@ -1,6 +0,0 @@
|
|||||||
[user_account_control_property]
|
|
||||||
python.version = {default|python|python2|python3}
|
|
||||||
* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
|
|
||||||
* Either "default" or "python" select the system-wide default Python version.
|
|
||||||
* Optional.
|
|
||||||
* Default: not set; uses the system-wide Python version.
|
|
||||||
@ -1,61 +0,0 @@
|
|||||||
================================================================================
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
Third-Party Software for splunk-add-on-for-microsoft-windows
|
|
||||||
|
|
||||||
--------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-microsoft-windows. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
|
|
||||||
|
|
||||||
Date generated: 2023-8-2
|
|
||||||
|
|
||||||
Revision ID: c9bc8d87d1c4dbd6a12e48965c4ccce720073fbb
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
Declared License
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
No declared license found for splunk-add-on-for-microsoft-windows
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
First Party Licenses
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
No licenses found
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
Dependencies
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
License
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
|
|
||||||
--------------------------------------------------------------------------------
|
|
||||||
--------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
Report Generated by FOSSA on 2023-8-2
|
|
||||||
@ -1,2 +0,0 @@
|
|||||||
8.8.0
|
|
||||||
8.8.0
|
|
||||||
@ -1,75 +0,0 @@
|
|||||||
{
|
|
||||||
"dependencies": null,
|
|
||||||
"incompatibleApps": {
|
|
||||||
"Splunk_TA_microsoft_ad": "<=1.0.0",
|
|
||||||
"Splunk_TA_microsoft_dns": "<=1.0.1"
|
|
||||||
},
|
|
||||||
"info": {
|
|
||||||
"author": [
|
|
||||||
{
|
|
||||||
"name": "Splunk, Inc.",
|
|
||||||
"email": null,
|
|
||||||
"company": null
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"classification": {
|
|
||||||
"categories": [
|
|
||||||
"IT Operations",
|
|
||||||
"Utilities",
|
|
||||||
"Security, Fraud & Compliance"
|
|
||||||
],
|
|
||||||
"developmentStatus": "Production/Stable",
|
|
||||||
"intendedAudience": "IT Professionals"
|
|
||||||
},
|
|
||||||
"commonInformationModels": {
|
|
||||||
"Application_State": "==4.15.0",
|
|
||||||
"Authentication": "==4.18.0",
|
|
||||||
"Change": "==4.18.0",
|
|
||||||
"Change_Analysis": "==4.15.0",
|
|
||||||
"Compute_Inventory": "==4.15.0",
|
|
||||||
"Endpoint": "==4.18.0",
|
|
||||||
"Event_Signatures": "==4.18.0",
|
|
||||||
"Network_Sessions": "==4.15.0",
|
|
||||||
"Performance": "==4.15.0",
|
|
||||||
"Updates": "==4.15.0",
|
|
||||||
"Vulnerabilities": "==4.15.0"
|
|
||||||
},
|
|
||||||
"description": "Splunk Add-on for Microsoft Windows",
|
|
||||||
"id": {
|
|
||||||
"group": null,
|
|
||||||
"name": "Splunk_TA_windows",
|
|
||||||
"version": "8.8.0"
|
|
||||||
},
|
|
||||||
"license": {
|
|
||||||
"name": null,
|
|
||||||
"text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
|
|
||||||
"uri": null
|
|
||||||
},
|
|
||||||
"privacyPolicy": {
|
|
||||||
"name": null,
|
|
||||||
"text": null,
|
|
||||||
"uri": null
|
|
||||||
},
|
|
||||||
"releaseDate": null,
|
|
||||||
"releaseNotes": {
|
|
||||||
"name": "README",
|
|
||||||
"text": "./README.txt",
|
|
||||||
"uri": "http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes"
|
|
||||||
},
|
|
||||||
"title": "Splunk Add-on for Microsoft Windows"
|
|
||||||
},
|
|
||||||
"inputGroups": null,
|
|
||||||
"platformRequirements": null,
|
|
||||||
"schemaVersion": "2.0.0",
|
|
||||||
"supportedDeployments": [
|
|
||||||
"_standalone",
|
|
||||||
"_distributed",
|
|
||||||
"_search_head_clustering"
|
|
||||||
],
|
|
||||||
"targetWorkloads": [
|
|
||||||
"_search_heads",
|
|
||||||
"_forwarders",
|
|
||||||
"_indexers"
|
|
||||||
],
|
|
||||||
"tasks": null
|
|
||||||
}
|
|
||||||
|
Before Width: | Height: | Size: 3.3 KiB |
|
Before Width: | Height: | Size: 4.7 KiB |
@ -1,89 +0,0 @@
|
|||||||
<#
|
|
||||||
.SYNOPSIS
|
|
||||||
& .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
|
|
||||||
|
|
||||||
.DESCRIPTION
|
|
||||||
Outputs additional Splunk events related to the running and
|
|
||||||
errors in the script.
|
|
||||||
#>
|
|
||||||
[CmdletBinding()]
|
|
||||||
param(
|
|
||||||
#Command to execute.
|
|
||||||
[Parameter(Position=0, Mandatory=$true)]
|
|
||||||
[ValidateNotNullOrEmpty()]
|
|
||||||
[string] $Command,
|
|
||||||
|
|
||||||
# Splunk Sourcetype Prefix for generated events
|
|
||||||
[Parameter()]
|
|
||||||
[ValidateNotNull()]
|
|
||||||
[string] $SourceTypePrefix="Powershell:",
|
|
||||||
|
|
||||||
# Maximum number of errors to convert into events
|
|
||||||
[Parameter()]
|
|
||||||
[ValidateRange(0, 100)]
|
|
||||||
[int] $MaxErrorCount
|
|
||||||
)
|
|
||||||
|
|
||||||
$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
|
|
||||||
[ordered]@{
|
|
||||||
SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
|
|
||||||
Identity=[guid]::NewGuid().ToString();
|
|
||||||
InvocationLine=$MyInvocation.Line;
|
|
||||||
TerminatingError=$false; ErrorCount=0; Elapsed=""
|
|
||||||
})
|
|
||||||
$originalLocation = Get-Location
|
|
||||||
|
|
||||||
try
|
|
||||||
{
|
|
||||||
Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
|
|
||||||
$ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
|
|
||||||
$Error.Clear()
|
|
||||||
Invoke-Expression $Command
|
|
||||||
}
|
|
||||||
catch
|
|
||||||
{
|
|
||||||
$WrappedScriptExecutionSummary.TerminatingError = $true;
|
|
||||||
}
|
|
||||||
finally
|
|
||||||
{
|
|
||||||
Set-Location $originalLocation
|
|
||||||
$WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
|
|
||||||
$WrappedScriptExecutionSummary.ErrorCount = $Error.Count
|
|
||||||
|
|
||||||
if ($Error.Count -gt 0) {
|
|
||||||
$ei = $Error.Count - 1
|
|
||||||
if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
|
|
||||||
if ($MaxErrorCount -lt $Error.Count) {
|
|
||||||
$ei = $MaxErrorCount - 1
|
|
||||||
}
|
|
||||||
# Always emit terminating errors
|
|
||||||
if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
|
|
||||||
$ei = 1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for(; $ei -ge 0; $ei--) {
|
|
||||||
$errorRecord = New-Object -TypeName PSObject -Property (
|
|
||||||
[ordered]@{
|
|
||||||
SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
|
|
||||||
ParentIdentity=$WrappedScriptExecutionSummary.Identity;
|
|
||||||
ErrorIndex=$ei;
|
|
||||||
ErrorMessage=$Error[$ei].ToString();
|
|
||||||
PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
|
|
||||||
CategoryInfo=$Error[$ei].CategoryInfo.ToString();
|
|
||||||
FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
|
|
||||||
})
|
|
||||||
|
|
||||||
if ($Error[$ei].Exception -ne $null) {
|
|
||||||
Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
|
|
||||||
if ($Error[$ei].Exception.InnerException -ne $null) {
|
|
||||||
Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Output $errorRecord
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
Write-Output $WrappedScriptExecutionSummary
|
|
||||||
}
|
|
||||||
@ -1,120 +0,0 @@
|
|||||||
#
|
|
||||||
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
#
|
|
||||||
#
|
|
||||||
import logging
|
|
||||||
import logging.handlers as handlers
|
|
||||||
import os
|
|
||||||
import os.path as op
|
|
||||||
import time
|
|
||||||
|
|
||||||
try:
|
|
||||||
from splunk.clilib.bundle_paths import make_splunkhome_path
|
|
||||||
except ImportError:
|
|
||||||
from splunk.appserver.mrsparkle.lib.util import make_splunkhome_path
|
|
||||||
|
|
||||||
logging.Formatter.converter = time.gmtime
|
|
||||||
|
|
||||||
__LOG_FORMAT__ = (
|
|
||||||
"%(asctime)s +0000 log_level=%(levelname)s, pid=%(process)d, "
|
|
||||||
"tid=%(threadName)s, file=%(filename)s, "
|
|
||||||
"func_name=%(funcName)s, code_line_no=%(lineno)d | %(message)s"
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
class Log(object):
|
|
||||||
def __init__(self, namespace=None, default_level=logging.INFO):
|
|
||||||
self._loggers = {}
|
|
||||||
self._default_level = default_level
|
|
||||||
if namespace is None:
|
|
||||||
namespace = self._get_appname_from_path(op.abspath(__file__))
|
|
||||||
|
|
||||||
if namespace:
|
|
||||||
namespace = namespace.lower()
|
|
||||||
self._namespace = namespace
|
|
||||||
|
|
||||||
def get_logger(self, name, level=None, maxBytes=25000000, backupCount=5):
|
|
||||||
"""
|
|
||||||
Set up a default logger.
|
|
||||||
|
|
||||||
:param name: The log file name.
|
|
||||||
:param level: The logging level.
|
|
||||||
:param maxBytes: The maximum log file size before rollover.
|
|
||||||
:param backupCount: The number of log files to retain.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Strip ".py" from the log file name if auto-generated by a script.
|
|
||||||
if level is None:
|
|
||||||
level = self._default_level
|
|
||||||
|
|
||||||
name = self._get_log_name(name)
|
|
||||||
if name in self._loggers:
|
|
||||||
return self._loggers[name]
|
|
||||||
|
|
||||||
logger = logging.getLogger(name)
|
|
||||||
|
|
||||||
logfile = make_splunkhome_path(["var", "log", "splunk", name])
|
|
||||||
handler_exists = any(
|
|
||||||
[True for h in logger.handlers if h.baseFilename == logfile]
|
|
||||||
)
|
|
||||||
if not handler_exists:
|
|
||||||
file_handler = handlers.RotatingFileHandler(
|
|
||||||
logfile, mode="a", maxBytes=maxBytes, backupCount=backupCount
|
|
||||||
)
|
|
||||||
formatter = logging.Formatter(__LOG_FORMAT__)
|
|
||||||
file_handler.setFormatter(formatter)
|
|
||||||
logger.addHandler(file_handler)
|
|
||||||
logger.setLevel(level)
|
|
||||||
logger.propagate = False
|
|
||||||
|
|
||||||
self._loggers[name] = logger
|
|
||||||
return logger
|
|
||||||
|
|
||||||
def set_level(self, level, name=None):
|
|
||||||
"""
|
|
||||||
Change the log level of the logging
|
|
||||||
|
|
||||||
:param level: the level of the logging to be setLevel
|
|
||||||
:param name: the name of the logging to set, in case it is not set,
|
|
||||||
all the loggers will be affected
|
|
||||||
"""
|
|
||||||
|
|
||||||
if name is not None:
|
|
||||||
name = self._get_log_name(name)
|
|
||||||
logger = self._loggers.get(name)
|
|
||||||
if logger is not None:
|
|
||||||
logger.setLevel(level)
|
|
||||||
else:
|
|
||||||
self._default_level = level
|
|
||||||
for logger in self._loggers.values():
|
|
||||||
logger.setLevel(level)
|
|
||||||
|
|
||||||
def _get_log_name(self, name):
|
|
||||||
if name.endswith(".py"):
|
|
||||||
name = name.replace(".py", "")
|
|
||||||
|
|
||||||
if self._namespace:
|
|
||||||
name = "{}_{}.log".format(self._namespace, name)
|
|
||||||
else:
|
|
||||||
name = "{}.log".format(name)
|
|
||||||
return name
|
|
||||||
|
|
||||||
def _get_appname_from_path(self, absolute_path):
|
|
||||||
absolute_path = op.normpath(absolute_path)
|
|
||||||
parts = absolute_path.split(os.path.sep)
|
|
||||||
parts.reverse()
|
|
||||||
for key in ("apps", "slave-apps", "master-apps"):
|
|
||||||
try: # nosemgrep: gitlab.bandit.B112
|
|
||||||
idx = parts.index(key)
|
|
||||||
except ValueError:
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
try: # nosemgrep: gitlab.bandit.B110
|
|
||||||
if parts[idx + 1] == "etc":
|
|
||||||
return parts[idx - 1]
|
|
||||||
except IndexError:
|
|
||||||
pass
|
|
||||||
continue
|
|
||||||
# return None
|
|
||||||
return "-"
|
|
||||||
@ -1,5 +0,0 @@
|
|||||||
@echo off
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
netsh interface ip show address
|
|
||||||
@ -1,58 +0,0 @@
|
|||||||
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
|
|
||||||
$DomainController = Get-ADDomainController -Identity $ServerName
|
|
||||||
$Domain = Get-ADDomain -Identity $DomainController.Domain
|
|
||||||
$Forest = Get-ADForest -Identity $DomainController.Forest
|
|
||||||
$ReplicationSite = Get-ADReplicationSite -Identity $DomainController.Site
|
|
||||||
$Computer = Get-ADComputer -Identity $ServerName -Properties *
|
|
||||||
$RootDSE = Get-ADRootDSE -Server $ServerName
|
|
||||||
$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
|
|
||||||
|
|
||||||
$ISTG = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
|
|
||||||
$SYSVOL = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
|
|
||||||
Try {
|
|
||||||
$DnsRegister = [System.Net.Dns]::GetHostByName($DomainController.HostName)
|
|
||||||
} Catch {
|
|
||||||
# The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
|
|
||||||
}
|
|
||||||
$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
|
|
||||||
-SearchBase $RootDSE.schemaNamingContext
|
|
||||||
$DCWeight = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
|
|
||||||
if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
|
|
||||||
$DCWeight = 100
|
|
||||||
}
|
|
||||||
$FSMORoles = ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
|
|
||||||
|
|
||||||
$SvcRunning = @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
|
|
||||||
$SvcStopped = @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
|
|
||||||
$ProcsOK = (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
|
|
||||||
|
|
||||||
New-Object PSObject -Property @{
|
|
||||||
Server = $DomainController.Name
|
|
||||||
DomainDNSName = $DomainController.Domain
|
|
||||||
DomainNetBIOSName = $Domain.NetBIOSName
|
|
||||||
DomainLevel = $Domain.DomainMode
|
|
||||||
Site = $DomainController.Site
|
|
||||||
ForestName = $DomainController.Forest
|
|
||||||
ForestLevel = $Forest.ForestMode
|
|
||||||
Created = $Computer.whenCreated
|
|
||||||
Changed = $Computer.whenChanged
|
|
||||||
GlobalCatalog = $DomainController.IsGlobalCatalog
|
|
||||||
RODC = $DomainController.IsReadOnly
|
|
||||||
Enabled = $DomainController.Enabled
|
|
||||||
HighestUSN = $RootDSE.highestCommittedUSN
|
|
||||||
SchemaVersion = $SchemaVersion.objectVersion
|
|
||||||
DCWeight = $DCWeight
|
|
||||||
IsIntersiteTopologyGenerator = $ISTG
|
|
||||||
OperatingSystem = $DomainController.OperatingSystem
|
|
||||||
ServicePack = $DomainController.OperatingSystemServicePack
|
|
||||||
OSVersion = $DomainController.OperatingSystemVersion
|
|
||||||
FSMORoles = $FSMORoles -join " "
|
|
||||||
ServicesRunning = $SvcRunning -join ","
|
|
||||||
ServicesNotRunning = $SvcStopped -join ","
|
|
||||||
ProcsOK = $ProcsOK
|
|
||||||
SYSVOLShare = ($SYSVOL -ne $null)
|
|
||||||
DNSRegister = ($DnsRegister -ne $null)
|
|
||||||
}
|
|
||||||
@ -1,17 +0,0 @@
|
|||||||
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
|
|
||||||
|
|
||||||
Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
|
|
||||||
$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
|
|
||||||
-SearchScope Base -Properties dNSHostName
|
|
||||||
|
|
||||||
New-Object PSObject -Property @{
|
|
||||||
LastAttemptedSync = $_.LastReplicationAttempt
|
|
||||||
LastSuccessfulSync = $_.LastReplicationSuccess
|
|
||||||
type = "ReplicationEvent"
|
|
||||||
usn = $_.LastChangeUsn
|
|
||||||
src_host = $src_host.dNSHostName
|
|
||||||
Result = $_.LastReplicationResult
|
|
||||||
transport = $_.IntersiteTransportType
|
|
||||||
naming_context = $_.Partition
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@ -1,74 +0,0 @@
|
|||||||
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
|
|
||||||
#
|
|
||||||
# Get the Information about this site
|
|
||||||
#
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
|
|
||||||
$DC = Get-ADDomainController -Identity $ServerName
|
|
||||||
$Site = Get-ADReplicationSite -Identity $DC.Site
|
|
||||||
$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
|
|
||||||
-SearchBase $Site.DistinguishedName
|
|
||||||
|
|
||||||
$Location = if ($Object.location -eq $null) { "" } else { $Object.location }
|
|
||||||
$ISTG = Get-ADDomainController -Filter `
|
|
||||||
'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
|
|
||||||
$SiteLinks = Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
|
|
||||||
$AdjacentSites = ($SiteLinks | Select -Expand SitesIncluded | `
|
|
||||||
Where-Object { $_ -ne $Site.DistinguishedName } | `
|
|
||||||
Sort-Object | Get-Unique | `
|
|
||||||
Foreach-Object { Get-ADReplicationSite $_ } )
|
|
||||||
$Subnets = Get-ADReplicationSubnet -Filter 'Site -eq $Site'
|
|
||||||
|
|
||||||
########################################################################
|
|
||||||
#
|
|
||||||
# SITE
|
|
||||||
#
|
|
||||||
$SiteInfo = @(
|
|
||||||
"Type=`"Site`""
|
|
||||||
"ForestName=`"$($DC.Forest)`""
|
|
||||||
"Site=`"$($Object.CN)`""
|
|
||||||
"Location=`"$Location`""
|
|
||||||
"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
|
|
||||||
)
|
|
||||||
$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
|
|
||||||
$SiteLinks | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
|
|
||||||
$Subnets | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
|
|
||||||
Write-Output ($SiteInfo -join " ")
|
|
||||||
#
|
|
||||||
########################################################################
|
|
||||||
#
|
|
||||||
# SITELINK
|
|
||||||
#
|
|
||||||
$SiteLinks | %{
|
|
||||||
# These values are not stored in the object unless you change them
|
|
||||||
$cost = if ($_.Cost -eq $null) { 100 } else { $_.Cost }
|
|
||||||
$options = if ($_.options -eq $null) { 0 } else { $_.options }
|
|
||||||
$replInterval = if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
|
|
||||||
$notifications = if ($options -band 0x01) { "True" } else { "False" }
|
|
||||||
$reciprocal = if ($options -band 0x02) { "True" } else { "False" }
|
|
||||||
$compression = if ($options -band 0x04) { "False" } else { "True" }
|
|
||||||
|
|
||||||
$SiteLink = @(
|
|
||||||
"Type=`"SiteLink`""
|
|
||||||
"ForestName=`"$($DC.Forest)`""
|
|
||||||
"Name=`"$($_.Name)`""
|
|
||||||
"Cost=`"$($_.Cost)`""
|
|
||||||
"DataCompressionEnabled=$compression"
|
|
||||||
"NotificationEnabled=$notifications"
|
|
||||||
"ReciprocalReplicationEnabled=$reciprocal"
|
|
||||||
"TransportType=$($_.InterSiteTransportProtocol)"
|
|
||||||
"ReplicationIntervalSecs=$replInterval"
|
|
||||||
)
|
|
||||||
Write-Output ($SiteLink -join " ")
|
|
||||||
}
|
|
||||||
|
|
||||||
$Subnets | Foreach-Object {
|
|
||||||
$Subnet = @(
|
|
||||||
"Type=`"Subnet`""
|
|
||||||
"ForestName=`"$($DC.Forest)`""
|
|
||||||
"Name=`"$($_.Name)`""
|
|
||||||
"Site=`"$($Site.Name)`""
|
|
||||||
"Location=`"$($_.Location)`""
|
|
||||||
)
|
|
||||||
Write-Output ($Subnet -join " ")
|
|
||||||
}
|
|
||||||
@ -1,114 +0,0 @@
|
|||||||
#
|
|
||||||
# Determine the health and statistics of this Microsoft DNS Server
|
|
||||||
#
|
|
||||||
$Output = New-Object System.Collections.ArrayList
|
|
||||||
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
|
|
||||||
write-host -NoNewline ""$Date
|
|
||||||
|
|
||||||
# Name of Server
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
write-host -NoNewline ""Server=`"$ServerName`"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Windows Version and Build #
|
|
||||||
#
|
|
||||||
$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
|
|
||||||
$OS = $WindowsInfo.GetValue("ProductName")
|
|
||||||
$OSSP = $WindowsInfo.GetValue("CSDVersion")
|
|
||||||
$WinVer = $WindowsInfo.GetValue("CurrentVersion")
|
|
||||||
$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
|
|
||||||
$OSVER = "$WinVer ($WinBuild)"
|
|
||||||
|
|
||||||
write-host -NoNewline ""OperatingSystem=`"$OS`"
|
|
||||||
write-host -NoNewline ""ServicePack=`"$OSSP`"
|
|
||||||
write-host -NoNewline ""OSVersion=`"$OSVER`"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Required Processes Running
|
|
||||||
# DNS Dnscache w32time
|
|
||||||
#
|
|
||||||
$RequiredServices = @( "DNS", "Dnscache", "w32time" )
|
|
||||||
$srvr = @()
|
|
||||||
$srvnr = @()
|
|
||||||
foreach ($srv in $RequiredServices) {
|
|
||||||
$status = (Get-Service $srv).Status
|
|
||||||
if ($status -eq "Running") {
|
|
||||||
$srvr += $srv
|
|
||||||
} else {
|
|
||||||
$srvnr += $srv
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$ProcsOK = "False"
|
|
||||||
if ($srvnr.Count -eq 0) {
|
|
||||||
$ProcsOK = "True"
|
|
||||||
}
|
|
||||||
|
|
||||||
$ServicesRunning = [string]::join(',', $srvr)
|
|
||||||
$ServicesNotRunning = [string]::join(',', $srvnr)
|
|
||||||
write-host -NoNewline ""ServicesRunning=`"$ServicesRunning`" ServicesNotRunning=`"$ServicesNotRunning`" ProcsOK=`"$ProcsOK`"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Settings for this DNS Server
|
|
||||||
#
|
|
||||||
$dnsInfo = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $ServerName
|
|
||||||
|
|
||||||
# See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682725(v=vs.85).aspx for details
|
|
||||||
write-host -NoNewline "" Name=`"$($dnsInfo.Name)`"
|
|
||||||
write-host -NoNewline "" Version=`"$($dnsInfo.Version)`"
|
|
||||||
write-host -NoNewline "" LogLevel=`"$($dnsInfo.LogLevel)`"
|
|
||||||
write-host -NoNewline "" LogFilePath=`"$($dnsInfo.LogFilePath)`"
|
|
||||||
write-host -NoNewline "" LogFileMaxSize=`"$($dnsInfo.LogFileMaxSize)`"
|
|
||||||
write-host -NoNewline "" LogIPFilterList=`"$($dnsInfo.LogIPFilterList)`"
|
|
||||||
write-host -NoNewline "" EventLogLevel=`"$($dnsInfo.EventLogLevel)`"
|
|
||||||
write-host -NoNewline "" RpcProtocol=`"$($dnsInfo.RpcProtocol)`"
|
|
||||||
write-host -NoNewline "" NameCheckFlag=`"$NameCheckFlag`"
|
|
||||||
write-host -NoNewline "" AddressAnswerLimit=`"$($dnsInfo.AddressAnswerLimit)`"
|
|
||||||
write-host -NoNewline "" RecursionRetry=`"$($dnsInfo.RecursionRetry)`"
|
|
||||||
write-host -NoNewline "" RecursionTimeout=`"$($dnsInfo.RecursionTimeout)`"
|
|
||||||
write-host -NoNewline "" DsPollingInterval=`"$($dnsInfo.DsPollingInterval)`"
|
|
||||||
write-host -NoNewline "" DsTombstoneInteval=`"$($dnsInfo.DsTombstoneInteval)`"
|
|
||||||
write-host -NoNewline "" MaxCacheTTL=`"$($dnsInfo.MaxCacheTTL)`"
|
|
||||||
write-host -NoNewline "" MaxNegativeCacheTTL=`"$($dnsInfo.MaxNegativeCacheTTL)`"
|
|
||||||
write-host -NoNewline "" SendPort=`"$($dnsInfo.SendPort)`"
|
|
||||||
write-host -NoNewline "" XfrConnectTimeout=`"$($dnsInfo.XfrConnectTimeout)`"
|
|
||||||
write-host -NoNewline "" BootMethod=`"$($dnsInfo.BootMethod)`"
|
|
||||||
write-host -NoNewline "" AllowUpdate=`"$($dnsInfo.AllowUpdate)`"
|
|
||||||
write-host -NoNewline "" UpdateOptions=`"$($dnsInfo.UpdateOptions)`"
|
|
||||||
write-host -NoNewline "" DsAvailable=`"$($dnsInfo.DsAvailable)`"
|
|
||||||
write-host -NoNewline "" DisableAutoReverseZones=`"$($dnsInfo.DisableAutoReverseZones)`"
|
|
||||||
write-host -NoNewline "" AutoCacheUpdate=`"$($dnsInfo.AutoCacheUpdate)`"
|
|
||||||
write-host -NoNewline "" NoRecursion=`"$($dnsInfo.NoRecursion)`"
|
|
||||||
write-host -NoNewline "" RoundRobin=`"$($dnsInfo.RoundRobin)`"
|
|
||||||
write-host -NoNewline "" LocalNetPriority=`"$($dnsInfo.LocalNetPriority)`"
|
|
||||||
write-host -NoNewline "" StrictFileParsing=`"$($dnsInfo.StrictFileParsing)`"
|
|
||||||
write-host -NoNewline "" LooseWildcarding=`"$($dnsInfo.LooseWildcarding)`"
|
|
||||||
write-host -NoNewline "" BindSecondaries=`"$($dnsInfo.BindSecondaries)`"
|
|
||||||
write-host -NoNewline "" WriteAuthorityNS=`"$($dnsInfo.WriteAuthorityNS)`"
|
|
||||||
write-host -NoNewline "" ForwardDelegations=`"$($dnsInfo.ForwardDelegations)`"
|
|
||||||
write-host -NoNewline "" SecureResponses=`"$($dnsInfo.SecureResponses)`"
|
|
||||||
write-host -NoNewline "" DisjointNets=`"$($dnsInfo.DisjointNets)`"
|
|
||||||
write-host -NoNewline "" AutoConfigFileZones=`"$($dnsInfo.AutoConfigFileZones)`"
|
|
||||||
write-host -NoNewline "" ScavengingInterval=`"$($dnsInfo.ScavengingInterval)`"
|
|
||||||
write-host -NoNewline "" DefaultRefreshInterval=`"$($dnsInfo.DefaultRefreshInterval)`"
|
|
||||||
write-host -NoNewline "" DefaultNoRefreshInterval=`"$($dnsInfo.DefaultNoRefreshInterval)`"
|
|
||||||
write-host -NoNewline "" DefaultAgingState=`"$($dnsInfo.DefaultAgingState)`"
|
|
||||||
write-host -NoNewline "" EDnsCacheTimeout=`"$($dnsInfo.EDnsCacheTimeout)`"
|
|
||||||
write-host -NoNewline "" EnableEDnsProbes=`"$($dnsInfo.EnableEDnsProbes)`"
|
|
||||||
write-host -NoNewline "" EnableDnsSec=`"$($dnsInfo.EnableDnsSec)`"
|
|
||||||
write-host -NoNewline "" ForwardingTimeout=`"$($dnsInfo.ForwardingTimeout)`"
|
|
||||||
write-host -NoNewline "" IsSlave=`"$($dnsInfo.IsSlave)`"
|
|
||||||
write-host -NoNewline "" EnableDirectoryPartitions=`"$($dnsInfo.EnableDirectoryPartitions)`"
|
|
||||||
write-host -NoNewline "" Started=`"$($dnsInfo.Started)`"
|
|
||||||
write-host -NoNewline "" StartMode=`"$($dnsInfo.StartMode)`"
|
|
||||||
write-host -NoNewline "" Status=`"$($dnsInfo.Status)`"
|
|
||||||
|
|
||||||
foreach ($ip in $dnsInfo.Forwarders) {
|
|
||||||
write-host -NoNewline "" Forwarder=`"$ip`"
|
|
||||||
}
|
|
||||||
foreach ($ip in $dnsInfo.ServerAddresses) {
|
|
||||||
write-host -NoNewline "" ServerAddress=`"$ip`"
|
|
||||||
}
|
|
||||||
foreach ($ip in $dnsInfo.ListenAddresses) {
|
|
||||||
write-host "" ListenAddress=`"$ip`"
|
|
||||||
}
|
|
||||||
@ -1,79 +0,0 @@
|
|||||||
#
|
|
||||||
# DNS Zone Information
|
|
||||||
#
|
|
||||||
function Get-WmiCount($a) {
|
|
||||||
if ($a -eq $Null) {
|
|
||||||
$cnt = 0
|
|
||||||
} elseif ($a.GetType().Name -eq "ManagementObject") {
|
|
||||||
$cnt = 1
|
|
||||||
} else {
|
|
||||||
$cnt = $a.Length
|
|
||||||
}
|
|
||||||
|
|
||||||
$cnt
|
|
||||||
}
|
|
||||||
|
|
||||||
function Output-Zoneinfo($Zone) {
|
|
||||||
#$Output = New-Object System.Collections.ArrayList
|
|
||||||
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
|
|
||||||
write-host -NoNewline $Date Zone=`"$($Zone.Name)`" Aging=`"$($Zone.Aging)`" AllowUpdate=`"$($Zone.AllowUpdate)`" AutoCreated=`"$($Zone.AutoCreated)`" AvailForScavengeTime=`"$($Zone.AvailForScavengeTime)`" Caption=`"$($Zone.Caption)`" ContainerName=`"$($Zone.ContainerName)`" DataFile=`"$($Zone.DataFile)`" DnsServerName=`"$($Zone.DnsServerName)`" DsIntegrated=`"$($Zone.DsIntegrated)`" ForwarderSlave=`"$($Zone.ForwarderSlave)`" ForwarderTimeout=`"$($Zone.ForwarderTimeout)`" LastSuccessfulSoaCheck=`"$($Zone.LastSuccessfulSoaCheck)`" LastSuccessfulXfr=`"$($Zone.LastSuccessfulXfr)`" NoRefreshInterval=`"$($Zone.NoRefreshInterval)`" Notify=`"$($Zone.Notify)`" Paused=`"$($Zone.Paused)`" RefreshInterval=`"$($Zone.RefreshInterval)`" Reverse=`"$($Zone.Reverse)`" SecureSecondaries=`"$($Zone.SecureSecondaries)`" Shutdown=`"$($Zone.Shutdown)`" Status=`"$($Zone.Status)`" UseWins=`"$($Zone.UseWins)`" ZoneType=`"$($Zone.ZoneType)`"
|
|
||||||
|
|
||||||
# Some information on the zone itself - # record by type and total
|
|
||||||
$ZoneName = $Zone.Name
|
|
||||||
|
|
||||||
$SOA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SOAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$SOAlen = Get-WmiCount($SOA)
|
|
||||||
write-host -NoNewline ""SOA=$SOAlen
|
|
||||||
|
|
||||||
$NS = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_NSType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$NSlen = Get-WmiCount($NS)
|
|
||||||
write-host -NoNewline ""NS=$NSlen
|
|
||||||
|
|
||||||
$A = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$Alen = Get-WmiCount($A)
|
|
||||||
write-host -NoNewline ""A=$Alen
|
|
||||||
|
|
||||||
$AAAA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AAAAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$AAAAlen = Get-WmiCount($AAAA)
|
|
||||||
write-host -NoNewline ""AAAA=$AAAAlen
|
|
||||||
|
|
||||||
$CNAME= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_CNAMEType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$CNAMElen = Get-WmiCount($CNAME)
|
|
||||||
write-host -NoNewline ""CNAME=$CNAMElen
|
|
||||||
|
|
||||||
$MX = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_MXType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$MXlen = Get-WmiCount($MX)
|
|
||||||
write-host -NoNewline ""MX=$MXlen
|
|
||||||
|
|
||||||
$SRV = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SRVType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$SRVlen = Get-WmiCount($SRV)
|
|
||||||
write-host -NoNewline ""SRV=$SRVlen
|
|
||||||
|
|
||||||
$HINFO= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_HINFOType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$HINFOlen = Get-WmiCount($HINFO)
|
|
||||||
write-host -NoNewline ""HINFO=$HINFOlen
|
|
||||||
|
|
||||||
$TXT = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_TXTType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$TXTlen = Get-WmiCount($TXT)
|
|
||||||
write-host -NoNewline ""TXT=$TXTlen
|
|
||||||
|
|
||||||
$RR = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_ResourceRecord -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
|
|
||||||
$TotalRecords = Get-WmiCount($RR)
|
|
||||||
write-host ""TotalRecords=$TotalRecords
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Main Program
|
|
||||||
#
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
|
|
||||||
$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
|
|
||||||
$Options = New-Object Management.ObjectGetOptions($Null, [System.TimeSpan]::MaxValue, $True)
|
|
||||||
|
|
||||||
$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)
|
|
||||||
$Zones = Get-WMIObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
|
|
||||||
$OutputEncoding = [Text.Encoding]::UTF8
|
|
||||||
Foreach ($Zone in $Zones) {
|
|
||||||
Output-ZoneInfo($Zone)
|
|
||||||
}
|
|
||||||
@ -1,20 +0,0 @@
|
|||||||
## This script generates WindowsUpdate.Log using Get-WindowsUpdateLog in $SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate
|
|
||||||
## It monitors the WindowsUpdate.log from $SplunkHome\var\log\Splunk_TA_windows\
|
|
||||||
|
|
||||||
Set-Variable -Name "LogFolder" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate"
|
|
||||||
Set-Variable -Name "MonitoredLogFile" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate.log"
|
|
||||||
|
|
||||||
if (!(Test-Path -Path $LogFolder )) {
|
|
||||||
New-Item -ItemType directory -Path $LogFolder
|
|
||||||
}
|
|
||||||
|
|
||||||
Get-WindowsUpdateLog -LogPath $LogFolder\WindowsUpdate.log
|
|
||||||
|
|
||||||
if ([System.IO.File]::Exists("$MonitoredLogFile")) {
|
|
||||||
Get-Content "$LogFolder\WindowsUpdate.log" | Set-Content -Path "$MonitoredLogFile"
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
|
|
||||||
}
|
|
||||||
|
|
||||||
exit
|
|
||||||
@ -1,170 +0,0 @@
|
|||||||
#
|
|
||||||
# Determine the health and statistics of this Active Directory Controller
|
|
||||||
#
|
|
||||||
$Output = New-Object System.Collections.ArrayList
|
|
||||||
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
|
|
||||||
[void]$Output.Add($Date)
|
|
||||||
|
|
||||||
# Name of Server
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
[void]$Output.Add("Server=""$ServerName""")
|
|
||||||
$BSSN = "\\" + $ServerName
|
|
||||||
|
|
||||||
# Domain Information
|
|
||||||
|
|
||||||
$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
|
|
||||||
$WMI_CS = (Get-WmiObject Win32_ComputerSystem)
|
|
||||||
$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
|
|
||||||
|
|
||||||
$DomainDNSName = $WMI_CS.Domain
|
|
||||||
$DomainNetBIOSName = $WMI_DOMAIN.DomainName
|
|
||||||
$DomainLevel = $S_DS_AD_DOM.DomainMode
|
|
||||||
[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
|
|
||||||
[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
|
|
||||||
[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
|
|
||||||
|
|
||||||
# Site Information
|
|
||||||
$SiteName = $WMI_DOMAIN.ClientSiteName
|
|
||||||
[void]$Output.Add("Site=`"$SiteName`"");
|
|
||||||
|
|
||||||
# Forest Information
|
|
||||||
$ForestName = $S_DS_AD_DOM.Forest.Name
|
|
||||||
$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
|
|
||||||
[void]$Output.Add("ForestName=`"$ForestName`"");
|
|
||||||
[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
|
|
||||||
|
|
||||||
# Domain Controller Flags
|
|
||||||
$IsRO = "False"
|
|
||||||
$IsEnabled = "False"
|
|
||||||
$IsGC = "False"
|
|
||||||
$USN = "Unknown"
|
|
||||||
$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
|
|
||||||
if ($WMI_DOMAIN.Status -eq "OK") {
|
|
||||||
$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
|
|
||||||
if ($MyDC) {
|
|
||||||
if ($MyDC.IsGlobalCatalog()) {
|
|
||||||
$IsGC = "True"
|
|
||||||
}
|
|
||||||
$USN = $MyDC.HighestCommittedUsn
|
|
||||||
$IsEnabled = "True"
|
|
||||||
|
|
||||||
$entry = $MyDC.getDirectoryEntry()
|
|
||||||
[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
|
|
||||||
[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
|
|
||||||
|
|
||||||
$DN = $entry.Path
|
|
||||||
$ServerEntry = [ADSI]"$DN"
|
|
||||||
$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
|
|
||||||
$IsRO = $ServerEntry."msDS-IsRODC"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
|
|
||||||
[void]$Output.Add("RODC=`"$IsRO`"")
|
|
||||||
[void]$Output.Add("Enabled=`"$IsEnabled`"")
|
|
||||||
[void]$Output.Add("HighestUSN=`"$USN`"")
|
|
||||||
|
|
||||||
$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
|
|
||||||
$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
|
|
||||||
[void]$Output.Add("SchemaVersion=$SchemaVersion")
|
|
||||||
|
|
||||||
$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
|
|
||||||
$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
|
|
||||||
if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
|
|
||||||
$DCWeight = 100 # This is the default value
|
|
||||||
}
|
|
||||||
[void]$Output.Add("DCWeight=$DCWeight")
|
|
||||||
|
|
||||||
$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
|
|
||||||
|
|
||||||
# Is this host a BridgeHead Server?
|
|
||||||
# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
|
|
||||||
|
|
||||||
# Is this host a Intersite Topology Generator
|
|
||||||
if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
|
|
||||||
[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
|
|
||||||
} else {
|
|
||||||
[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# Windows Version and Build #
|
|
||||||
#
|
|
||||||
$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
|
|
||||||
$OS = $WindowsInfo.GetValue("ProductName")
|
|
||||||
$OSSP = $WindowsInfo.GetValue("CSDVersion")
|
|
||||||
$WinVer = $WindowsInfo.GetValue("CurrentVersion")
|
|
||||||
$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
|
|
||||||
$OSVER = "$WinVer ($WinBuild)"
|
|
||||||
|
|
||||||
[void]$Output.Add("OperatingSystem=""$OS""")
|
|
||||||
[void]$Output.Add("ServicePack=""$OSSP""")
|
|
||||||
[void]$Output.Add("OSVersion=""$OSVER""")
|
|
||||||
|
|
||||||
#
|
|
||||||
# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
|
|
||||||
#
|
|
||||||
$aFSMO = @()
|
|
||||||
if ($MyDC -and $MyDC.Roles) {
|
|
||||||
foreach ($role in $MyDC.Roles) {
|
|
||||||
switch ($role) {
|
|
||||||
"SchemaRole" { $aFSMO += "Schema" }
|
|
||||||
"NamingRole" { $aFSMO += "DomainNaming" }
|
|
||||||
"InfrastructureRole" { $aFSMO += "Infrastructure" }
|
|
||||||
"PdcRole" { $aFSMO += "PDCEmulator" }
|
|
||||||
"RidRole" { $aFSMO += "RIDMaster" }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$FSMORoles = [string]::join(' ', $aFSMO)
|
|
||||||
[void]$Output.Add("FSMORoles=""$FSMORoles""")
|
|
||||||
|
|
||||||
#
|
|
||||||
# Required Processes Running
|
|
||||||
# FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
|
|
||||||
#
|
|
||||||
$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
|
|
||||||
$srvr = @()
|
|
||||||
$srvnr = @()
|
|
||||||
foreach ($srv in $RequiredServices) {
|
|
||||||
$status = (Get-Service $srv).Status
|
|
||||||
if ($status -eq "Running") {
|
|
||||||
$srvr += $srv
|
|
||||||
} else {
|
|
||||||
$srvnr += $srv
|
|
||||||
}
|
|
||||||
}
|
|
||||||
# Note that the only case that ProcsOK == True is when there is ONE service
|
|
||||||
# that isn't running - You need one replication services (ntfrs or dfsr) but
|
|
||||||
# not both
|
|
||||||
$ProcsOK = "False"
|
|
||||||
if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
|
|
||||||
$ProcsOK = "True"
|
|
||||||
}
|
|
||||||
$ServicesRunning = [string]::join(',', $srvr)
|
|
||||||
$ServicesNotRunning = [string]::join(',', $srvnr)
|
|
||||||
[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
|
|
||||||
[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
|
|
||||||
[void]$Output.Add("ProcsOK=""$ProcsOK""")
|
|
||||||
|
|
||||||
#
|
|
||||||
# Look for Common Problems
|
|
||||||
# SYSVOL is shared out
|
|
||||||
# DC is registered in DNS
|
|
||||||
#
|
|
||||||
$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
|
|
||||||
if ($SysvolShare) {
|
|
||||||
[void]$Output.Add("SYSVOLShare=""True""")
|
|
||||||
} else {
|
|
||||||
[void]$Output.Add("SYSVOLShare=""False""")
|
|
||||||
}
|
|
||||||
|
|
||||||
$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
|
|
||||||
if ($DNSEntry) {
|
|
||||||
[void]$Output.Add("DNSRegister=""True""")
|
|
||||||
} else {
|
|
||||||
[void]$Output.Add("DNSRegister=""False""")
|
|
||||||
}
|
|
||||||
|
|
||||||
# Output the final string
|
|
||||||
Write-Host ($output -join " ")
|
|
||||||
@ -1,41 +0,0 @@
|
|||||||
#
|
|
||||||
# Determine and output information about the Site the server is a member of
|
|
||||||
#
|
|
||||||
|
|
||||||
$ServerName = $env:ComputerName
|
|
||||||
$BSSN = "\\" + $ServerName
|
|
||||||
$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
|
|
||||||
$SiteName = $WMI_DOMAIN.ClientSiteName
|
|
||||||
$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
|
|
||||||
|
|
||||||
$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
|
|
||||||
$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
|
|
||||||
$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
|
|
||||||
|
|
||||||
|
|
||||||
write-host $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
|
|
||||||
$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
|
|
||||||
write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
|
|
||||||
$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
|
|
||||||
$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
|
|
||||||
|
|
||||||
write-host #Needed to print a newline for next object
|
|
||||||
|
|
||||||
#
|
|
||||||
# Output Information about Site Links in this site
|
|
||||||
#
|
|
||||||
$SiteInfoObj.SiteLinks | Foreach-Object {
|
|
||||||
write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
|
|
||||||
foreach ($site in $_.Sites) {
|
|
||||||
write-host ""Site=`"$($site.Name)`" -NoNewLine
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Write-Host #similar to above
|
|
||||||
|
|
||||||
#
|
|
||||||
# Output Information about Subnets in this site
|
|
||||||
#
|
|
||||||
|
|
||||||
$SiteInfoObj.Subnets | Foreach-Object {
|
|
||||||
write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
|
|
||||||
}
|
|
||||||
@ -1,5 +0,0 @@
|
|||||||
## This script fetches the Windows machine BIOS data using Get-WmiObject cmdlet
|
|
||||||
|
|
||||||
$bios_data = Get-WmiObject -class win32_bios | format-list -property * | Out-String
|
|
||||||
$bios_data = $bios_data.Trim()
|
|
||||||
$bios_data -replace '(.*?)\s:(.*)', '$1 = $2'
|
|
||||||
@ -1,14 +0,0 @@
|
|||||||
@ECHO OFF
|
|
||||||
|
|
||||||
:: ######################################################
|
|
||||||
:: #
|
|
||||||
:: # Splunk for Microsoft Windows
|
|
||||||
:: #
|
|
||||||
:: # Copyright (C) 2021 Splunk, Inc.
|
|
||||||
:: # All Rights Reserved
|
|
||||||
:: #
|
|
||||||
:: ######################################################
|
|
||||||
|
|
||||||
set SplunkApp=Splunk_TA_windows
|
|
||||||
|
|
||||||
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"
|
|
||||||
@ -1,112 +0,0 @@
|
|||||||
#
|
|
||||||
# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
#
|
|
||||||
#
|
|
||||||
import csv
|
|
||||||
import sys
|
|
||||||
import log
|
|
||||||
import logging
|
|
||||||
|
|
||||||
# Map for possible property flags
|
|
||||||
property_flags = {
|
|
||||||
"1": "SCRIPT",
|
|
||||||
"2": "ACCOUNTDISABLE",
|
|
||||||
"8": "HOMEDIR_REQUIRED",
|
|
||||||
"16": "LOCKOUT",
|
|
||||||
"32": "PASSWD_NOTREQD",
|
|
||||||
"64": "PASSWD_CANT_CHANGE",
|
|
||||||
"128": "ENCRYPTED_TEXT_PWD_ALLOWED",
|
|
||||||
"256": "TEMP_DUPLICATE_ACCOUNT",
|
|
||||||
"512": "NORMAL_ACCOUNT",
|
|
||||||
"2048": "INTERDOMAIN_TRUST_ACCOUNT",
|
|
||||||
"4096": "WORKSTATION_TRUST_ACCOUNT",
|
|
||||||
"8192": "SERVER_TRUST_ACCOUNT",
|
|
||||||
"65536": "DONT_EXPIRE_PASSWORD",
|
|
||||||
"131072": "MNS_LOGON_ACCOUNT",
|
|
||||||
"262144": "SMARTCARD_REQUIRED",
|
|
||||||
"524288": "TRUSTED_FOR_DELEGATION",
|
|
||||||
"1048576": "NOT_DELEGATED",
|
|
||||||
"2097152": "USE_DES_KEY_ONLY",
|
|
||||||
"4194304": "DONT_REQ_PREAUTH",
|
|
||||||
"8388608": "PASSWORD_EXPIRED",
|
|
||||||
"16777216": "TRUSTED_TO_AUTH_FOR_DELEGATION",
|
|
||||||
"67108864": "PARTIAL_SECRETS_ACCOUNT",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
|
||||||
|
|
||||||
logger = log.Log().get_logger("user_account_control_property")
|
|
||||||
logger.info("Lookup script started executing..")
|
|
||||||
|
|
||||||
# prints usage of the lookup script if wrong number of arguments provided
|
|
||||||
if len(sys.argv) != 3:
|
|
||||||
logger.debug(
|
|
||||||
"Usage: python user_account_control_property.py [userAccountControl] [userAccountPropertyFlag]"
|
|
||||||
)
|
|
||||||
logger.debug("Lookup script stopped..")
|
|
||||||
sys.exit(1)
|
|
||||||
|
|
||||||
# Lookup Field names
|
|
||||||
userAccountControl = sys.argv[1]
|
|
||||||
userAccountPropertyFlag = sys.argv[2]
|
|
||||||
|
|
||||||
infile = sys.stdin
|
|
||||||
outfile = sys.stdout
|
|
||||||
|
|
||||||
r = csv.DictReader(infile)
|
|
||||||
|
|
||||||
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
|
|
||||||
|
|
||||||
w.writeheader()
|
|
||||||
|
|
||||||
# Decode flags for every 'userAccountControl' attribute value present in a search result
|
|
||||||
for result in r:
|
|
||||||
try:
|
|
||||||
if result[userAccountControl].isdigit():
|
|
||||||
attribute_value = int(result[userAccountControl])
|
|
||||||
bit_cnt = 0
|
|
||||||
incorrect_result_flag = False
|
|
||||||
flags = list()
|
|
||||||
|
|
||||||
# Prepare flag list by decoding 'userAccountcontrol' decimal value
|
|
||||||
# As 'userAccountControl' is decimal value, For each bit set to '1' a property flag can be denoted by using 'property_flags' map given above
|
|
||||||
while attribute_value != 0:
|
|
||||||
if attribute_value & 1 == 1:
|
|
||||||
flags.append(str(1 << bit_cnt))
|
|
||||||
attribute_value = attribute_value >> 1
|
|
||||||
bit_cnt += 1
|
|
||||||
|
|
||||||
# If flag not present in 'property_flags' map, The 'userAccountPropertyFlag' won't be populated in search result
|
|
||||||
for flag in flags:
|
|
||||||
if flag not in list(property_flags.keys()):
|
|
||||||
logger.debug(
|
|
||||||
"'userAccountControl' attribute can not be decoded for value: {}".format(
|
|
||||||
result[userAccountControl]
|
|
||||||
)
|
|
||||||
)
|
|
||||||
incorrect_result_flag = True
|
|
||||||
break
|
|
||||||
if incorrect_result_flag:
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
for flag in flags:
|
|
||||||
result[userAccountPropertyFlag] = property_flags[flag]
|
|
||||||
w.writerow(result)
|
|
||||||
else:
|
|
||||||
logger.debug(
|
|
||||||
"'userAccountControl' attribute can not be decoded for value: {}".format(
|
|
||||||
result[userAccountControl]
|
|
||||||
)
|
|
||||||
)
|
|
||||||
except:
|
|
||||||
logger.debug(
|
|
||||||
"No results for 'userAccountControl' attribute value :{}".format(
|
|
||||||
result[userAccountControl]
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
||||||
@ -1,67 +0,0 @@
|
|||||||
@echo off
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
|
|
||||||
setlocal EnableDelayedExpansion
|
|
||||||
|
|
||||||
REM For each app key, print out the name of the app and any parameters under the entry
|
|
||||||
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)
|
|
||||||
|
|
||||||
REM Do the same as above but with 32-bit apps, first checking if the key exists
|
|
||||||
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
|
|
||||||
if %ERRORLEVEL% EQU 0 (
|
|
||||||
for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
|
|
||||||
)
|
|
||||||
|
|
||||||
goto :eof
|
|
||||||
|
|
||||||
:output_reg
|
|
||||||
|
|
||||||
|
|
||||||
REM Echo an empty line to indicate that this is a new entry
|
|
||||||
@echo.
|
|
||||||
|
|
||||||
REM Get the current date and time into into a variable
|
|
||||||
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
|
|
||||||
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
|
|
||||||
|
|
||||||
REM Print out the date & time
|
|
||||||
@echo %date_time%
|
|
||||||
|
|
||||||
REM Add the enumerated key
|
|
||||||
@echo Installed application enumerated from %1
|
|
||||||
|
|
||||||
REM Get the name of the app from the last segment in the registry path
|
|
||||||
set app_name=%1
|
|
||||||
|
|
||||||
REM Strips out the first x characters (from input) of the path in order to get just the app name
|
|
||||||
set "app_name=!app_name:~%2%,150!"
|
|
||||||
|
|
||||||
REM Strip the last quote
|
|
||||||
set "app_name=!app_name:~0,-1!"
|
|
||||||
|
|
||||||
REM Store a count value so that we can avoid printing the first entry
|
|
||||||
set count=0
|
|
||||||
|
|
||||||
REM This variable determines if the display name was found
|
|
||||||
set display_name_found=0
|
|
||||||
|
|
||||||
REM Now get the sub-keys
|
|
||||||
for /F "tokens=1,2*" %%A in ('reg query %1') do (
|
|
||||||
set /a count+=1
|
|
||||||
|
|
||||||
REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
|
|
||||||
|
|
||||||
REM Note that the display name was already found
|
|
||||||
if %%A==DisplayName (
|
|
||||||
set /a display_name_found=1
|
|
||||||
echo %%A="%%C"
|
|
||||||
) else (
|
|
||||||
|
|
||||||
REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
|
|
||||||
if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" if not "%%C" == "" if not %%A==DisplayName echo %%A=%%C
|
|
||||||
)
|
|
||||||
)
|
|
||||||
REM If the display name was not found, then use the name of the registry path name instead
|
|
||||||
if !display_name_found!==0 echo DisplayName="%app_name%"
|
|
||||||
@ -1,50 +0,0 @@
|
|||||||
@echo off
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
|
|
||||||
setlocal EnableDelayedExpansion
|
|
||||||
|
|
||||||
REM Get the current date and time into a variable
|
|
||||||
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
|
|
||||||
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
|
|
||||||
|
|
||||||
REM Get the Tasklist command output and store array with pid and processname
|
|
||||||
for /f "tokens=1,2 delims=," %%T in ('tasklist /nh /fo csv') do (
|
|
||||||
set topic[%%~U]=%%~T
|
|
||||||
)
|
|
||||||
|
|
||||||
REM Get the list of open ports by running netstat and filtering the results to those that contain actual ports (dropping the header)
|
|
||||||
for /f "tokens=*" %%G in ('netstat -nao ^| findstr /r "LISTENING"') do (call :output_ports "%%G")
|
|
||||||
goto :eof
|
|
||||||
|
|
||||||
:output_ports
|
|
||||||
|
|
||||||
REM Parse the ports list
|
|
||||||
for /f "tokens=1,2,4,5 delims= " %%A in (%1) do (
|
|
||||||
set protocol=%%A
|
|
||||||
set dest=%%B
|
|
||||||
set status=%%C
|
|
||||||
set pid=%%D
|
|
||||||
set appname=!topic[%%D]!
|
|
||||||
)
|
|
||||||
|
|
||||||
REM Skip the header
|
|
||||||
if "!protocol!"=="Proto" goto :eof
|
|
||||||
if "!protocol!"=="Active" goto :eof
|
|
||||||
|
|
||||||
REM Parse the each port
|
|
||||||
for /f "tokens=1,2,3 delims=:" %%A in ("%dest%") do (
|
|
||||||
set dest_ip=%%A
|
|
||||||
set dest_port=%%B
|
|
||||||
set alt_dest_port=%%C
|
|
||||||
|
|
||||||
REM Some entries will exist in the [::]:0 format and thus throw off the parsing. Correct for this:
|
|
||||||
if "!dest_port!" == "]" set dest_port=!alt_dest_port!
|
|
||||||
)
|
|
||||||
|
|
||||||
REM Replace the dest IP with the empty IP range if necessary
|
|
||||||
if "!dest_ip!"=="[" set dest_ip=[::]
|
|
||||||
|
|
||||||
REM Print out the result
|
|
||||||
echo %date_time% transport=%protocol% dest_ip=%dest_ip% dest_port=%dest_port% pid=!pid! appname=%appname%
|
|
||||||
@ -1,21 +0,0 @@
|
|||||||
@echo off
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
|
|
||||||
setlocal EnableDelayedExpansion
|
|
||||||
|
|
||||||
REM Get the time service configuration and timezone.
|
|
||||||
|
|
||||||
REM Get the date & time
|
|
||||||
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
|
|
||||||
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
|
|
||||||
|
|
||||||
REM Print the date and time. This will be the timestamp of the event.
|
|
||||||
echo Current time: %date_time%
|
|
||||||
|
|
||||||
REM Print the Windows time service configuration
|
|
||||||
w32tm /query /configuration /verbose
|
|
||||||
|
|
||||||
REM Print the Windows time zone information
|
|
||||||
w32tm /tz
|
|
||||||
@ -1,28 +0,0 @@
|
|||||||
@echo off
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
|
|
||||||
REM --------------------------------------------------------
|
|
||||||
|
|
||||||
setlocal EnableDelayedExpansion
|
|
||||||
|
|
||||||
REM Get the last current time synchronization status
|
|
||||||
REM
|
|
||||||
REM Example:
|
|
||||||
REM
|
|
||||||
REM Successful sync:
|
|
||||||
REM Last Successful Sync Time: 1/22/2014 12:06:43 PM
|
|
||||||
REM Unsuccessful sync:
|
|
||||||
REM Last Successful Sync Time: unspecified
|
|
||||||
|
|
||||||
REM Get the date & time
|
|
||||||
for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
|
|
||||||
set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
|
|
||||||
|
|
||||||
REM Print the date and time. This will be the timestamp of the event.
|
|
||||||
echo Current time: %date_time%
|
|
||||||
|
|
||||||
REM Print the Windows time service status
|
|
||||||
w32tm /query /status /verbose
|
|
||||||
|
|
||||||
REM Print the time zone
|
|
||||||
w32tm /tz
|
|
||||||
@ -1,28 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
##
|
|
||||||
##
|
|
||||||
|
|
||||||
[install]
|
|
||||||
is_configured = false
|
|
||||||
state = enabled
|
|
||||||
build = 1690943997
|
|
||||||
|
|
||||||
[ui]
|
|
||||||
is_visible = false
|
|
||||||
label = Splunk Add-on for Microsoft Windows
|
|
||||||
docs_section_override = AddOns:released
|
|
||||||
|
|
||||||
[launcher]
|
|
||||||
author = Splunk, Inc.
|
|
||||||
version = 8.8.0
|
|
||||||
description = Splunk Add-on for Microsoft Windows
|
|
||||||
|
|
||||||
[package]
|
|
||||||
id = Splunk_TA_windows
|
|
||||||
|
|
||||||
[id]
|
|
||||||
name = Splunk_TA_windows
|
|
||||||
version = 8.8.0
|
|
||||||
|
|
||||||
@ -1,761 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
## DO NOT EDIT THIS FILE!
|
|
||||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
||||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
||||||
## into ../local and edit there.
|
|
||||||
##
|
|
||||||
|
|
||||||
###### Global Windows Eventtype ######
|
|
||||||
|
|
||||||
[windows_event_signature]
|
|
||||||
search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog
|
|
||||||
#tags = track_event_signatures
|
|
||||||
|
|
||||||
[wineventlog_windows]
|
|
||||||
search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[wineventlog_application]
|
|
||||||
search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[wineventlog_system]
|
|
||||||
search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[wineventlog_security]
|
|
||||||
search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[perfmon_windows]
|
|
||||||
search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[hostmon_windows]
|
|
||||||
search = sourcetype=WinHostMon
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[hostmon_os]
|
|
||||||
search = sourcetype=WinHostMon Type=OperatingSystem
|
|
||||||
#tags = os windows memory performance
|
|
||||||
|
|
||||||
[hostmon_inventory]
|
|
||||||
search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
|
|
||||||
#tags = os inventory cpu memory
|
|
||||||
|
|
||||||
[hostmon_disk]
|
|
||||||
search = sourcetype=WinHostMon (Type=Disk)
|
|
||||||
#tags = inventory performance storage
|
|
||||||
|
|
||||||
[netmon_windows]
|
|
||||||
search = sourcetype=WinNetMon
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[printmon_windows]
|
|
||||||
search = sourcetype=WinPrintMon
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[script_windows]
|
|
||||||
search = sourcetype=Script:* source=*.bat
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[wmi_windows]
|
|
||||||
search = sourcetype=WMI:*
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[windowsupdatelog_windows]
|
|
||||||
search = sourcetype=WindowsUpdateLog
|
|
||||||
#tags = os windows
|
|
||||||
|
|
||||||
[winregistry_windows]
|
|
||||||
search = sourcetype=WinRegistry
|
|
||||||
#tags = os windows endpoint change registry
|
|
||||||
|
|
||||||
[winapp]
|
|
||||||
search = eventtype=wineventlog_application
|
|
||||||
|
|
||||||
[winsec]
|
|
||||||
search = eventtype=wineventlog_security
|
|
||||||
#tags = security
|
|
||||||
|
|
||||||
[winsystem]
|
|
||||||
search = eventtype=wineventlog_system
|
|
||||||
|
|
||||||
|
|
||||||
###### DHCP ######
|
|
||||||
[msdhcp]
|
|
||||||
search = sourcetype=msdhcp
|
|
||||||
#tags = dhcp network session windows
|
|
||||||
|
|
||||||
[msdhcp_start]
|
|
||||||
search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
|
|
||||||
#tags = start
|
|
||||||
|
|
||||||
[msdhcp_end]
|
|
||||||
search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
|
|
||||||
#tags = end
|
|
||||||
|
|
||||||
[DhcpSrvLog]
|
|
||||||
search = sourcetype=DhcpSrvLog
|
|
||||||
#tags = windows
|
|
||||||
|
|
||||||
[DhcpSrvLog_dhcp]
|
|
||||||
search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
|
|
||||||
#tags = dhcp network session
|
|
||||||
|
|
||||||
[DhcpSrvLog_start]
|
|
||||||
search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
|
|
||||||
#tags = dhcp network session start
|
|
||||||
|
|
||||||
[DhcpSrvLog_end]
|
|
||||||
search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
|
|
||||||
#tags = dhcp network session end
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Account Logon ######
|
|
||||||
|
|
||||||
## Authentication Ticket Granted/Failed
|
|
||||||
## EventCodes 4768, 4772, 672, 676
|
|
||||||
[windows_auth_ticket_granted]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Service Ticket Granted/Failed
|
|
||||||
## EventCodes 4769, 4773, 673, 677
|
|
||||||
[windows_service_ticket_granted]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Ticket Granted Renewed
|
|
||||||
## EventCodes 4770, 674
|
|
||||||
[windows_ticket_renewed]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
|
|
||||||
## tags intentionally left blank
|
|
||||||
#tags =
|
|
||||||
|
|
||||||
## Pre-authentication failed
|
|
||||||
## EventCodes 4771, 675
|
|
||||||
[windows_pre_auth_failed]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Account Mapped for Logon by
|
|
||||||
## EventCodes 4774, 678
|
|
||||||
[windows_account_mapped]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
|
|
||||||
## tags intentionally left blank
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## The name: %2 could not be mapped for logon by: %1
|
|
||||||
## EventCodes 4775, 679
|
|
||||||
[windows_account_notmapped]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Account Used for Logon by
|
|
||||||
## The domain controller attempted/failed to validate the credentials for an account
|
|
||||||
## The logon to account: %2 by: %1 from workstation: %3 failed.
|
|
||||||
## EventCodes 4776, 4777, 680, 681
|
|
||||||
[windows_account_used4logon]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Session reconnected to winstation
|
|
||||||
## EventCodes 4778, 682
|
|
||||||
[windows_session_reconnected]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
|
|
||||||
## tags intentionally left blank
|
|
||||||
#tags =
|
|
||||||
|
|
||||||
## Session disconnected from winstation
|
|
||||||
## EventCodes 4779, 683
|
|
||||||
[windows_session_disconnected]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
|
|
||||||
#tags = access stop logoff
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Account Management ######
|
|
||||||
[windows_account_management]
|
|
||||||
search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management")
|
|
||||||
#tags = account change management
|
|
||||||
|
|
||||||
## User/Computer Account Created
|
|
||||||
## EventCodes 4720, 4741, 624, 645
|
|
||||||
[windows_account_created]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
|
|
||||||
#tags = add account change
|
|
||||||
|
|
||||||
|
|
||||||
## User Account Enabled
|
|
||||||
## EventCodes 4722, 626
|
|
||||||
[windows_account_enabled]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
|
|
||||||
#tags = enable account change
|
|
||||||
|
|
||||||
## Change Password Attempt
|
|
||||||
## EventCodes 4723, 627
|
|
||||||
[windows_account_password_change]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
|
|
||||||
#tags = password modify account change
|
|
||||||
|
|
||||||
## User Account password set
|
|
||||||
## EventCodes 4724, 628
|
|
||||||
[windows_account_password_set]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
|
|
||||||
#tags = password modify account change
|
|
||||||
|
|
||||||
## User Account Disabled
|
|
||||||
## EventCodes 4725, 629
|
|
||||||
[windows_account_disabled]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
|
|
||||||
#tags = disable account change
|
|
||||||
|
|
||||||
## User/Computer Account Deleted
|
|
||||||
## EventCodes 4726, 4743, 630, 647
|
|
||||||
[windows_account_deleted]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
|
|
||||||
#tags = delete account change
|
|
||||||
|
|
||||||
## User/Computer Account Changed
|
|
||||||
## EventCodes 4738, 4742, 642, 646, 625
|
|
||||||
[windows_account_modified]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
|
|
||||||
#tags = modify account change
|
|
||||||
|
|
||||||
## User Account Locked Out
|
|
||||||
## EventCodes 4740, 644
|
|
||||||
[windows_account_lockout]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
|
|
||||||
#tags = lock lockout account change
|
|
||||||
|
|
||||||
## User Account Unlocked
|
|
||||||
## EventCodes 4767, 671
|
|
||||||
[windows_account_unlocked]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
|
|
||||||
#tags = modify account change
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Audit (Event Log) ######
|
|
||||||
|
|
||||||
## The event logging service has shut down
|
|
||||||
## EventCode 1100
|
|
||||||
[windows_audit_log_stopped]
|
|
||||||
search = eventtype=wineventlog_security EventCode=1100
|
|
||||||
#tags = stop stopped watchlist
|
|
||||||
|
|
||||||
## Audit events have been dropped by the transport.
|
|
||||||
## The security Log is now full
|
|
||||||
## The event logging service encountered an error
|
|
||||||
## EventCodes 1101, 1104, 1108
|
|
||||||
[windows_audit_errors]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
|
|
||||||
#tags = audit error
|
|
||||||
|
|
||||||
## The audit log was cleared
|
|
||||||
## EventCodes 1102, 517
|
|
||||||
[windows_audit_log_cleared]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
|
|
||||||
#tags = audit change delete cleared watchlist
|
|
||||||
|
|
||||||
## Event log automatic backup
|
|
||||||
## EventCode 1105
|
|
||||||
[windows_audit_backup]
|
|
||||||
search = eventtype=wineventlog_security EventCode=1105
|
|
||||||
#tags = audit backup change
|
|
||||||
|
|
||||||
## Logon/Logoff audit logs
|
|
||||||
## EventCode 4625
|
|
||||||
[windows_audit_log_logon]
|
|
||||||
search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
|
|
||||||
#tags = audit change
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Logon/Logoff ######
|
|
||||||
|
|
||||||
## User Logoff/User initiated logoff
|
|
||||||
## EventCodes 4634, 4647, 538, 551
|
|
||||||
[windows_logoff]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
|
|
||||||
#tags = access stop logoff
|
|
||||||
|
|
||||||
## A logon was attempted using explicit credentials
|
|
||||||
## EventCodes 4648, 552
|
|
||||||
[windows_logon_explicit]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
|
|
||||||
#tags = authentication privileged
|
|
||||||
|
|
||||||
## An account failed to log on
|
|
||||||
## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
|
|
||||||
[windows_logon_failure]
|
|
||||||
search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## An account was successfully logged on
|
|
||||||
## EventCodes 4624, 528, 540
|
|
||||||
[windows_logon_success]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Object Access ######
|
|
||||||
|
|
||||||
## Object Open
|
|
||||||
## EventCodes 4656, 560
|
|
||||||
[windows_object_open]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
|
|
||||||
#tags = resource file access start
|
|
||||||
|
|
||||||
## Handle Closed
|
|
||||||
## EventCodes 4658, 562
|
|
||||||
[windows_handle_closed]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
|
|
||||||
#tags = resource file access stop
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Policy Change ######
|
|
||||||
|
|
||||||
## Audit Policy Change/The audit policy (SACL) on an object was changed
|
|
||||||
## EventCodes 4715, 4719, 612
|
|
||||||
[windows_audit_policy_change]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
|
|
||||||
#tags = policy configuration modify audit change
|
|
||||||
|
|
||||||
## System security access was granted to an account
|
|
||||||
## EventCodes 4717, 621
|
|
||||||
[windows_security_access_granted]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
|
|
||||||
#tags = access authorization add change account
|
|
||||||
|
|
||||||
## System security access was removed from an account
|
|
||||||
## EventCodes 4718, 622
|
|
||||||
[windows_security_access_removed]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
|
|
||||||
#tags = access authorization delete change account
|
|
||||||
|
|
||||||
## Per User Audit Policy was changed
|
|
||||||
## EventCodes 4912, 807
|
|
||||||
[windows_audit_policy_changed]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
|
|
||||||
#tags = policy configuration modify audit change
|
|
||||||
|
|
||||||
## The following policy was active when the Windows Firewall started
|
|
||||||
## EventCodes 848, 849, 850
|
|
||||||
[windows_firewall_policy_active]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
|
|
||||||
#tags = application firewall configuration report
|
|
||||||
|
|
||||||
## A change has been made to Windows Firewall
|
|
||||||
## EventCodes 4946, 4947, 4948, 851, 852
|
|
||||||
[windows_firewall_policy_change]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
|
|
||||||
#tags = application firewall configuration modify
|
|
||||||
|
|
||||||
## The Windows Firewall has detected an application listening for incoming traffic
|
|
||||||
## EventCodes 4957, 861
|
|
||||||
[windows_firewall_port_listening]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
|
|
||||||
#tags = application firewall port listening report
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Privilege Use ######
|
|
||||||
|
|
||||||
## Special privileges assigned to new logon
|
|
||||||
## EventCodes 4672, 576
|
|
||||||
[windows_special_privileges]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
|
|
||||||
#tags = authentication privileged
|
|
||||||
|
|
||||||
## Privileged Service Called
|
|
||||||
## EventCodes 4673, 577
|
|
||||||
[windows_privileged_service_call]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
|
|
||||||
#tags = process execute start privileged
|
|
||||||
|
|
||||||
## Privileged object operation
|
|
||||||
## EventCodes 4674, 578
|
|
||||||
[windows_privileged_object_operation]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
|
|
||||||
#tags = resource execute start privileged
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Process Tracking ######
|
|
||||||
|
|
||||||
## A new process has been created
|
|
||||||
## EventCodes 4688, 592
|
|
||||||
[windows_process_new]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
|
|
||||||
#tags = process execute start
|
|
||||||
|
|
||||||
## A process has exited
|
|
||||||
## EventCodes 4689, 593
|
|
||||||
[windows_process_exit]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
|
|
||||||
#tags = process execute stop
|
|
||||||
|
|
||||||
## A process was assigned a primary token
|
|
||||||
## EventCodes 4696, 600
|
|
||||||
[windows_process_token]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
|
|
||||||
#tags = process execute start privileged
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: System ######
|
|
||||||
|
|
||||||
## An authentication package has been loaded by the Local Security Authority
|
|
||||||
## EventCodes 4610, 514
|
|
||||||
[windows_auth_package]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
|
|
||||||
#tags = process execute start
|
|
||||||
|
|
||||||
## A trusted logon process has registered with the Local Security Authority
|
|
||||||
## EventCodes 4611, 515
|
|
||||||
[windows_logon_process]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
|
|
||||||
#tags = process authorization add
|
|
||||||
|
|
||||||
## A notification package has been loaded by the Security Account Manager
|
|
||||||
## EventCodes 4614, 518
|
|
||||||
[windows_notification_package]
|
|
||||||
search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
|
|
||||||
#tags = process execute start
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Vulnerability ######
|
|
||||||
## System security domain policy was changed
|
|
||||||
## EventCode 4739
|
|
||||||
[windows_security_misconfiguration_password_minimum_length]
|
|
||||||
search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
|
|
||||||
#tags = misconfiguration password policy vulnerability report audit change
|
|
||||||
|
|
||||||
|
|
||||||
###### System: Time ######
|
|
||||||
|
|
||||||
## EventCode 35, 37
|
|
||||||
[windows_time_sync]
|
|
||||||
search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
|
|
||||||
#tags = report time synchronize success performance
|
|
||||||
|
|
||||||
## EventCodes 17, 29, 36, 38
|
|
||||||
[windows_time_failure]
|
|
||||||
search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
|
|
||||||
#tags = report time synchronize failure performance
|
|
||||||
|
|
||||||
|
|
||||||
###### System: Update ######
|
|
||||||
[windows_system_update]
|
|
||||||
search = eventtype=wineventlog_system "Windows Update Agent"
|
|
||||||
#tags = system update
|
|
||||||
|
|
||||||
## EventCodes 17, 18, 19
|
|
||||||
[windows_system_update_status]
|
|
||||||
search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19)
|
|
||||||
#tags = status
|
|
||||||
|
|
||||||
[windows_updatelog]
|
|
||||||
search = sourcetype=WindowsUpdateLog
|
|
||||||
#tags = system update
|
|
||||||
|
|
||||||
[windows_updatelog_status]
|
|
||||||
search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
|
|
||||||
#tags = status
|
|
||||||
|
|
||||||
## WMI:Update
|
|
||||||
[wmi_installed_packages]
|
|
||||||
search = sourcetype=WMI:InstalledUpdates
|
|
||||||
#tags = system update status
|
|
||||||
|
|
||||||
|
|
||||||
###### Splunk WMI ######
|
|
||||||
|
|
||||||
## ComputerSystem
|
|
||||||
[wmi_computersystem]
|
|
||||||
search = sourcetype=WMI:ComputerSystem
|
|
||||||
#tags = performance memory
|
|
||||||
|
|
||||||
## CPUTime
|
|
||||||
[perfmon_cputime]
|
|
||||||
search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
|
|
||||||
#tags = performance cpu report
|
|
||||||
|
|
||||||
[perfmon_cputime_anomalous]
|
|
||||||
search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
[wmi_cputime]
|
|
||||||
search = sourcetype=WMI:CPUTime
|
|
||||||
#tags = performance cpu report
|
|
||||||
|
|
||||||
[wmi_cputime_anomalous]
|
|
||||||
search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
## System
|
|
||||||
[perfmon_system]
|
|
||||||
search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
|
|
||||||
#tags = performance cpu report
|
|
||||||
|
|
||||||
## Disk
|
|
||||||
[perfmon_freediskspace]
|
|
||||||
search = sourcetype=Perfmon:FreeDiskSpace
|
|
||||||
#tags = performance storage disk report
|
|
||||||
|
|
||||||
[perfmon_freediskspace_anomalous]
|
|
||||||
search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
[perfmon_logicaldisk]
|
|
||||||
search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
|
|
||||||
#tags = performance storage disk
|
|
||||||
|
|
||||||
##ProcessorInformation
|
|
||||||
[perfmon_processorinformation]
|
|
||||||
search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
|
|
||||||
#tags = performance cpu report process
|
|
||||||
|
|
||||||
[wmi_freediskspace]
|
|
||||||
search = sourcetype=WMI:FreeDiskSpace
|
|
||||||
#tags = performance storage disk report
|
|
||||||
|
|
||||||
[wmi_freediskspace_anomalous]
|
|
||||||
search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
[wmi_logicaldisk]
|
|
||||||
search = sourcetype=WMI:LogicalDisk
|
|
||||||
#tags = performance storage disk
|
|
||||||
|
|
||||||
## Listening Ports
|
|
||||||
[script_listeningports]
|
|
||||||
search = sourcetype=Script:ListeningPorts
|
|
||||||
#tags = port listening report
|
|
||||||
|
|
||||||
## Local Processes
|
|
||||||
[wmi_localprocesses]
|
|
||||||
search = sourcetype=WMI:LocalProcesses
|
|
||||||
#tags = process report
|
|
||||||
|
|
||||||
[wmi_localprocesses_anomalous]
|
|
||||||
search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
## Memory
|
|
||||||
[perfmon_memory]
|
|
||||||
search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
|
|
||||||
#tags = performance memory report
|
|
||||||
|
|
||||||
[perfmon_memory_anomalous]
|
|
||||||
search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
[wmi_memory]
|
|
||||||
search = sourcetype=WMI:Memory
|
|
||||||
#tags = performance memory report
|
|
||||||
|
|
||||||
[wmi_memory_anomalous]
|
|
||||||
search = sourcetype=WMI:Memory windows_mem_free<104857600
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
## Service
|
|
||||||
[wmi_service]
|
|
||||||
search = sourcetype=WMI:Service
|
|
||||||
#tags = service report
|
|
||||||
|
|
||||||
[wmi_service_status_anomalous]
|
|
||||||
search = sourcetype=WMI:Service Status=* NOT Status=OK
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
[wmi_service_state_anomalous]
|
|
||||||
search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
## Network
|
|
||||||
[perfmon_network]
|
|
||||||
search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
|
|
||||||
#tags = performance network
|
|
||||||
|
|
||||||
[perfmon_network_throughput]
|
|
||||||
search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
|
|
||||||
#tags = performance network
|
|
||||||
|
|
||||||
[perfmon_network_bandwidth]
|
|
||||||
search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
|
|
||||||
#tags = performance network
|
|
||||||
|
|
||||||
[wmi_network_throughput]
|
|
||||||
search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
|
|
||||||
#tags = performance network
|
|
||||||
|
|
||||||
[wmi_network_bandwidth]
|
|
||||||
search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
|
|
||||||
#tags = performance network
|
|
||||||
|
|
||||||
## Process
|
|
||||||
[perfmon_process]
|
|
||||||
search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
|
|
||||||
#tags = performance process report
|
|
||||||
|
|
||||||
## Uptime
|
|
||||||
[wmi_uptime]
|
|
||||||
search = sourcetype=WMI:Uptime
|
|
||||||
#tags = performance uptime report
|
|
||||||
|
|
||||||
[wmi_uptime_anomalous]
|
|
||||||
search = sourcetype=WMI:Uptime windows_uptime>2592000
|
|
||||||
#tags = anomalous
|
|
||||||
|
|
||||||
## User Accounts
|
|
||||||
[wmi_useraccounts]
|
|
||||||
search = sourcetype=WMI:UserAccounts
|
|
||||||
#tags = account report inventory user
|
|
||||||
|
|
||||||
## Version
|
|
||||||
[wmi_version]
|
|
||||||
search = sourcetype=WMI:Version
|
|
||||||
#tags = system version report inventory
|
|
||||||
|
|
||||||
[microsoft_windows_hostmon_process]
|
|
||||||
search = sourcetype=WinHostMon source=process
|
|
||||||
#tags = process report
|
|
||||||
|
|
||||||
[microsoft_windows_hostmon_service]
|
|
||||||
search = sourcetype=WinHostMon source=service
|
|
||||||
#tags = service report
|
|
||||||
|
|
||||||
[microsoft_windows_hostmon_service_time]
|
|
||||||
search = sourcetype=WinHostMon source=service Name=W32Time
|
|
||||||
#tags = time synchronize os performance
|
|
||||||
|
|
||||||
|
|
||||||
### AD/DNS eventtypes###
|
|
||||||
|
|
||||||
[wineventlog-ds]
|
|
||||||
search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
|
|
||||||
|
|
||||||
[powershell]
|
|
||||||
search = source=Powershell
|
|
||||||
|
|
||||||
[msad-dc-health]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:Health"
|
|
||||||
|
|
||||||
[msad-rep-health]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:Replication"
|
|
||||||
|
|
||||||
[msad-site]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
|
|
||||||
|
|
||||||
[msad-subnetinfo]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
|
|
||||||
|
|
||||||
[msad-sitelinkinfo]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
|
|
||||||
|
|
||||||
[msad-siteinfo]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
|
|
||||||
|
|
||||||
[msad-subnet-affinity]
|
|
||||||
search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
|
|
||||||
|
|
||||||
[admon-gpo]
|
|
||||||
search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
|
|
||||||
|
|
||||||
[admon-group]
|
|
||||||
search = eventtype=admon objectCategory="*CN=Group*"
|
|
||||||
|
|
||||||
[admon-computer]
|
|
||||||
search = eventtype=admon objectCategory="*CN=Computer*"
|
|
||||||
|
|
||||||
[admon-user]
|
|
||||||
search = eventtype=admon objectCategory="*CN=Person*"
|
|
||||||
|
|
||||||
[admon]
|
|
||||||
search = sourcetype=ActiveDirectory
|
|
||||||
|
|
||||||
[perfmon]
|
|
||||||
search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
|
|
||||||
|
|
||||||
[ad-files]
|
|
||||||
search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
|
|
||||||
|
|
||||||
[perfmon-ntds]
|
|
||||||
search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
|
|
||||||
|
|
||||||
[nt6-dns-events]
|
|
||||||
search = sourcetype=MSAD:NT6:DNS
|
|
||||||
|
|
||||||
[wineventlog-dns]
|
|
||||||
search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
|
|
||||||
|
|
||||||
[msad-dns-zoneinfo]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
|
|
||||||
|
|
||||||
[msad-dns-health]
|
|
||||||
search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
|
|
||||||
|
|
||||||
[msad-dns-debuglog]
|
|
||||||
search = eventtype=ad-files sourcetype="MSAD:*:DNS"
|
|
||||||
|
|
||||||
[perfmon-dns]
|
|
||||||
search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
|
|
||||||
|
|
||||||
[wineventlog-dfs]
|
|
||||||
search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
|
|
||||||
|
|
||||||
[wineventlog-filereplication]
|
|
||||||
search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
|
|
||||||
|
|
||||||
[wineventlog-keymanagement]
|
|
||||||
search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
|
|
||||||
|
|
||||||
[endpoint_services_processes]
|
|
||||||
search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
|
|
||||||
|
|
||||||
## Endpoint Processes
|
|
||||||
[windows_endpoint_processes]
|
|
||||||
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
|
|
||||||
#tags = process report
|
|
||||||
|
|
||||||
## Endpoint Services
|
|
||||||
[windows_endpoint_services]
|
|
||||||
search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
|
|
||||||
#tags = service report
|
|
||||||
|
|
||||||
## Security-CIM Mappings
|
|
||||||
|
|
||||||
## Endpoint Registry
|
|
||||||
[windows_security_endpoint_registry]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
|
|
||||||
#tags = endpoint registry
|
|
||||||
|
|
||||||
## Endpoint Port
|
|
||||||
[windows_security_endpoint_port]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
|
|
||||||
#tags = listening port
|
|
||||||
|
|
||||||
## Change Audit
|
|
||||||
[windows_security_change_audit]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
|
|
||||||
#tags = change audit
|
|
||||||
|
|
||||||
## Change
|
|
||||||
[windows_security_change]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799)
|
|
||||||
#tags = change
|
|
||||||
|
|
||||||
## Authentication
|
|
||||||
[windows_security_authentication]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625)
|
|
||||||
#tags = authentication
|
|
||||||
|
|
||||||
## Change Account - ADDON-42191
|
|
||||||
[windows_security_change_account]
|
|
||||||
search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801)
|
|
||||||
#tags = change account
|
|
||||||
|
|
||||||
## System-CIM Mapping
|
|
||||||
|
|
||||||
# Change Audit - ADDON-48489
|
|
||||||
[windows_system_change_audit]
|
|
||||||
search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
|
|
||||||
#tags = change audit
|
|
||||||
@ -1,442 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
## DO NOT EDIT THIS FILE!
|
|
||||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
||||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
||||||
## into ../local and edit there.
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
###### OS Logs ######
|
|
||||||
[WinEventLog://Application]
|
|
||||||
disabled = 1
|
|
||||||
start_from = oldest
|
|
||||||
current_only = 0
|
|
||||||
checkpointInterval = 5
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
[WinEventLog://Security]
|
|
||||||
disabled = 1
|
|
||||||
start_from = oldest
|
|
||||||
current_only = 0
|
|
||||||
evt_resolve_ad_obj = 1
|
|
||||||
checkpointInterval = 5
|
|
||||||
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
|
|
||||||
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
[WinEventLog://System]
|
|
||||||
disabled = 1
|
|
||||||
start_from = oldest
|
|
||||||
current_only = 0
|
|
||||||
checkpointInterval = 5
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
|
|
||||||
###### Forwarded WinEventLogs (WEF) ######
|
|
||||||
[WinEventLog://ForwardedEvents]
|
|
||||||
disabled = 1
|
|
||||||
start_from = oldest
|
|
||||||
current_only = 0
|
|
||||||
checkpointInterval = 5
|
|
||||||
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
|
|
||||||
renderXml=true
|
|
||||||
host=WinEventLogForwardHost
|
|
||||||
|
|
||||||
|
|
||||||
###### WinEventLog Inputs for Active Directory ######
|
|
||||||
|
|
||||||
## Application and Services Logs - DFS Replication
|
|
||||||
[WinEventLog://DFS Replication]
|
|
||||||
disabled = 1
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
## Application and Services Logs - Directory Service
|
|
||||||
[WinEventLog://Directory Service]
|
|
||||||
disabled = 1
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
## Application and Services Logs - File Replication Service
|
|
||||||
[WinEventLog://File Replication Service]
|
|
||||||
disabled = 1
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
## Application and Services Logs - Key Management Service
|
|
||||||
[WinEventLog://Key Management Service]
|
|
||||||
disabled = 1
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
|
|
||||||
###### WinEventLog Inputs for DNS ######
|
|
||||||
[WinEventLog://DNS Server]
|
|
||||||
disabled=1
|
|
||||||
renderXml=true
|
|
||||||
|
|
||||||
|
|
||||||
###### DHCP ######
|
|
||||||
[monitor://$WINDIR\System32\DHCP]
|
|
||||||
disabled = 1
|
|
||||||
whitelist = DhcpSrvLog*
|
|
||||||
crcSalt = <SOURCE>
|
|
||||||
sourcetype = DhcpSrvLog
|
|
||||||
|
|
||||||
|
|
||||||
###### Windows Update Log ######
|
|
||||||
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
|
|
||||||
[monitor://$WINDIR\WindowsUpdate.log]
|
|
||||||
disabled = 1
|
|
||||||
sourcetype = WindowsUpdateLog
|
|
||||||
|
|
||||||
## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
|
|
||||||
## Below stanza will automatically generate WindowsUpdate.log daily
|
|
||||||
[powershell://generate_windows_update_logs]
|
|
||||||
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
|
|
||||||
schedule = 0 */24 * * *
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
|
|
||||||
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
|
|
||||||
disabled = 1
|
|
||||||
sourcetype = WindowsUpdateLog
|
|
||||||
|
|
||||||
|
|
||||||
###### Monitor Inputs for Active Directory ######
|
|
||||||
[monitor://$WINDIR\debug\netlogon.log]
|
|
||||||
sourcetype=MSAD:NT6:Netlogon
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
|
|
||||||
###### Monitor Inputs for DNS ######
|
|
||||||
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
|
|
||||||
sourcetype=MSAD:NT6:DNS
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
|
|
||||||
###### Scripted Input (See also wmi.conf)
|
|
||||||
[script://.\bin\win_listening_ports.bat]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per hour
|
|
||||||
interval = 3600
|
|
||||||
sourcetype = Script:ListeningPorts
|
|
||||||
|
|
||||||
[script://.\bin\win_installed_apps.bat]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
sourcetype = Script:InstalledApps
|
|
||||||
|
|
||||||
[script://.\bin\win_timesync_status.bat]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per hour
|
|
||||||
interval = 3600
|
|
||||||
sourcetype = Script:TimesyncStatus
|
|
||||||
|
|
||||||
[script://.\bin\win_timesync_configuration.bat]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per hour
|
|
||||||
interval = 3600
|
|
||||||
sourcetype = Script:TimesyncConfiguration
|
|
||||||
|
|
||||||
[script://.\bin\netsh_address.bat]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
sourcetype = Script:NetworkConfiguration
|
|
||||||
|
|
||||||
###### Scripted/Powershell Mod inputs Active Directory ######
|
|
||||||
|
|
||||||
## Replication Information NT6
|
|
||||||
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:Replication
|
|
||||||
interval=300
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
## Replication Information 2012r2 and 2016
|
|
||||||
[powershell://Replication-Stats]
|
|
||||||
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
|
|
||||||
schedule = 0 */5 * ? * *
|
|
||||||
source = Powershell
|
|
||||||
sourcetype=MSAD:NT6:Replication
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
## Health and Topology Information NT6
|
|
||||||
[script://.\bin\runpowershell.cmd nt6-health.ps1]
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:Health
|
|
||||||
interval=300
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
## Health and Topology Information 2012r2 and 2016
|
|
||||||
[powershell://AD-Health]
|
|
||||||
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
|
|
||||||
schedule = 0 */5 * ? * *
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:Health
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
|
|
||||||
## Site, Site Link and Subnet Information NT6
|
|
||||||
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:SiteInfo
|
|
||||||
interval=3600
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
## Site, Site Link and Subnet Information 2012r2 and 2016
|
|
||||||
[powershell://Siteinfo]
|
|
||||||
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
|
|
||||||
schedule = 0 15 * ? * *
|
|
||||||
source = Powershell
|
|
||||||
sourcetype=MSAD:NT6:SiteInfo
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
|
|
||||||
##### Scripted Inputs for DNS #####
|
|
||||||
|
|
||||||
## DNS Zone Information Collection
|
|
||||||
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:DNS-Zone-Information
|
|
||||||
interval=3600
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
## DNS Health Information Collection
|
|
||||||
[script://.\bin\runpowershell.cmd dns-health.ps1]
|
|
||||||
source=Powershell
|
|
||||||
sourcetype=MSAD:NT6:DNS-Health
|
|
||||||
interval=3600
|
|
||||||
disabled=1
|
|
||||||
|
|
||||||
|
|
||||||
###### Host monitoring ######
|
|
||||||
[WinHostMon://Computer]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Computer
|
|
||||||
|
|
||||||
[WinHostMon://Process]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Process
|
|
||||||
|
|
||||||
[WinHostMon://Processor]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Processor
|
|
||||||
|
|
||||||
[WinHostMon://NetworkAdapter]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = NetworkAdapter
|
|
||||||
|
|
||||||
[WinHostMon://Service]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Service
|
|
||||||
|
|
||||||
[WinHostMon://OperatingSystem]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = OperatingSystem
|
|
||||||
|
|
||||||
[WinHostMon://Disk]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Disk
|
|
||||||
|
|
||||||
[WinHostMon://Driver]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Driver
|
|
||||||
|
|
||||||
[WinHostMon://Roles]
|
|
||||||
interval = 600
|
|
||||||
disabled = 1
|
|
||||||
type = Roles
|
|
||||||
|
|
||||||
###### Print monitoring ######
|
|
||||||
[WinPrintMon://printer]
|
|
||||||
type = printer
|
|
||||||
interval = 600
|
|
||||||
baseline = 1
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WinPrintMon://driver]
|
|
||||||
type = driver
|
|
||||||
interval = 600
|
|
||||||
baseline = 1
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WinPrintMon://port]
|
|
||||||
type = port
|
|
||||||
interval = 600
|
|
||||||
baseline = 1
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
###### Network monitoring ######
|
|
||||||
[WinNetMon://inbound]
|
|
||||||
direction = inbound
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WinNetMon://outbound]
|
|
||||||
direction = outbound
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
###### Splunk 5.0+ Performance Counters ######
|
|
||||||
## CPU
|
|
||||||
[perfmon://CPU]
|
|
||||||
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = Processor
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## Logical Disk
|
|
||||||
[perfmon://LogicalDisk]
|
|
||||||
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = LogicalDisk
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## Physical Disk
|
|
||||||
[perfmon://PhysicalDisk]
|
|
||||||
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = PhysicalDisk
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## Memory
|
|
||||||
[perfmon://Memory]
|
|
||||||
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
|
|
||||||
disabled = 1
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = Memory
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## Network
|
|
||||||
[perfmon://Network]
|
|
||||||
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = Network Interface
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## Process
|
|
||||||
[perfmon://Process]
|
|
||||||
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = Process
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## ProcessInformation
|
|
||||||
[perfmon://ProcessorInformation]
|
|
||||||
counters = % Processor Time; Processor Frequency
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = Processor Information
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
## System
|
|
||||||
[perfmon://System]
|
|
||||||
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
|
|
||||||
disabled = 1
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
mode = multikv
|
|
||||||
object = System
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
|
|
||||||
###### Perfmon Inputs from TA-AD/TA-DNS ######
|
|
||||||
[perfmon://Processor]
|
|
||||||
object = Processor
|
|
||||||
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
disabled = 1
|
|
||||||
mode = multikv
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
[perfmon://Network_Interface]
|
|
||||||
object = Network Interface
|
|
||||||
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
|
|
||||||
instances = *
|
|
||||||
interval = 10
|
|
||||||
disabled = 1
|
|
||||||
mode = multikv
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
[perfmon://DFS_Replicated_Folders]
|
|
||||||
object = DFS Replicated Folders
|
|
||||||
counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
|
|
||||||
instances = *
|
|
||||||
interval = 30
|
|
||||||
disabled = 1
|
|
||||||
mode = multikv
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
[perfmon://NTDS]
|
|
||||||
object = NTDS
|
|
||||||
counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
|
|
||||||
interval = 10
|
|
||||||
disabled = 1
|
|
||||||
mode = multikv
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
[perfmon://DNS]
|
|
||||||
object = DNS
|
|
||||||
counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received
|
|
||||||
interval = 10
|
|
||||||
disabled = 1
|
|
||||||
mode = multikv
|
|
||||||
useEnglishOnly=true
|
|
||||||
|
|
||||||
|
|
||||||
[admon://default]
|
|
||||||
disabled = 1
|
|
||||||
monitorSubtree = 1
|
|
||||||
|
|
||||||
|
|
||||||
[WinRegMon://default]
|
|
||||||
disabled = 1
|
|
||||||
hive = .*
|
|
||||||
proc = .*
|
|
||||||
type = rename|set|delete|create
|
|
||||||
|
|
||||||
[WinRegMon://hkcu_run]
|
|
||||||
disabled = 1
|
|
||||||
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
|
|
||||||
proc = .*
|
|
||||||
type = set|create|delete|rename
|
|
||||||
|
|
||||||
[WinRegMon://hklm_run]
|
|
||||||
disabled = 1
|
|
||||||
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
|
|
||||||
proc = .*
|
|
||||||
type = set|create|delete|rename
|
|
||||||
|
|
||||||
[powershell://windows_bios_data]
|
|
||||||
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\windows_bios_data.ps1"
|
|
||||||
schedule = 0 */24 * * *
|
|
||||||
source = Powershell
|
|
||||||
sourcetype = win:bios
|
|
||||||
disabled = 1
|
|
||||||
@ -1,38 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
##
|
|
||||||
##
|
|
||||||
[events-search(6)]
|
|
||||||
args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type
|
|
||||||
definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$"
|
|
||||||
|
|
||||||
[compute-ingestion-stats]
|
|
||||||
# The below post-process can be used to compute generic statistics about event ingestion
|
|
||||||
# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline.
|
|
||||||
definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB"
|
|
||||||
|
|
||||||
[netmon-hosts-search]
|
|
||||||
definition = eventtype=netmon_windows | stats count by host | sort +host
|
|
||||||
|
|
||||||
[event-hosts-search]
|
|
||||||
definition = eventtype=wineventlog_windows | stats count by host | sort +host
|
|
||||||
|
|
||||||
[log-names-search]
|
|
||||||
definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName
|
|
||||||
|
|
||||||
[source-names-search(1)]
|
|
||||||
args = LogName
|
|
||||||
definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName
|
|
||||||
|
|
||||||
[task-categories-search(2)]
|
|
||||||
args = LogName, SourceName
|
|
||||||
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory
|
|
||||||
|
|
||||||
[event-codes-search(3)]
|
|
||||||
args = LogName, SourceName, TaskCategory
|
|
||||||
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode
|
|
||||||
|
|
||||||
[event-types-search(4)]
|
|
||||||
args = LogName, SourceName, TaskCategory, EventCode
|
|
||||||
definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type
|
|
||||||
@ -1,674 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
## DO NOT EDIT THIS FILE!
|
|
||||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
||||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
||||||
## into ../local and edit there.
|
|
||||||
|
|
||||||
###### Global Windows Eventtype ######
|
|
||||||
|
|
||||||
[eventtype=windows_event_signature]
|
|
||||||
track_event_signatures = enabled
|
|
||||||
|
|
||||||
[eventtype=wineventlog_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=wineventlog_application]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=wineventlog_system]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=wineventlog_security]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_processorinformation]
|
|
||||||
process = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
cpu = enabled
|
|
||||||
|
|
||||||
[eventtype=hostmon_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=hostmon_os]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
memory = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=hostmon_inventory]
|
|
||||||
os = enabled
|
|
||||||
inventory = enabled
|
|
||||||
cpu = enabled
|
|
||||||
memory = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=hostmon_disk]
|
|
||||||
performance = enabled
|
|
||||||
inventory = enabled
|
|
||||||
storage = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=netmon_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=printmon_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=script_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=windowsupdatelog_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=winregistry_windows]
|
|
||||||
os = enabled
|
|
||||||
windows = enabled
|
|
||||||
endpoint = enabled
|
|
||||||
change = enabled
|
|
||||||
registry = enabled
|
|
||||||
|
|
||||||
[eventtype=winsec]
|
|
||||||
security = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### DHCP ######
|
|
||||||
[eventtype=msdhcp]
|
|
||||||
dhcp = enabled
|
|
||||||
network = enabled
|
|
||||||
session = enabled
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=msdhcp_start]
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
[eventtype=msdhcp_end]
|
|
||||||
end = disabled
|
|
||||||
|
|
||||||
[eventtype=DhcpSrvLog]
|
|
||||||
windows = enabled
|
|
||||||
|
|
||||||
[eventtype=DhcpSrvLog_dhcp]
|
|
||||||
dhcp = enabled
|
|
||||||
network = enabled
|
|
||||||
session = enabled
|
|
||||||
|
|
||||||
[eventtype=DhcpSrvLog_start]
|
|
||||||
dhcp = enabled
|
|
||||||
network = enabled
|
|
||||||
session = enabled
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
[eventtype=DhcpSrvLog_end]
|
|
||||||
dhcp = enabled
|
|
||||||
network = enabled
|
|
||||||
session = enabled
|
|
||||||
end = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Account Logon ######
|
|
||||||
[eventtype=windows_auth_ticket_granted]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_service_ticket_granted]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_pre_auth_failed]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_used4logon]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_session_disconnected]
|
|
||||||
access = enabled
|
|
||||||
stop = enabled
|
|
||||||
logoff = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Account Management ######
|
|
||||||
[eventtype=windows_account_management]
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
management = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_created]
|
|
||||||
add = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_enabled]
|
|
||||||
enable = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_password_change]
|
|
||||||
password = enabled
|
|
||||||
modify = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_password_set]
|
|
||||||
password = enabled
|
|
||||||
modify = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[Service_Name=kadmin%2Fchangepw]
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
password = enabled
|
|
||||||
modify = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_disabled]
|
|
||||||
disable = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_deleted]
|
|
||||||
delete = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_modified]
|
|
||||||
modify = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_lockout]
|
|
||||||
lock = enabled
|
|
||||||
lockout = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_unlocked]
|
|
||||||
modify = enabled
|
|
||||||
account = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
###### Security: Audit (Event Log) ######
|
|
||||||
[eventtype=windows_audit_log_stopped]
|
|
||||||
stop = enabled
|
|
||||||
stopped = enabled
|
|
||||||
watchlist = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_audit_errors]
|
|
||||||
audit = enabled
|
|
||||||
error = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_audit_log_cleared]
|
|
||||||
audit = enabled
|
|
||||||
change = enabled
|
|
||||||
delete = enabled
|
|
||||||
cleared = enabled
|
|
||||||
watchlist = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_audit_backup]
|
|
||||||
audit = enabled
|
|
||||||
backup = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_audit_log_logon]
|
|
||||||
audit = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[privilege_id=SeAuditPrivilege]
|
|
||||||
audit = enabled
|
|
||||||
|
|
||||||
[privilege_id=SeSecurityPrivilege]
|
|
||||||
audit = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Logon/Logoff ######
|
|
||||||
[eventtype=windows_logoff]
|
|
||||||
access = enabled
|
|
||||||
stop = enabled
|
|
||||||
logoff = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_logon_explicit]
|
|
||||||
authentication = enabled
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_logon_failure]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[app=win%3Alocal]
|
|
||||||
local = enabled
|
|
||||||
|
|
||||||
[app=win%3Aremote]
|
|
||||||
remote = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_logon_success]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[Logon_Type=8]
|
|
||||||
cleartext = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Object Access ######
|
|
||||||
[eventtype=windows_object_open]
|
|
||||||
resource = enabled
|
|
||||||
file = enabled
|
|
||||||
access = enabled
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_handle_closed]
|
|
||||||
resource = enabled
|
|
||||||
file = enabled
|
|
||||||
access = enabled
|
|
||||||
stop = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Policy Change ######
|
|
||||||
[eventtype=windows_audit_policy_change]
|
|
||||||
policy = enabled
|
|
||||||
configuration = enabled
|
|
||||||
modify = enabled
|
|
||||||
audit = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_security_access_granted]
|
|
||||||
access = enabled
|
|
||||||
authorization = enabled
|
|
||||||
add = enabled
|
|
||||||
change = enabled
|
|
||||||
account = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_security_access_removed]
|
|
||||||
access = enabled
|
|
||||||
authorization = enabled
|
|
||||||
delete = enabled
|
|
||||||
change = enabled
|
|
||||||
account = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_audit_policy_changed]
|
|
||||||
policy = enabled
|
|
||||||
configuration = enabled
|
|
||||||
modify = enabled
|
|
||||||
audit = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_firewall_policy_active]
|
|
||||||
application = enabled
|
|
||||||
firewall = enabled
|
|
||||||
configuration = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_firewall_policy_change]
|
|
||||||
application = enabled
|
|
||||||
firewall = enabled
|
|
||||||
configuration = enabled
|
|
||||||
modify = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_firewall_port_listening]
|
|
||||||
application = enabled
|
|
||||||
firewall = enabled
|
|
||||||
port = enabled
|
|
||||||
listening = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Privilege Use ######
|
|
||||||
[eventtype=windows_special_privileges]
|
|
||||||
authentication = enabled
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_privileged_service_call]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_privileged_object_operation]
|
|
||||||
resource = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Process Tracking ######
|
|
||||||
[eventtype=windows_process_new]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_process_exit]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
stop = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_process_token]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
[Token_Elevation_Type_id=2]
|
|
||||||
privileged = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: System ######
|
|
||||||
[eventtype=windows_auth_package]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_logon_process]
|
|
||||||
process = enabled
|
|
||||||
authorization = enabled
|
|
||||||
add = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_notification_package]
|
|
||||||
process = enabled
|
|
||||||
execute = enabled
|
|
||||||
start = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Security: Vulnerability ######
|
|
||||||
[eventtype=windows_security_misconfiguration_password_minimum_length]
|
|
||||||
misconfiguration = enabled
|
|
||||||
password = enabled
|
|
||||||
policy = enabled
|
|
||||||
vulnerability = enabled
|
|
||||||
report = enabled
|
|
||||||
audit = enabled
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### System: Time ######
|
|
||||||
[eventtype=windows_time_sync]
|
|
||||||
report = enabled
|
|
||||||
time = enabled
|
|
||||||
synchronize = enabled
|
|
||||||
success = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_time_failure]
|
|
||||||
report = enabled
|
|
||||||
time = enabled
|
|
||||||
synchronize = enabled
|
|
||||||
failure = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### System: Update ######
|
|
||||||
[eventtype=windows_system_update]
|
|
||||||
system = enabled
|
|
||||||
update = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_system_update_status]
|
|
||||||
status = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_updatelog]
|
|
||||||
system = enabled
|
|
||||||
update = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_updatelog_status]
|
|
||||||
status = enabled
|
|
||||||
|
|
||||||
## WMI:Update
|
|
||||||
[eventtype=wmi_installed_packages]
|
|
||||||
system = enabled
|
|
||||||
update = enabled
|
|
||||||
status = enabled
|
|
||||||
|
|
||||||
|
|
||||||
###### Splunk WMI ######
|
|
||||||
|
|
||||||
## ComputerSystem
|
|
||||||
[eventtype=wmi_computersystem]
|
|
||||||
performance = enabled
|
|
||||||
memory = enabled
|
|
||||||
|
|
||||||
## CPUTime
|
|
||||||
[eventtype=perfmon_cputime]
|
|
||||||
cpu = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_cputime_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_cputime]
|
|
||||||
cpu = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_cputime_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
## System
|
|
||||||
[eventtype=perfmon_system]
|
|
||||||
cpu = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
## Disk
|
|
||||||
[eventtype=perfmon_freediskspace]
|
|
||||||
disk = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
storage = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_freediskspace_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_freediskspace]
|
|
||||||
disk = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
storage = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_freediskspace_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_logicaldisk]
|
|
||||||
disk = enabled
|
|
||||||
performance = enabled
|
|
||||||
storage = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_logicaldisk]
|
|
||||||
disk = enabled
|
|
||||||
performance = enabled
|
|
||||||
storage = enabled
|
|
||||||
|
|
||||||
## Network
|
|
||||||
[eventtype=perfmon_network]
|
|
||||||
network = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_network_throughput]
|
|
||||||
network = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_network_bandwidth]
|
|
||||||
network = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_network_throughput]
|
|
||||||
network = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_network_bandwidth]
|
|
||||||
network = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
## Process
|
|
||||||
[eventtype=perfmon_process]
|
|
||||||
performance = enabled
|
|
||||||
process = enabled
|
|
||||||
oshost = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
## Listening Ports
|
|
||||||
[eventtype=script_listeningports]
|
|
||||||
port = enabled
|
|
||||||
listening = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
## Local Processes
|
|
||||||
[eventtype=wmi_localprocesses]
|
|
||||||
process = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_localprocesses_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
## Memory
|
|
||||||
[eventtype=perfmon_memory]
|
|
||||||
memory = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
oshost = enabled
|
|
||||||
|
|
||||||
[eventtype=perfmon_memory_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_memory]
|
|
||||||
memory = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_memory_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
## Service
|
|
||||||
[eventtype=wmi_service]
|
|
||||||
service = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_service_status_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_service_state_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
[app=W32Time]
|
|
||||||
time = enabled
|
|
||||||
synchronize = enabled
|
|
||||||
|
|
||||||
[app=wuauserv]
|
|
||||||
automatic = enabled
|
|
||||||
update = enabled
|
|
||||||
|
|
||||||
## Uptime
|
|
||||||
[eventtype=wmi_uptime]
|
|
||||||
uptime = enabled
|
|
||||||
report = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
[eventtype=wmi_uptime_anomalous]
|
|
||||||
anomalous = enabled
|
|
||||||
|
|
||||||
## User Accounts
|
|
||||||
[eventtype=wmi_useraccounts]
|
|
||||||
account = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
inventory = enabled
|
|
||||||
user = enabled
|
|
||||||
|
|
||||||
## Version
|
|
||||||
[eventtype=wmi_version]
|
|
||||||
system = enabled
|
|
||||||
version = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
inventory = enabled
|
|
||||||
|
|
||||||
|
|
||||||
[eventtype=windows_account_mapped]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_account_notmapped]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=microsoft_windows_hostmon_process]
|
|
||||||
process = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
[eventtype=microsoft_windows_hostmon_service]
|
|
||||||
service = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
[eventtype=microsoft_windows_hostmon_service_time]
|
|
||||||
time = enabled
|
|
||||||
synchronize = enabled
|
|
||||||
os = enabled
|
|
||||||
performance = enabled
|
|
||||||
|
|
||||||
## Endpoint.processes Data Model
|
|
||||||
[eventtype=windows_endpoint_processes]
|
|
||||||
process = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
## Endpoint.services Data Model
|
|
||||||
[eventtype=windows_endpoint_services]
|
|
||||||
service = enabled
|
|
||||||
report = enabled
|
|
||||||
|
|
||||||
## Security-CIM Mappings
|
|
||||||
|
|
||||||
## Endpoint Registry Data Model
|
|
||||||
[eventtype=windows_security_endpoint_registry]
|
|
||||||
endpoint = enabled
|
|
||||||
registry = enabled
|
|
||||||
|
|
||||||
## Endpoint Port Data Model
|
|
||||||
[eventtype=windows_security_endpoint_port]
|
|
||||||
listening = enabled
|
|
||||||
port = enabled
|
|
||||||
|
|
||||||
## Change Audit Data Model
|
|
||||||
[eventtype=windows_security_change_audit]
|
|
||||||
change = enabled
|
|
||||||
audit = enabled
|
|
||||||
|
|
||||||
## Change Data Model
|
|
||||||
[eventtype=windows_security_change]
|
|
||||||
change = enabled
|
|
||||||
|
|
||||||
# Authentication Data Model
|
|
||||||
[eventtype=windows_security_authentication]
|
|
||||||
authentication = enabled
|
|
||||||
|
|
||||||
[eventtype=windows_security_change_account]
|
|
||||||
change = enabled
|
|
||||||
account = enabled
|
|
||||||
|
|
||||||
# Change Audit DM for Windows System
|
|
||||||
[eventtype=windows_system_change_audit]
|
|
||||||
change = enabled
|
|
||||||
audit = enabled
|
|
||||||
|
|
||||||
# Network resolution (dns) DM for DNS events.
|
|
||||||
[eventtype=nt6-dns-events]
|
|
||||||
network = enabled
|
|
||||||
resolution = enabled
|
|
||||||
dns = enabled
|
|
||||||
@ -1,152 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
## DO NOT EDIT THIS FILE!
|
|
||||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
||||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
||||||
## into ../local and edit there.
|
|
||||||
##
|
|
||||||
## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
|
|
||||||
##
|
|
||||||
|
|
||||||
[settings]
|
|
||||||
initial_backoff = 5
|
|
||||||
max_backoff = 20
|
|
||||||
max_retries_at_max_backoff = 0
|
|
||||||
checkpoint_sync_interval = 2
|
|
||||||
|
|
||||||
## Pull event logs FROM the local system
|
|
||||||
## Usually disabled in favor of using WinEventLog inputs
|
|
||||||
[WMI:LocalApplication]
|
|
||||||
interval = 10
|
|
||||||
event_log_file = Application
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WMI:LocalSystem]
|
|
||||||
interval = 10
|
|
||||||
event_log_file = System
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WMI:LocalSecurity]
|
|
||||||
interval = 10
|
|
||||||
event_log_file = Security
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Gather performance data FROM the local system
|
|
||||||
|
|
||||||
## Computer System
|
|
||||||
[WMI:ComputerSystem]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
|
|
||||||
|
|
||||||
|
|
||||||
## CPU
|
|
||||||
## Usually disabled in favor of Perfmon counters
|
|
||||||
[WMI:CPUTime]
|
|
||||||
interval = 3
|
|
||||||
wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Disk
|
|
||||||
|
|
||||||
## Usually disabled in favor of Perfmon counters
|
|
||||||
[WMI:FreeDiskSpace]
|
|
||||||
interval = 120
|
|
||||||
wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WMI:LogicalDisk]
|
|
||||||
interval = 120
|
|
||||||
wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
[WMI:LocalPhysicalDisk]
|
|
||||||
interval = 10
|
|
||||||
wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Memory
|
|
||||||
## Usually disabled in favor of Perfmon counters
|
|
||||||
[WMI:Memory]
|
|
||||||
interval = 5
|
|
||||||
wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Network
|
|
||||||
## Usuall disabled in favor of Perfmon counters
|
|
||||||
[WMI:LocalNetwork]
|
|
||||||
interval = 10
|
|
||||||
wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Processes
|
|
||||||
[WMI:LocalProcesses]
|
|
||||||
interval = 30
|
|
||||||
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
|
|
||||||
disabled = 1
|
|
||||||
|
|
||||||
|
|
||||||
## Scheduled Jobs
|
|
||||||
|
|
||||||
## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
|
|
||||||
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
|
|
||||||
[WMI:ScheduledJobs]
|
|
||||||
disabled = 1
|
|
||||||
## Run twice per day
|
|
||||||
interval = 43200
|
|
||||||
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
|
|
||||||
|
|
||||||
## Services
|
|
||||||
|
|
||||||
## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
|
|
||||||
## Lists all services registered on the system,if they are running,and the status
|
|
||||||
[WMI:Service]
|
|
||||||
disabled = 1
|
|
||||||
## Run once an hour
|
|
||||||
interval = 3600
|
|
||||||
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
|
|
||||||
|
|
||||||
|
|
||||||
## Update
|
|
||||||
[WMI:InstalledUpdates]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
|
|
||||||
|
|
||||||
|
|
||||||
## Uptime
|
|
||||||
[WMI:Uptime]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
|
|
||||||
|
|
||||||
|
|
||||||
## User Accounts
|
|
||||||
[WMI:UserAccounts]
|
|
||||||
disabled = 1
|
|
||||||
## Run twice per day
|
|
||||||
interval = 43200
|
|
||||||
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
|
|
||||||
|
|
||||||
## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
|
|
||||||
## disabled = 1
|
|
||||||
## Run twice per day
|
|
||||||
## interval = 43200
|
|
||||||
## wql = SELECT * FROM Win32_AccountSID
|
|
||||||
|
|
||||||
|
|
||||||
## Version
|
|
||||||
[WMI:Version]
|
|
||||||
disabled = 1
|
|
||||||
## Run once per day
|
|
||||||
interval = 86400
|
|
||||||
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
|
|
||||||
@ -1,50 +0,0 @@
|
|||||||
##
|
|
||||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
||||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
||||||
## DO NOT EDIT THIS FILE!
|
|
||||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
||||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
||||||
## into ../local and edit there.
|
|
||||||
##
|
|
||||||
|
|
||||||
###### EventID.net ######
|
|
||||||
[windows_eventidnet_winapp]
|
|
||||||
display_location = both
|
|
||||||
eventtypes = winapp
|
|
||||||
fields = SourceName, EventCode, signature_id
|
|
||||||
label = EventId Encyclopedia
|
|
||||||
link.method = get
|
|
||||||
link.target = blank
|
|
||||||
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
|
|
||||||
type = link
|
|
||||||
|
|
||||||
[windows_eventidnet_winsec]
|
|
||||||
display_location = both
|
|
||||||
eventtypes = winsec
|
|
||||||
fields = SourceName, EventCode, signature_id
|
|
||||||
label = EventId Encyclopedia
|
|
||||||
link.method = get
|
|
||||||
link.target = blank
|
|
||||||
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
|
|
||||||
type = link
|
|
||||||
|
|
||||||
[windows_eventidnet_winsystem]
|
|
||||||
display_location = both
|
|
||||||
eventtypes = winsystem
|
|
||||||
fields = SourceName, EventCode, signature_id
|
|
||||||
label = EventId Encyclopedia
|
|
||||||
link.method = get
|
|
||||||
link.target = blank
|
|
||||||
link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
|
|
||||||
type = link
|
|
||||||
|
|
||||||
###### Ultimate Windows Security ######
|
|
||||||
[windows_ultimatewinsec]
|
|
||||||
display_location = both
|
|
||||||
eventtypes = winsec
|
|
||||||
fields = EventCode, signature_id
|
|
||||||
label = Winsec Encyclopedia
|
|
||||||
link.method = get
|
|
||||||
link.target = blank
|
|
||||||
link.uri = https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$signature_id$
|
|
||||||
type = link
|
|
||||||
@ -1,29 +0,0 @@
|
|||||||
[WinEventLog://Security]
|
|
||||||
disabled = 0
|
|
||||||
evt_resolve_ad_obj = 1
|
|
||||||
checkpointInterval = 5
|
|
||||||
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
|
|
||||||
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
|
|
||||||
blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
|
|
||||||
index = oswinsec
|
|
||||||
|
|
||||||
[WinEventLog://Application]
|
|
||||||
disabled = 0
|
|
||||||
checkpointInterval = 5
|
|
||||||
index = oswin
|
|
||||||
|
|
||||||
[WinEventLog://System]
|
|
||||||
disabled = 0
|
|
||||||
checkpointInterval = 5
|
|
||||||
index = oswin
|
|
||||||
|
|
||||||
[monitor://$WINDIR\WindowsUpdate.log]
|
|
||||||
disabled = 0
|
|
||||||
sourcetype = WindowsUpdateLog
|
|
||||||
index = oswinsec
|
|
||||||
|
|
||||||
[WinHostMon://Service]
|
|
||||||
interval = 3600
|
|
||||||
disabled = 0
|
|
||||||
type = Service
|
|
||||||
index = oswinscript
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Can't render this file because it contains an unexpected character in line 32 and column 44.
|
|
@ -1,5 +0,0 @@
|
|||||||
# Application-level permissions
|
|
||||||
|
|
||||||
[]
|
|
||||||
access = read : [ * ], write : [ admin, sc_admin ]
|
|
||||||
export = system
|
|
||||||
@ -1,349 +0,0 @@
|
|||||||
{
|
|
||||||
"version": "1.0",
|
|
||||||
"date": "2023-12-07T14:55:04.880743212Z",
|
|
||||||
"hashAlgorithm": "SHA-256",
|
|
||||||
"app": {
|
|
||||||
"id": 742,
|
|
||||||
"version": "8.8.0",
|
|
||||||
"files": [
|
|
||||||
{
|
|
||||||
"path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
|
|
||||||
"hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "README/transforms.conf.spec",
|
|
||||||
"hash": "607ea0cb0566ae97eb2c398eee32e883fd2ce125ff83a47b07ec78bb4f4a3ae6"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "README.txt",
|
|
||||||
"hash": "3b5d020d8b1f20f96a023b8f37d11277f629b63130071bc5f4896727a402b1ae"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "THIRDPARTY",
|
|
||||||
"hash": "4e7ebeca6b8f71ea66f0b3d7699b91917724ee6dbc168d46ea39d3c44792e91d"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "VERSION",
|
|
||||||
"hash": "e4e224e961aa088cd881e1a1e9afdf13622ad419074538278e69ce00a52acaa3"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "app.manifest",
|
|
||||||
"hash": "9dfd7091b4c5a38d125bf9d35f4d420bf0f47634f12f50b9fa71fea88cfe6f9f"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "appserver/static/appIcon.png",
|
|
||||||
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "appserver/static/appLogo.png",
|
|
||||||
"hash": "c19b2fc8219cd435a8d59d683c98590f5c0d198be4d0f5004a6af000266f64fd"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/Invoke-MonitoredScript.ps1",
|
|
||||||
"hash": "0146474b232f581fb8d7275809b7fa7a1d33260aaba6bf3f87150cfda4c59a51"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/log.py",
|
|
||||||
"hash": "d0dc08cd8fd0beba8312b63c34511a5ce9d8314db3526de42b306c801f95fe31"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/netsh_address.bat",
|
|
||||||
"hash": "d437daa86ca97b67cde2a2970dc2d7e3b377106c7cb8a8ba331b37ae825e9c05"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/2012r2-health.ps1",
|
|
||||||
"hash": "fb956717460f18c257fb15d5bbce79bc9d2017d1be15724a647bb4601316882b"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/2012r2-repl-stats.ps1",
|
|
||||||
"hash": "176427ac5b5baf5d2533a2c97a69015e94df44421795dd82acce702e8dfac60a"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/2012r2-siteinfo.ps1",
|
|
||||||
"hash": "dc6fa3b3fac0474f87f179bc11e530c95732e2803309b5ffd763acbaf8691171"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/dns-health.ps1",
|
|
||||||
"hash": "18465ca9ac26c5bc2edd3023f92dd0ac5978dcd9f28aeaa22d9ae685b4d6ecf8"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/dns-zoneinfo.ps1",
|
|
||||||
"hash": "b00d8981eb454ee68ac9c2648fedb8b3453eb39788727ee7afc1d16149e5152c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/generate_windows_update_logs.ps1",
|
|
||||||
"hash": "cbf6b5321b923b7585a0dc652acbe030730b974ab64149df3d1ef054bb87394e"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/nt6-health.ps1",
|
|
||||||
"hash": "f5557ba97869931ab694589762febe36a37e0585590653915feaed259071132c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/nt6-repl-stat.ps1",
|
|
||||||
"hash": "e97bab3d9eb8b15785c240ac80814638be20c2ce4a9fabeb23b9623e696bbf31"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/nt6-siteinfo.ps1",
|
|
||||||
"hash": "f51e87b154df9577aeda0641beac2861b73d9f9e044c54b8676836d443dbb3d4"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/powershell/windows_bios_data.ps1",
|
|
||||||
"hash": "eb685d39d95435b3c44e63776493f624bbdf13d0661b3799fa52885d2289ba47"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/runpowershell.cmd",
|
|
||||||
"hash": "2334c8d7368f3257ebc652dde990bef106cec539a33e076acd9296be2d7ba1c8"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/user_account_control_property.py",
|
|
||||||
"hash": "9adc1442351e66b4a2633913c4b1ff68c8f98a6aa744fdb28ec8ed7f72841e25"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/win_installed_apps.bat",
|
|
||||||
"hash": "deb67756a20e3c37a31fa77b8ba442e296213286951b4e22fddf2dbe78b0bceb"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/win_listening_ports.bat",
|
|
||||||
"hash": "894012fc9413df5a3ee6b311cdabfc97807d3704ab18eea82b085f9e05b49b46"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/win_timesync_configuration.bat",
|
|
||||||
"hash": "f95a829dd06f4c43e374dd8bdd2e55ca521e85d7b7277c77e90fadf48dc51944"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "bin/win_timesync_status.bat",
|
|
||||||
"hash": "a4697f547c886efa541102de2e5a27057c4629b5ca66bb19d37d4cbe90dc9923"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/app.conf",
|
|
||||||
"hash": "32d33afd2aa2b7544525f772570be7c331088c2189f2d2cb547fd486156995d5"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/eventtypes.conf",
|
|
||||||
"hash": "be883df17a2e5896701786f6030c83a2b0bcefd88db7759661643ab1f18cb605"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/inputs.conf",
|
|
||||||
"hash": "2f6fd871b7183936e21d1741ee9b8fc1faf7c025b42228d2e703dd4adab89927"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/macros.conf",
|
|
||||||
"hash": "67dea90fd9f4af58c855011e33b4b735885aae43adc6dca577c1394da045b564"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/props.conf",
|
|
||||||
"hash": "a5e05786d153f11fd8753e2a23a3b8a99cd9b42f25462d8d5fb7088efc33a94c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/tags.conf",
|
|
||||||
"hash": "2a2fd41f0e878294cac5b56991b0222bf732c6294aa4bd388165d766cfb14b1e"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/transforms.conf",
|
|
||||||
"hash": "9400270257bbfa58d2c6099eeae8c59292c40aed84e4ce3c8e359cd4195f0f30"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/wmi.conf",
|
|
||||||
"hash": "40fafadc47299a48bee522a1e6a2e76d60f63233e8a102d46716c1945f79c5ca"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "default/workflow_actions.conf",
|
|
||||||
"hash": "d0bbb3d3c61b9e95258b312f3e4976fa297862e470063220e90b578fc3638929"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/dns_recordclass_lookup.csv",
|
|
||||||
"hash": "56287694ff666ebab8d2c054d94a0b923e3f79ce3a7d7ea14437f4c682deaef9"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/msad_group_type.csv",
|
|
||||||
"hash": "c312edb9dfe6394b2f76b9f1d820fede58f898bb259aaf6c9f1a6190619b777b"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/msdhcp_signatures.csv",
|
|
||||||
"hash": "57d29d2602463528f543c9b7bf68f260853a36a0558b77649f403ad5c2cb010e"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/object_category_850.csv",
|
|
||||||
"hash": "3307577d3c0ba11912808fb8c21ec89ba86354d5068517bdc389a0312a4cdb01"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/status_850.csv",
|
|
||||||
"hash": "98f62611b8ae183f3023e551b7859aa7afcfa2145d3d2dc5b25261087e04d28b"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/user_types.csv",
|
|
||||||
"hash": "cab5e002aceb2932f66954dd2de422da370c4eea9dcdaa907f2b1753d1a72ac4"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/vendor_actions.csv",
|
|
||||||
"hash": "87b64b0da91a9d0c163ec63453ed2e1418b1ad24d7afd312f6b7766f92ff52a0"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_actions.csv",
|
|
||||||
"hash": "a696d510431d8532bf925bb21cc9d1a7d9efce9e40aa9abfea4e5a8244cfa85c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_apps.csv",
|
|
||||||
"hash": "6433f2214fdad6f5d9b9a262d9ab2508f7d518ecf4db6177f69b464f5bec6285"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_audit_changes_860.csv",
|
|
||||||
"hash": "81d55853a22c2dd4916e88f20fe81d361597b367132b0e38bfb6fc3917b82bb7"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_dns_action_lookup.csv",
|
|
||||||
"hash": "d2a2a81bc00d607ba005c6338f91f35d37116c751ae7c1138f87a8f1a9bc7ff2"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_dns_query_type_lookup.csv",
|
|
||||||
"hash": "8ea42c212d95de76d951a543b6f18bebf8d61fd869929ceef8133e3d5433bdd8"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_endpoint_port_transport.csv",
|
|
||||||
"hash": "c995b304ce28c433921bc8400c680b11370188bac916778088c66f5f8b73a0e0"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_endpoint_service_service_name.csv",
|
|
||||||
"hash": "7142d61c5dd4ba693e73a8247c590f55e87aa7edb90cfbe2d4dfb2ff54ff15c6"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_endpoint_service_service_type.csv",
|
|
||||||
"hash": "0bfcf6dee4634d9a5803dd349591178ca4fc6da6268715d061f327a0650ac443"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_eventtypes.csv",
|
|
||||||
"hash": "6d82b9e2a3aeeed09e6d0b01bc46199b80d625c46681a64680ff288a90605917"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_privileges.csv",
|
|
||||||
"hash": "4582b04b8ec594d98348acd5c0ccd0be27000bfa051e05dd9209f7ad182764c2"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_severities.csv",
|
|
||||||
"hash": "1aadf97658ff11a71e754b2f632b42ec0fd359b8fc94cc87856fc20c12760924"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_signatures_860.csv",
|
|
||||||
"hash": "62d9f1c59d60f1e768252809a393b65bdb2749ee2e66f53319f0325a49a433a1"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_signatures_substatus_850.csv",
|
|
||||||
"hash": "f0fd99a056f81b8a45b841b5d792ba390c0f70435d3419072e22b873fc9eaa85"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_start_mode_lookup.csv",
|
|
||||||
"hash": "ba8555b54afc901bbcbf8c9a172239587c19dfd0a37bbacf46042d0345344387"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_timesync_actions.csv",
|
|
||||||
"hash": "7ca18948fd296b3d24f0df767a314e10ed6d6efc7ac2c12a6c740c4026dbc356"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_update_statii.csv",
|
|
||||||
"hash": "f0d914d816c982134abab6b9fdacf8e7bc1ebd6dee36faaa641786220fc84620"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_wineventlog_change_action_860.csv",
|
|
||||||
"hash": "40b7c908b3245066c0e4ba4d56d89e45759d3555ae9f76aeddae0fdcc923e1cd"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/windows_wineventlog_change_object_fields_860.csv",
|
|
||||||
"hash": "0662a5e8aa80c933fccfb12678b5ba711eb61a47da8fc088ed95ae8a4a4e9f90"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/wmi_user_account_status.csv",
|
|
||||||
"hash": "c29c91036d6d466a198fc52dcff55b91fbc8341c0b86c35c2ecc4e4e56ca3966"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/wmi_version_range.csv",
|
|
||||||
"hash": "de15c72fcb18ccd890ffe8658f29329450c1ed0404506feef857386e54bce08e"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/xmlsecurity_change_audit_and_account_management_860.csv",
|
|
||||||
"hash": "3f1e9ffbeab129b36855d0ac9ad3ff4e3b9b5f802b2db472b5264df486262086"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/xmlsecurity_eventcode_action.csv",
|
|
||||||
"hash": "3fb7fc859d75d11d4366ba29bfd24e16445c4c0ca8aa1bcfd5ee5bae7b935d5c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/xmlsecurity_eventcode_action_multiinput.csv",
|
|
||||||
"hash": "14ef17a196b6745539abaf81ca9c8f0b19525d6d3aa8dcaf9378d2141a6ec3e5"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "lookups/xmlsecurity_eventcode_errorcode_action.csv",
|
|
||||||
"hash": "737195c4e417e20d96dabd43c54c74272d91fe6f60f830b8285cb76d17dd3d82"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "metadata/default.meta",
|
|
||||||
"hash": "06d4afd0a270c2b6f4cbb47cbf59fbb55180df866df034f575ac40ea7568cf48"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIcon.png",
|
|
||||||
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIconAlt.png",
|
|
||||||
"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIconAlt_2x.png",
|
|
||||||
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIconLg.png",
|
|
||||||
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIconLg_2x.png",
|
|
||||||
"hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"path": "static/appIcon_2x.png",
|
|
||||||
"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"products": [
|
|
||||||
{
|
|
||||||
"platform": "splunk",
|
|
||||||
"product": "enterprise",
|
|
||||||
"versions": [
|
|
||||||
"8.2",
|
|
||||||
"9.0",
|
|
||||||
"9.1"
|
|
||||||
],
|
|
||||||
"architectures": [
|
|
||||||
"x86_64"
|
|
||||||
],
|
|
||||||
"operatingSystems": [
|
|
||||||
"windows",
|
|
||||||
"linux",
|
|
||||||
"macos",
|
|
||||||
"freebsd",
|
|
||||||
"solaris",
|
|
||||||
"aix"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"platform": "splunk",
|
|
||||||
"product": "cloud",
|
|
||||||
"versions": [
|
|
||||||
"8.2",
|
|
||||||
"9.0",
|
|
||||||
"9.1"
|
|
||||||
],
|
|
||||||
"architectures": [
|
|
||||||
"x86_64"
|
|
||||||
],
|
|
||||||
"operatingSystems": [
|
|
||||||
"windows",
|
|
||||||
"linux",
|
|
||||||
"macos",
|
|
||||||
"freebsd",
|
|
||||||
"solaris",
|
|
||||||
"aix"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
Before Width: | Height: | Size: 3.3 KiB |
|
Before Width: | Height: | Size: 3.3 KiB |
|
Before Width: | Height: | Size: 6.6 KiB |
|
Before Width: | Height: | Size: 6.6 KiB |
|
Before Width: | Height: | Size: 15 KiB |
|
Before Width: | Height: | Size: 6.6 KiB |