# transforms.conf — Splunk lookup definitions and field extractions for
# Windows data: KV store lookups, CSV lookups, REGEX/FORMAT extractions and
# one delimiter-based (DELIMS/FIELDS) extraction.
# Stanza names are what props.conf references (LOOKUP-, REPORT-,
# TRANSFORMS-); renaming a stanza here silently breaks that reference.
# Splunk .conf files only honour full-line '#' comments — anything after a
# value on the same line is part of the value, so no trailing comments.

# --- KV store lookups for Active Directory objects -------------------------
# The four AD lookups share one field set; only the backing collection differs.
[ActiveDirectory_ComputerInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Computers
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_GPOInfoLookup]
external_type = kvstore
collection = ActiveDirectory_GPOs
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_GroupInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Groups
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_UserInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Users
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

# Maps a reporting host to its NetBIOS/DNS domain, forest and AD site.
[DomainSelector]
external_type = kvstore
collection = DomainSelector_collection
fields_list = host, DomainNetBIOSName, DomainDNSName, ForestName, Site

# --- CSV lookups (event code, group type, error code, logon type tables) ---
# max_matches=1 returns a single row per key even if the CSV holds duplicates.
[EventCodes]
filename=EventCodes.csv
max_matches=1

[GroupType]
filename=group-type.csv
max_matches=1

# Host inventory keyed on _time; time_field marks this as a time-based lookup,
# so the row in effect at the event's timestamp is returned rather than the
# latest row.
[tHostInfo]
external_type = kvstore
time_field = _time
collection = tHostInfo_collection
fields_list = _time, src_ip, src_hostdomain, src_nt_domain, src_host

[HostToDomain]
external_type = kvstore
collection = DomainList_collection
fields_list = host, src_nt_domain

[KRBErrorCode]
filename=KRBErrorCode.csv
max_matches=1

[LogonTypeName]
filename=logon-type.csv
max_matches=1

[NTLMErrorCode]
filename=NTLMErrorCodes.csv
max_matches=1

[SchemaVersionName]
filename=schema-version.csv
max_matches=1

[SiteInfo]
external_type = kvstore
collection = SiteInfo_collection
fields_list = host, Site

# NOTE(review): the CSVs below are defined a second time further down
# ([windows_actions]/[windows_action_lookup], [windows_privileges]/
# [windows_privilege_lookup], [windows_signatures]/[windows_signature_lookup],
# [windows_signatures_substatus]/[windows_signature_lookup2],
# [windows_update_statii]/[windows_update_status_lookup]). The pairs differ
# only in max_matches=1 being present here, so the two names can return a
# different number of rows for the same key. Presumably kept for
# backward-compatible props.conf references — confirm which name props.conf
# uses before consolidating.
[windows_actions]
filename=windows_actions.csv
max_matches=1

# --- KV store lookups backing the Windows data-model / inventory panels ----
[windows_event_details]
external_type = kvstore
collection = windows_event_details_collection
fields_list = EventCode, EventCodeDescription, LogName, SourceName, TaskCategory, Type

[windows_event_system]
external_type = kvstore
collection = windows_event_system_collection
fields_list = Host

[windows_hostmon_system]
external_type = kvstore
collection = windows_hostmon_system_collection
fields_list = Host

[windows_netmon_details]
external_type = kvstore
collection = windows_netmon_details_collection
fields_list = Direction, LocalPort, PacketType, ProcessName, Protocol, RemoteHostName, RemotePort, UserName

[windows_netmon_system]
external_type = kvstore
collection = windows_netmon_system_collection
fields_list = Host

[windows_perfmon_details]
external_type = kvstore
collection = windows_perfmon_details_collection
fields_list = collection, counter, instance, object

[windows_perfmon_system]
external_type = kvstore
collection = windows_perfmon_system_collection
fields_list = Host

[windows_printmon]
external_type = kvstore
collection = windows_printmon_collection
fields_list = Host, printer, operation, user

[windows_privileges]
filename=windows_privileges.csv
max_matches=1

[windows_signatures_substatus]
filename=windows_signatures_substatus.csv
max_matches=1

[windows_signatures]
filename=windows_signatures.csv
max_matches=1

[windows_update_statii]
filename=windows_update_statii.csv
max_matches=1

## IAS (Currently WinEventLog Support Only)
# Index-time transform (DEST_KEY = MetaData:Source): rewrites the source of
# any event whose raw text contains "SourceName=IAS". Unlike the search-time
# stanzas below, this runs where parsing happens and only affects data
# indexed after it is deployed — it must be wired from a TRANSFORMS- setting
# in props.conf, not LOOKUP-/REPORT-.
[force_source_system_ias_for_wineventlog]
DEST_KEY = MetaData:Source
REGEX = SourceName\=IAS
FORMAT = source::WinEventLog:System:IAS

###### All Windows Event Log ######
## Lookups
# Same CSV as [windows_signatures] above, without max_matches — see the
# review note on the first definition.
[windows_signature_lookup]
filename = windows_signatures.csv

[windows_signature_lookup2]
filename = windows_signatures_substatus.csv

## Add EventCodeDescription ##
[windows_event_descriptions]
filename = windows_event_descriptions.csv

## REPORT
# Splits Image_File_Name into directory and file name. Group 1 is the text up
# to and including the last '\' or '/' (the repeated group ends with
# [\\/]+, so the separator stays on file_path); group 2 is the remainder.
# With no separator, group 1 is empty and the whole value lands in file_name.
[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2

####### Windows Security Event Log ######
## Lookups
[windows_action_lookup]
filename = windows_actions.csv

[windows_privilege_lookup]
filename = windows_privileges.csv

## REPORT
# "sv" variant: captures the privilege block after "Privileges:" /
# "Assigned:" up to the next "Label:" line (lazy .*? stops at the first
# line that looks like "<text>:").
# NOTE(review): the terminator (?:^[^:]+:) needs '^' to match at a line
# start, but only (?s) is set, not (?m); whether that works depends on the
# engine's multiline default — confirm on a sample privilege-assignment
# event. The "mv" stanza below has no such dependency.
[vendor_privilege_sv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:)
FORMAT = vendor_privilege::$1

# "mv" variant: everything after "Privileges:" / "Assigned:" to end of
# Message (the colon is mandatory here, unlike the sv stanza's ':?').
[vendor_privilege_mv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*)
FORMAT = vendor_privilege::$1

# First line of each vendor_privilege value becomes privilege_id; MV_ADD keeps
# one privilege_id per vendor_privilege value instead of overwriting.
[privilege_id_for_windows_security]
SOURCE_KEY = vendor_privilege
REGEX = ^([^\r\n]+)
FORMAT = privilege_id::$1
MV_ADD = True

# Pulls the numeric id out of "TokenElevationTypeDefault (1)"-style values.
[Token_Elevation_Type_id_for_windows_security]
SOURCE_KEY = Token_Elevation_Type
REGEX = \((\d+)\)
FORMAT = Token_Elevation_Type_id::$1

## Aliases
# dest/src from ComputerName: leading backslashes are dropped and the name
# must not begin with '-'. The quotes in FORMAT are stripped by Splunk; they
# are not part of the field value.
[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"

[ComputerName_as_src]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

###### Windows System Event Log ######
# No SOURCE_KEY: these two run against _raw.
[package_title_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = package_title::"$1"

# user from "Message=User <domain\>name ... was"; the optional group strips a
# DOMAIN\ or DOMAIN/ prefix, and [^.]+ stops at the first '.'.
[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"

## IAS (Currently WinEventLog Support Only)
# Generic "key = value" extraction from each line of Message; the FIELD NAME
# comes from the event text itself ($1), not from this file. MV_ADD = TRUE
# means a key that collides with an existing field adds a value rather than
# replacing it.
# NOTE(review): because field names are event-controlled, searches over IAS
# data should not treat these auto-extracted fields as authoritative —
# prefer the explicitly named extractions where one exists.
[auto_kv_for_windows_system_ias]
SOURCE_KEY = Message
REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*)
FORMAT = $1::$2
MV_ADD = TRUE

###### Update ######
[windows_update_status_lookup]
filename = windows_update_statii.csv

# WindowsUpdate.log "Content Install" lines: whole line -> package_message,
# the status phrase -> vendor_status.
[package_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = package_message::"$1" vendor_status::"$2"

[package_title_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

[package_title_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

# Second-stage extraction over package_message: text after "- " up to the
# closing ')', optionally including a ", NN-bit Edition" suffix.
[package_title_for_windowsupdatelog_package_message]
SOURCE_KEY = package_message
REGEX = \-\s+([^\)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = package_title::"$1"
MV_ADD = True

# KB number out of package_title; MV_ADD keeps one package per title value.
[package_for_windowsupdatelog]
SOURCE_KEY = package_title
REGEX = (KB\d+)
FORMAT = package::$1
MV_ADD = True

# WindowsUpdate.log line layout: date, time, then pid, tid, component.
[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3

###### Windows Firewall Log ######
# Space-delimited firewall log columns, in on-disk order; field names with
# '-' (src-ip, dst-port, ...) are kept as written and need quoting in SPL.
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"

# --- KV store lookups for host monitoring inventory -----------------------
[windows_hostmon_machine_details]
external_type = kvstore
collection = windows_hostmon_machine_details_collection
fields_list = Architecture, Domain, Manufacturer, OS

[windows_hostmon_fs_details]
external_type = kvstore
collection = windows_hostmon_fs_details_collection
fields_list = DriveType, FileSystem, FreeSpacePct, TotalSpaceGB

[windows_hostmon_process_details]
external_type = kvstore
collection = windows_hostmon_process_details_collection
fields_list = Name

[windows_hostmon_services_details]
external_type = kvstore
collection = windows_hostmon_services_details_collection
fields_list = Name, StartMode, State