From 7b416e8b7a7df1d6823c4ba65cc1f3a0345a019f Mon Sep 17 00:00:00 2001
From: admingit
Date: Mon, 23 Oct 2023 14:44:51 +0200
Subject: [PATCH] del

---
.../Splunk_TA_windows_local_only_et/.DS_Store | Bin 6148 -> 0 bytes
.../local/eventtypes.conf | 761 ------------------
2 files changed, 761 deletions(-)
delete mode 100644 deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store
delete mode 100644 deployment-apps/Splunk_TA_windows_local_only_et/local/eventtypes.conf
diff --git a/deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store b/deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store deleted file mode 100644 index c07d36b1759ab6b724400e039565f70732bd2dd6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~J&pn~427Q;kXE9hq)fvBxIu)56YK@pg>s}R5Pgo$v*U(Y>eXoVEIBWB;`#ZC z$rym09=9W~1Mo?A#leS}8RHE`Ot|736QA|L`HAOa#F z0t+G#hd9sw?Sh_3k0JshunYqJeJFI-n%cU?r-MVZ0Ms?pVVp-VK`ox3*3{OO8JcDH zU|DL>hIl^8sU`Q-)Yi3^!?O9Xyt8>1L$h8ED-38>Lo|qh2+Rnqdc5=V|4e_^|IbPk zihv0GGXl0AzJ?QDD$mwmujlzoW_{l1)Y#79 -## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 -## DO NOT EDIT THIS FILE! -## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. -## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default -## into ../local and edit there. -## - -###### Global Windows Eventtype ###### - -[windows_event_signature] -search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog -#tags = track_event_signatures - -[wineventlog_windows] -search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns -#tags = os windows - -[wineventlog_application] -search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application -#tags = os windows - -[wineventlog_system] -search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System -#tags = os windows - -[wineventlog_security] -search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR 
source=XmlWinEventLog:Security
-#tags = os windows
-
-[perfmon_windows]
-search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
-#tags = os windows
-
-[hostmon_windows]
-search = sourcetype=WinHostMon
-#tags = os windows
-
-[hostmon_os]
-search = sourcetype=WinHostMon Type=OperatingSystem
-#tags = os windows memory performance
-
-[hostmon_inventory]
-search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
-#tags = os inventory cpu memory
-
-[hostmon_disk]
-search = sourcetype=WinHostMon (Type=Disk)
-#tags = inventory performance storage
-
-[netmon_windows]
-search = sourcetype=WinNetMon
-#tags = os windows
-
-[printmon_windows]
-search = sourcetype=WinPrintMon
-#tags = os windows
-
-[script_windows]
-search = sourcetype=Script:* source=*.bat
-#tags = os windows
-
-[wmi_windows]
-search = sourcetype=WMI:*
-#tags = os windows
-
-[windowsupdatelog_windows]
-search = sourcetype=WindowsUpdateLog
-#tags = os windows
-
-[winregistry_windows]
-search = sourcetype=WinRegistry
-#tags = os windows endpoint change registry
-
-[winapp]
-search = eventtype=wineventlog_application
-
-[winsec]
-search = eventtype=wineventlog_security
-#tags = security
-
-[winsystem]
-search = eventtype=wineventlog_system
-
-
-###### DHCP ######
-[msdhcp]
-search = sourcetype=msdhcp
-#tags = dhcp network session windows
-
-[msdhcp_start]
-search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
-#tags = start
-
-[msdhcp_end]
-search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
-#tags = end
-
-[DhcpSrvLog]
-search = sourcetype=DhcpSrvLog
-#tags = windows
-
-[DhcpSrvLog_dhcp]
-search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
-#tags = dhcp network session
-
-[DhcpSrvLog_start]
-search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
-#tags = dhcp network session start
-
-[DhcpSrvLog_end]
-search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
-#tags = dhcp network session end
-
-
-###### Security: Account Logon ######
-
-## Authentication Ticket Granted/Failed
-## EventCodes 4768, 4772, 672, 676
-[windows_auth_ticket_granted]
-search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
-#tags = authentication
-
-## Service Ticket Granted/Failed
-## EventCodes 4769, 4773, 673, 677
-[windows_service_ticket_granted]
-search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
-#tags = authentication
-
-## Ticket Granted Renewed
-## EventCodes 4770, 674
-[windows_ticket_renewed]
-search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
-## tags intentionally left blank
-#tags =
-
-## Pre-authentication failed
-## EventCodes 4771, 675
-[windows_pre_auth_failed]
-search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
-#tags = authentication
-
-## Account Mapped for Logon by
-## EventCodes 4774, 678
-[windows_account_mapped]
-search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
-## tags intentionally left blank
-#tags = authentication
-
-## The name: %2 could not be mapped for logon by: %1
-## EventCodes 4775, 679
-[windows_account_notmapped]
-search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
-#tags = authentication
-
-## Account Used for Logon by
-## The domain controller attempted/failed to validate the credentials for an account
-## The logon to account: %2 by: %1 from workstation: %3 failed.
-## EventCodes 4776, 4777, 680, 681
-[windows_account_used4logon]
-search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
-#tags = authentication
-
-## Session reconnected to winstation
-## EventCodes 4778, 682
-[windows_session_reconnected]
-search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
-## tags intentionally left blank
-#tags =
-
-## Session disconnected from winstation
-## EventCodes 4779, 683
-[windows_session_disconnected]
-search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
-#tags = access stop logoff
-
-
-###### Security: Account Management ######
-[windows_account_management]
-search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management")
-#tags = account change management
-
-## User/Computer Account Created
-## EventCodes 4720, 4741, 624, 645
-[windows_account_created]
-search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
-#tags = add account change
-
-
-## User Account Enabled
-## EventCodes 4722, 626
-[windows_account_enabled]
-search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
-#tags = enable account change
-
-## Change Password Attempt
-## EventCodes 4723, 627
-[windows_account_password_change]
-search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
-#tags = password modify account change
-
-## User Account password set
-## EventCodes 4724, 628
-[windows_account_password_set]
-search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
-#tags = password modify account change
-
-## User Account Disabled
-## EventCodes 4725, 629
-[windows_account_disabled]
-search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
-#tags = disable account change
-
-## User/Computer Account Deleted
-## EventCodes 4726, 4743, 630, 647
-[windows_account_deleted]
-search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
-#tags = delete account change
-
-## User/Computer Account Changed
-## EventCodes 4738, 4742, 642, 646, 625
-[windows_account_modified]
-search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
-#tags = modify account change
-
-## User Account Locked Out
-## EventCodes 4740, 644
-[windows_account_lockout]
-search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
-#tags = lock lockout account change
-
-## User Account Unlocked
-## EventCodes 4767, 671
-[windows_account_unlocked]
-search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
-#tags = modify account change
-
-
-###### Security: Audit (Event Log) ######
-
-## The event logging service has shut down
-## EventCode 1100
-[windows_audit_log_stopped]
-search = eventtype=wineventlog_security EventCode=1100
-#tags = stop stopped watchlist
-
-## Audit events have been dropped by the transport.
-## The security Log is now full
-## The event logging service encountered an error
-## EventCodes 1101, 1104, 1108
-[windows_audit_errors]
-search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
-#tags = audit error
-
-## The audit log was cleared
-## EventCodes 1102, 517
-[windows_audit_log_cleared]
-search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
-#tags = audit change delete cleared watchlist
-
-## Event log automatic backup
-## EventCode 1105
-[windows_audit_backup]
-search = eventtype=wineventlog_security EventCode=1105
-#tags = audit backup change
-
-## Logon/Logoff audit logs
-## EventCode 4625
-[windows_audit_log_logon]
-search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
-#tags = audit change
-
-
-###### Security: Logon/Logoff ######
-
-## User Logoff/User initiated logoff
-## EventCodes 4634, 4647, 538, 551
-[windows_logoff]
-search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
-#tags = access stop logoff
-
-## A logon was attempted using explicit credentials
-## EventCodes 4648, 552
-[windows_logon_explicit]
-search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
-#tags = authentication privileged
-
-## An account failed to log on
-## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
-[windows_logon_failure]
-search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
-#tags = authentication
-
-## An account was successfully logged on
-## EventCodes 4624, 528, 540
-[windows_logon_success]
-search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
-#tags = authentication
-
-
-###### Security: Object Access ######
-
-## Object Open
-## EventCodes 4656, 560
-[windows_object_open]
-search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
-#tags = resource file access start
-
-## Handle Closed
-## EventCodes 4658, 562
-[windows_handle_closed]
-search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
-#tags = resource file access stop
-
-
-###### Security: Policy Change ######
-
-## Audit Policy Change/The audit policy (SACL) on an object was changed
-## EventCodes 4715, 4719, 612
-[windows_audit_policy_change]
-search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
-#tags = policy configuration modify audit change
-
-## System security access was granted to an account
-## EventCodes 4717, 621
-[windows_security_access_granted]
-search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
-#tags = access authorization add change account
-
-## System security access was removed from an account
-## EventCodes 4718, 622
-[windows_security_access_removed]
-search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
-#tags = access authorization delete change account
-
-## Per User Audit Policy was changed
-## EventCodes 4912, 807
-[windows_audit_policy_changed]
-search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
-#tags = policy configuration modify audit change
-
-## The following policy was active when the Windows Firewall started
-## EventCodes 848, 849, 850
-[windows_firewall_policy_active]
-search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
-#tags = application firewall configuration report
-
-## A change has been made to Windows Firewall
-## EventCodes 4946, 4947, 4948, 851, 852
-[windows_firewall_policy_change]
-search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
-#tags = application firewall configuration modify
-
-## The Windows Firewall has detected an application listening for incoming traffic
-## EventCodes 4957, 861
-[windows_firewall_port_listening]
-search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
-#tags = application firewall port listening report
-
-
-###### Security: Privilege Use ######
-
-## Special privileges assigned to new logon
-## EventCodes 4672, 576
-[windows_special_privileges]
-search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
-#tags = authentication privileged
-
-## Privileged Service Called
-## EventCodes 4673, 577
-[windows_privileged_service_call]
-search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
-#tags = process execute start privileged
-
-## Privileged object operation
-## EventCodes 4674, 578
-[windows_privileged_object_operation]
-search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
-#tags = resource execute start privileged
-
-
-###### Security: Process Tracking ######
-
-## A new process has been created
-## EventCodes 4688, 592
-[windows_process_new]
-search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
-#tags = process execute start
-
-## A process has exited
-## EventCodes 4689, 593
-[windows_process_exit]
-search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
-#tags = process execute stop
-
-## A process was assigned a primary token
-## EventCodes 4696, 600
-[windows_process_token]
-search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
-#tags = process execute start privileged
-
-
-###### Security: System ######
-
-## An authentication package has been loaded by the Local Security Authority
-## EventCodes 4610, 514
-[windows_auth_package]
-search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
-#tags = process execute start
-
-## A trusted logon process has registered with the Local Security Authority
-## EventCodes 4611, 515
-[windows_logon_process]
-search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
-#tags = process authorization add
-
-## A notification package has been loaded by the Security Account Manager
-## EventCodes 4614, 518
-[windows_notification_package]
-search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
-#tags = process execute start
-
-
-###### Security: Vulnerability ######
-## System security domain policy was changed
-## EventCode 4739
-[windows_security_misconfiguration_password_minimum_length]
-search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
-#tags = misconfiguration password policy vulnerability report audit change
-
-
-###### System: Time ######
-
-## EventCode 35, 37
-[windows_time_sync]
-search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
-#tags = report time synchronize success performance
-
-## EventCodes 17, 29, 36, 38
-[windows_time_failure]
-search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
-#tags = report time synchronize failure performance
-
-
-###### System: Update ######
-[windows_system_update]
-search = eventtype=wineventlog_system "Windows Update Agent"
-#tags = system update
-
-## EventCodes 17, 18, 19
-[windows_system_update_status]
-search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19)
-#tags = status
-
-[windows_updatelog]
-search = sourcetype=WindowsUpdateLog
-#tags = system update
-
-[windows_updatelog_status]
-search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
-#tags = status
-
-## WMI:Update
-[wmi_installed_packages]
-search = sourcetype=WMI:InstalledUpdates
-#tags = system update status
-
-
-###### Splunk WMI ######
-
-## ComputerSystem
-[wmi_computersystem]
-search = sourcetype=WMI:ComputerSystem
-#tags = performance memory
-
-## CPUTime
-[perfmon_cputime]
-search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
-#tags = performance cpu report
-
-[perfmon_cputime_anomalous]
-search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
-#tags = anomalous
-
-[wmi_cputime]
-search = sourcetype=WMI:CPUTime
-#tags = performance cpu report
-
-[wmi_cputime_anomalous]
-search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
-#tags = anomalous
-
-## System
-[perfmon_system]
-search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
-#tags = performance cpu report
-
-## Disk
-[perfmon_freediskspace]
-search = sourcetype=Perfmon:FreeDiskSpace
-#tags = performance storage disk report
-
-[perfmon_freediskspace_anomalous]
-search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
-#tags = anomalous
-
-[perfmon_logicaldisk]
-search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
-#tags = performance storage disk
-
-##ProcessorInformation
-[perfmon_processorinformation]
-search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
-#tags = performance cpu report process
-
-[wmi_freediskspace]
-search = sourcetype=WMI:FreeDiskSpace
-#tags = performance storage disk report
-
-[wmi_freediskspace_anomalous]
-search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
-#tags = anomalous
-
-[wmi_logicaldisk]
-search = sourcetype=WMI:LogicalDisk
-#tags = performance storage disk
-
-## Listening Ports
-[script_listeningports]
-search = sourcetype=Script:ListeningPorts
-#tags = port listening report
-
-## Local Processes
-[wmi_localprocesses]
-search = sourcetype=WMI:LocalProcesses
-#tags = process report
-
-[wmi_localprocesses_anomalous]
-search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
-#tags = anomalous
-
-## Memory
-[perfmon_memory]
-search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
-#tags = performance memory report
-
-[perfmon_memory_anomalous]
-search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
-#tags = anomalous
-
-[wmi_memory]
-search = sourcetype=WMI:Memory
-#tags = performance memory report
-
-[wmi_memory_anomalous]
-search = sourcetype=WMI:Memory windows_mem_free<104857600
-#tags = anomalous
-
-## Service
-[wmi_service]
-search = sourcetype=WMI:Service
-#tags = service report
-
-[wmi_service_status_anomalous]
-search = sourcetype=WMI:Service Status=* NOT Status=OK
-#tags = anomalous
-
-[wmi_service_state_anomalous]
-search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
-#tags = anomalous
-
-## Network
-[perfmon_network]
-search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
-#tags = performance network
-
-[perfmon_network_throughput]
-search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
-#tags = performance network
-
-[perfmon_network_bandwidth]
-search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
-#tags = performance network
-
-[wmi_network_throughput]
-search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
-#tags = performance network
-
-[wmi_network_bandwidth]
-search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
-#tags = performance network
-
-## Process
-[perfmon_process]
-search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
-#tags = performance process report
-
-## Uptime
-[wmi_uptime]
-search = sourcetype=WMI:Uptime
-#tags = performance uptime report
-
-[wmi_uptime_anomalous]
-search = sourcetype=WMI:Uptime windows_uptime>2592000
-#tags = anomalous
-
-## User Accounts
-[wmi_useraccounts]
-search = sourcetype=WMI:UserAccounts
-#tags = account report inventory user
-
-## Version
-[wmi_version]
-search = sourcetype=WMI:Version
-#tags = system version report inventory
-
-[microsoft_windows_hostmon_process]
-search = sourcetype=WinHostMon source=process
-#tags = process report
-
-[microsoft_windows_hostmon_service]
-search = sourcetype=WinHostMon source=service
-#tags = service report
-
-[microsoft_windows_hostmon_service_time]
-search = sourcetype=WinHostMon source=service Name=W32Time
-#tags = time synchronize os performance
-
-
-### AD/DNS eventtypes###
-
-[wineventlog-ds]
-search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
-
-[powershell]
-search = source=Powershell
-
-[msad-dc-health]
-search = eventtype=powershell sourcetype="MSAD:*:Health"
-
-[msad-rep-health]
-search = eventtype=powershell sourcetype="MSAD:*:Replication"
-
-[msad-site]
-search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
-
-[msad-subnetinfo]
-search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
-
-[msad-sitelinkinfo]
-search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
-
-[msad-siteinfo]
-search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
-
-[msad-subnet-affinity]
-search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
-
-[admon-gpo]
-search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
-
-[admon-group]
-search = eventtype=admon objectCategory="*CN=Group*"
-
-[admon-computer]
-search = eventtype=admon objectCategory="*CN=Computer*"
-
-[admon-user]
-search = eventtype=admon objectCategory="*CN=Person*"
-
-[admon]
-search = sourcetype=ActiveDirectory
-
-[perfmon]
-search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
-
-[ad-files]
-search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
-
-[perfmon-ntds]
-search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
-
-[nt6-dns-events]
-search = sourcetype=MSAD:NT6:DNS
-
-[wineventlog-dns]
-search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
-
-[msad-dns-zoneinfo]
-search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
-
-[msad-dns-health]
-search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
-
-[msad-dns-debuglog]
-search = eventtype=ad-files sourcetype="MSAD:*:DNS"
-
-[perfmon-dns]
-search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
-
-[wineventlog-dfs]
-search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
-
-[wineventlog-filereplication]
-search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
-
-[wineventlog-keymanagement]
-search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
-
-[endpoint_services_processes]
-search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
-
-## Endpoint Processes
-[windows_endpoint_processes]
-search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
-#tags = process report
-
-## Endpoint Services
-[windows_endpoint_services]
-search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
-#tags = service report
-
-## Security-CIM Mappings
-
-## Endpoint Registry
-[windows_security_endpoint_registry]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
-#tags = endpoint registry
-
-## Endpoint Port
-[windows_security_endpoint_port]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
-#tags = listening port
-
-## Change Audit
-[windows_security_change_audit]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
-#tags = change audit
-
-## Change
-[windows_security_change]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799)
-#tags = change
-
-## Authentication
-[windows_security_authentication]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625)
-#tags = authentication
-
-## Change Account - ADDON-42191
-[windows_security_change_account]
-search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801)
-#tags = change account
-
-## System-CIM Mapping
-
-# Change Audit - ADDON-48489
-[windows_system_change_audit]
-search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
-#tags = change audit