diff --git a/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf b/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf index 821331f5..98f0f57c 100644 --- a/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf +++ b/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf @@ -17,6 +17,8 @@ suspendHotRollByDeleteQuery = 0 syncMeta = 1 maxTotalDataSizeMB = 5000 +[sysmon] + [idx_m-tic_windows] [idx_m-tic_fortigate] diff --git a/deployment-apps/TA-microsoft-sysmon/.DS_Store b/deployment-apps/TA-microsoft-sysmon/.DS_Store new file mode 100644 index 00000000..0f328807 Binary files /dev/null and b/deployment-apps/TA-microsoft-sysmon/.DS_Store differ diff --git a/deployment-apps/TA-microsoft-sysmon/LICENSE b/deployment-apps/TA-microsoft-sysmon/LICENSE new file mode 100644 index 00000000..806ac000 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2015 Splunk, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/deployment-apps/TA-microsoft-sysmon/README.md b/deployment-apps/TA-microsoft-sysmon/README.md new file mode 100644 index 00000000..88b4d46c --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/README.md @@ -0,0 +1,274 @@ +# TA-Microsoft-Sysmon + +* Original Author: Adrian Hall +* Current maintainers: Splunkworks + +## Update History + +## 10.6.2 + +* March 8, 2020 +* Fixes minor AppInspect failures +* + +## 10.6.1 + +* March 6, 2020 +* + +## 10.5.0 + +* March 3, 2020 +* +* Reverted change to source (XmlWinEventLog...), added source specification in inputs.conf to remeove dependancy on Splunk_TA_windows + +## 10.4.0 + +* March 2, 2020 +* Tested with Sysmon version 10 +* +* Updated props.conf + +## 10.3.0 + +* February 20, 2020 +* Tested with Sysmon version 10 +* +* Fixed DNS eventtype to use source rather than sourcetype + +## 10.2.0 + +* February 9, 2020 +* Tested with Sysmon version 10 +* +* Added Event Type [ms-sysmon-dns], to capture EventCode=22 Sysmon events as DNS events. +* Added network/resolution/dns tags for event type [ms-sysmon-dns]. +* Added FIELDALIAS for query/reply_code_id for CIM compatibility. +* Added transform entry [extract_dns_record_data] to extract record info for DNS responses like CNAME. Added transform entry [extract_dns_ip_data] to properly extract IP addresses from DNS responses. + +## 10.1.0 + +* July 30, 2019 +* Tested with Sysmon version 10 +* +* Updates to work with the new Splunk_TA_windows v5 and onwards - +* All searches,reports and dashboards using sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" need to use source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" instead, due to the upgrade to Splunk_TA_windows v5 + +## 10.0.0 + +* June 13, 2019 +* Tested with Sysmon version 10 +* +* Added support for Sysmon v10 having new DNS Query event type. +* Provided inputs.conf examples enabling blacklist of multiple DNS Query events based on complex rule groups + +## 8.1.0 + +* December 11, 2018 +* Tested with Sysmon version 8.0 +* +* Updates to work with the new Splunk Enpoint Data Model - http://docs.splunk.com/Documentation/CIM/4.12.0/User/Endpoint +* Thanks to Bhavin Patel for contributions (@patel-bhavin) + +## 8.0.0 + +* July 11, 2018 +* Tested with Sysmon version 8.0 +* + +## 6.0.8 + +* June 8, 2018 +* Tested with Sysmon version 6.20 +* + +## 6.0.7 + +* Nov 24, 2017 +* Tested with Sysmon version 6.20 +* + +## 6.0.6 + +* Nov 22, 2017 +* Added FIELDALIAS for EventID/EventCode for compatibility with Sigma rules. +* + +## 6.0.5 + +* Sep 12, 2017 +* Support for new features of Sysmon v6.10 + +## 6.0.4 + +* Sep 9, 2017 +* Prep for Splunk certification. + +## 6.0.3 + +* Typo corrected. +* Special thanks to David Dorsey ( for this contribution. + +## 6.0.2 + +* Field extractions added including but not limited to cmdline, parent_process, +* and parent_process_id. +* Special thanks to David Dorsey ( for this contribution. + +## 6.0.1 + +* Field extractions for MD5, SHA1, SHA256, IMPHASH +* Special thanks to David Staulcup ( for ongoing assistance and contributions + +## 6.0.0 + +* Updates to support sysmon V6 +* Special thanks to David Staulcup ( for ongoing assistance and contributions + +## 5.0.0 + +* Updates to support sysmon V5 +* Note the sample configuration included below was modified to exclued the +* ImageLoad section which was found to be causing BSOD on some Windows 7 test systems. +* Special thanks to David Staulcup ( for ongoing assistance and contributions + +## 4.0.0 + +* Minor updates to support Sysmon V4 and optimize the hash field extraction. + +## 3.2.3 + +* Minor updates to add workflow actions via pull request and subsequent fine tuning. + +## 3.2.2 + +* Minor updates to extract various hash values into individual fields for convenience: + +## 3.2.1 + +* Minor updates to align with sysmon version 3.21. For details see: + +## 3.1.1 + +* Major modification of the version to better align with SplunkBase. +* Fixed typos in eventtypes.conf and props.conf + +## 0.3.1 + +* Lookup table added to support Sysmon 3.1 +* Additional CIM compliance added +* Example config added +* Revved to version 0.3.1 to match current Sysmon version + +## Using this TA + +Configuration: Install TA via GUI on all search heads, install via your preferred method (manual or Deployment Server) on forwarders running on Windows that have Sysmon 3.1 or greater installed. + +Ensure that you have at least version 6.2.0 universal forwarders to take advantage of Windows XML event log format. + +Sysmon ProcessCreate events may pick up passwords in CommandLine and ParentCommandLine fields. Depending on organizational policy you may be required to mask passwords either at search time or prior to indexing. SEDCMD entries can be added to props.conf files on search heads or indexers to mask data in known positions of passwords. Note this contribution has not been widely tested and may require substantial additional configuration and tuning effort. Use at your own risk. + +```bash +SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g +``` + +The Sysmon v10 configuration XML spec does not allow for mutiple log-write exclusions based on rule groups. It is possible to achieve complex log forwarding exclusions for high volume DNS Query Events with inputs.conf blacklist specs. See comments in inputs.conf for implementation examples. + +For additional info on Sysmon see: + +## Support + +This is a community supported TA. As such, post to answers.splunk.com and reference it. + +## Recommended Configuration + +We strongly recommend that you use the popular Sysmon configuration shared by SwiftOnSecurity as your starting point: + + + +## Previously Recommended Configuration + +*3/16/2017* - The following configuration guidance was included historically +but should now be considered deprecated. We suggest instead that you use the +SwiftOnSecurity configuration as a starting point, and tune it to meet your needs. +You may choose to use elements of the legacy configuration below, particularly if +you are interested in excluding common Splunk image/file names from creating Sysmon +events. + +*NOTE:* If you choose to exclude certain events based on file name, please be aware +that this could potentially be abused by an attacker to hide malicious activity by +choosing an excluded name for their malware. If you are not willing to accept this +risk, do not use the configuration below. + +Sysmon is capable of delivering a large amount of events into your +Splunk instance. The following configuration, loaded into each +system running Sysmon 3.1 or greater, will reduce the amount of data considerably. +Special thanks go to Jeff Walzer from the University of Pittsburgh for +originally helping to test this (walzer@pitt.edu). + +Load this via sysmon -c (filename) from an admin-level command prompt. +(after you have placed it in a text file). You may get some +unusual errors - these are benign and can be ignored. Check the +filtering via a "sysmon -c" with no argument. + +For additional Sysmon filtering, remove the entire ImageLoad section. + +```xml + + * + + + + + microsoft + windows + + + + splunk + streamfwd + splunkd + splunkD + splunk + splunk-optimize + splunk-MonitorNoHandle + splunk-admon + splunk-netmon + splunk-regmon + splunk-winprintmon + btool + PYTHON + + + splunk + streamfwd + splunkd + splunkD + splunk + splunk-optimize + splunk-MonitorNoHandle + splunk-admon + splunk-netmon + splunk-regmon + splunk-winprintmon + btool + PYTHON + + + splunk + streamfwd + splunkd + splunkD + splunk + splunk-optimize + splunk-MonitorNoHandle + splunk-admon + splunk-netmon + splunk-regmon + splunk-winprintmon + btool + PYTHON + + + +``` diff --git a/deployment-apps/TA-microsoft-sysmon/default/app.conf b/deployment-apps/TA-microsoft-sysmon/default/app.conf new file mode 100644 index 00000000..aeddbf5f --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/app.conf @@ -0,0 +1,15 @@ +[launcher] +description = Provides data inputs for handling Microsoft Sysmon +version = 10.6.2 + +[package] +id = TA-microsoft-sysmon +check_for_updates = true + +[install] +is_configured = false +state = enabled + +[ui] +is_visible = false +label = Microsoft Sysmon Add-on diff --git a/deployment-apps/TA-microsoft-sysmon/default/eventtypes.conf b/deployment-apps/TA-microsoft-sysmon/default/eventtypes.conf new file mode 100644 index 00000000..d4e2702d --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/eventtypes.conf @@ -0,0 +1,17 @@ +[ms-sysmon-network] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="3" + +[ms-sysmon-process] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="1" OR EventCode="5" OR EventCode="6" OR EventCode="8" OR EventCode="9" OR EventCode="10" OR EventCode="15" OR EventCode="17" OR EventCode="18") + +[ms-sysmon-filemod] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="11" OR EventCode="2") + +[ms-sysmon-regmod] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="12" OR EventCode="13" OR EventCode="14") + +[ms-sysmon-wmimod] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode="19" OR EventCode="20" OR EventCode="21") + +[ms-sysmon-dns] +search = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="22" diff --git a/deployment-apps/TA-microsoft-sysmon/default/inputs.conf b/deployment-apps/TA-microsoft-sysmon/default/inputs.conf new file mode 100644 index 00000000..3af8ac05 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/inputs.conf @@ -0,0 +1,7 @@ +[WinEventLog://Microsoft-Windows-Sysmon/Operational] +disabled = true +renderXml = 1 +source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +# Prevent forwarding of multiple DNSQuery logs based on complex rule groups +# blacklist1 = EventCode="^22$" Message="(?i)QueryName:\s+(.*\.arpa\.)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\sysmon\.exe)$" +# blacklist2 = EventCode="^22$" Message="(?i)QueryName:\s+(HelloWorld.local)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\system32\\ping\.exe)$” diff --git a/deployment-apps/TA-microsoft-sysmon/default/props.conf b/deployment-apps/TA-microsoft-sysmon/default/props.conf new file mode 100644 index 00000000..18df59de --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/props.conf @@ -0,0 +1,72 @@ +##Below fields extractions have been moved from [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] +[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] +#SEDCMD-pwd_rule1 = s/ -pw ([^\s\<])+/ -pw ***MASK***/g +REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record,sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash,sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data + +FIELDALIAS-src_ip = SourceIp AS src_ip +FIELDALIAS-src_host = SourceHostname AS src_host +EVAL-src = if(isnotnull(SourceHostname),SourceHostname,SourceIp) +FIELDALIAS-src_port = SourcePort AS src_port +FIELDALIAS-app = Image AS app +FIELDALIAS-dest_ip = DestinationIp AS dest_ip +FIELDALIAS-dest_host = DestinationHostname AS dest_host +EVAL-dest = case(EventCode=="3" AND isnotnull(DestinationHostname),DestinationHostname,EventCode=="3",DestinationIp,EventCode=="1" OR EventCode == "11" OR EventCode == "12" OR EventCode == "13" OR EventCode == "14", Computer) +FIELDALIAS-dest_port = DestinationPort AS dest_port +EVAL-direction = if(Initiated=="true","outbound","inbound") +FIELDALIAS-dvc = Computer AS dvc +FIELDALIAS-transport = Protocol AS transport +EVAL-protocol = if(Initiated=="true",DestinationPortName,SourcePortName) +FIELDALIAS-session_id = ProcessGuid AS session_id +EVAL-vendor_product = "Microsoft Sysmon" +FIELDALIAS-cmdline = CommandLine AS cmdline + +#Common fieldnames for Registry, Process, FileSystem Node in Endpoint Datamodel +EVAL-action = case(EventCode=="1","allowed",EventCode=="12" AND EventType=="CreateKey","created",EventCode=="12" AND (EventType=="DeleteKey" OR EventType=="DeleteValue") ,"deleted",EventCode=="13" AND EventType=="SetValue","modified",EventCode=="11" AND EventDescription=="File Created","created") + +#Ports Node +EVAL-creation_time = case(EventCode=="3",UtcTime) +EVAL-state = case(EventCode=="3", "listening") + +#Processes Node +EVAL-parent_process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") +FIELDALIAS-parent_process_id = ParentProcessId AS parent_process_id +FIELDALIAS-parent_process_guid = ParentProcessGuid AS parent_process_guid +FIELDALIAS-parent_process_path = ParentImage AS parent_process_path +FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory +EVAL-process_exec = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") +FIELDALIAS-process_hash = Hashes AS process_hash +FIELDALIAS-process_guid = ProcessGuid AS process_guid +FIELDALIAS-process_id = ProcessId AS process_id +FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level +FIELDALIAS-process_path = Image AS process_path +FIELDALIAS-user_id = UserID AS user_id +REPORT-user_for_sysmon = User_as_user +FIELDALIAS-parent_process = ParentCommandLine AS parent_process +EVAL-parent_process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18", replace(ParentImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") +FIELDALIAS-process = CommandLine AS process +EVAL-process_name = case(EventCode=="1" OR EventCode=="2" OR EventCode=="3" OR EventCode=="5" OR EventCode=="7" OR EventCode=="9" OR EventCode=="11" OR EventCode=="12" OR EventCode=="13" OR EventCode=="14" OR EventCode=="15" OR EventCode=="17" OR EventCode=="18" OR EventCode="22", replace(Image,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(SourceImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") + +#Filesystem Node +FIELDALIAS-file_path = TargetFilename AS file_path +FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time + +#Fields for ChangeAnalysis DM (old field names) +EVAL-object_category = case(EventCode=="11" OR EventCode=="2", "file", EventCode=="12" OR EventCode=="13" OR EventCode="14", "registry", EventCode=="19" OR EventCode=="20" OR EventCode="21", "wmi") +EVAL-object_path = case(EventCode=="12" OR EventCode=="13", TargetObject, EventCode=="14", NewName) +LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature +FIELDALIAS-signature_id = EventCode AS signature_id +FIELDALIAS-eventid = EventCode AS EventID + +#Registry Node +EVAL-registry_path = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14", TargetObject) +EVAL-registry_value_name = case(EventCode=="13", Details) +EVAL-registry_key_name = case(EventCode=="12" OR EventCode=="13" OR EventCode=="14",replace(TargetObject,".+\\\\","")) + +#DNS Node +FIELDALIAS-query = QueryName AS query +FIELDALIAS-replycode = QueryStatus AS reply_code_id + +## To provide backward compatibility for WinEventLog and XmlWinEventLog data +## These will be deprecated in future +[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] +rename = xmlwineventlog diff --git a/deployment-apps/TA-microsoft-sysmon/default/tags.conf b/deployment-apps/TA-microsoft-sysmon/default/tags.conf new file mode 100644 index 00000000..e48884fb --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/tags.conf @@ -0,0 +1,28 @@ +[eventtype=ms-sysmon-network] +network = enabled +communicate = enabled +port = enabled +listening = enabled + +[eventtype=ms-sysmon-process] +process = enabled +report = enabled + +[eventtype=ms-sysmon-filemod] +change = enabled +endpoint = enabled +filesystem = enabled + +[eventtype=ms-sysmon-regmod] +change = enabled +endpoint = enabled +registry = enabled + +[eventtype=ms-sysmon-wmimod] +change = enabled +endpoint = enabled + +[eventtype=ms-sysmon-dns] +network = enabled +resolution = enabled +dns = enabled diff --git a/deployment-apps/TA-microsoft-sysmon/default/transforms.conf b/deployment-apps/TA-microsoft-sysmon/default/transforms.conf new file mode 100644 index 00000000..146790e4 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/transforms.conf @@ -0,0 +1,103 @@ +[sysmon-eventid] +REGEX = (\d+) +FORMAT = EventCode::$1 + +[sysmon-version] +REGEX = (\d+) +FORMAT = Version::$1 + +[sysmon-level] +REGEX = (\d+) +FORMAT = Level::$1 + +[sysmon-task] +REGEX = (\d+) +FORMAT = Task::$1 + +[sysmon-opcode] +REGEX = (\d+) +FORMAT = Opcode::$1 + +[sysmon-keywords] +REGEX = (0x[0-9a-fA-F]+) +FORMAT = Keywords::$1 + +[sysmon-created] +REGEX = +FORMAT = TimeCreated::$1 + +[sysmon-record] +REGEX = (\d+) +FORMAT = RecordID::$1 + +[sysmon-correlation] +REGEX = (.*?) +FORMAT = Correlation::$1 + +[sysmon-channel] +REGEX = (.*?) +FORMAT = EventChannel::$1 + +[sysmon-computer] +REGEX = (.*?) +FORMAT = Computer::$1 + +[sysmon-sid] +REGEX = +FORMAT = SecurityID::$1 + +[sysmon-data] +REGEX = (.*?) +FORMAT = $1::$2 + +[sysmon-md5] +REGEX = MD5\=([a-fA-F0-9]{32}?) +FORMAT = MD5::$1 + +[sysmon-sha1] +REGEX = SHA1\=([a-fA-F0-9]{40}?) +FORMAT = SHA1::$1 + +[sysmon-sha256] +REGEX = SHA256\=([a-fA-F0-9]{64}?) +FORMAT = SHA256::$1 + +[sysmon-imphash] +REGEX = IMPHASH\=([a-fA-F0-9]{32}?) +FORMAT = IMPHASH::$1 + +[sysmon-hashes] +SOURCE_KEY = Hashes +REGEX = (?[A-Fa-f0-9]{32,}) +MV_ADD = true +REPEAT_MATCH=true + +[sysmon-filename] +SOURCE_KEY = TargetFilename +REGEX = (?[^\\\\]+$) + +[sysmon-registry] +SOURCE_KEY = TargetObject +REGEX = (?[^\\\\]+$) + +[eventcode] +default_match = Unknown +filename = eventcode.csv +min_matches = 1 + +[User_as_user] +SOURCE_KEY = User +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = user::"$1" + +[sysmon-dns-record-data] +SOURCE_KEY = QueryResults +REGEX = type:\s+(?\d+)((?[^;]+)+) +REPEAT_MATCH = true +MV_ADD = true + +[sysmon-dns-ip-data] +SOURCE_KEY = QueryResults +REGEX = (?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})+) +REPEAT_MATCH = true +MV_ADD = true diff --git a/deployment-apps/TA-microsoft-sysmon/default/workflow_actions.conf b/deployment-apps/TA-microsoft-sysmon/default/workflow_actions.conf new file mode 100644 index 00000000..51c73b13 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/default/workflow_actions.conf @@ -0,0 +1,47 @@ +[get_parent_process_create] +display_location = both +eventtypes = ms-sysmon-* +fields = ParentProcessGuid, host +label = Get parent process creation event +search.app = search +search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ParentProcessGuid$ $ParentProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose +search.target = blank +type = search +search.earliest = -35d@d +search.latest = now + +[get_process_create] +display_location = both +eventtypes = ms-sysmon-* +fields = ProcessGuid, host +label = Get process creation event +search.app = search +search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ProcessGuid$ $ProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose +search.target = blank +type = search +search.earliest = -35d@d +search.latest = now + +[get_process_create_sysmon_create_remote_thread] +display_location = both +eventtypes = ms-sysmon-* +fields = SourceProcessGuid, host +label = Get process creation event +search.app = search +search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGuid$ $SourceProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose +search.target = blank +type = search +search.earliest = -35d@d +search.latest = now + +[get_process_create_sysmon_process_access] +display_location = both +eventtypes = ms-sysmon-* +fields = SourceProcessGUID, host +label = Get process creation event +search.app = search +search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGUID$ $SourceProcessGUID$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose +search.target = blank +type = search +search.earliest = -35d@d +search.latest = now diff --git a/deployment-apps/TA-microsoft-sysmon/local/inputs.conf b/deployment-apps/TA-microsoft-sysmon/local/inputs.conf new file mode 100644 index 00000000..6f96aa90 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/local/inputs.conf @@ -0,0 +1,8 @@ +[WinEventLog://Microsoft-Windows-Sysmon/Operational] +disabled = true +renderXml = 1 +source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +index = sysmon +# Prevent forwarding of multiple DNSQuery logs based on complex rule groups +# blacklist1 = EventCode="^22$" Message="(?i)QueryName:\s+(.*\.arpa\.)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\sysmon\.exe)$" +# blacklist2 = EventCode="^22$" Message="(?i)QueryName:\s+(HelloWorld.local)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\system32\\ping\.exe)$” \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-sysmon/lookups/eventcode.csv b/deployment-apps/TA-microsoft-sysmon/lookups/eventcode.csv new file mode 100644 index 00000000..08e2e80f --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/lookups/eventcode.csv @@ -0,0 +1,24 @@ +EventCode,EventDescription +1,"Process Create" +2,"File Create Time" +3,"Network Connect" +4,"Sysmon Start" +5,"Process Terminate" +6,"Driver Load" +7,"Image Load" +8,"Create Remote Thread" +9,"Raw Access Read" +10,"Process Access" +11,"File Created" +12,"Registry object added or deleted" +13,"Registry value set" +14,"Registry object renamed" +15,"File stream created" +16,"Sysmon Configuration Changed" +17,"Pipe Created" +18,"Pipe Connected" +19,"WmiEventFilter activity detected" +20,"WmiEventConsumer activity detected" +21,"WmiEventConsumerToFilter activity detected" +22,"DNS Query" +255,"Error" diff --git a/deployment-apps/TA-microsoft-sysmon/metadata/default.meta b/deployment-apps/TA-microsoft-sysmon/metadata/default.meta new file mode 100644 index 00000000..fb03ab48 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/metadata/default.meta @@ -0,0 +1,19 @@ +[] +access = read : [ * ], write : [ admin ] +export = system +owner = admin + +[lookups/eventcode.csv] +access = read : [ * ], write : [ admin ] +export = system +owner = admin + +[transforms/eventcode] +access = read : [ * ], write : [ admin ] +export = system +owner = admin + +[props/XmlWinEventLog%3AMicrosoft-Windows-Sysmon%2FOperational/LOOKUP-eventcode] +access = read : [ * ], write : [ admin ] +export = system +owner = admin diff --git a/deployment-apps/TA-microsoft-sysmon/splunkbase.manifest b/deployment-apps/TA-microsoft-sysmon/splunkbase.manifest new file mode 100644 index 00000000..72354836 --- /dev/null +++ b/deployment-apps/TA-microsoft-sysmon/splunkbase.manifest @@ -0,0 +1,115 @@ +{ + "version": "1.0", + "date": "2022-11-12T07:37:52.85389958Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 1914, + "version": "10.6.2", + "files": [ + { + "path": "LICENSE", + "hash": "fafadb38a456ef92b87c789d43e1f5196d20af522d20f278a5a5a94eaff02634" + }, + { + "path": "README.md", + "hash": "6afc4cb54ad03383d8f8302ed5f101a529abfecb2a1661d6d008b886e5ad33bb" + }, + { + "path": "metadata/default.meta", + "hash": "742349369b044cd452810ccb992a8204829c545493f91a7362f485480825c6e9" + }, + { + "path": "static/appIcon.png", + "hash": "eb32e7c1128dbf893556484ebe4e60ffd346c053ededb56183d4946695f09af1" + }, + { + "path": "static/appIcon_2x.png", + "hash": "36a2ba98b7c8f93b348fa5c05d959f3509e46e075b53709866e248b662a1f8d0" + }, + { + "path": "default/eventtypes.conf", + "hash": "3793dd0743f05a577ba2a634aa047024250975f592b4c97c03a704cecf919d8c" + }, + { + "path": "default/app.conf", + "hash": "de4b8d29080acbdd2a852149e345be97be94158655978ef59f11081746063c6e" + }, + { + "path": "default/tags.conf", + "hash": "fb44caea391dd55023f1430c3487188f2f0093aef2b8f698b55634513d15becb" + }, + { + "path": "default/props.conf", + "hash": "3372b9ea6a72872532e76c821bca51df6ef8387d071b17df8cea2d6d85c8a19b" + }, + { + "path": "default/inputs.conf", + "hash": "c5916bf171b84fe9e8782f3d5aaac3dcefebe4c4080a387d5691616f9294e223" + }, + { + "path": "default/transforms.conf", + "hash": "841ae8258aa880de9ec7ad4fbcbe2c1bf3033e983c4a898589d78798beb0cb51" + }, + { + "path": "default/workflow_actions.conf", + "hash": "a0d4912df84d2fc104ca546e197879eb6de371a83fe2d1a14c8b4c0da320daf8" + }, + { + "path": "lookups/eventcode.csv", + "hash": "98e01540455f697a3e43de4e5baa21f28d77a11923a09f3fce4590f97864dd07" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [ + "7.0", + "7.1", + "7.2", + "7.3", + "8.0", + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + }, + { + "platform": "splunk", + "product": "cloud", + "versions": [ + "7.0", + "7.1", + "7.2", + "7.3", + "8.0", + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file diff --git a/deployment-apps/TA-microsoft-sysmon/static/appIcon.png b/deployment-apps/TA-microsoft-sysmon/static/appIcon.png new file mode 100644 index 00000000..82990e58 Binary files /dev/null and b/deployment-apps/TA-microsoft-sysmon/static/appIcon.png differ diff --git a/deployment-apps/TA-microsoft-sysmon/static/appIcon_2x.png b/deployment-apps/TA-microsoft-sysmon/static/appIcon_2x.png new file mode 100644 index 00000000..e7c9de23 Binary files /dev/null and b/deployment-apps/TA-microsoft-sysmon/static/appIcon_2x.png differ