,, +success,"Object Access","Windows Vista, Windows Server 2008","A scheduled task was updated.",4702,"Other Object Access Events",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A user right was assigned.",4704,"Authorization Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A user right was removed.",4705,"Authorization Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A new trust was created to a domain.",4706,"Authorization Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A trust to a domain was removed.",4707,"Authorization Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services was started.",4709,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services was disabled.",4710,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine applied Active Directory storage IPsec policy on the computer.^MPAStore Engine applied local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply Active Directory storage IPsec policy on the computer.^MPAStore Engine failed to apply local registry storage IPsec policy on the computer.^MPAStore Engine failed to apply some rules of the active IPsec policy on the computer.^MPAStore Engine failed to load directory storage IPsec policy on the computer.^MPAStore Engine loaded directory storage IPsec policy on the computer.^MPAStore Engine failed to load local storage IPsec policy on the computer.^MPAStore Engine loaded local storage IPsec policy on the computer.^MPAStore Engine polled for changes to the active IPsec policy and detected no changes.",4711,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","IPsec Services encountered a potentially serious failure.",4712,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Kerberos policy was changed.",4713,"Authentication Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Encrypted data recovery policy was changed.",4714,"Authorization Policy Change",,, +acl_modified,"Policy Change","Windows Vista, Windows Server 2008","The audit policy (SACL) on an object was changed.",4715,"Audit Policy Change",success,"Audit Policy",policy +unknown,"Policy Change","Windows Vista, Windows Server 2008","Trusted domain information was modified.",4716,"Authentication Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","System security access was granted to an account.",4717,"Authentication Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","System security access was removed from an account.",4718,"Authentication Policy Change",,, +acl_modified,"Policy Change","Windows Vista, Windows Server 2008","System audit policy was changed.",4719,"Audit Policy Change",success,"Audit Policy",policy +created,"Account Management","Windows Vista, Windows Server 2008","A user account was created.",4720,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","A user account was enabled.",4722,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to change an account's password.",4723,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to reset an account's password.",4724,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","A user account was disabled.",4725,"User Account Management",success,"Account Management",user +deleted,"Account Management","Windows Vista, Windows Server 2008","A user account was deleted.",4726,"User Account Management",,"Account Management",user +success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was created.",4727,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled global group.",4728,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled global group.",4729,"Security Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was deleted.",4730,"Security Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was created.",4731,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled local group.",4732,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled local group.",4733,"Security Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was deleted.",4734,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled local group was changed.",4735,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled global group was changed.",4737,"Security Group Management",,, +modified,"Account Management","Windows Vista, Windows Server 2008","A user account was changed.",4738,"User Account Management",success,"Account Management",user +unknown,"Policy Change","Windows Vista, Windows Server 2008","Domain Policy was changed.",4739,"Authentication Policy Change",,, +modified,"Account Management","Windows Vista, Windows Server 2008","A user account was locked out.",4740,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","A computer account was changed.",4742,"Computer Account Management",success,"Account Management",computer +deleted,"Account Management","Windows Vista, Windows Server 2008","A computer account was deleted.",4743,"Computer Account Management",success,"Account Management",computer +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was created.",4744,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was changed.",4745,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled local group.",4746,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled local group.",4747,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled local group was deleted.",4748,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was created.",4749,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was changed.",4750,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled global group.",4751,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled global group.",4752,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled global group was deleted.",4753,"Distribution Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was created.",4754,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was changed.",4755,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-enabled universal group.",4756,"Security Group Management",,, +success,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-enabled universal group.",4757,"Security Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-enabled universal group was deleted.",4758,"Security Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled universal group was created.",4759,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A security-disabled universal group was changed.",4760,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a security-disabled universal group.",4761,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a security-disabled universal group.",4762,"Distribution Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A group�s type was changed.",4764,"Security Group Management",,, +created,"Account Management","Windows Vista, Windows Server 2008","SID History was added to an account.",4765,"User Account Management",success,"Account Management",sid +created,"Account Management","Windows Vista, Windows Server 2008","An attempt to add SID History to an account failed.",4766,"User Account Management",failure,"Account Management",sid +modified,"Account Management","Windows Vista, Windows Server 2008","A user account was unlocked.",4767,"User Account Management",success,"Account Management",user +failure,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos authentication ticket (TGT) was requested.",4768,"Kerberos Authentication Service",,, +failure,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos service ticket was requested.",4769,"Kerberos Service Ticket Operations",,, +success,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos service ticket was renewed.",4770,"Kerberos Service Ticket Operations",,, +failure,"Account Logon","Windows Vista, Windows Server 2008","Kerberos pre-authentication failed.",4771,"Kerberos Authentication Service",,, +unknown,"Account Logon","Windows Vista, Windows Server 2008","A Kerberos authentication ticket request failed.",4772,"Kerberos Authentication Service",,, +unknown,"Account Logon","Windows Vista, Windows Server 2008","An account was mapped for logon.",4774,"Credential Validation",,, +unknown,"Account Logon","Windows Vista, Windows Server 2008","An account could not be mapped for logon.",4775,"Credential Validation",,, +failure,"Account Logon","Windows Vista, Windows Server 2008","The domain controller attempted to validate the credentials for an account.",4776,"Credential Validation",,, +unknown,"Account Logon","Windows Vista, Windows Server 2008","The domain controller failed to validate the credentials for an account.",4777,"Credential Validation",,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","A session was reconnected to a Window Station.",4778,"Other Logon/Logoff Events",,, +success,"Logon/Logoff","Windows Vista, Windows Server 2008","A session was disconnected from a Window Station.",4779,"Other Logon/Logoff Events",,, +acl_modified,"Account Management","Windows Vista, Windows Server 2008","The ACL was set on accounts which are members of administrators groups.",4780,"User Account Management",success,"Account Management",group +modified,"Account Management","Windows Vista, Windows Server 2008","The name of an account was changed:",4781,"User Account Management",success,"Account Management",user +unknown,"Account Management","Windows Vista, Windows Server 2008","The password hash an account was accessed.",4782,"Other Account Management Events",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was created.",4783,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was changed.",4784,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was added to a basic application group.",4785,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A member was removed from a basic application group.",4786,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A non-member was added to a basic application group.",4787,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A non-member was removed from a basic application group.",4788,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","A basic application group was deleted.",4789,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","An LDAP query group was created.",4790,"Application Group Management",,, +unknown,"Account Management","Windows Vista, Windows Server 2008","The Password Policy Checking API was called.",4793,"Other Account Management Events",,, +modified,"Account Management","Windows Vista, Windows Server 2008","An attempt was made to set the Directory Services Restore Mode.",4794,"User Account Management",success,"Account Management",user +success,"Logon/Logoff","Windows Vista, Windows Server 2008","The workstation was locked.",4800,"Other Logon/Logoff Events",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The workstation was unlocked.",4801,"Other Logon/Logoff Events",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The screen saver was invoked.",4802,"Other Logon/Logoff Events",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The screen saver was dismissed.",4803,"Other Logon/Logoff Events",,, +unknown,System,"Windows Vista, Windows Server 2008","RPC detected an integrity violation while decrypting an incoming message.",4816,"System Integrity",,, +unknown,"Policy Change","Windows 7, Windows Server 2008 R2","Auditing settings on an object were changed.",4817,"Audit Policy Change",,, +unknown,"Object Access","Windows 8, Windows Server 2012","Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy",4818,"Central Policy Staging",,, +unknown,"Policy Change","Windows 8, Windows Server 2012","Central Access Policies on the machine have been changed.",4819,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A namespace collision was detected.",4864,"Authentication Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was added.",4865,"Authentication Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was removed.",4866,"Authentication Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A trusted forest information entry was modified.",4867,"Authentication Policy Change",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The certificate manager denied a pending certificate request.",4868,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a resubmitted certificate request.",4869,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services revoked a certificate.",4870,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a request to publish the certificate revocation list (CRL).",4871,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services published the certificate revocation list (CRL).",4872,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A certificate request extension changed.",4873,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","One or more certificate request attributes changed.",4874,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a request to shut down.",4875,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services backup started.",4876,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services backup completed.",4877,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services restore started.",4878,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services restore completed.",4879,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services started.",4880,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services stopped.",4881,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The security permissions for Certificate Services changed.",4882,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services retrieved an archived key.",4883,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services imported a certificate into its database.",4884,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The audit filter for Certificate Services changed.",4885,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services received a certificate request.",4886,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services approved a certificate request and issued a certificate.",4887,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services denied a certificate request.",4888,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services set the status of a certificate request to pending.",4889,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The certificate manager settings for Certificate Services changed.",4890,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A configuration entry changed in Certificate Services.",4891,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A property of Certificate Services changed.",4892,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services archived a key.",4893,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services imported and archived a key.",4894,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services published the CA certificate to Active Directory Domain Services.",4895,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","One or more rows have been deleted from the certificate database.",4896,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Role separation enabled:",4897,"Certification Services",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","Certificate Services loaded a template.",4898,"Certification Services",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The Per-user audit policy table was created.",4902,"Audit Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","An attempt was made to register a security event source.",4904,"Audit Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","An attempt was made to unregister a security event source.",4905,"Audit Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","The CrashOnAuditFail value has changed.",4906,"Audit Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","Auditing settings on object were changed.",4907,"Audit Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Special Groups Logon table modified.",4908,"Audit Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","The local policy settings for the TBS were changed.",4909,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","The group policy settings for the TBS were changed.",4910,"Other Policy Change Events",,, +unknown,"Policy Change","Windows 8, Windows Server 2012","Resource attributes of the object were changed.",4911,"Authorization Policy Change",,, +modified,"Policy Change","Windows Vista, Windows Server 2008","Per User Audit Policy was changed.",4912,"Audit Policy Change",success,"Policy Change",policy +unknown,"Policy Change","Windows 8, Windows Server 2012","Central Access Policy on the object was changed.",4913,"Authorization Policy Change",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was established.",4928,"Detailed Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was removed.",4929,"Detailed Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica source naming context was modified.",4930,"Detailed Directory Service Replication",,, +success,"DS Access","Windows Vista, Windows Server 2008","An Active Directory replica destination naming context was modified.",4931,"Detailed Directory Service Replication",,, +success,"DS Access","Windows Vista, Windows Server 2008","Synchronization of a replica of an Active Directory naming context has begun.",4932,"Directory Service Replication",,, +failure,"DS Access","Windows Vista, Windows Server 2008","Synchronization of a replica of an Active Directory naming context has ended.",4933,"Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","Attributes of an Active Directory object were replicated.",4934,"Detailed Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","Replication failure begins.",4935,"Detailed Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","Replication failure ends.",4936,"Detailed Directory Service Replication",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","A lingering object was removed from a replica.",4937,"Detailed Directory Service Replication",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The following policy was active when the Windows Firewall started.",4944,"MPSSVC Rule-Level Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A rule was listed when the Windows Firewall started.",4945,"MPSSVC Rule-Level Policy Change",,, +created,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was added.",4946,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy +modified,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was modified.",4947,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy +deleted,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to Windows Firewall exception list. A rule was deleted.",4948,"MPSSVC Rule-Level Policy Change",success,Windows Firewall,policy +unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall settings were restored to the default values.",4949,"MPSSVC Rule-Level Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A Windows Firewall setting has changed.",4950,"MPSSVC Rule-Level Policy Change",,, +failure,"Policy Change","Windows Vista, Windows Server 2008","A rule has been ignored because its major version number was not recognized by Windows Firewall.",4951,"MPSSVC Rule-Level Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.",4952,"MPSSVC Rule-Level Policy Change",,, +failure,"Policy Change","Windows Vista, Windows Server 2008","A rule has been ignored by Windows Firewall because it could not parse the rule.",4953,"MPSSVC Rule-Level Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall Group Policy settings have changed. The new settings have been applied.",4954,"MPSSVC Rule-Level Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall has changed the active profile.",4956,"MPSSVC Rule-Level Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall did not apply the following rule:",4957,"MPSSVC Rule-Level Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:",4958,"MPSSVC Rule-Level Policy Change",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",4960,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",4961,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.",4962,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.",4963,"IPsec Driver",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","Special groups have been assigned to a new logon.",4964,"Special Logon",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",4965,"IPsec Driver",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4976,"IPsec Main Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4977,"IPsec Quick Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",4978,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4979,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4980,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4981,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","IPsec Main Mode and Extended Mode security associations were established.",4982,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.",4983,"IPsec Extended Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.",4984,"IPsec Extended Mode",,, +success,"Object Access","Windows Vista, Windows Server 2008","The state of a transaction has changed.",4985,"File System",,, +success,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service has started successfully.",5024,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service has been stopped.",5025,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.",5027,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.",5028,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.",5029,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Service failed to start.",5030,"Other System Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Firewall Service blocked an application from accepting incoming connections on the network.",5031,"Filtering Platform Connection",,, +unknown,System,"Windows Vista, Windows Server 2008","Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.",5032,"Other System Events",,, +success,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver has started successfully.",5033,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver has been stopped.",5034,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver failed to start.",5035,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","The Windows Firewall Driver detected critical runtime error. Terminating.",5037,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.",5038,"System Integrity",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A registry key was virtualized.",5039,Registry,,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was added.",5040,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was modified.",5041,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. An Authentication Set was deleted.",5042,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was added.",5043,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was modified.",5044,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Connection Security Rule was deleted.",5045,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was added.",5046,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was modified.",5047,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A change has been made to IPsec settings. A Crypto Set was deleted.",5048,"Filtering Platform Policy Change",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Security Association was deleted.",5049,"IPsec Main Mode",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A file was virtualized.",5051,"File System",,, +success,System,"Windows Vista, Windows Server 2008","A cryptographic self test was performed.",5056,"System Integrity",,, +unknown,System,"Windows Vista, Windows Server 2008","A cryptographic primitive operation failed.",5057,"System Integrity",,, +success,System,"Windows Vista, Windows Server 2008","Key file operation.",5058,"Other System Events",,, +success,System,"Windows Vista, Windows Server 2008","Key migration operation.",5059,"Other System Events",,, +unknown,System,"Windows Vista, Windows Server 2008","Verification operation failed.",5060,"System Integrity",,, +failure,System,"Windows Vista, Windows Server 2008","Cryptographic operation.",5061,"System Integrity",,, +unknown,System,"Windows Vista, Windows Server 2008","A kernel-mode cryptographic self test was performed.",5062,"System Integrity",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic provider operation was attempted.",5063,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic context operation was attempted.",5064,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic context modification was attempted.",5065,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function operation was attempted.",5066,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function modification was attempted.",5067,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function provider operation was attempted.",5068,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function property operation was attempted.",5069,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","A cryptographic function property modification was attempted.",5070,"Other Policy Change Events",,, +success,"DS Access","Windows Vista, Windows Server 2008","A directory service object was modified.",5136,"Directory Service Changes",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was created.",5137,"Directory Service Changes",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was undeleted.",5138,"Directory Service Changes",,, +unknown,"DS Access","Windows Vista, Windows Server 2008","A directory service object was moved.",5139,"Directory Service Changes",,, +failure,"Object Access","Windows Vista, Windows Server 2008","A network share object was accessed.",5140,"File Share",,, +unknown,"DS Access","Windows Vista SP1, Windows Server 2008","A directory service object was deleted.",5141,"Directory Service Changes",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was added.",5142,"File Share",,, +success,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was modified.",5143,"File Share",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was deleted.",5144,"File Share",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","A network share object was checked to see whether the client can be granted desired access.",5145,"Detailed File Share",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.",5148,"Other Object Access Events",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","The DoS attack has subsided and normal processing is being resumed.",5149,"Other Object Access Events",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","The Windows Filtering Platform has blocked a packet.",5150,"Filtering Platform Connection",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","A more restrictive Windows Filtering Platform filter has blocked a packet.",5151,"Filtering Platform Connection",,, +failure,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform blocked a packet.",5152,"Filtering Platform Packet Drop",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","A more restrictive Windows Filtering Platform filter has blocked a packet.",5153,"Filtering Platform Packet Drop",,, +success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.",5154,"Filtering Platform Connection",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.",5155,"Filtering Platform Connection",,, +success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has allowed a connection.",5156,"Filtering Platform Connection",,, +failure,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked a connection.",5157,"Filtering Platform Connection",,, +success,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has permitted a bind to a local port.",5158,"Filtering Platform Connection",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","The Windows Filtering Platform has blocked a bind to a local port.",5159,"Filtering Platform Connection",,, +unknown,"Object Access","Windows 7, Windows Server 2008 R2","Spn check for SMB/SMB2 failed.",5168,"File Share",,, +read,"Account Management","Windows Vista, Windows Server 2008","Credential Manager credentials were backed up.",5376,"User Account Management",success,"Account Management",user +modified,"Account Management","Windows Vista, Windows Server 2008","Credential Manager credentials were restored from a backup.",5377,"User Account Management",success,"Account Management",user +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","The requested credentials delegation was disallowed by policy.",5378,"Other Logon/Logoff Events",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The following callout was present when the Windows Filtering Platform Base Filtering Engine started.",5440,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The following filter was present when the Windows Filtering Platform Base Filtering Engine started.",5441,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The following provider was present when the Windows Filtering Platform Base Filtering Engine started.",5442,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.",5443,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.",5444,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform callout has been changed.",5446,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform filter has been changed.",5447,"Other Policy Change Events",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform provider has been changed.",5448,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform provider context has been changed.",5449,"Filtering Platform Policy Change",,, +success,"Policy Change","Windows Vista, Windows Server 2008","A Windows Filtering Platform sub-layer has been changed.",5450,"Filtering Platform Policy Change",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode security association was established.",5451,"IPsec Quick Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec Quick Mode security association ended.",5452,"IPsec Quick Mode",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.",5453,"IPsec Main Mode",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied Active Directory storage IPsec policy on the computer.",5456,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.",5457,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.",5458,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.",5459,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine applied local registry storage IPsec policy on the computer.",5460,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply local registry storage IPsec policy on the computer.",5461,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.",5462,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the active IPsec policy and detected no changes.",5463,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",5464,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.",5465,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",5466,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",5467,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",5468,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine loaded local storage IPsec policy on the computer.",5471,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to load local storage IPsec policy on the computer.",5472,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine loaded directory storage IPsec policy on the computer.",5473,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to load directory storage IPsec policy on the computer.",5474,"Filtering Platform Policy Change",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","PAStore Engine failed to add quick mode filter.",5477,"Filtering Platform Policy Change",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has started successfully.",5478,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.",5479,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.",5480,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to initialize RPC server. IPsec Services could not be started.",5483,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.",5484,"IPsec Driver",,, +unknown,System,"Windows Vista, Windows Server 2008","IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.",5485,"IPsec Driver",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A request was made to authenticate to a wireless network.",5632,"Other Logon/Logoff Events",,, +unknown,"Logon/Logoff","Windows Vista, Windows Server 2008","A request was made to authenticate to a wired network.",5633,"Other Logon/Logoff Events",,, +unknown,"Detailed Tracking","Windows Vista, Windows Server 2008","A Remote Procedure Call (RPC) was attempted.",5712,"RPC Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An object in the COM+ Catalog was modified.",5888,"Other Object Access Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An object was deleted from the COM+ Catalog.",5889,"Other Object Access Events",,, +unknown,"Object Access","Windows Vista, Windows Server 2008","An object was added to the COM+ Catalog.",5890,"Other Object Access Events",,, +success,"Policy Change","Windows Vista, Windows Server 2008","Security policy in the group policy objects has been applied successfully.",6144,"Other Policy Change Events",,, +unknown,"Policy Change","Windows Vista, Windows Server 2008","One or more errors occurred while processing security policy in the group policy objects.",6145,"Other Policy Change Events",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted access to a user.",6272,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server denied access to a user.",6273,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server discarded the request for a user.",6274,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server discarded the accounting request for a user.",6275,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server quarantined a user.",6276,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.",6277,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server granted full access to a user because the host met the defined health policy.",6278,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server locked the user account due to repeated failed authentication attempts.",6279,"Network Policy Server",,, +unknown,"Logon/Logoff","Windows Vista SP1, Windows Server 2008","Network Policy Server unlocked the user account.",6280,"Network Policy Server",,, +unknown,System,"Windows 7, Windows Server 2008 R2","Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error",6281,"System Integrity",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Received an incorrectly formatted response while discovering availability of content.",6400,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Received invalid data from a peer. Data discarded.",6401,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: The message to the hosted cache offering it data is incorrectly formatted.",6402,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: The hosted cache sent an incorrectly formatted response to the client.",6403,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.",6404,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","BranchCache: %2 instance(s) of event id %1 occurred.",6405,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","%1 registered to Windows Firewall to control filtering for the following: %2",6406,"Other System Events",,, +unknown,System,"Windows 7, Windows Server 2008 R2","1%",6407,"Other System Events",,, diff --git a/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_sub_id.csv b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_sub_id.csv new file mode 100644 index 00000000..1e741251 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_security_signature_sub_id.csv @@ -0,0 +1,24 @@ +signature_id,signature_sub_id,signature_sub +4625,0xc000005e,"There are currently no logon servers available to service the logon request" +4625,0xc0000064,"User name does not exist" +4625,0xC0000064,"User name does not exist" +4625,0xc000006a,"User name is correct but the password is wrong" +4625,0xC000006A,"User name is correct but the password is wrong" +4625,0xc0000234,"User is currently locked out" +4625,0xC0000234,"User is currently locked out" +4625,0xc0000072,"Account is currently disabled" +4625,0xC0000072,"Account is currently disabled" +4625,0xc000006f,"User tried to logon outside his day of week or time of day restrictions" +4625,0xC000006F,"User tried to logon outside his day of week or time of day restrictions" +4625,0xc0000070,"Workstation restriction" +4625,0xC0000070,"Workstation restriction" +4625,0xc0000193,"Account expiration" +4625,0xC0000193,"Account expiration" +4625,0xc0000071,"Expired password" +4625,0xC0000071,"Expired password" +4625,0xc0000133,"Clocks between DC and other computer too far out of sync" +4625,0xC0000133,"Clocks between DC and other computer too far out of sync" +4625,0xc0000224,"User is required to change password at next logon" +4625,0xC0000224,"User is required to change password at next logon" +4625,0xc0000225,"Evidently a bug in Windows and not a risk" +4625,0xC0000225,"Evidently a bug in Windows and not a risk" diff --git a/deployment-apps/TA-microsoft-windows/lookups/wineventlog_sourcetype_vendor_product.csv b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_sourcetype_vendor_product.csv new file mode 100644 index 00000000..deeb8d4a --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_sourcetype_vendor_product.csv @@ -0,0 +1,5 @@ +sourcetype,vendor,product +WinEventLog:Security,Microsoft,Windows +WinEventLog:System,Microsoft,Windows +XmlWinEventLog:Security,Microsoft,Windows +XmlWinEventLog:System,Microsoft,Windows diff --git a/deployment-apps/TA-microsoft-windows/lookups/wineventlog_vendor_severity_id.csv b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_vendor_severity_id.csv new file mode 100644 index 00000000..f9872718 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/lookups/wineventlog_vendor_severity_id.csv @@ -0,0 +1,6 @@ +vendor_severity_id, vendor_severity +1, critical +2, error +3, warning +4, informational +5, verbose diff --git a/deployment-apps/TA-microsoft-windows/metadata/default.meta b/deployment-apps/TA-microsoft-windows/metadata/default.meta new file mode 100644 index 00000000..1dbeb670 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/metadata/default.meta @@ -0,0 +1,4 @@ +[] +access = read : [ * ], write : [ admin ] +export = system + diff --git a/deployment-apps/TA-microsoft-windows/samples/AppPopup.26.windows b/deployment-apps/TA-microsoft-windows/samples/AppPopup.26.windows new file mode 100644 index 00000000..f5094f86 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/AppPopup.26.windows @@ -0,0 +1,11 @@ +04/20/10 03:42:32 PM +LogName=System +SourceName=Application Popup +EventCode=26 +EventType=4 +Type=Information +ComputerName=HOST0167 +Category=0 +CategoryString=none +RecordNumber=4 +Message=Application popup: Windows - Virtual Memory Minimum Too Low : Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help. \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/CPUTime.perfmon b/deployment-apps/TA-microsoft-windows/samples/CPUTime.perfmon new file mode 100644 index 00000000..e8cf8f81 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/CPUTime.perfmon @@ -0,0 +1,27 @@ +04/14/2011 11:53:26.486 +collection="CPU Load" +object=Processor +counter="% Processor Time" +instance=_Total +Value=@@proc_time + +04/14/2011 11:53:26.486 +collection="CPU Load" +object=Processor +counter="% User Time" +instance=_Total +Value=@@user_time + +04/14/2011 11:53:26.486 +collection="CPU Load" +object=Processor +counter="% Processor Time" +instance=_Total +Value=100 + +04/14/2011 11:53:26.486 +collection="CPU Load" +object=Processor +counter="% User Time" +instance=_Total +Value=37 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/FreeDiskSpace.perfmon b/deployment-apps/TA-microsoft-windows/samples/FreeDiskSpace.perfmon new file mode 100644 index 00000000..09198fa4 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/FreeDiskSpace.perfmon @@ -0,0 +1,27 @@ +04/14/2011 13:45:37.170 +collection=FreeDiskSpace +object=LogicalDisk +counter="Free Megabytes" +instance=E: +Value=@@mbytes_free + +04/14/2011 13:45:37.170 +collection=FreeDiskSpace +object=LogicalDisk +counter="% Free Space" +instance=E: +Value=@@perc_free + +04/14/2011 13:45:37.170 +collection=FreeDiskSpace +object=LogicalDisk +counter="Free Megabytes" +instance=F: +Value=3080 + +04/14/2011 13:45:37.170 +collection=FreeDiskSpace +object=LogicalDisk +counter="% Free Space" +instance=F: +Value=0 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/LSASRV.40961.windows b/deployment-apps/TA-microsoft-windows/samples/LSASRV.40961.windows new file mode 100644 index 00000000..7b91f4b6 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/LSASRV.40961.windows @@ -0,0 +1,11 @@ +04/20/10 03:26:19 PM +LogName=System +SourceName=LSASRV +EventCode=40961 +EventType=2 +Type=Warning +ComputerName=HOST0201 +Category=3 +CategoryString=SPNEGO (Negotiator) +RecordNumber=2 +Message=The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available. \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/LocalNetwork.perfmon b/deployment-apps/TA-microsoft-windows/samples/LocalNetwork.perfmon new file mode 100644 index 00000000..e3ba22ca --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/LocalNetwork.perfmon @@ -0,0 +1,6 @@ +04/14/2011 16:00:14.071 +collection=LocalNetwork +object="Network Interface" +counter="Current Bandwidth" +instance="Intel[R] PRO_1000 MT Network Connection" +Value=1000000000 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Memory.perfmon b/deployment-apps/TA-microsoft-windows/samples/Memory.perfmon new file mode 100644 index 00000000..dcd429b6 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Memory.perfmon @@ -0,0 +1,23 @@ +04/14/2011 12:27:07.498 +collection="Available Memory" +object=Memory +counter="Available MBytes" +Value=432 + +04/14/2011 12:27:07.498 +collection="Available Memory" +object=Memory +counter="Committed Bytes" +Value=649986048 + +04/14/2011 12:27:07.498 +collection="Available Memory" +object=Memory +counter="Available MBytes" +Value=0 + +04/14/2011 12:27:07.498 +collection="Available Memory" +object=Memory +counter="Committed Bytes" +Value=1102970880 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/SCM.7036.windows b/deployment-apps/TA-microsoft-windows/samples/SCM.7036.windows new file mode 100644 index 00000000..e0fe48bd --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/SCM.7036.windows @@ -0,0 +1,11 @@ +04/22/10 11:15:40 AM +LogName=System +SourceName=Service Control Manager +EventCode=7036 +EventType=4 +Type=Information +ComputerName=HOST0167 +Category=0 +CategoryString=none +RecordNumber=299 +Message=The Windows Time service entered the running state. \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.1102.windows b/deployment-apps/TA-microsoft-windows/samples/Security.1102.windows new file mode 100644 index 00000000..2b35b3b6 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.1102.windows @@ -0,0 +1,17 @@ +07/25/2011 01:55:36 PM +LogName=Security +SourceName=Microsoft-Windows-Eventlog +EventCode=1102 +EventType=4 +Type=Information +ComputerName=SOLN-W2008R2-4 +TaskCategory=Log clear +OpCode=Info +RecordNumber=2450 +Keywords=Audit Success +Message=The audit log was cleared. +Subject: + Security ID: S-1-5-21-1850455071-2977647103-2894007570-1000 + Account Name: bamboo + Domain Name: SOLN-W2008R2-4 + Logon ID: 0x77220 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4672.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4672.windows new file mode 100644 index 00000000..312d4670 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4672.windows @@ -0,0 +1,27 @@ +09/11/09 03:08:08 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4672 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Special Logon +OpCode=Info +RecordNumber=105 +Keywords=Audit Success +Message=Special privileges assigned to new logon. + +Subject: + Security ID: S-1-5-21-4095465814-4193276578-644264660-500 + Account Name: @@user + Account Domain: WIN-L25DGSHI03K + Logon ID: 0x5ba26 + +Privileges: SeSecurityPrivilege + SeTakeOwnershipPrivilege + SeLoadDriverPrivilege + SeBackupPrivilege + SeRestorePrivilege + SeDebugPrivilege + SeSystemEnvironmentPrivilege + SeImpersonatePrivilege \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4673.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4673.windows new file mode 100644 index 00000000..d35263f1 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4673.windows @@ -0,0 +1,29 @@ +05/02/11 03:39:59 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4673 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Sensitive Privilege Use +OpCode=Info +RecordNumber=1307 +Keywords=Audit Success +Message=A privileged service was called. + +Subject: + Security ID: S-1-5-18 + Account Name: WIN-L25DGSHI03K$ + Account Domain: WORKGROUP + Logon ID: 0x3e7 + +Service: + Server: NT Local Security Authority / Authentication Service + Service Name: LsaRegisterLogonProcess() + +Process: + Process ID: 0x1dc + Process Name: C:\Windows\System32\lsass.exe + +Service Request Information: + Privileges: SeTcbPrivilege \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4688.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4688.windows new file mode 100644 index 00000000..d66e980e --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4688.windows @@ -0,0 +1,32 @@ +05/02/11 03:49:28 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4688 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Process Creation +OpCode=Info +RecordNumber=2184 +Keywords=Audit Success +Message=A new process has been created. + +Subject: + Security ID: S-1-5-18 + Account Name: WIN-L25DGSHI03K$ + Account Domain: WORKGROUP + Logon ID: 0x3e7 + +Process Information: + New Process ID: 0x7f4 + New Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe + Token Elevation Type: TokenElevationTypeDefault (1) + Creator Process ID: 0x74c + +Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. + +Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. + +Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. + +Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4689.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4689.windows new file mode 100644 index 00000000..9e2b7a45 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4689.windows @@ -0,0 +1,23 @@ +05/02/11 03:47:12 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4689 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Process Termination +OpCode=Info +RecordNumber=2021 +Keywords=Audit Success +Message=A process has exited. + +Subject: + Security ID: S-1-5-18 + Account Name: WIN-L25DGSHI03K$ + Account Domain: WORKGROUP + Logon ID: 0x3e7 + +Process Information: + Process ID: 0x72c + Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe + Exit Status: 0xffffffe1 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4717.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4717.windows new file mode 100644 index 00000000..795c0ff9 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4717.windows @@ -0,0 +1,24 @@ +09/11/09 03:08:08 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4717 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Authentication Policy Change +OpCode=Info +RecordNumber=162 +Keywords=Audit Success +Message=System security access was granted to an account. + +Subject: + Security ID: S-1-5-18 + Account Name: WIN-L25DGSHI03K$ + Account Domain: WORKGROUP + Logon ID: 0x3e7 + +Account Modified: + Account Name: S-1-5-21-4095465814-4193276578-644264660-1000 + +Access Granted: + Access Right: SeServiceLogonRight \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4718.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4718.windows new file mode 100644 index 00000000..776f4b08 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4718.windows @@ -0,0 +1,24 @@ +09/11/09 03:08:08 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4718 +EventType=0 +Type=Information +ComputerName=WIN-L25DGSHI03K +TaskCategory=Authentication Policy Change +OpCode=Info +RecordNumber=169 +Keywords=Audit Success +Message=System security access was removed from an account. + +Subject: + Security ID: S-1-5-18 + Account Name: WIN-L25DGSHI03K$ + Account Domain: WORKGROUP + Logon ID: 0x3e7 + +Account Modified: + Account Name: S-1-5-32-544 + +Access Removed: + Access Right: SeRemoteInteractiveLogonRight \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4726.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4726.windows new file mode 100644 index 00000000..9825ff31 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4726.windows @@ -0,0 +1,26 @@ +03/07/2012 07:13:16 PM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4726 +EventType=0 +Type=Information +ComputerName=SOLN-W2008R2-6 +TaskCategory=User Account Management +OpCode=Info +RecordNumber=17758522 +Keywords=Audit Success +Message=A user account was deleted. + +Subject: + Security ID: SPLUNK\splunker_admin + Account Name: splunker_admin + Account Domain: SPLUNK + Logon ID: 0x55e4059d + +Target Account: + Security ID: S-1-5-21-807344451-4160805990-1156053029-3440 + Account Name: splunkertest + Account Domain: SPLUNK + +Additional Information: + Privileges - \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/Security.4743.windows b/deployment-apps/TA-microsoft-windows/samples/Security.4743.windows new file mode 100644 index 00000000..4a370aaf --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/Security.4743.windows @@ -0,0 +1,26 @@ +03/07/2012 10:14:25 AM +LogName=Security +SourceName=Microsoft Windows security auditing. +EventCode=4743 +EventType=0 +Type=Information +ComputerName=devlan.local +TaskCategory=Computer Account Management +OpCode=Info +RecordNumber=5999972 +Keywords=Audit Success +Message=A computer account was deleted. + +Subject: + Security ID: SPLUNK\splunk_admin + Account Name: splunk_admin + Account Domain: SPLUNK + Logon ID: 0x7702f1fc + +Target Computer: + Security ID: S-1-5-21-807344451-4160805990-1156053029-2593 + Account Name: splunktest + Account Domain: SPLUNK + +Additional Information: + Privileges: - \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/W32Time.17.windows b/deployment-apps/TA-microsoft-windows/samples/W32Time.17.windows new file mode 100644 index 00000000..f415bbba --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/W32Time.17.windows @@ -0,0 +1,14 @@ +04/22/10 11:15:40 AM +LogName=System +SourceName=W32Time +EventCode=17 +EventType=1 +Type=Error +ComputerName=HOST0167 +Category=0 +CategoryString=none +RecordNumber=297 +Message=Time Provider NtpClient: An error occurred during DNS lookup of the manually +configured peer 'invalid.address.org'. NtpClient will try the DNS lookup again in 15 +minutes. +The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C) \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/W32Time.29.windows b/deployment-apps/TA-microsoft-windows/samples/W32Time.29.windows new file mode 100644 index 00000000..311e99c1 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/W32Time.29.windows @@ -0,0 +1,14 @@ +04/22/10 11:15:40 AM +LogName=System +SourceName=W32Time +EventCode=29 +EventType=1 +Type=Error +ComputerName=HOST0167 +Category=0 +CategoryString=none +RecordNumber=296 +Message=The time provider NtpClient is configured to acquire time from one or more +time sources, however none of the sources are currently accessible. +No attempt to contact a source will be made for 14 minutes. +NtpClient has no source of accurate time. \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/W32Time.35.windows b/deployment-apps/TA-microsoft-windows/samples/W32Time.35.windows new file mode 100644 index 00000000..ebefa53d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/W32Time.35.windows @@ -0,0 +1,12 @@ +04/22/10 09:49:37 AM +LogName=System +SourceName=W32Time +EventCode=35 +EventType=4 +Type=Information +ComputerName=HOST0201 +Category=0 +CategoryString=none +RecordNumber=271 +Message=The time service is now synchronizing the system time with the time +source time-a.nist.gov (ntp.m|0x1|192.168.165.148:123->129.6.15.28:123). \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/WinHostMon-OperatingSystem b/deployment-apps/TA-microsoft-windows/samples/WinHostMon-OperatingSystem new file mode 100644 index 00000000..43fd46d1 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/WinHostMon-OperatingSystem @@ -0,0 +1,22 @@ +Type=OperatingSystem +OS="Microsoft Windows 7 Enterprise " +Architecture="64-bit" +Version="6.1.7601" +BuildNumber="7601" +BuildType="Multiprocessor Free" +ServicePack="Service Pack 1" +SerialNumber="55041-011-3142585-86240" +ComputerName="ARAMANI-XC1" +InstallDate="20140409044852.000000-420" +LastBootUpTime="20150527114617.109999-420" +Locale="0409" +TotalPhysicalMemoryKB="8040020" +FreePhysicalMemoryKB="4276976" +TotalVirtualMemoryKB="16078184" +FreeVirtualMemoryKB="11603632" +Status="OK" +CodeSet="1252" +CountryCode="1" +SystemDevice="\Device\HarddiskVolume2" +SystemDrive="C:" +SystemDirectory="C:\Windows\system32" \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/WinHostMon-Processor b/deployment-apps/TA-microsoft-windows/samples/WinHostMon-Processor new file mode 100644 index 00000000..2b58c4a0 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/WinHostMon-Processor @@ -0,0 +1,8 @@ +Type=Processor +Name="Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz" +Manufacturer="GenuineIntel" +Architecture="x64" +ClockSpeedMHz=2079 +NumberOfCores=2 +NumberOfProcessors=4 +Processor Id="BFEBFBFF00040651" diff --git a/deployment-apps/TA-microsoft-windows/samples/WindowsUpdateClient.19.windows b/deployment-apps/TA-microsoft-windows/samples/WindowsUpdateClient.19.windows new file mode 100644 index 00000000..35cc41e2 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/WindowsUpdateClient.19.windows @@ -0,0 +1,150 @@ +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28136 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28137 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28138 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975562) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28139 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28140 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28141 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980218) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28142 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28143 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979559) +06/16/10 06:48:43 PM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=28136 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +10/06/09 10:37:04 AM +LogName=System +SourceName=Microsoft-Windows-WindowsUpdateClient +EventCode=19 +EventType=4 +Type=Information +ComputerName=WIN-5K02CFOZADA +User=SYSTEM +Sid=S-1-5-18 +SidType=1 +TaskCategory=Windows Update Agent +OpCode=Installation +RecordNumber=11640 +Keywords=Installation +Message=Installation Successful: Windows successfully installed the following update: Windows Update Aux \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4608.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4608.windows.xml new file mode 100755 index 00000000..ac9bdda3 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4608.windows.xml @@ -0,0 +1 @@ +4608001228800x802000000000000028SecurityWIN-9DV9ENFEJEG \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4616.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4616.windows.xml new file mode 100755 index 00000000..0df7f849 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4616.windows.xml @@ -0,0 +1 @@ +4616101228800x8020000000000000418SecurityWIN-9DV9ENFEJEGS-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e72014-07-21T22:45:03.965938600Z2014-07-21T22:45:15.050000000Z0x504C:\Program Files\VMware\VMware Tools\vmtoolsd.exe \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4624.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4624.windows.xml new file mode 100755 index 00000000..93514b1b --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4624.windows.xml @@ -0,0 +1 @@ +4624101254400x8020000000000000524SecurityWIN-9DV9ENFEJEGS-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e75Advapi Negotiate{00000000-0000-0000-0000-000000000000}--00x1e4C:\Windows\System32\services.exe--%%1833 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4625.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4625.windows.xml new file mode 100755 index 00000000..bae34d5a --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4625.windows.xml @@ -0,0 +1 @@ +4625001254400x80100000000000001880SecurityWIN-9DV9ENFEJEGS-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7S-1-0-0AdministratorWIN-9DV9ENFEJEG0xc000010b%%23040x011CredProNegotiateWIN-9DV9ENFEJEG--00xd20C:\Windows\System32\consent.exe::10 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4634.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4634.windows.xml new file mode 100755 index 00000000..baa7d907 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4634.windows.xml @@ -0,0 +1 @@ +4634001254500x80200000000000001895SecurityWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0xaf04b02 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4647.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4647.windows.xml new file mode 100755 index 00000000..eb404f8e --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4647.windows.xml @@ -0,0 +1 @@ +4647001254500x8020000000000000182SecurityWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0x20157d \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4648.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4648.windows.xml new file mode 100755 index 00000000..5ad4a42f --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4648.windows.xml @@ -0,0 +1 @@ +4648001254400x8020000000000000430SecurityWIN-9DV9ENFEJEGS-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7{00000000-0000-0000-0000-000000000000}DWM-1Window Manager{00000000-0000-0000-0000-000000000000}localhostlocalhost0x1a4C:\Windows\System32\winlogon.exe-- \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4672.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4672.windows.xml new file mode 100755 index 00000000..9de5bfdc --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4672.windows.xml @@ -0,0 +1,11 @@ +4672001254800x8020000000000000768SecurityWIN-9DV9ENFEJEGS-1-5-18SYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege + SeTcbPrivilege + SeSecurityPrivilege + SeTakeOwnershipPrivilege + SeLoadDriverPrivilege + SeBackupPrivilege + SeRestorePrivilege + SeDebugPrivilege + SeAuditPrivilege + SeSystemEnvironmentPrivilege + SeImpersonatePrivilege \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4720.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4720.windows.xml new file mode 100755 index 00000000..16d4fc03 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4720.windows.xml @@ -0,0 +1,4 @@ +4720001382400x80200000000000001850SecurityWIN-9DV9ENFEJEGaramaniWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-1001S-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0x9caebb-aramani%%1793-%%1793%%1793%%1793%%1793%%1793%%1794%%1794513-0x00x15 + %%2080 + %%2082 + %%2084%%1793-%%1797 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4722.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4722.windows.xml new file mode 100755 index 00000000..8d4e494d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4722.windows.xml @@ -0,0 +1 @@ +4722001382400x80200000000000001851SecurityWIN-9DV9ENFEJEGaramaniWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-1001S-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0x9caebb \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4724.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4724.windows.xml new file mode 100755 index 00000000..6a7ecea7 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4724.windows.xml @@ -0,0 +1 @@ +4724001382400x8020000000000000128SecurityWIN-9DV9ENFEJEGAdministratorWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-500S-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4728.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4728.windows.xml new file mode 100755 index 00000000..e996dc66 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4728.windows.xml @@ -0,0 +1 @@ +4728001382600x80200000000000001849SecurityWIN-9DV9ENFEJEG-S-1-5-21-3971707290-3287975982-528657165-1001NoneWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-513S-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0x9caebb- \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4732.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4732.windows.xml new file mode 100755 index 00000000..705e933c --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4732.windows.xml @@ -0,0 +1 @@ +4732001382600x80200000000000001891SecurityWIN-9DV9ENFEJEG-S-1-5-21-807344451-4160805990-1156053029-512AdministratorsBuiltinS-1-5-32-544S-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0xaf1ccd- \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4735.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4735.windows.xml new file mode 100755 index 00000000..11315cd5 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4735.windows.xml @@ -0,0 +1 @@ +4735001382600x802000000000000057SecurityWIN-9DV9ENFEJEGReplicatorBuiltinS-1-5-32-552S-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7--- \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4738.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4738.windows.xml new file mode 100755 index 00000000..01ccac0d --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4738.windows.xml @@ -0,0 +1 @@ +4738001382400x80200000000000001855SecurityWIN-9DV9ENFEJEG-aramaniWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-1001S-1-5-21-3971707290-3287975982-528657165-500AdministratorWIN-9DV9ENFEJEG0x9caebb-aramaniaramani-%%1793%%1793%%1793%%1793%%17938/12/2014 5:42:24 PM%%1794513-0x2100x210---%%1797 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4776.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4776.windows.xml new file mode 100755 index 00000000..10c345e2 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4776.windows.xml @@ -0,0 +1 @@ +4776001433600x8020000000000000157SecurityWIN-9DV9ENFEJEGMICROSOFT_AUTHENTICATION_PACKAGE_V1_0AdministratorWIN-9DV9ENFEJEG0x0 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4781.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4781.windows.xml new file mode 100755 index 00000000..924effc4 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4781.windows.xml @@ -0,0 +1 @@ +4781001382400x802000000000000049SecurityWIN-9DV9ENFEJEGUsersUsersBuiltinS-1-5-32-545S-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7- \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4797.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4797.windows.xml new file mode 100755 index 00000000..53b7e25e --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4797.windows.xml @@ -0,0 +1 @@ +4797001382400x80200000000000001874SecurityWIN-9DV9ENFEJEGS-1-5-21-3971707290-3287975982-528657165-1001aramaniWIN-9DV9ENFEJEG0xa13207WIN-9DV9ENFEJEGAdministratorWIN-9DV9ENFEJEG \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4902.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4902.windows.xml new file mode 100755 index 00000000..5fd40e7c --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4902.windows.xml @@ -0,0 +1 @@ +4902001356800x8020000000000000387SecurityWIN-9DV9ENFEJEG00xb8c4 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4907.windows.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4907.windows.xml new file mode 100755 index 00000000..9d845c3f --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSecurity.4907.windows.xml @@ -0,0 +1 @@ +4907001356800x80200000000000001298SecurityWIN-9DV9ENFEJEGS-1-5-18WIN-9DV9ENFEJEG$WORKGROUP0x3e7SecurityFileC:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms0x14S:ARAI(AU;SAFA;0x1f0116;;;WD)0xa6cC:\Windows\System32\poqexec.exe \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_ready.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_ready.xml new file mode 100755 index 00000000..de791d9b --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_ready.xml @@ -0,0 +1,25 @@ +17042120x80000000000000142944SystemWIN-9DV9ENFEJEG +- Update for Windows Server 2012 R2 (KB2971203) +- Update for Windows Server 2012 R2 (KB2950153) +- Security Update for Windows Server 2012 R2 (KB2964736) +- Update for Windows Server 2012 R2 (KB2938066) +- Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 (KB2962872) +- Update for Windows Server 2012 R2 (KB2975061) +- Update for Windows Server 2012 R2 (KB2956575) +- Update for .NET Native on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2954879) +- Security Update for Windows Server 2012 R2 (KB2926765) +- Update for Windows Server 2012 R2 (KB2939087) +- Security Update for Windows Server 2012 R2 (KB2920189) +- Update for Windows Server 2012 R2 (KB2958262) +- Security Update for Windows Server 2012 R2 (KB2973351) +- Security Update for Windows Server 2012 R2 (KB2939576) +- Update for Windows Server 2012 R2 (KB2959626) +- Security Update for Windows Server 2012 R2 (KB2957189) +- Security Update for Microsoft .NET Framework 4.5.1 on Windows 8.1 and Windows Server 2012 R2 for x64-based Systems (KB2931366) +- Windows Malicious Software Removal Tool for Windows 8, 8.1 and Windows Server 2012, 2012 R2 x64 Edition - July 2014 (KB890830) +- Security Update for Windows Server 2012 R2 (KB2964718) +- Security Update for Windows Server 2012 R2 (KB2973201) +- Security Update for Windows Server 2012 R2 (KB2965788) +- Update for Windows Server 2012 R2 (KB2966804) +- Update for Windows Server 2012 R2 (KB2955164) +- Security Update for Windows Server 2012 R2 (KB2961072) \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_success.xml b/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_success.xml new file mode 100755 index 00000000..dfee19ab --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/XmlSystem.update_success.xml @@ -0,0 +1 @@ +19141130x80000000000000182956SystemWIN-9DV9ENFEJEGUpdate for Windows Server 2012 R2 (KB2958262){1DE3F386-F36C-4E64-8098-D01B8BEA37CF}200{9482F4B4-E343-43B6-B170-9A65BC822C77} \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/audit_types.list b/deployment-apps/TA-microsoft-windows/samples/audit_types.list new file mode 100644 index 00000000..3bbdb4f1 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/audit_types.list @@ -0,0 +1,2 @@ +Success +Failure diff --git a/deployment-apps/TA-microsoft-windows/samples/sample.DhcpSrvLog b/deployment-apps/TA-microsoft-windows/samples/sample.DhcpSrvLog new file mode 100644 index 00000000..bd9b944c --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/sample.DhcpSrvLog @@ -0,0 +1,7 @@ +ID,Date,Time,Description,IPAddress,HostName,MAC Address +10,07/21/06,19:42:47,,172.168.15.10,winfish,01:00:00:00:00:00 +11,07/21/06,19:42:47,,172.168.15.12,storefront,02:00:00:00:00:00 +13,07/21/06,19:42:47,,172.168.15.13,bugsbunny,03:00:00:00:00:00 +12,07/21/06,19:42:47,,172.168.15.10,winfish,01:00:00:00:00:00 +16,07/21/06,19:42:47,,172.168.15.12,storefront,02:00:00:00:00:00 +17,07/21/06,19:42:47,,172.168.15.13,bugsbunny,03:00:00:00:00:00 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/sample.win_installed_apps b/deployment-apps/TA-microsoft-windows/samples/sample.win_installed_apps new file mode 100644 index 00000000..6d51c618 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/sample.win_installed_apps @@ -0,0 +1,25 @@ +05/19/2011 10:48:34 +Installed application enumerated from "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{163025bb-ef60-4329-9384-9aeb595a0179}" +AuthorizedCDFPrefix= +Comments=The IT Search Engine +Contact=Contact Support at http://www.splunk.com/page/submit_issue +DisplayVersion=108.1.32730 +HelpLink=http://www.splunk.com/page/submit_issue +HelpTelephone= +InstallDate=20110318 +InstallLocation=C:\Program Files\Splunk\ +InstallSource=C:\Users\David\Desktop\ +ModifyPath=MsiExec.exe /I{163025bb-ef60-4329-9384-9aeb595a0179} +Publisher=Splunk, Inc. +Readme=C:\Program Files\Splunk\README.txt +Size= +EstimatedSize=0x1c991 +UninstallString=MsiExec.exe /I{163025bb-ef60-4329-9384-9aeb595a0179} +URLInfoAbout=http://www.splunk.com +URLUpdateInfo=http://www.splunk.com/download +VersionMajor=0x6c +VersionMinor=0x1 +WindowsInstaller=0x1 +Version=0x6c017fda +Language=0x409 +DisplayName=Splunk \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/sample.win_listening_ports b/deployment-apps/TA-microsoft-windows/samples/sample.win_listening_ports new file mode 100644 index 00000000..11727a20 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/sample.win_listening_ports @@ -0,0 +1 @@ +04/14/2011 19:42:27 transport=TCP dest_ip=[0.0.0.0] dest_port=443 pid=476 \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/sample.winregistry b/deployment-apps/TA-microsoft-windows/samples/sample.winregistry new file mode 100644 index 00000000..7636ebe6 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/sample.winregistry @@ -0,0 +1,40 @@ +09/09/2010 23:36:32.0128 +event_status="(0)The operation completed successfully." +pid=1300 +process_image="\Device\HarddiskVolume1\Windows\System32\spoolsv.exe" +registry_type="CreateKey" +key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\DAVID-PC\Printers\{676235CD-B656-42D5-B737-49856E97D072}\PrinterDriverData" +data_type="REG_NONE" +data="" +09/09/2010 23:36:31.0800 +event_status="(0)The operation completed successfully." +pid=1300 +process_image="\Device\HarddiskVolume1\Windows\System32\spoolsv.exe" +registry_type="SetValue" +key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\DAVID-PC\Printers\{676235CD-B656-42D5-B737-49856E97D072}\DsKeyUpdateForeground" +data_type="REG_DWORD" +data="0x00000003(3)" +09/09/2010 23:36:29.0519 +event_status="(-1073741790)Access is denied." +pid=2940 +process_image="\Device\HarddiskVolume1\Program Files\VMware\VMware Tools\TPAutoConnect.exe" +registry_type="CreateKey" +key_path="\REGISTRY\MACHINE\SOFTWARE\ThinPrint\TPVMW321-2169411598-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED8C108E-4349-11D2-91A4-00C04F7969E8}\iexplore" +data_type="REG_NONE" +data="" +09/09/2010 23:28:36.0860 +event_status="(0)The operation completed successfully." +pid=1836 +process_image="\Device\HarddiskVolume1\Program Files\Windows Media Player\wmpnetwk.exe" +registry_type="DeleteKey" +key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\982BF570-9638-D16C-DA56-63BCFA515AD3\DeviceCompatFlags" +data_type="REG_NONE" +data="" +09/09/2010 23:23:44.0542 +event_status="(0)The operation completed successfully." +pid=4032 +process_image="\Device\HarddiskVolume1\Windows\regedit.exe" +registry_type="RenameKey" +key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\cookies" +data_type="REG_NONE" +data="" \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/samples/server2k8.WindowsUpdateLog b/deployment-apps/TA-microsoft-windows/samples/server2k8.WindowsUpdateLog new file mode 100644 index 00000000..38dba3d7 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/samples/server2k8.WindowsUpdateLog @@ -0,0 +1,72 @@ +2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {79ADCB2A-E5A4-4D87-84E4-38E53410C65A} 2010-06-16 18:47:44:234-0700 1 190 101 {5A12AB6D-696D-430B-92DD-25FC9A78E777} 109 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979559) +2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {7AAFCF20-54AA-4C47-AE76-D50AC35C6CF8} 2010-06-16 18:47:44:234-0700 1 190 101 {5332AD75-1EE5-49A7-B962-A52CDCB5381B} 106 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) +2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {BD9FD786-D33E-40EC-9EAD-004CE249A210} 2010-06-16 18:47:44:219-0700 1 190 101 {94094676-871B-4543-96DE-DC72EA75CDBE} 105 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980218) +2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {E61ED1F2-63C6-4F6D-A350-6AF9C2E73B10} 2010-06-16 18:47:44:203-0700 1 190 101 {2A523F8D-80C9-410B-8E38-BEE4836A6537} 107 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) +2010-06-16 18:48:43:586 992 a4c Report REPORT EVENT: {29353A5A-EA08-43AF-A0C3-50C3060FD915} 2010-06-16 18:47:44:188-0700 1 190 101 {13C557C8-6E62-4C86-ADD4-37C9735D05DE} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) +2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {DBE3C1FD-3849-4851-9C08-22CCC04D5E6B} 2010-06-16 18:47:44:188-0700 1 190 101 {EFE89ED6-0EC3-498B-A703-5B35D0EB261C} 105 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975562) +2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {09576D5E-7485-4D1A-96D0-3EC0DEC0730E} 2010-06-16 18:47:44:172-0700 1 190 101 {681D30E8-9897-4E29-BBA1-FFBD1115B526} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) +2010-06-16 18:48:43:165 992 a4c Report REPORT EVENT: {C808B3E7-81FE-4AF3-8544-04F9222A4277} 2010-06-16 18:47:44:141-0700 1 190 101 {5C4E80F2-C99C-4F20-B7A7-E6AF2A20EA7A} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +2010-06-16 18:42:31:865 1000 b00 Report REPORT EVENT: {FE882D48-9534-4F7E-9880-2993F61499C4} 2010-06-16 18:37:44:091-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Security Update for Windows Server 2008 x64 Edition (KB975562) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB9825 +2010-06-16 18:35:22:743 1000 5dc Report REPORT EVENT: {43DA0C73-108E-4863-9F5D-033D0A84F7CF} 2010-06-16 18:35:17:729-0700 1 190 101 {104EB8DD-8924-46BE-8441-25C407114986} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) +2010-06-16 18:33:37:759 1000 5dc Report REPORT EVENT: {CBA3BAF6-B5FD-4D19-A5D3-468207CCF88A} 2010-06-16 18:33:32:744-0700 1 190 101 {1ABDADA5-F2D7-4099-9AE7-0812C3E40A72} 101 240006 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-06-16 18:33:24:653 1000 5dc Report REPORT EVENT: {97AB8A73-AAAA-46FA-9E5B-B99F85B98B18} 2010-06-16 18:30:56:241-0700 1 190 101 {48D29613-FB99-4F1B-8ED0-AA122F54FFDE} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979482) +2010-06-16 18:33:24:653 1000 5dc Report REPORT EVENT: {C5231FB6-8FFD-4A76-820C-8C2DD8E006D3} 2010-06-16 18:30:52:101-0700 1 190 101 {60767E01-93EF-4226-A7F3-2C2DE1CE016E} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB981793) +2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {E5EBE6CA-90F5-43BE-BAAA-4F80C40ABADF} 2010-06-14 08:09:42:718-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Security Update for Windows Server 2008 x64 Edition (KB975562) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB9825 +2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {F3D6877B-A2FD-467B-8294-A80B41BF0D47} 2010-06-14 08:09:41:577-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB982632) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +2010-06-14 08:09:46:015 1000 218 Report REPORT EVENT: {49D393A6-D19F-4035-9682-66F41AC18EC7} 2010-06-14 08:09:41:015-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Security Update for Windows Server 2008 x64 Edition (KB980218) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +2010-06-14 08:09:36:578 1000 218 Report REPORT EVENT: {284300E5-E053-4A07-B559-31AB62F4225E} 2010-06-14 08:09:33:171-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) - Microsoft .NET Framework 3.5 SP1 Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB982535) +2010-06-14 08:09:36:578 1000 218 Report REPORT EVENT: {5FFE4517-B11E-481F-B4AA-83A9246592FE} 2010-06-14 08:09:29:781-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB982381) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) +2010-06-14 08:09:11:703 1000 218 Report REPORT EVENT: {1A21691C-C677-4455-8F87-1A2FC4FAA399} 2010-06-14 08:09:06:703-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Security Update for Windows Server 2008 x64 Edition (KB979559) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) +2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {2D612129-372F-4625-A87B-129247D91417} 2010-06-14 08:09:03:610-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) - Microsoft .NET Framework 3.5 SP1 Security Update for Windows Vista SP1 and Windows Server 2008 for x64-based Systems (KB979911) +2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {AB09170F-683E-4D1E-B057-35AFDC0B53C9} 2010-06-14 08:09:03:516-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Security Update for Windows Server 2008 x64 Edition (KB979482) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) +2010-06-14 08:09:06:875 1000 218 Report REPORT EVENT: {760700C1-617C-4325-B25C-1393029DF771} 2010-06-14 08:09:01:875-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) - Windows Malicious Software Removal Tool x64 - June 2010 (KB890830) +2010-06-14 08:08:58:172 1000 218 Report REPORT EVENT: {4D342AE6-81AF-41FE-B7F9-E06A0BDCBD20} 2010-06-14 08:08:53:188-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB981793) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-06-14 08:08:23:002 1000 218 Report REPORT EVENT: {B288D33F-BC8A-453C-BEF5-102B7096B0ED} 2010-06-14 08:08:18:002-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB980195) - Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-06-14 08:07:56:548 1000 218 Report REPORT EVENT: {898853CF-B9F6-4CB2-8BAB-935659C6E30B} 2010-06-14 08:06:51:895-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎June ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-06-14 08:03:21:998 1000 218 Report REPORT EVENT: {F3BD6618-BFF9-42BB-A1D8-0894DBD3211E} 2010-06-14 08:01:02:332-0700 1 190 101 {1ABDADA5-F2D7-4099-9AE7-0812C3E40A72} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-06-14 08:03:21:998 1000 218 Report REPORT EVENT: {15876081-DBB0-4D59-84FD-40A55F45200C} 2010-06-14 08:00:25:224-0700 1 190 101 {4FAC5B5F-19C1-467C-A26D-5CA7712D3494} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - May 2010 (KB890830) +2010-05-11 14:36:08:529 1000 4f8 Report REPORT EVENT: {303F0E1B-0292-4908-86C3-B14892B8C294} 2010-05-11 14:36:03:607-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎May ‎12, ‎2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - May 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978542) +2010-05-11 14:34:12:923 1000 4f8 Report REPORT EVENT: {CA86BA76-103B-4BBF-A2EC-BB34F1C66C22} 2010-05-11 14:34:08:033-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎May ‎12, ‎2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - May 2010 (KB890830) +2010-05-11 12:50:06:546 984 878 Report REPORT EVENT: {A4AF26FB-0475-4E41-A542-D3176BDFF2DB} 2010-05-11 12:48:04:046-0700 1 190 101 {06E723E4-CBE2-4EF5-8DBF-3BBCC8584960} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB973917) +2010-05-11 12:50:06:546 984 878 Report REPORT EVENT: {DE0C737D-1AF1-4C9E-BDC3-CF529061EF70} 2010-05-11 12:48:03:953-0700 1 190 101 {38829BE4-0F12-4502-B5E4-D640A3CF4B78} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182) +2010-05-11 12:50:06:515 984 878 Report REPORT EVENT: {198290A1-80A9-4562-B537-5638FF959E05} 2010-05-11 12:48:03:953-0700 1 190 101 {D526370A-65A0-4D88-A935-64893E66BEC4} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB981332) +2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {1B5B7CAC-1507-4E07-942B-55A4B46C7FDE} 2010-05-11 12:48:03:953-0700 1 190 101 {A7C58B11-FC3E-4B50-A5A3-7037CFB38764} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979683) +2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {66566F17-EDD3-4364-AF57-089DA1772037} 2010-05-11 12:48:03:921-0700 1 190 101 {FDA2974B-C8C0-42B2-A60B-E56C76B6E6EF} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB979309) +2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {23B47B49-5C8E-403C-862D-5BC49762A766} 2010-05-11 12:48:03:890-0700 1 190 101 {A4CD7882-E067-4ED4-8713-16F845085BBE} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB980232) +2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {AA9AF2A0-C29D-47EE-8DFA-2E581A1BD4D0} 2010-05-11 12:48:03:875-0700 1 190 101 {C54B88AA-A639-470E-B505-FD0C46865393} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978601) +2010-05-11 12:48:05:890 984 878 Report REPORT EVENT: {64ABBAF4-4872-40E4-98C9-8DE6F2E7CB0D} 2010-05-11 12:48:03:875-0700 1 190 101 {D35216C1-66AA-45A7-B182-6B375789E2CD} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978338) +2010-05-11 12:43:11:448 976 710 Report REPORT EVENT: {4C703373-B930-496D-A783-AD68777A01EE} 2010-05-11 12:40:57:449-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979683) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338) +2010-05-11 12:40:03:630 976 a58 Report REPORT EVENT: {41161CCC-026F-4F01-B281-3C8565513289} 2010-05-11 12:40:03:567-0700 1 190 101 {E4AB408F-0208-4BB8-9782-C1D895DC4F78} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) +2010-04-14 04:20:37:369 976 464 Report REPORT EVENT: {4647FA59-C41B-45BE-B229-191180266B51} 2010-04-14 04:20:32:384-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979683) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338) +2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {955E6D76-5F46-4B98-A948-8A7E73193AE2} 2010-04-14 04:20:28:822-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Security Update for Windows Server 2008 x64 Edition (KB980232) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338) +2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {A6C06AEF-A34E-43E5-9008-B10CE1E9596A} 2010-04-14 04:20:28:072-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) - Security Update for Windows Server 2008 x64 Edition (KB978338) +2010-04-14 04:20:31:666 976 464 Report REPORT EVENT: {AC8420D8-4834-45A6-BAFA-FC89699437D2} 2010-04-14 04:20:26:541-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) - Security Update for Windows Server 2008 x64 Edition (KB978601) +2010-04-14 04:19:40:462 976 464 Report REPORT EVENT: {E15B21BD-7DCA-4905-B9EE-9FB173DE5BD0} 2010-04-14 04:19:36:166-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) - Windows Malicious Software Removal Tool x64 - April 2010 (KB890830) +2010-04-14 04:19:40:462 976 464 Report REPORT EVENT: {28BDB1E5-D652-4BA8-8241-C9E95D3ED68E} 2010-04-14 04:19:36:025-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB981332) - Security Update for Windows Server 2008 x64 Edition (KB979309) +2010-04-14 04:19:03:087 976 464 Report REPORT EVENT: {5DDE0553-8DE0-4F57-8CAD-0D00948BFB0A} 2010-04-14 04:18:58:150-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Thursday, ‎April ‎15, ‎2010 at 3:00 AM: - Security Update for Windows Server 2008 x64 Edition (KB979309) +2010-04-14 04:18:06:634 976 464 Report REPORT EVENT: {E473CEEC-A328-483B-89E5-8FE8BA21D5DA} 2010-04-14 04:11:11:257-0700 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302) - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182) +2010-04-14 04:10:45:179 976 464 Report REPORT EVENT: {67F2CC5D-D3EF-4D38-8E6D-5867CB5CF727} 2010-04-14 04:08:37:476-0700 1 190 101 {055A2DB4-D7D0-488C-8102-106A2F3DC434} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) +2010-04-14 04:10:45:179 976 464 Report REPORT EVENT: {587EA1F5-47CE-4306-9377-487961D8AD94} 2010-04-14 04:05:45:304-0700 1 190 101 {C1307437-88DB-47C7-961F-79794798F83F} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302) +2010-04-05 14:30:20:043 976 9c4 Report REPORT EVENT: {38912DE8-A85C-4805-99B5-483173E6AB40} 2010-04-05 14:30:15:278-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎06, ‎2010 at 3:00 AM: - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB980302) - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182) +2010-04-05 14:30:20:043 976 9c4 Report REPORT EVENT: {1963927F-F6EF-40D3-B376-798132443FA6} 2010-04-05 14:30:15:043-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎06, ‎2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB980182) +2010-04-05 14:27:32:250 976 9c4 Report REPORT EVENT: {1C976668-F03C-40DD-BAAE-F1A17196C642} 2010-04-05 14:27:27:172-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎06, ‎2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) - Update for Windows Server 2008 x64 Edition (KB973917) +2010-04-05 14:27:25:907 976 9c4 Report REPORT EVENT: {1C34811E-FEF8-44CF-B880-43A0CE0F4124} 2010-04-05 14:27:20:938-0700 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Tuesday, ‎April ‎06, ‎2010 at 3:00 AM: - Windows Malicious Software Removal Tool x64 - March 2010 (KB890830) +2010-03-04 09:25:36:117 976 464 Report REPORT EVENT: {C9A94429-436B-4EBA-A86E-4873B6A820A9} 2010-03-04 09:24:38:085-0800 1 190 101 {0FF84F82-ECE3-4714-9313-13517E9BDD2F} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB975929) +2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {B344761D-3738-47A0-9DB1-8BB314EED644} 2010-03-04 05:02:59:752-0800 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB976662) - Update for Windows Server 2008 x64 Edition (KB975929) +2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {62CA6F5B-32D4-4A19-B968-B807645B14F2} 2010-03-04 05:01:37:251-0800 1 190 101 {BD962A37-FBD1-4765-851C-B9AE4D0CE758} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB976662) +2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {4CA2C4D3-33E1-4D2D-8B5D-510876508F5F} 2010-03-04 05:01:31:173-0800 1 190 101 {6E6CDC1F-8BB9-41CF-9AF3-44053752B7E9} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) +2010-03-04 05:07:08:864 360 be8 Report REPORT EVENT: {6A82AFE7-8A12-4543-BA68-B55B6B740D2D} 2010-03-04 05:00:31:094-0800 1 190 101 {2A8FD60C-D83D-42B1-BCF2-77D0843E97B9} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 x64 Edition (KB979306) +2010-03-02 08:57:57:960 360 90c Report REPORT EVENT: {C830E8CA-9621-4D7D-A464-1E414444946E} 2010-03-02 08:57:54:038-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎March ‎03, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB976662) - Update for Windows Server 2008 x64 Edition (KB975929) +2010-03-02 08:57:57:960 360 90c Report REPORT EVENT: {16DE031E-8C26-4CDB-BFE4-C8BB72CBCF58} 2010-03-02 08:57:52:960-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎March ‎03, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Rights Management Services Client for Windows Server 2008 x64 Edition (KB979099) - Update for Windows Server 2008 x64 Edition (KB975929) +2010-03-02 08:57:46:147 360 90c Report REPORT EVENT: {F17C6159-02D6-4321-879C-C6E79AB5CCC7} 2010-03-02 08:57:41:163-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎March ‎03, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB979306) - Update for Windows Server 2008 x64 Edition (KB975929) +2010-03-02 08:57:10:318 360 90c Report REPORT EVENT: {94442B66-AE2D-43EC-838C-406160F2C0DD} 2010-03-02 08:57:00:303-0800 1 188 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on ‎Wednesday, ‎March ‎03, ‎2010 at 3:00 AM: - Update for Windows Server 2008 x64 Edition (KB975929) +2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {7F1D2AD1-5461-48F1-97E2-A96AF919098C} 2010-02-18 16:41:54:614-0800 1 190 101 {2894BC0E-468D-4924-B3A9-62433D8EEEC1} 103 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB974145) +2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {F7D791B3-1B88-49F4-A7ED-93692D0B4144} 2010-02-18 16:41:54:598-0800 1 190 101 {C8852319-F9CE-4ABC-88C1-4147BABDCCC1} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB978506) +2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {BB1F8B5A-AA6C-40C3-8377-82E38C7C565C} 2010-02-18 16:41:54:598-0800 1 190 101 {7BCAA235-DEF2-414E-9CA0-18DC03D24DF0} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB971468) +2010-02-18 16:41:59:598 360 b34 Report REPORT EVENT: {3CC2261C-D94E-4A32-82AF-2B011BD21B11} 2010-02-18 16:41:54:598-0800 1 190 101 {3D7E1949-2F56-4447-A3F1-92E14DEA38FC} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB978207) +2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {5D5E24C2-34CA-45F3-BDB8-7C8F66876DD7} 2010-02-18 16:41:54:567-0800 1 190 101 {A5767053-D87A-488E-8B61-47E4A7A9462C} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB975560) +2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {F6C05449-1E0A-4063-9F06-9512813877BA} 2010-02-18 16:41:54:567-0800 1 190 101 {F4FA9962-B4AF-4CB1-A31D-38150AEDF5DB} 104 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB978251) +2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {0C1A45B2-A1B4-4A81-AB23-80B35D796591} 2010-02-18 16:41:54:567-0800 1 190 101 {79680E7B-D9F8-4F16-B86D-2F2A9B3FC456} 102 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows Server 2008 x64 Edition (KB977165) +2010-02-18 16:41:55:192 360 b34 Report REPORT EVENT: {D5E62AF4-1D57-40E5-AFDD-256B9C44CA1E} 2010-02-18 16:41:54:552-0800 1 190 101 {D40A2EF5-550A-4853-AC31-F37F53149913} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB978262) +2010-02-18 16:26:30:574 276 570 Report REPORT EVENT: {40382407-4793-49F6-8DD1-C983F00DA540} 2010-02-18 16:22:04:290-0800 1 194 102 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Restart Required: To complete the installation of the following updates, the computer will be restarted within 15 minutes: - Security Update for Windows Server 2008 x64 Edition (KB974145) - Update for Internet Explorer 8 Compatibility View List for Windows Server 2008 x64 Edition (KB978506) - Security Update for Windows Server 2008 x64 Edition (KB971468) - Cumulative Security Update for Internet Explorer 8 for Windows Server 2008 x64 Edition (KB978207) - Security Update for Windows Server 2008 x64 Edition (KB975560) - Security Update for Windows Server 2008 x64 Edition (KB978251) - Security Update for Windows Server 2008 x64 Edition (KB977165) - Windows Malicious Software Removal Tool x64 - February 2010 (KB890830) - Cumulative Security Update for ActiveX Killbits for Windows Server 2008 x64 Edition (KB978262) +2010-02-18 16:26:30:574 276 570 Report REPORT EVENT: {F6748A4E-52EA-49D3-8742-1F19B44542C2} 2010-02-18 16:21:36:317-0800 1 190 101 {51D4C9AC-5D5F-44B9-9CAB-2408BCD7B81B} 100 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - February 2010 (KB890830) \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-windows/splunkbase.manifest b/deployment-apps/TA-microsoft-windows/splunkbase.manifest new file mode 100644 index 00000000..597954b5 --- /dev/null +++ b/deployment-apps/TA-microsoft-windows/splunkbase.manifest @@ -0,0 +1,320 @@ +{ + "version": "1.0", + "date": "2022-11-14T11:59:06.107321276Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 3228, + "version": "1.0", + "files": [ + { + "path": "README.txt", + "hash": "78adb8389991391bdfbf5ec025233929751169a85d9cba83058b4c3e16dd09e6" + }, + { + "path": "default/app.conf", + "hash": "bb96a4d5ab1732f8cfc045f288f645bccb8ccdc302de0b0d53e28d1c914c3a40" + }, + { + "path": "default/eventgen.conf", + "hash": "313180f9bc739388f9d06f235bdc9e0fb4a924e6a807616b8edad6d08212e1d2" + }, + { + "path": "default/eventtypes.conf", + "hash": "03fa3732172e90b89518bab44512fae12e658d446d9ddb698551cd50536a631b" + }, + { + "path": "default/inputs.conf.example", + "hash": "f82cb4d5f5fed83576df73e685a02b3963bc43517f336951a187e6e403a22649" + }, + { + "path": "default/props.conf", + "hash": "a59fd21926f32ac0af17312c0703471d01457b72aabf460ada8afb11f9fc24e7" + }, + { + "path": "default/tags.conf", + "hash": "faf8670fa9d885941f6013fc5dc8f24e6dcca34a8b3bb57a257da4d290a0c95c" + }, + { + "path": "default/transforms.conf", + "hash": "325b921959d1b6670f23ca8d8666eb72b8ffaacef90f0fbcb665d50923dbb8a0" + }, + { + "path": "lookups/windows_msdhcp_id.csv", + "hash": "1fc2bfb3baa0a49836c8bd5a9a6b3f96d098aa9838691e466b4f16111161a45b" + }, + { + "path": "lookups/windows_object_category.csv", + "hash": "6e1c80f7606afcb2cc09a85ca24da58eec76175471a72ae7005c92ad6a2068b9" + }, + { + "path": "lookups/windows_service_startmode.csv", + "hash": "cfe085d97dd9719a5c7b57d6f5b3c23eb69fcfa082d6caafcfd7b9832412d1ac" + }, + { + "path": "lookups/windows_service_status.csv", + "hash": "729bfed26977d92c15641b16ebc49586c030127bc09d30a135b943dd60c89344" + }, + { + "path": "lookups/windows_status.csv", + "hash": "98f62611b8ae183f3023e551b7859aa7afcfa2145d3d2dc5b25261087e04d28b" + }, + { + "path": "lookups/windows_timesync_action.csv", + "hash": "6c2102b47e3047d94147884522c587377d339fcc23b105f4c6aa0f22ea36f224" + }, + { + "path": "lookups/windows_vendor_action.csv", + "hash": "59d54f20ca8ec9c37264ee667494344fa06ad5c23e4e381b6a572ec9c1e3f18c" + }, + { + "path": "lookups/windowsupdatelog_status.csv", + "hash": "49a11187d1d05f8d9e08472f4ca005f0b8137c3e2f4cce4d35b6d5b20458e4c3" + }, + { + "path": "lookups/wineventlog_app.csv", + "hash": "cc29dbca9e0fb3c05ec19b37210791ad3fdb6fd6f812ab9204175d17ae7de098" + }, + { + "path": "lookups/wineventlog_security_signature_id.csv", + "hash": "424bc664f49392397e1c1b893c8b6226c46941803737ffbe1f86d8cbbf58df69" + }, + { + "path": "lookups/wineventlog_security_signature_sub_id.csv", + "hash": "af99d09e81745d729c037398e6951a5c8c1ad3d75d0765e5cc396c47360c05ef" + }, + { + "path": "lookups/wineventlog_sourcetype_vendor_product.csv", + "hash": "b57a46af06604f965586665b65f89580cea69ec1026e0c4d7469cb65b9dc01ab" + }, + { + "path": "lookups/wineventlog_vendor_severity_id.csv", + "hash": "41836e4c99c60ba26eb95bb13b80db53dbce94c0088b5fc6d9f3d169200af899" + }, + { + "path": "metadata/default.meta", + "hash": "339a3f925347e42129a9305ee7426ec400734ef0fb851cb19914c9eaf180a66b" + }, + { + "path": "samples/AppPopup.26.windows", + "hash": "70c8d5213b2fe32edbef3dbd55def501b141290165fde31395b7444edebbcebb" + }, + { + "path": "samples/CPUTime.perfmon", + "hash": "053efbad6d3acc332b6e56a7b705b0aa6db6fc4f2c0acdacdf17eff2674f1d19" + }, + { + "path": "samples/FreeDiskSpace.perfmon", + "hash": "8813af107b95a4d9eeb1f3edfdc925722d070aa062dbded963bcf4758ab5ed4c" + }, + { + "path": "samples/LSASRV.40961.windows", + "hash": "260f36dd25a4a86ad71075c0c9b3af99ab8c9de4f0613264c9869bcf429a0482" + }, + { + "path": "samples/LocalNetwork.perfmon", + "hash": "816a0c730e893c32b5541a006adeb252283bde9a1b5f1aaae275735da099cd72" + }, + { + "path": "samples/Memory.perfmon", + "hash": "cf4b6af4fd48f3d986ebe2f3e7b25bf05a824079e0f9f8045f5814502389f221" + }, + { + "path": "samples/SCM.7036.windows", + "hash": "b7b83911fdf57804cc8cbabdc834a992b2eca99ae1582f992149f863b0de8192" + }, + { + "path": "samples/Security.1102.windows", + "hash": "f1642973de7a946cb0cdca18045130635a04340fc4ed4dcdedd9c040049886a6" + }, + { + "path": "samples/Security.4672.windows", + "hash": "286beacd86dc1582b4858029cfeabb5a5ee8bce7ece1e2e23d552b91f37c102f" + }, + { + "path": "samples/Security.4673.windows", + "hash": "9934fb181419d9e2e295d97f7b7947d8d9d5ec5301d46eeba4891b33070701d7" + }, + { + "path": "samples/Security.4688.windows", + "hash": "9569a939a92db843b8d43c3726a64f4230f2b4b1bfc544d6f5c7930ec21d556f" + }, + { + "path": "samples/Security.4689.windows", + "hash": "341cfc42541c3a8c77f152394688fd01c03c11269eba907b42efaa84271829e5" + }, + { + "path": "samples/Security.4717.windows", + "hash": "e3d241b8702b7e87d4080269feb4f100d25f899d2dfc876bb1925654886e2a9d" + }, + { + "path": "samples/Security.4718.windows", + "hash": "2120b8ca879ccb0141245bdda1bf62d935dc5bd439c0c7103509b523fdac107e" + }, + { + "path": "samples/Security.4726.windows", + "hash": "66de6836fb51ec7adef0ed315ff8bc8f93d195962c515318a8f480d00f77d0fb" + }, + { + "path": "samples/Security.4743.windows", + "hash": "37239ddc25d3875927cdd030ad7f0132ce82b6f540cb30dde733fe0f2fa217a5" + }, + { + "path": "samples/W32Time.17.windows", + "hash": "5ccc5c79d915a23f203903f00fd85963dd6ec9a800cbf61374390f94115795af" + }, + { + "path": "samples/W32Time.29.windows", + "hash": "49e538547d47e48c9b4cfc63d496548245269a4078c39586652c257528127990" + }, + { + "path": "samples/W32Time.35.windows", + "hash": "1a747b129ad214d5173feecc1e7b948f929aa471aae7c0123df6a203a780c029" + }, + { + "path": "samples/WinHostMon-OperatingSystem", + "hash": "35e895178fc87c5f47a925479179b6dd9bf16989b29d351f37f94d2fbe8e6f41" + }, + { + "path": "samples/WinHostMon-Processor", + "hash": "8637250f72637ea1b8ca090da63e4dd5aca4b5a67dba459913ad2d49ab1fc2a8" + }, + { + "path": "samples/WindowsUpdateClient.19.windows", + "hash": "d7235bdb690dd16c521a5358cc19865ef9ff0f47b183fc1de9a582e54111cfbc" + }, + { + "path": "samples/XmlSecurity.4608.windows.xml", + "hash": "dcf929d3d9fd81e21fccd19d1162a374fd64e27e1b1d0017a2a0d6ad20661915" + }, + { + "path": "samples/XmlSecurity.4616.windows.xml", + "hash": "56a93755306532b4f70955ec9aabc1b575df95729789e8051a82f4d0847bcf01" + }, + { + "path": "samples/XmlSecurity.4624.windows.xml", + "hash": "51bbfd2b257eeab6ce0c0e772a8b33561a11721e0e7b6a585ac434d68edd19c7" + }, + { + "path": "samples/XmlSecurity.4625.windows.xml", + "hash": "5f858bf803b721cf9353392e530a2db452c7687a221675d958bfb87c4e3d240f" + }, + { + "path": "samples/XmlSecurity.4634.windows.xml", + "hash": "17f452534e056ae6249eae40fd472a2915e839eaeda4fdc32df8e4a1ee7f2fd9" + }, + { + "path": "samples/XmlSecurity.4647.windows.xml", + "hash": "4a7db02076f286f7d7224e3d8daba28d27bf2178923dc349d8b072d685bf267b" + }, + { + "path": "samples/XmlSecurity.4648.windows.xml", + "hash": "22c24df61a30bc5945da817f756d55c0a40481abdf3d96b6323b47cae64c1071" + }, + { + "path": "samples/XmlSecurity.4672.windows.xml", + "hash": "7ae4a61bd4671ce380476e6b4d82edd6e47dc36713715b15a1aa8ea2005423f9" + }, + { + "path": "samples/XmlSecurity.4720.windows.xml", + "hash": "39b73be3aa4ed536ed2bc0d75c9fa1f33472b70f86baab963a04ee76ce051047" + }, + { + "path": "samples/XmlSecurity.4722.windows.xml", + "hash": "1acdd2df3aeeb60f42488e2753bceaa2fa83c64e63431c0447fd42a6f167e9c2" + }, + { + "path": "samples/XmlSecurity.4724.windows.xml", + "hash": "0433a5aea1ff3b6d6851c6b6eaed9d55bad03528c6d445c43ac74eddf65bec6c" + }, + { + "path": "samples/XmlSecurity.4728.windows.xml", + "hash": "256275198e67afc593e40b2310e135c80c65518c99d144fca0b0115de06428c8" + }, + { + "path": "samples/XmlSecurity.4732.windows.xml", + "hash": "62edccf12ef5fbdfc33705af33802c5a8a31e8d5cd5117f9a0a9854366eb603c" + }, + { + "path": "samples/XmlSecurity.4735.windows.xml", + "hash": "526dffc3d8ae22d677869b675fed42abc81129b103061bacee2850bf2f0c9b7c" + }, + { + "path": "samples/XmlSecurity.4738.windows.xml", + "hash": "5361837ce56b4858e673c1bf93308aa0372b2d2bf4bd8b5b112ee4a8bfb7bfc4" + }, + { + "path": "samples/XmlSecurity.4776.windows.xml", + "hash": "35f2ccc218105821de506274f674f132b6d0c87b6ab6828a24929de7f94144a8" + }, + { + "path": "samples/XmlSecurity.4781.windows.xml", + "hash": "57d163f8f4d29492643e400c171cb851d223d95dac5ac0acd40e104ccb1d6e55" + }, + { + "path": "samples/XmlSecurity.4797.windows.xml", + "hash": "004f220c437194a2043fd884d6d53b8feb96f089764c98153a87b04d32f7a24b" + }, + { + "path": "samples/XmlSecurity.4902.windows.xml", + "hash": "3da56e945ab738f81df630bb96c4cf0f6e1506e10a1127882de12f42b454ebc9" + }, + { + "path": "samples/XmlSecurity.4907.windows.xml", + "hash": "4547d6ae9303fbe2c3d64c5bae8106101c07eaf57d9449afcef54081bb37e051" + }, + { + "path": "samples/XmlSystem.update_ready.xml", + "hash": "31b7abcd7183328d7a3ba287a22bbc577489c061848ec8102c0bf37cfafe46bb" + }, + { + "path": "samples/XmlSystem.update_success.xml", + "hash": "4089d7fe41b329c85957080fd27d9e9b6a967ada4a5f0c9860279e53af7226f9" + }, + { + "path": "samples/audit_types.list", + "hash": "4b80d07cb0ba034ab90e670498f171af1dc4d0e6edbca93a70a43da8d97f3143" + }, + { + "path": "samples/sample.DhcpSrvLog", + "hash": "7d57e2987235c9966aa738e7d5bfc31ed713b33d8e6dd74af346337aafe47bb8" + }, + { + "path": "samples/sample.win_installed_apps", + "hash": "bc6c82176c18b1c4d4d1ce52270fcf061e83dd95518a3cf0555ec0395d5f85ad" + }, + { + "path": "samples/sample.win_listening_ports", + "hash": "fee5d98d7f4b515f57e951a36e0352685bda666349966e7150e33593c34c1373" + }, + { + "path": "samples/sample.winregistry", + "hash": "9c964b50c6bc615e514f92ee8d28129a2e5fd1dcb7e3d89152316c94c85e2e57" + }, + { + "path": "samples/server2k8.WindowsUpdateLog", + "hash": "ff57295beec95936a315a1ee17b9f01785b56d1c08e9d6925d3a7c2bb448892e" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [ + "7.0", + "7.1" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file