add

deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf

@@ -70,3 +70,734 @@ search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR sourc
 [windows_event_signature]
 search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog
 #tags = track_event_signatures
+
+[perfmon_windows]
+search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
+#tags = os windows
+
+[hostmon_windows]
+search = sourcetype=WinHostMon
+#tags = os windows
+
+[hostmon_os]
+search = sourcetype=WinHostMon Type=OperatingSystem
+#tags = os windows memory performance
+
+[hostmon_inventory]
+search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
+#tags = os inventory cpu memory
+
+[hostmon_disk]
+search = sourcetype=WinHostMon (Type=Disk)
+#tags = inventory performance storage
+
+[netmon_windows]
+search = sourcetype=WinNetMon
+#tags = os windows
+
+[printmon_windows]
+search = sourcetype=WinPrintMon
+#tags = os windows
+
+[script_windows]
+search = sourcetype=Script:* source=*.bat
+#tags = os windows
+
+[wmi_windows]
+search = sourcetype=WMI:*
+#tags = os windows
+
+[windowsupdatelog_windows]
+search = sourcetype=WindowsUpdateLog
+#tags = os windows
+
+[winregistry_windows]
+search = sourcetype=WinRegistry
+#tags = os windows endpoint change registry
+
+[winapp]
+search = eventtype=wineventlog_application
+
+[winsec]
+search = eventtype=wineventlog_security
+#tags = security
+
+[winsystem]
+search = eventtype=wineventlog_system
+
+
+###### DHCP ######
+[msdhcp]
+search = sourcetype=msdhcp
+#tags = dhcp network session windows
+
+[msdhcp_start]
+search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
+#tags = start
+
+[msdhcp_end]
+search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
+#tags = end
+
+[DhcpSrvLog]
+search = sourcetype=DhcpSrvLog
+#tags = windows
+
+[DhcpSrvLog_dhcp]
+search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
+#tags = dhcp network session
+
+[DhcpSrvLog_start]
+search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
+#tags = dhcp network session start
+
+[DhcpSrvLog_end]
+search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
+#tags = dhcp network session end
+
+
+###### Security: Account Logon ######
+
+## Authentication Ticket Granted/Failed
+## EventCodes 4768, 4772, 672, 676
+[windows_auth_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
+#tags = authentication
+
+## Service Ticket Granted/Failed
+## EventCodes 4769, 4773, 673, 677
+[windows_service_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
+#tags = authentication
+
+## Ticket Granted Renewed
+## EventCodes 4770, 674
+[windows_ticket_renewed]
+search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
+## tags intentionally left blank
+#tags =
+
+## Pre-authentication failed
+## EventCodes 4771, 675
+[windows_pre_auth_failed]
+search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
+#tags = authentication
+
+## Account Mapped for Logon by
+## EventCodes 4774, 678
+[windows_account_mapped]
+search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
+## tags intentionally left blank
+#tags = authentication
+
+## The name: %2 could not be mapped for logon by: %1
+## EventCodes 4775, 679
+[windows_account_notmapped]
+search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
+#tags = authentication
+
+## Account Used for Logon by
+## The domain controller attempted/failed to validate the credentials for an account
+## The logon to account: %2 by: %1 from workstation: %3 failed.
+## EventCodes 4776, 4777, 680, 681
+[windows_account_used4logon]
+search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
+#tags = authentication
+
+## Session reconnected to winstation
+## EventCodes 4778, 682
+[windows_session_reconnected]
+search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
+## tags intentionally left blank
+#tags =
+
+## Session disconnected from winstation
+## EventCodes 4779, 683
+[windows_session_disconnected]
+search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
+#tags = access stop logoff
+
+
+###### Security: Account Management ######
+[windows_account_management]
+search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management")
+#tags = account change management
+
+## User/Computer Account Created
+## EventCodes 4720, 4741, 624, 645
+[windows_account_created]
+search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
+#tags = add account change
+
+
+## User Account Enabled
+## EventCodes 4722, 626
+[windows_account_enabled]
+search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
+#tags = enable account change
+
+## Change Password Attempt
+## EventCodes 4723, 627
+[windows_account_password_change]
+search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
+#tags = password modify account change
+
+## User Account password set
+## EventCodes 4724, 628
+[windows_account_password_set]
+search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
+#tags = password modify account change
+
+## User Account Disabled
+## EventCodes 4725, 629
+[windows_account_disabled]
+search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
+#tags = disable account change
+
+## User/Computer Account Deleted
+## EventCodes 4726, 4743, 630, 647
+[windows_account_deleted]
+search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
+#tags = delete account change
+
+## User/Computer Account Changed
+## EventCodes 4738, 4742, 642, 646, 625
+[windows_account_modified]
+search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
+#tags = modify account change
+
+## User Account Locked Out
+## EventCodes 4740, 644
+[windows_account_lockout]
+search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
+#tags = lock lockout account change
+
+## User Account Unlocked
+## EventCodes 4767, 671
+[windows_account_unlocked]
+search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
+#tags = modify account change
+
+
+###### Security: Audit (Event Log) ######
+
+## The event logging service has shut down
+## EventCode 1100
+[windows_audit_log_stopped]
+search = eventtype=wineventlog_security EventCode=1100
+#tags = stop stopped watchlist
+
+## Audit events have been dropped by the transport.
+## The security Log is now full
+## The event logging service encountered an error
+## EventCodes 1101, 1104, 1108
+[windows_audit_errors]
+search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
+#tags = audit error
+
+## The audit log was cleared
+## EventCodes 1102, 517
+[windows_audit_log_cleared]
+search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
+#tags = audit change delete cleared watchlist
+
+## Event log automatic backup
+## EventCode 1105
+[windows_audit_backup]
+search = eventtype=wineventlog_security EventCode=1105
+#tags = audit backup change
+
+## Logon/Logoff audit logs
+## EventCode 4625
+[windows_audit_log_logon]
+search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
+#tags = audit change
+
+
+###### Security: Logon/Logoff ######
+
+## User Logoff/User initiated logoff
+## EventCodes 4634, 4647, 538, 551
+[windows_logoff]
+search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
+#tags = access stop logoff
+
+## A logon was attempted using explicit credentials
+## EventCodes 4648, 552
+[windows_logon_explicit]
+search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
+#tags = authentication privileged
+
+## An account failed to log on
+## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
+[windows_logon_failure]
+search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
+#tags = authentication
+
+## An account was successfully logged on
+## EventCodes 4624, 528, 540
+[windows_logon_success]
+search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
+#tags = authentication
+
+
+###### Security: Object Access ######
+
+## Object Open
+## EventCodes 4656, 560
+[windows_object_open]
+search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
+#tags = resource file access start
+
+## Handle Closed
+## EventCodes 4658, 562
+[windows_handle_closed]
+search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
+#tags = resource file access stop
+
+
+###### Security: Policy Change ######
+
+## Audit Policy Change/The audit policy (SACL) on an object was changed
+## EventCodes 4715, 4719, 612
+[windows_audit_policy_change]
+search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
+#tags = policy configuration modify audit change
+
+## System security access was granted to an account
+## EventCodes 4717, 621
+[windows_security_access_granted]
+search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
+#tags = access authorization add change account
+
+## System security access was removed from an account
+## EventCodes 4718, 622
+[windows_security_access_removed]
+search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
+#tags = access authorization delete change account
+
+## Per User Audit Policy was changed
+## EventCodes 4912, 807
+[windows_audit_policy_changed]
+search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
+#tags = policy configuration modify audit change
+
+## The following policy was active when the Windows Firewall started
+## EventCodes 848, 849, 850
+[windows_firewall_policy_active]
+search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
+#tags = application firewall configuration report
+
+## A change has been made to Windows Firewall
+## EventCodes 4946, 4947, 4948, 851, 852
+[windows_firewall_policy_change]
+search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
+#tags = application firewall configuration modify
+
+## The Windows Firewall has detected an application listening for incoming traffic
+## EventCodes 4957, 861
+[windows_firewall_port_listening]
+search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
+#tags = application firewall port listening report
+
+
+###### Security: Privilege Use ######
+
+## Special privileges assigned to new logon
+## EventCodes 4672, 576
+[windows_special_privileges]
+search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
+#tags = authentication privileged
+
+## Privileged Service Called
+## EventCodes 4673, 577
+[windows_privileged_service_call]
+search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
+#tags = process execute start privileged
+
+## Privileged object operation
+## EventCodes 4674, 578
+[windows_privileged_object_operation]
+search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
+#tags = resource execute start privileged
+
+
+###### Security: Process Tracking ######
+
+## A new process has been created
+## EventCodes 4688, 592
+[windows_process_new]
+search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
+#tags = process execute start
+
+## A process has exited
+## EventCodes 4689, 593
+[windows_process_exit]
+search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
+#tags = process execute stop
+
+## A process was assigned a primary token
+## EventCodes 4696, 600
+[windows_process_token]
+search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
+#tags = process execute start privileged
+
+
+###### Security: System ######
+
+## An authentication package has been loaded by the Local Security Authority
+## EventCodes 4610, 514
+[windows_auth_package]
+search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
+#tags = process execute start
+
+## A trusted logon process has registered with the Local Security Authority
+## EventCodes 4611, 515
+[windows_logon_process]
+search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
+#tags = process authorization add
+
+## A notification package has been loaded by the Security Account Manager
+## EventCodes 4614, 518
+[windows_notification_package]
+search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
+#tags = process execute start
+
+
+###### Security:  Vulnerability ######
+## System security domain policy was changed
+## EventCode 4739
+[windows_security_misconfiguration_password_minimum_length]
+search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
+#tags = misconfiguration password policy vulnerability report audit change
+
+
+###### System: Time ######
+
+## EventCode 35, 37
+[windows_time_sync]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
+#tags = report time synchronize success performance
+
+## EventCodes 17, 29, 36, 38
+[windows_time_failure]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
+#tags = report time synchronize failure performance
+
+
+###### System: Update ######
+[windows_system_update]
+search = eventtype=wineventlog_system "Windows Update Agent"
+#tags = system update
+
+## EventCodes 17, 18, 19
+[windows_system_update_status]
+search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19)
+#tags = status
+
+[windows_updatelog]
+search = sourcetype=WindowsUpdateLog
+#tags = system update
+
+[windows_updatelog_status]
+search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
+#tags = status
+
+## WMI:Update
+[wmi_installed_packages]
+search = sourcetype=WMI:InstalledUpdates
+#tags = system update status
+
+
+###### Splunk WMI ######
+
+## ComputerSystem
+[wmi_computersystem]
+search = sourcetype=WMI:ComputerSystem
+#tags = performance memory
+
+## CPUTime
+[perfmon_cputime]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
+#tags = performance cpu report
+
+[perfmon_cputime_anomalous]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
+#tags = anomalous
+
+[wmi_cputime]
+search = sourcetype=WMI:CPUTime
+#tags = performance cpu report
+
+[wmi_cputime_anomalous]
+search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
+#tags = anomalous
+
+## System
+[perfmon_system]
+search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
+#tags = performance cpu report
+
+## Disk
+[perfmon_freediskspace]
+search = sourcetype=Perfmon:FreeDiskSpace
+#tags = performance storage disk report
+
+[perfmon_freediskspace_anomalous]
+search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[perfmon_logicaldisk]
+search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
+#tags = performance storage disk
+
+##ProcessorInformation
+[perfmon_processorinformation]
+search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
+#tags = performance cpu report process
+
+[wmi_freediskspace]
+search = sourcetype=WMI:FreeDiskSpace
+#tags = performance storage disk report
+
+[wmi_freediskspace_anomalous]
+search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[wmi_logicaldisk]
+search = sourcetype=WMI:LogicalDisk
+#tags = performance storage disk
+
+## Listening Ports
+[script_listeningports]
+search = sourcetype=Script:ListeningPorts
+#tags = port listening report
+
+## Local Processes
+[wmi_localprocesses]
+search = sourcetype=WMI:LocalProcesses
+#tags = process report
+
+[wmi_localprocesses_anomalous]
+search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
+#tags = anomalous
+
+## Memory
+[perfmon_memory]
+search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
+#tags = performance memory report
+
+[perfmon_memory_anomalous]
+search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
+#tags = anomalous
+
+[wmi_memory]
+search = sourcetype=WMI:Memory
+#tags = performance memory report
+
+[wmi_memory_anomalous]
+search = sourcetype=WMI:Memory windows_mem_free<104857600
+#tags = anomalous
+
+## Service
+[wmi_service]
+search = sourcetype=WMI:Service
+#tags = service report
+
+[wmi_service_status_anomalous]
+search = sourcetype=WMI:Service Status=* NOT Status=OK
+#tags = anomalous
+
+[wmi_service_state_anomalous]
+search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
+#tags = anomalous
+
+## Network
+[perfmon_network]
+search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
+#tags = performance network
+
+[perfmon_network_throughput]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
+#tags = performance network
+
+[perfmon_network_bandwidth]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
+#tags = performance network
+
+[wmi_network_throughput]
+search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
+#tags = performance network
+
+[wmi_network_bandwidth]
+search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
+#tags = performance network
+
+## Process
+[perfmon_process]
+search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
+#tags = performance process report
+
+## Uptime
+[wmi_uptime]
+search = sourcetype=WMI:Uptime
+#tags = performance uptime report
+
+[wmi_uptime_anomalous]
+search = sourcetype=WMI:Uptime windows_uptime>2592000
+#tags = anomalous
+
+## User Accounts
+[wmi_useraccounts]
+search = sourcetype=WMI:UserAccounts
+#tags = account report inventory user
+
+## Version
+[wmi_version]
+search = sourcetype=WMI:Version
+#tags = system version report inventory
+
+[microsoft_windows_hostmon_process]
+search = sourcetype=WinHostMon source=process
+#tags = process report
+
+[microsoft_windows_hostmon_service]
+search = sourcetype=WinHostMon source=service
+#tags = service report
+
+[microsoft_windows_hostmon_service_time]
+search = sourcetype=WinHostMon source=service Name=W32Time
+#tags = time synchronize os performance
+
+
+### AD/DNS eventtypes###
+
+[wineventlog-ds]
+search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
+
+[powershell]
+search = source=Powershell
+
+[msad-dc-health]
+search = eventtype=powershell sourcetype="MSAD:*:Health"
+
+[msad-rep-health]
+search = eventtype=powershell sourcetype="MSAD:*:Replication"
+
+[msad-site]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
+
+[msad-subnetinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
+
+[msad-sitelinkinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
+
+[msad-siteinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
+
+[msad-subnet-affinity]
+search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
+
+[admon-gpo]
+search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
+
+[admon-group]
+search = eventtype=admon objectCategory="*CN=Group*"
+
+[admon-computer]
+search = eventtype=admon objectCategory="*CN=Computer*"
+
+[admon-user]
+search = eventtype=admon objectCategory="*CN=Person*"
+
+[admon]
+search = sourcetype=ActiveDirectory
+
+[perfmon]
+search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
+
+[ad-files]
+search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
+
+[perfmon-ntds]
+search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
+
+[nt6-dns-events]
+search = sourcetype=MSAD:NT6:DNS
+
+[wineventlog-dns]
+search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
+
+[msad-dns-zoneinfo]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
+
+[msad-dns-health]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
+
+[msad-dns-debuglog]
+search = eventtype=ad-files sourcetype="MSAD:*:DNS"
+
+[perfmon-dns]
+search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
+
+[wineventlog-dfs]
+search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
+
+[wineventlog-filereplication]
+search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
+
+[wineventlog-keymanagement]
+search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
+
+[endpoint_services_processes]
+search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
+
+## Endpoint Processes
+[windows_endpoint_processes]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
+#tags = process report
+
+## Endpoint Services
+[windows_endpoint_services]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
+#tags = service report
+
+## Security-CIM Mappings
+
+## Endpoint Registry
+[windows_security_endpoint_registry]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
+#tags = endpoint registry
+
+## Endpoint Port
+[windows_security_endpoint_port]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
+#tags = listening port
+
+## Change Audit
+[windows_security_change_audit]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
+#tags = change audit
+
+## Change
+[windows_security_change]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799)
+#tags = change
+
+## Authentication
+[windows_security_authentication]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625)
+#tags = authentication
+
+## Change Account - ADDON-42191
+[windows_security_change_account]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801)
+#tags = change account
+
+## System-CIM Mapping
+
+# Change Audit - ADDON-48489
+[windows_system_change_audit]
+search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
+#tags = change audit