diff --git a/deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf b/deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf index 069a6262..b03fc741 100644 --- a/deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf +++ b/deployment-apps/Splunk_TA_microsoft_ad_FW_Other/default/eventtypes.conf @@ -57,4 +57,16 @@ search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR ev [wineventlog_application] search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application -#tags = os windows \ No newline at end of file +#tags = os windows + +[wineventlog_system] +search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System +#tags = os windows + +[wineventlog_security] +search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security +#tags = os windows + +[windows_event_signature] +search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog +#tags = track_event_signatures \ No newline at end of file diff --git a/deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store b/deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store new file mode 100644 index 00000000..c07d36b1 Binary files /dev/null and b/deployment-apps/Splunk_TA_windows_local_only_et/.DS_Store differ diff --git a/deployment-apps/Splunk_TA_windows_local_only_et/local/eventtypes.conf b/deployment-apps/Splunk_TA_windows_local_only_et/local/eventtypes.conf new file mode 100644 index 00000000..be813bbe --- /dev/null +++ b/deployment-apps/Splunk_TA_windows_local_only_et/local/eventtypes.conf 
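Review bot: The three stanzas added here, `[wineventlog_system]`, `[wineventlog_security]` and `[windows_event_signature]`, are also defined with identical `search` values in the `Splunk_TA_windows_local_only_et/local/eventtypes.conf` file this same commit adds. Splunk merges eventtypes.conf across every enabled app and resolves same-named stanzas by app precedence, so the two copies do not conflict today but will silently diverge the first time one of them is edited; keep each eventtype in one TA and reference it with `eventtype=` from the other. The `#tags = os windows` and `#tags = track_event_signatures` lines are comments, so this file applies no tags at all; if CIM tagging is intended it belongs in this app's tags.conf, e.g. `[eventtype=wineventlog_security]` followed by `os = enabled` and `windows = enabled`. The hunk also leaves the file without a trailing newline again (`\ No newline at end of file` after the new last line), which was the very thing the first change in the hunk fixed.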
@@ -0,0 +1,761 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## + +###### Global Windows Eventtype ###### + +[windows_event_signature] +search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog +#tags = track_event_signatures + +[wineventlog_windows] +search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns +#tags = os windows + +[wineventlog_application] +search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application +#tags = os windows + +[wineventlog_system] +search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System +#tags = os windows + +[wineventlog_security] +search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security +#tags = os windows + +[perfmon_windows] +search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon* +#tags = os windows + +[hostmon_windows] +search = sourcetype=WinHostMon +#tags = os windows + +[hostmon_os] +search = sourcetype=WinHostMon Type=OperatingSystem +#tags = os windows memory performance + +[hostmon_inventory] +search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor) +#tags = os inventory cpu memory + +[hostmon_disk] +search = sourcetype=WinHostMon 
(Type=Disk) +#tags = inventory performance storage + +[netmon_windows] +search = sourcetype=WinNetMon +#tags = os windows + +[printmon_windows] +search = sourcetype=WinPrintMon +#tags = os windows + +[script_windows] +search = sourcetype=Script:* source=*.bat +#tags = os windows + +[wmi_windows] +search = sourcetype=WMI:* +#tags = os windows + +[windowsupdatelog_windows] +search = sourcetype=WindowsUpdateLog +#tags = os windows + +[winregistry_windows] +search = sourcetype=WinRegistry +#tags = os windows endpoint change registry + +[winapp] +search = eventtype=wineventlog_application + +[winsec] +search = eventtype=wineventlog_security +#tags = security + +[winsystem] +search = eventtype=wineventlog_system + + +###### DHCP ###### +[msdhcp] +search = sourcetype=msdhcp +#tags = dhcp network session windows + +[msdhcp_start] +search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13) +#tags = start + +[msdhcp_end] +search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17) +#tags = end + +[DhcpSrvLog] +search = sourcetype=DhcpSrvLog +#tags = windows + +[DhcpSrvLog_dhcp] +search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15) +#tags = dhcp network session + +[DhcpSrvLog_start] +search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11) +#tags = dhcp network session start + +[DhcpSrvLog_end] +search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18) +#tags = dhcp network session end + + +###### Security: Account Logon ###### + +## Authentication Ticket Granted/Failed +## EventCodes 4768, 4772, 672, 676 +[windows_auth_ticket_granted] +search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676) +#tags = authentication + +## Service Ticket Granted/Failed +## EventCodes 4769, 4773, 673, 677 +[windows_service_ticket_granted] +search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677) +#tags = 
authentication + +## Ticket Granted Renewed +## EventCodes 4770, 674 +[windows_ticket_renewed] +search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674) +## tags intentionally left blank +#tags = + +## Pre-authentication failed +## EventCodes 4771, 675 +[windows_pre_auth_failed] +search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675) +#tags = authentication + +## Account Mapped for Logon by +## EventCodes 4774, 678 +[windows_account_mapped] +search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678) +## tags intentionally left blank +#tags = authentication + +## The name: %2 could not be mapped for logon by: %1 +## EventCodes 4775, 679 +[windows_account_notmapped] +search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679) +#tags = authentication + +## Account Used for Logon by +## The domain controller attempted/failed to validate the credentials for an account +## The logon to account: %2 by: %1 from workstation: %3 failed. 
+## EventCodes 4776, 4777, 680, 681 +[windows_account_used4logon] +search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681) +#tags = authentication + +## Session reconnected to winstation +## EventCodes 4778, 682 +[windows_session_reconnected] +search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682) +## tags intentionally left blank +#tags = + +## Session disconnected from winstation +## EventCodes 4779, 683 +[windows_session_disconnected] +search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683) +#tags = access stop logoff + + +###### Security: Account Management ###### +[windows_account_management] +search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management") +#tags = account change management + +## User/Computer Account Created +## EventCodes 4720, 4741, 624, 645 +[windows_account_created] +search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645) +#tags = add account change + + +## User Account Enabled +## EventCodes 4722, 626 +[windows_account_enabled] +search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626) +#tags = enable account change + +## Change Password Attempt +## EventCodes 4723, 627 +[windows_account_password_change] +search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627) +#tags = password modify account change + +## User Account password set +## EventCodes 4724, 628 +[windows_account_password_set] +search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628) +#tags = password modify account change + +## User Account Disabled +## EventCodes 4725, 629 +[windows_account_disabled] +search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629) +#tags = disable account change + +## User/Computer Account Deleted +## EventCodes 4726, 4743, 630, 647 +[windows_account_deleted] +search 
= eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647) +#tags = delete account change + +## User/Computer Account Changed +## EventCodes 4738, 4742, 642, 646, 625 +[windows_account_modified] +search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625) +#tags = modify account change + +## User Account Locked Out +## EventCodes 4740, 644 +[windows_account_lockout] +search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644) +#tags = lock lockout account change + +## User Account Unlocked +## EventCodes 4767, 671 +[windows_account_unlocked] +search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671) +#tags = modify account change + + +###### Security: Audit (Event Log) ###### + +## The event logging service has shut down +## EventCode 1100 +[windows_audit_log_stopped] +search = eventtype=wineventlog_security EventCode=1100 +#tags = stop stopped watchlist + +## Audit events have been dropped by the transport. 
+## The security Log is now full +## The event logging service encountered an error +## EventCodes 1101, 1104, 1108 +[windows_audit_errors] +search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108) +#tags = audit error + +## The audit log was cleared +## EventCodes 1102, 517 +[windows_audit_log_cleared] +search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517) +#tags = audit change delete cleared watchlist + +## Event log automatic backup +## EventCode 1105 +[windows_audit_backup] +search = eventtype=wineventlog_security EventCode=1105 +#tags = audit backup change + +## Logon/Logoff audit logs +## EventCode 4625 +[windows_audit_log_logon] +search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413) +#tags = audit change + + +###### Security: Logon/Logoff ###### + +## User Logoff/User initiated logoff +## EventCodes 4634, 4647, 538, 551 +[windows_logoff] +search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551) +#tags = access stop logoff + +## A logon was attempted using explicit credentials +## EventCodes 4648, 552 +[windows_logon_explicit] +search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552) +#tags = authentication privileged + +## An account failed to log on +## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 +[windows_logon_failure] +search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR 
EventCode=536 OR EventCode=537 OR EventCode=539) +#tags = authentication + +## An account was successfully logged on +## EventCodes 4624, 528, 540 +[windows_logon_success] +search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540) +#tags = authentication + + +###### Security: Object Access ###### + +## Object Open +## EventCodes 4656, 560 +[windows_object_open] +search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560) +#tags = resource file access start + +## Handle Closed +## EventCodes 4658, 562 +[windows_handle_closed] +search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562) +#tags = resource file access stop + + +###### Security: Policy Change ###### + +## Audit Policy Change/The audit policy (SACL) on an object was changed +## EventCodes 4715, 4719, 612 +[windows_audit_policy_change] +search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612) +#tags = policy configuration modify audit change + +## System security access was granted to an account +## EventCodes 4717, 621 +[windows_security_access_granted] +search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621) +#tags = access authorization add change account + +## System security access was removed from an account +## EventCodes 4718, 622 +[windows_security_access_removed] +search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622) +#tags = access authorization delete change account + +## Per User Audit Policy was changed +## EventCodes 4912, 807 +[windows_audit_policy_changed] +search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807) +#tags = policy configuration modify audit change + +## The following policy was active when the Windows Firewall started +## EventCodes 848, 849, 850 +[windows_firewall_policy_active] +search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850) +#tags = application firewall configuration report + +## 
A change has been made to Windows Firewall +## EventCodes 4946, 4947, 4948, 851, 852 +[windows_firewall_policy_change] +search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852) +#tags = application firewall configuration modify + +## The Windows Firewall has detected an application listening for incoming traffic +## EventCodes 4957, 861 +[windows_firewall_port_listening] +search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861) +#tags = application firewall port listening report + + +###### Security: Privilege Use ###### + +## Special privileges assigned to new logon +## EventCodes 4672, 576 +[windows_special_privileges] +search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576) +#tags = authentication privileged + +## Privileged Service Called +## EventCodes 4673, 577 +[windows_privileged_service_call] +search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577) +#tags = process execute start privileged + +## Privileged object operation +## EventCodes 4674, 578 +[windows_privileged_object_operation] +search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578) +#tags = resource execute start privileged + + +###### Security: Process Tracking ###### + +## A new process has been created +## EventCodes 4688, 592 +[windows_process_new] +search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592) +#tags = process execute start + +## A process has exited +## EventCodes 4689, 593 +[windows_process_exit] +search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593) +#tags = process execute stop + +## A process was assigned a primary token +## EventCodes 4696, 600 +[windows_process_token] +search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600) +#tags = process execute start privileged + + +###### Security: System ###### + +## An authentication package has been loaded by the Local Security Authority 
+## EventCodes 4610, 514 +[windows_auth_package] +search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514) +#tags = process execute start + +## A trusted logon process has registered with the Local Security Authority +## EventCodes 4611, 515 +[windows_logon_process] +search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515) +#tags = process authorization add + +## A notification package has been loaded by the Security Account Manager +## EventCodes 4614, 518 +[windows_notification_package] +search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518) +#tags = process execute start + + +###### Security: Vulnerability ###### +## System security domain policy was changed +## EventCode 4739 +[windows_security_misconfiguration_password_minimum_length] +search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7) +#tags = misconfiguration password policy vulnerability report audit change + + +###### System: Time ###### + +## EventCode 35, 37 +[windows_time_sync] +search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success) +#tags = report time synchronize success performance + +## EventCodes 17, 29, 36, 38 +[windows_time_failure] +search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure) +#tags = report time synchronize failure performance + + +###### System: Update ###### +[windows_system_update] +search = eventtype=wineventlog_system "Windows Update Agent" +#tags = system update + +## EventCodes 17, 18, 19 +[windows_system_update_status] +search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19) +#tags = status + +[windows_updatelog] 
+search = sourcetype=WindowsUpdateLog +#tags = system update + +[windows_updatelog_status] +search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update" +#tags = status + +## WMI:Update +[wmi_installed_packages] +search = sourcetype=WMI:InstalledUpdates +#tags = system update status + + +###### Splunk WMI ###### + +## ComputerSystem +[wmi_computersystem] +search = sourcetype=WMI:ComputerSystem +#tags = performance memory + +## CPUTime +[perfmon_cputime] +search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) +#tags = performance cpu report + +[perfmon_cputime_anomalous] +search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90 +#tags = anomalous + +[wmi_cputime] +search = sourcetype=WMI:CPUTime +#tags = performance cpu report + +[wmi_cputime_anomalous] +search = sourcetype=WMI:CPUTime windows_percent_processor_time>90 +#tags = anomalous + +## System +[perfmon_system] +search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System +#tags = performance cpu report + +## Disk +[perfmon_freediskspace] +search = sourcetype=Perfmon:FreeDiskSpace +#tags = performance storage disk report + +[perfmon_freediskspace_anomalous] +search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10 +#tags = anomalous + +[perfmon_logicaldisk] +search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk +#tags = performance storage disk + +##ProcessorInformation +[perfmon_processorinformation] +search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation) +#tags = performance cpu report process + +[wmi_freediskspace] +search = sourcetype=WMI:FreeDiskSpace +#tags = performance storage disk report + +[wmi_freediskspace_anomalous] +search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10 +#tags = anomalous + +[wmi_logicaldisk] +search = 
sourcetype=WMI:LogicalDisk +#tags = performance storage disk + +## Listening Ports +[script_listeningports] +search = sourcetype=Script:ListeningPorts +#tags = port listening report + +## Local Processes +[wmi_localprocesses] +search = sourcetype=WMI:LocalProcesses +#tags = process report + +[wmi_localprocesses_anomalous] +search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total +#tags = anomalous + +## Memory +[perfmon_memory] +search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory +#tags = performance memory report + +[perfmon_memory_anomalous] +search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600 +#tags = anomalous + +[wmi_memory] +search = sourcetype=WMI:Memory +#tags = performance memory report + +[wmi_memory_anomalous] +search = sourcetype=WMI:Memory windows_mem_free<104857600 +#tags = anomalous + +## Service +[wmi_service] +search = sourcetype=WMI:Service +#tags = service report + +[wmi_service_status_anomalous] +search = sourcetype=WMI:Service Status=* NOT Status=OK +#tags = anomalous + +[wmi_service_state_anomalous] +search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running +#tags = anomalous + +## Network +[perfmon_network] +search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network +#tags = performance network + +[perfmon_network_throughput] +search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *) +#tags = performance network + +[perfmon_network_bandwidth] +search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*) +#tags = performance network + +[wmi_network_throughput] +search = sourcetype=WMI:LocalNetwork BytesTotalPersec=* +#tags = performance network + +[wmi_network_bandwidth] +search = sourcetype=WMI:LocalNetwork 
CurrentBandwidth=* +#tags = performance network + +## Process +[perfmon_process] +search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process +#tags = performance process report + +## Uptime +[wmi_uptime] +search = sourcetype=WMI:Uptime +#tags = performance uptime report + +[wmi_uptime_anomalous] +search = sourcetype=WMI:Uptime windows_uptime>2592000 +#tags = anomalous + +## User Accounts +[wmi_useraccounts] +search = sourcetype=WMI:UserAccounts +#tags = account report inventory user + +## Version +[wmi_version] +search = sourcetype=WMI:Version +#tags = system version report inventory + +[microsoft_windows_hostmon_process] +search = sourcetype=WinHostMon source=process +#tags = process report + +[microsoft_windows_hostmon_service] +search = sourcetype=WinHostMon source=service +#tags = service report + +[microsoft_windows_hostmon_service_time] +search = sourcetype=WinHostMon source=service Name=W32Time +#tags = time synchronize os performance + + +### AD/DNS eventtypes### + +[wineventlog-ds] +search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service" + +[powershell] +search = source=Powershell + +[msad-dc-health] +search = eventtype=powershell sourcetype="MSAD:*:Health" + +[msad-rep-health] +search = eventtype=powershell sourcetype="MSAD:*:Replication" + +[msad-site] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" + +[msad-subnetinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet" + +[msad-sitelinkinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink" + +[msad-siteinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site" + +[msad-subnet-affinity] +search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE + +[admon-gpo] +search = eventtype=admon objectCategory="*CN=Group-Policy-Container*" + +[admon-group] +search = eventtype=admon objectCategory="*CN=Group*" + +[admon-computer] +search = eventtype=admon 
objectCategory="*CN=Computer*" + +[admon-user] +search = eventtype=admon objectCategory="*CN=Person*" + +[admon] +search = sourcetype=ActiveDirectory + +[perfmon] +search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*" + +[ad-files] +search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS + +[perfmon-ntds] +search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS") + +[nt6-dns-events] +search = sourcetype=MSAD:NT6:DNS + +[wineventlog-dns] +search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server" + +[msad-dns-zoneinfo] +search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information" + +[msad-dns-health] +search = eventtype=powershell sourcetype="MSAD:*:DNS-Health" + +[msad-dns-debuglog] +search = eventtype=ad-files sourcetype="MSAD:*:DNS" + +[perfmon-dns] +search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS") + +[wineventlog-dfs] +search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication" + +[wineventlog-filereplication] +search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service" + +[wineventlog-keymanagement] +search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service" + +[endpoint_services_processes] +search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog" + +## Endpoint Processes +[windows_endpoint_processes] +search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674) +#tags = process report + +## Endpoint Services +[windows_endpoint_services] +search = (source="WinEventLog:Security" OR 
source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045) +#tags = service report + +## Security-CIM Mappings + +## Endpoint Registry +[windows_security_endpoint_registry] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry"))) +#tags = endpoint registry + +## Endpoint Port +[windows_security_endpoint_port] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158) +#tags = listening port + +## Change Audit +[windows_security_change_audit] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102) +#tags = change audit + +## Change +[windows_security_change] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799) +#tags = change + +## Authentication +[windows_security_authentication] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625) +#tags = authentication + +## Change Account - ADDON-42191 +[windows_security_change_account] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801) +#tags = change account + +## System-CIM Mapping + +# Change Audit - ADDON-48489 +[windows_system_change_audit] +search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104) +#tags = change audit
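Review bot: `[windows_time_failure]` searches `(SourceName=W32Time OR Microsoft-Windows-Time-Service)`, so the second operand is a bare keyword matched against the raw event rather than a `SourceName` field match, unlike `[windows_time_sync]` directly above it; I would change that line to `search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)`. The file as a whole is a vendor default eventtypes.conf copied under `local/`, and its header still says `DO NOT EDIT THIS FILE!` and points at `$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local`, a different app from the one it now lives in; because `local/` overrides `default/` stanza by stanza and is never replaced on upgrade, this pins every eventtype here and will mask future upstream fixes, so either trim the file to the stanzas actually being overridden or rewrite the header to record where the copy came from and why it is pinned. The same commit also adds a binary `Splunk_TA_windows_local_only_et/.DS_Store`, which is macOS Finder metadata and should be dropped from the commit and listed in `.gitignore`. This hunk appears to end at `#tags = change audit`; if the file continues past this chunk I have not reviewed the remainder.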