##
## SPDX-FileCopyrightText: 2021 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
## Splunk props.conf for Splunk_TA_windows: index-time settings (SHOULD_LINEMERGE, TRANSFORMS-*) and
## search-time CIM mappings (REPORT-*, EXTRACT-*, FIELDALIAS-*, LOOKUP-*, EVAL-*) for Windows sources.
## Every REPORT-/TRANSFORMS- class and every lookup named here is defined outside this file
## (transforms.conf and the app's lookup tables); keep the two in sync when editing.
## Splunk applies classes of one kind in ASCII order of the class name, which is why several
## class names carry a leading digit (REPORT-0..., LOOKUP-1...) to force precedence.
## This file uses # for full-line comments only; Splunk .conf files do not support trailing comments.

###########################
## Active Directory
###########################
## Decodes the AD userAccountControl bitmask into userAccountPropertyFlag.
## OUTPUT (not OUTPUTNEW) overwrites any userAccountPropertyFlag already present on the event.
[ActiveDirectory]
LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag

###########################
## DHCP
###########################
## Microsoft DHCP server audit log (DhcpSrvLog). Index-time settings first, then search-time CIM mappings.
[DhcpSrvLog]
## Index-time: one event per line, timestamp within the first 20 characters; EVENT_BREAKER_ENABLE lets a
## universal forwarder break events itself. The log's header block is dropped by the dhcp_discard_headers transform.
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
EVENT_BREAKER_ENABLE = true
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
## NOTE(review): props.conf report classes are spelled REPORT-<class>; this key uses an underscore (REPORT_1...),
## so it is unlikely to be recognised and the microsoft_dhcp_dest_dns transform would never run — confirm against
## transforms.conf and the shipped file before relying on the dest_dns field.
REPORT_1microsoft_dhcp_dest_dns = microsoft_dhcp_dest_dns
LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
FIELDALIAS-win-sign-id = msdhcp_id AS signature_id
FIELDALIAS-dhcp-user = msdhcp_user AS user
EVAL-vendor = "Microsoft"
EVAL-product = "DHCP"
EVAL-vendor_product = "Microsoft DHCP"
## Normalise the MAC: a bare run of 12 or more word characters is reduced to its last six pairs, colon-separated;
## anything else has -, . and whitespace separators replaced by :. Result is lower-cased.
## NOTE(review): this branch matches ^\w{12,}$ while the MAC fallback in EVAL-dest below matches ^\w{12}$,
## so a raw_mac longer than 12 characters is normalised here but not there.
EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12,}$"), replace(raw_mac, "^.*(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$", "\1:\2:\3:\4:\5:\6"), true(), replace(raw_mac, "-|\.|\s", ":")))
## dest = host name, else IP, else normalised MAC. BAD_ADDRESS is the placeholder name the DHCP server logs
## for an address it found already in use, so it is never treated as a host (see EVAL-reason below).
EVAL-dest = coalesce(if(nt_host!="BAD_ADDRESS", nt_host, null()), ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), true(), replace(raw_mac, "-|\.|\s", ":"))))
## qresult is the QResult (NAP quarantine) column of the DHCP log; unknown codes are passed through as-is.
EVAL-quarantine_info = case(qresult == 0, "NoQuarantine", qresult == 1, "Quarantine", qresult == 2, "Drop Packet", qresult == 3, "Probation", qresult == 6, "No Quarantine Information", true(), qresult)
## CIM action from the DHCP event id; the ids are resolved to text by msdhcp_signature_lookup above.
## Ids not listed leave action unset.
EVAL-action = case(msdhcp_id IN (13,15,12,16,18), "blocked", msdhcp_id IN (10,11), "added")
EVAL-dest_nt_host = case(nt_host!="BAD_ADDRESS", nt_host)
EVAL-reason = case(nt_host=="BAD_ADDRESS", nt_host)

###########################
## Splunk Windows Event Log
###########################
## Host override for WinEventLog events collected using WEF
## Events relayed through a Windows Event Forwarding collector are received with the collector as host;
## these index-time transforms presumably reset host to the originating machine (see transforms.conf) — confirm.
[host::WinEventLogForwardHost]
TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride
TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride

## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog
## format source using sourcetype value, so we know whether its XML or not
## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype
## the mod input sets and new sources will be accommodated as well
## The (?::){0} prefix is the props.conf idiom for matching sourcetypes by wildcard pattern rather than literal name.
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype

[(?::){0}XmlWinEventLog:*]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype

## Fields common to all WinEventLogs
## Classic (text-rendered) event log format. The [XmlWinEventLog] stanza below repeats these mappings
## with the XML field names; keep the two in step when changing either.
[WinEventLog]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_for_windows = Process AS process
## 4688 (process creation) names the new process in New_Process_Name; other events use Process_Name.
EVAL-process_name = if(EventCode==4688, New_Process_Name, Process_Name)
FIELDALIAS-parent_process_for_windows = Creator_Process_Name AS parent_process
FIELDALIAS-user_id_for_windows = User_ID AS user_id
EVAL-vendor_product = "Microsoft Windows"

## XML-rendered event log format. KV_MODE = none switches off automatic key=value extraction; the XML is
## instead decomposed by the REPORT-0xml_* transforms (System/EventData/UserData/... blocks, then their children).
[XmlWinEventLog]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
## Give the XML elements the classic field names so the shared mappings below work for both formats.
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
EVAL-process_name = if(EventCode==4688, NewProcessName, ProcessName)
FIELDALIAS-parent_process_for_windows = ParentProcessName AS parent_process
FIELDALIAS-user_id_for_windows = UserID AS user_id
EVAL-vendor_product = "Microsoft Windows"

## Below fields extractions have been moved from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] and [source::*:System]
## windows system sub-sourcetyping
## Classic System log. The index-time transform presumably re-labels IAS (NPS) events to their own source; see transforms.conf.
[source::WinEventLog:System]
TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
## Windows Update (WindowsUpdateClient) events: signature/status derived from the update message.
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
## Service Control Manager events: 7036 (service entered running/stopped state), 7040 (start type changed), 7045 (service installed).
REPORT-1service_name_eventcode_7036 = service_name_eventcode_7036
REPORT-1service_name_eventcode_7040 = service_name_eventcode_7040
## 104 is "the log file was cleared" — a tamper indicator, mapped to the Change data model further down.
EVAL-status = case(EventCode=="7036" AND status=="running","started",EventCode=="7036" AND status=="stopped","stopped",EventCode=="104","success")
LOOKUP-0start_mode_for_eventcode_7040_service_windows = windows_start_mode_lookup StartType AS start_type2 OUTPUTNEW start_mode
LOOKUP-1start_mode_for_eventcode_7045_service_windows = windows_start_mode_lookup StartType AS Service_Start_Type OUTPUTNEW start_mode
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_for_windows = signature_id AS package
FIELDALIAS-package_title_for_windows = signature AS package_title
## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility
# Extractions to add fields used by generic system extraction
REPORT-signature_message_from_xml = updatelist_from_user_data
REPORT-signature_from_xml = updatetitle_from_user_data
## ASNEW only sets signature when no signature field exists yet.
FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
## Error_Code prefers Status, then Error_Code, else "-" so the multi-input lookup below always has a value to match on.
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
## The two single-input/multi-input variants below are retired in favour of the EventCode+Error_Code lookup; kept for reference.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
## For 7040/7045 a user of "-" means "no subject" and is dropped; everything else keeps user as extracted.
EVAL-user = case(EventCode IN (7040,7045),case(user!="-",user),true(),user)
EVAL-user_name = if(EventCode==104, User, user_name)
EVAL-result = if(EventCode==104, "log file was cleared", result)
EVAL-object_category = if(EventCode==104, "audit log", object_category)
EVAL-action = if(EventCode==104, "cleared", action)
EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
EVAL-app = if(SourceName="IAS","ias",null())
## NOTE(review): the named capture group in this regex appears stripped in this copy ("(?.+)"); the shipped
## file presumably reads (?<object>.+) given the class name — verify before copying this line to local/.
EXTRACT-object_for_windows_system = (?ms)EventCode=104(?:\n|\r).*(?:Message=The\s(?.+)\sfile)
##### Explanation for SEDCMD Extractions #####
## clean_info_text_from_winsystem_events_this_event: This will delete all the information text at the end of event starting from "This event is generated..." before indexing
##### SEDCMD Extractions #####
## Disabled by default: SEDCMD rewrites the raw event at index time, so enabling it removes the explanatory
## text permanently from the indexed copy.
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g

## Apply the following properties to all WinEventLog events
## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
[source::(WMI:WinEventLog|WinEventLog)...]
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
## REPORT-MESSAGE is set empty so the system-default class does not run a second time after REPORT-0MESSAGE.
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
REPORT-MESSAGE =

###########################
## Windows XML Event Log
###########################
## Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
## XML System log. Mirrors [source::WinEventLog:System] above using the XML field names (param2/param3 etc.).
[source::XmlWinEventLog:System]
# Extractions to add fields used by generic system extraction
REPORT-signature_message_from_xml = updatelist_from_user_data
REPORT-signature_from_xml = updatetitle_from_user_data
FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
## Retired single-input/multi-input variants; kept for reference.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
EVAL-body = coalesce('signature_message','Message')
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_title_for_windows = signature AS package_title
FIELDALIAS-package_for_windows = signature_id AS package
REPORT-service_name = ServiceName_as_service_name
## In the XML rendering of 7036 the new service state is the second positional parameter (param2).
EVAL-status = case(EventCode=="7036" AND param2=="running","started",EventCode=="7036" AND param2=="stopped","stopped", EventCode==104, "success")
LOOKUP-0start_mode_for_eventcode_7045_service_windows_xml = windows_start_mode_lookup StartType OUTPUTNEW start_mode
LOOKUP-1start_mode_for_eventcode_7040_service_windows_xml = windows_start_mode_lookup StartType AS param3 OUTPUTNEW start_mode
## 104 (log cleared) -> Change data model; the cleared channel name comes from UserData.
EVAL-action = case(EventCode==104, "cleared")
EVAL-object_category = case(EventCode==104, "audit log")
EVAL-result = case(EventCode==104, "log file was cleared")
EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
REPORT-channel_from_user_data = channel_from_user_data
EVAL-object = case(EventCode==104, user_data_channel + " log")
## NOTE(review): both regexes below look truncated in this copy — the capture group has no name ("(?.*?)") and the
## opening <SubjectUserName> tag is missing; presumably (?<user>...) / (?<user_name>...) in the shipped file — verify.
EXTRACT-user_from_SubjectUserName = 104<\/EventID>.*(?.*?)<\/SubjectUserName>
EXTRACT-user_name_from_SubjectUserName = 104<\/EventID>.*(?.*?)<\/SubjectUserName>

## Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
## XML Security log: the main Authentication / Change / Endpoint CIM mapping for Windows security auditing.
## Order of the EVAL-* lines does not matter to Splunk; they are grouped by the field they produce.
[source::XmlWinEventLog:Security]
REPORT-logfilecleared_block_extract = logfilecleared_xml_block
REPORT-logfilecleareddata_for_xml = LogFileClearedData_from_user_data
## privilege
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
# Extractions to add fields used by generic security extraction
## Rename XML EventData elements to the classic-format names the shared REPORT-*_for_windows_security classes expect.
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
## Error_Code prefers Status, then Error_Code, else "-" so the EventCode+Error_Code lookup always has a key.
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
## Retired single-input/multi-input variants; kept for reference.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-CategoryString_for_windows_xml_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
## The numbered classes run in order 0, 1, 2, 3; each uses OUTPUTNEW so the first one that matches wins.
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
LOOKUP-object_for_windows3_security = xmlsecurity_change_audit_and_account_management_lookup EventCode OUTPUTNEW object_attrs,result
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
## Coarse outcome from the NTSTATUS in Status: 0xC000006F invalid logon hours, 0xC0000070 workstation restriction,
## 0xC000015B logon type not granted, 0xC0000234 account locked out -> "denied"; 0xC0000064 no such user -> "unknown";
## 0xC0000133 clock skew with the DC, 0xC0000225 object not found -> "error".
## NOTE(review): the 1=1 default labels every other Status, including 0x0, as "failure" — confirm downstream
## consumers of ta_windows_action expect that for events such as 4768/4776 that carry a success status.
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
## Each comma-separated list is tried left to right; the first transform that yields a value populates the CIM field.
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(TargetUserName,New_Account_Name,Target_Account_Name)
## Group membership events (member_* fields) and AD object-change parsing.
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
## "-" is what the event log writes for an absent domain; treat it as no value.
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
REPORT-member_user_name = special_user_from_member_name
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
## Attempt to map EventCodes that have sub-statuses ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## NOTE(review): every EXTRACT below has lost its capture-group name and opening <Data Name="..."> tag in this copy
## ("(?[^<]+)<\/Data>"); the shipped file presumably names each group after the field in the class name — verify.
## The IpAddress one also carries a stray leading "\(" that looks like a remnant of the stripped tag.
EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data>
## Loopback source addresses (::1 and 127.0.0.1) are deliberately excluded by the negative lookaheads, so purely
## local logons do not populate the extracted address field.
EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\>
EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-new_process_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-parent_process_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-new_process_id_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-process_id_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-process_command_line_for_xml = (?[^<]+)<\/Data>
## 4624/4625 (logon success/failure) carry the package (NTLM, Kerberos, Negotiate...) in AuthenticationPackageName.
EVAL-authentication_method = case(EventCode IN (4624, 4625), AuthenticationPackageName, true(), authentication_method)
## XML Security-CIM Mappings
REPORT-parent_process_name_windows_xml = extract_parent_process_name_for_windows_xml
REPORT-new_process_name_windows_xml = extract_new_process_name_for_windows_xml
REPORT-target_process_name_windows_xml = extract_target_process_name_for_windows_xml
REPORT-caller_user_name_from_user_data_xml = SubjectUserName_from_user_data
REPORT-file_name_and_path = object_file_name_and_path_from_ObjectName_for_xml,file_name_and_path_from_FileName_for_xml,file_name_and_path_from_KeyFilePath_for_xml
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
## object_attrs per event: 4717/4718 system access granted/removed; SamAccountName for account changes (except the
## group events listed); group member for 4728/4729/4732/4733/4756/4757; task XML for 4698-4702; for 4719 (audit policy
## changed) a synthetic "Category=...,Changes=..." summary. 4720/4738 are cleared because the lookup above fills them.
EVAL-object_attrs = if(EventCode IN (4720,4738), null(),if(EventCode=4717, AccessGranted, (if(EventCode==4718, AccessRemoved, (if(isnotnull(SamAccountName) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), SamAccountName, if(EventCode IN (4728,4729,4732,4733,4756,4757), TargetUserName, if(EventCode IN (4698,4700,4701), TaskContent, if(EventCode==4702, TaskContentNew, if(EventCode==4719, "Category="+CategoryId+",Subcategory="+SubcategoryId+",Subcategory GUID="+SubcategoryGuid+",Changes="+AuditPolicyChanges,object_attrs))))))))))
## 4657 = registry value modified.
EVAL-registry_path = if(EventCode==4657,ObjectName,registry_path)
EVAL-registry_value_name = if(EventCode==4657,ObjectValueName,registry_value_name)
EVAL-registry_value_type = if(EventCode==4657,NewValueType,registry_value_type)
## src: group events are local (src = dest); 4778 session reconnect uses ClientAddress; 4624 uses IpAddress but
## 4625 uses WorkstationName, a client-supplied name rather than the observed address — analysts correlating
## failed logons by address should prefer src_ip where it is populated.
EVAL-src = case(EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4799), dest, EventCode==4778, ClientAddress, EventCode == 4624, IpAddress, EventCode==4625, WorkstationName, 1=1, src)
EVAL-file_name = coalesce(file_name,if(ObjectType=="File",object_file_name,null()),ShareName)
EVAL-file_path = coalesce(file_path,if(ObjectType=="File",object_file_path,null()),ShareLocalPath)
## 5156/5158 (Filtering Platform connection/bind) carry the local port in SourcePort.
EVAL-src_port = if(EventCode=5158 OR EventCode=5156, SourcePort, src_port)
## process for 4688: the full command line when it already contains the executable path (a backslash), otherwise the
## executable (quoted if it contains whitespace) joined with the extracted arguments; falls back to NewProcessName.
## 4696 (primary token assigned) reports the target process instead.
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(NewProcessName,"\s"), "\"" + NewProcessName + "\"", NewProcessName)) + " " + process_command_line_arguments), NewProcessName) , EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
EVAL-process_path = case(EventCode==4688, new_process, EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
EVAL-process_id = case(EventCode==4688, new_process_id, EventCode==4696, TargetProcessId, true(), process_id)
EVAL-service = if(isnotnull(service),service, Service)
## Parent process: for 4688/4696 the creating process is ProcessId/ProcessName; the replace() strips the directory
## to leave the file name.
EVAL-parent_process = case(EventCode==4696,ProcessName,true(),parent_process)
EVAL-parent_process_id = case(EventCode==4688 OR EventCode==4696,ProcessId)
EVAL-parent_process_name = case(EventCode==4696,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
EVAL-parent_process_path = case(EventCode==4688,parent_process,EventCode==4696,ProcessName)
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"))
EVAL-process_name = case(EventCode=4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),ProcessName)
## user = the account the event is about: group create/delete events have none; 4688 falls back to src_user when
## the target user is "-"/absent; subject-only events (1102, 4673/4674, 4689, 4697, task and audit-policy events) use
## SubjectUserName; account-management events use TargetUserName; 4781 (rename) uses the new name; member add/remove
## events take the member from MemberSid (last backslash component) or member_user_name.
EVAL-user = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (1102,4673,4674,4689,4697,4698,4700,4701,4702,4719,4799), case(SubjectUserName!="-",SubjectUserName),EventCode==4696,case(user!="-",user),EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user)
EVAL-user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767,4800,4801), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (1102,4719,4698,4700,4701,4702,4799), SubjectUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user_name)
## src_user = the account that performed the action (SubjectUserName). The inner case() yields nothing when the
## subject is "-", which logon events typically carry when there is no requesting subject.
EVAL-src_user = case(EventCode IN (4624,4625,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781), case(SubjectUserName!="-",SubjectUserName), EventCode IN (4634,4800,4801), TargetUserName, true(),src_user)
EVAL-src_user_name = case(EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4754,4755,4756,4757,4758,4764,4767,4781), SubjectUserName, EventCode IN (4634,4800,4801), TargetUserName, true(),src_user_name)
EVAL-src_nt_domain = case(EventCode IN (4634,4800,4801), TargetDomainName, EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764), SubjectDomainName, true(), src_nt_domain)
## object for the Change data model: the affected account, group member, workstation (4800/4801), task name,
## "audit log" for 1102 (log cleared) and the audit policy itself for 4719.
EVAL-object = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4730,4731,4734,4735,4737,4738,4740,4754,4755,4758,4764,4767,4799), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"), -1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (4800,4801), Computer, EventCode IN (4698,4700,4701,4702),TaskName, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", true(), object)
EVAL-object_id = case(EventCode IN (4704, 4705, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4730, 4731, 4734, 4735, 4737, 4738, 4754, 4755, 4758, 4764, 4767, 4781, 4799), TargetSid, EventCode IN (4634,4703), TargetUserSid, EventCode IN (4728,4729,4732,4733,4756,4757), MemberSid, true(), object_id)
## Keywords 0x8020000000000000 is the Security log's "Audit Success" flag; a successful 4688 is an allowed process start.
EVAL-action = case(EventCode=="4688" AND Keywords=="0x8020000000000000","allowed")
## Assigning Group_Name based on EventCodes as not all EventCodes have GroupName same as TargetUserName and GroupDomain same as TargetDomainName
## The ranges cover the group-management event ids (4727-4735, 4737, 4744-4764) plus 4799 (group membership enumerated).
EVAL-Group_Name=case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name)
EVAL-Group_Domain=case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain)
## 4741/4742/4743 = computer account created/changed/deleted.
EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
LOOKUP-start_mode_for_windows_xml = windows_endpoint_service_service_type_lookup Service_Start_Type AS ServiceStartType OUTPUTNEW start_mode
LOOKUP-service_name = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service, service_name
LOOKUP-transport_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status

## Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*]
## XML Application log: only the generic Error_Code/action handling plus dest from Computer.
[source::XmlWinEventLog:Application]
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
## Retired single-input/multi-input variants; kept for reference.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest

###### All Windows Event Log ######
###### Windows Application Event Log ######
## All Windows Application
## Below fields extractions have been moved from
[source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] [source::WinEventLog:Application] EVAL-dest = coalesce('ComputerName','Computer') ## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") # LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status # LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status ##Below fields extractions have been moved from [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] [source::WinEventLog:Security] LOOKUP-CategoryString_for_windows_legacy_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity ## Attempt to map EventCodes that have sub statii ( i.e. 
EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject ## action, status ## Security-CIM Mappings LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status ## Override action to allow audit log changes to correspond to Change Analysis data model LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status ## privilege REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-body_for_windows_security = Message AS body FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") ## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app 
## app0..app4 are one lookup tried against five different keys; OUTPUTNEW
## means the first key that resolves decides app (local vs remote), including
## the catch-all on the event's source.
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
## Each REPORT lists the transforms (left to right) that can populate the CIM
## field from the vendor field named in the transform; the EVALs further down
## then override selected EventCodes and pass everything else through.
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
## src can come from a workstation name or from Source_Network_Address /
## Client_Address, so it may be a hostname, an IP, "-" or a loopback address
## depending on logon type; src_ip below is the address-only subset.
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,New_Security_ID_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Special_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
## "-" is Windows' placeholder for "no domain"; drop it rather than index it.
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
## Section-scoped extractions (Subject:/Target:/Group:/Member:/... blocks of the
## message) that feed the *_Account_Name / *_Security_ID fields used below.
REPORT-subject_fields = subject_fields_extraction
REPORT-target_fields = target_fields_extraction
REPORT-group_fields = group_fields_extraction
REPORT-new_account_fields = new_account_fields_extraction
REPORT-member_fields = member_fields_extraction
REPORT-account_locked_out_fields = account_locked_out_fields_extraction
REPORT-task_fields = task_fields_extraction
REPORT-new_task_fields = new_task_fields_extraction
## Per-EventCode choice of which account is "the user":
##  - 4799 (group enumeration): the caller (Subject).
##  - group lifecycle events (4727..4764 list): no user at all.
##  - 4688: the extracted user unless it is "-"/missing, then the creator.
##  - 4689/4696/4673/4674/4697: keep the extracted user unless it is "-".
##  - account-change events and 4781: the target account.
##  - member add/remove events: the account part of Member_Security_ID when it
##    is already resolved to DOMAIN\name; otherwise keep user unless it is
##    domain-qualified or "-".
##  - everything else: the REPORT-extracted user, unchanged (true(),user).
EVAL-user = case(EventCode==4799,Subject_Account_Name,EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (4689,4696,4673,4674,4697),case(user!="-",user), EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),user)
EVAL-user_name = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (1102,4634,4698,4700,4701,4702,4719,4799,4800,4801), Subject_Account_Name, EventCode==104, User, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%")OR user=="-", null(), user)), true(),user_name)
## For account/group management events the actor is the Subject account.
EVAL-src_user = case(EventCode IN (4634,4703,4704,4705,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781,4800,4801), Subject_Account_Name, true(),src_user)
EVAL-src_user_name = case(EventCode IN (4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4728,4729,4733,4756,4757,4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801), Subject_Account_Name, true(),src_user_name)
## object/object_id: the thing acted on (group, account, task, the audit log
## itself for 1102, audit policy for 4719) and its SID where one exists.
EVAL-object = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Name, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (4800,4801), ComputerName, EventCode==4634, Subject_Account_Name, EventCode IN (4698,4700,4701,4702), Task_Name, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode IN (4732,4729,4757,4756,4728,4733), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),object)
EVAL-object_id = case(EventCode IN (4728,4729,4733,4756,4757),Member_Security_ID, EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Security_ID, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781), Target_Security_ID, EventCode==4720, New_Account_Security_ID, EventCode==4732, Member_Security_ID, EventCode==4740, Account_Locked_Out_Security_ID, EventCode==4634, Subject_Security_ID, true(), object_id)
EVAL-authentication_method = case(EventCode IN (4624,4625), Authentication_Package, true(), authentication_method)
EVAL-src_nt_domain = case(EventCode IN (4634,4720,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4740,4754,4755,4756,4757,4758,4764,4800,4801), Subject_Account_Domain, true(), src_nt_domain)
## Group-change events are logged by the machine that applied the change, so
## that machine (ComputerName) is the source.
EVAL-src = case(EventCode IN (4729,4799,4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4757,4756,4728,4733), ComputerName, true(), src)
## NOTE(review): the named capture groups in the EXTRACT patterns below are
## rendered as "(?...)" in this copy; Splunk requires a named group
## "(?<field>...)", so compare with the shipped file before editing them.
EXTRACT-dest_port_for_windows_security = (?s)Network Information:.*?Destination Port:\s+(?\S+).*?(?:(?:\r*\n){2})
EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?[^$]+)$
EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?\S+).*?(?:(?:\r*\n){2})
EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2})
## Only 4756 is matched here; the other member-add/remove codes handled above
## (4728/4732 etc.) do not get this extraction.
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?.*)\\(?[^(?:\n|\r)]+)
## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility
## privilege
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
# Extractions to add fields used by generic security extraction
## XML <Data Name='X'> values are renamed to the classic field names so the
## REPORT/EVAL logic above works for both renderings.
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
## Process-creation outcome. This EVAL runs before the LOOKUP-action_* entries
## (calculated fields precede lookups) and those all use OUTPUTNEW, so the
## value set here for 4688 is kept; for every other EventCode this case()
## yields null and the lookups supply action.
EVAL-action = case(EventCode=="4688" AND Keywords=="Audit Success","allowed",EventCode=="4688" AND Keywords=="Audit Failure","blocked")
REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest
## NOTE(review): the "<Data Name='...'>" prefix and the group names of these
## XML EXTRACT patterns are missing in this copy (HTML tags stripped); the
## pattern bodies below are kept verbatim - verify against the shipped file.
EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data>
EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data>
## The negative lookaheads deliberately skip ::1 and 127.0.0.1, so a logon
## whose IpAddress is loopback yields no address from this extraction and is
## indistinguishable from "no source address" downstream.
EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\>
EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data>
## NOTE(review): the value below is garbled in this copy - it reads as the
## tail of a "cleanxmlsrcport:" explanation fused onto the setting, and the
## heading of the SEDCMD explanation block that normally precedes
## "## cleanxmlsrcip:" is absent. Restore from the shipped props.conf.
EXTRACT-process_id_for_windows_security_from_xml = 0<\/Data> to <\/Data> in XmlWinEventLog:Security
## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security
##### SEDCMD Extractions #####
## All SEDCMDs here are disabled. They are index-time rewrites of _raw and
## therefore only take effect where parsing happens (indexer / heavy
## forwarder) and cannot be undone after indexing: the clean_info_text_*
## entries drop Microsoft's explanatory boilerplate from the Message, while
## cleansrcip/cleansrcport/remove_ffff blank loopback or zero sources and strip
## the IPv4-mapped "::ffff:" prefix. Enabling them reduces volume but alters
## the evidentiary record - weigh that before turning any of them on.
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
## For XmlWinEventLog:Security
#SEDCMD-cleanxmlsrcport = s/0<\/Data>/<\/Data>/
#SEDCMD-cleanxmlsrcip = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/
## Security-CIM Mappings
REPORT-parent_process_name = extract_parent_process_name
REPORT-new_process_name = extract_new_process_name
REPORT-target_process_name = extract_target_process_name
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
REPORT-file_name_and_path = object_name_and_path_from_object_name,file_name_and_path_from_file_name,file_name_and_path_from_file_path
## process for 4688: use Process_Command_Line as-is when its executable token
## is a path (contains a backslash); otherwise rebuild it from New_Process_Name
## (quoted if it contains whitespace) plus the extracted arguments. When the
## command-line fields are absent entirely (command-line auditing not enabled
## on the host - confirm), coalesce() falls back to New_Process_Name alone, so
## command-line based detections silently degrade to image-path matching.
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(New_Process_Name,"\s"), "\"" + New_Process_Name + "\"", New_Process_Name)) + " " + process_command_line_arguments), New_Process_Name), EventCode==4696, Target_Process_Name , true(), coalesce(Process, process, Process_Name))
## 4670 (permissions changed) is included here; its Object_Name may be a file
## rather than a key - treat registry_path for 4670 accordingly.
EVAL-registry_path = if(EventCode==4657 OR EventCode==4670,Object_Name,registry_path)
EVAL-registry_value_name = if(EventCode==4657, Object_Value_Name, registry_value_name)
EVAL-registry_value_type = if(EventCode==4657, New_Value_Type, registry_value_type)
## For 4719 the four fields are string-concatenated; if any of them is missing
## the whole object_attrs value is null.
EVAL-object_attrs = if(EventCode==4717 OR EventCode==4718,Access_Right,if(isnotnull(Group_Name) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799),Group_Name,if(EventCode IN (4698,4700,4701),TaskContent,if(EventCode==4702,TaskNewContent,if(EventCode==4719, "Category="+Category+",Subcategory="+Subcategory+",Subcategory GUID="+Subcategory_GUID+",Changes="+Changes,object_attrs)))))
EVAL-file_name = if(Object_Type=="File" AND isnotnull(object_file_name),object_file_name,if(isnotnull(Share_Name),Share_Name,file_name))
EVAL-file_path = if(Object_Type=="File" AND isnotnull(object_file_path),object_file_path,if(isnotnull(Share_Path),Share_Path,file_path))
## Parent/child process fields: 4688 uses Creator_* for the parent and
## New_Process_* for the child; 4696 (token assigned) uses Process_* for the
## parent and Target_Process_* for the child. The replace() strips the
## directory part of a path to leave the executable name.
EVAL-parent_process = case(EventCode==4696,Process_Name,true(),parent_process)
EVAL-parent_process_id = case(EventCode==4688,Creator_Process_ID,EventCode==4696,Process_ID)
EVAL-parent_process_name = case(EventCode==4696,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
EVAL-process_path = case(EventCode==4688,New_Process_Name,EventCode==4696,Target_Process_Name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,Process_Name)
EVAL-parent_process_path = case(EventCode==4688,Creator_Process_Name,EventCode==4696,Process_Name)
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"))
EVAL-process_name = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),Process_Name)
EVAL-process_id = case(EventCode==4696,Target_Process_ID, EventCode==4689 OR EventCode==4673, Process_ID, true(), process_id)
## 4741/4742/4743 are computer-account events.
EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
LOOKUP-service_name_for_endpoint_service = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service,service_name
LOOKUP-service_type_for_endpoint_service = windows_endpoint_service_service_type_lookup Service_Start_Type OUTPUTNEW start_mode
## Key name has a typo ("transpot"/"pot"); left as-is because local overrides
## must reference the exact key.
LOOKUP-transpot_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
LOOKUP-wineventlog-change-object-fields = windows_wineventlog_change_object_fields_lookup EventCode OUTPUTNEW change_type,object_attrs,object_category,result ## IAS (Currently WinEventLog Support Only) [source::WinEventLog:System:IAS] REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias EVAL-app = "ias" [source::WinEventLog:ForwardedEvents] ##### Explanation for SEDCMD Extractions ##### ## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues ## cleanxmlsrcport: This will replace all values like 0<\/Data> to <\/Data> in XmlWinEventLog:Security ## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security ## clean_rendering_info_block: This will eliminate the entire extra block from all the events that indexes when using WEF before indexing ##### SEDCMD Extractions ##### #SEDCMD-remove_ffff = s/::ffff://g #SEDCMD-cleansrcipxml = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/ #SEDCMD-cleansrcportxml=s/0<\/Data>/<\/Data>/ #SEDCMD-clean_rendering_info_block = s/(?s)(.*)<\/RenderingInfo>// ###### WindowsUpdateLog ###### [source::...WindowsUpdate.Log] sourcetype = WindowsUpdateLog [WindowsUpdateLog] SHOULD_LINEMERGE = false EVENT_BREAKER_ENABLE = true FIELDALIAS-dest_for_windowsupdatelog = host AS dest REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status EVAL-vendor = "Microsoft" EVAL-product = "Windows" 
FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id # Legacy field aliases to support ES 2.0.2, Winfra FIELDALIAS-package_for_windows = signature_id AS package FIELDALIAS-package_title_for_windows = signature AS package_title [WinRegistry] ## Registry Extractions ## registry_path, registry_key_name, registry_value_name REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry REPORT-registry_value_data = registry_value_data_for_WinRegistry FIELDALIAS-registry_value_type = data_type AS registry_value_type ## Endpoint Change Extractions ## Required fields: action,dest,object,object_category,object_path,status,user ## Optional fields: object_id,object_attrs,user_type,msg,data,severity FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action FIELDALIAS-dest_for_WinRegistry = host AS dest REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status REPORT-user_for_WinRegistry = user_for_WinRegistry LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type FIELDALIAS-src_for_WinRegistry = host AS src ## Field Mapping for Endpoint Data Model ## For Registry Dataset FIELDALIAS-process_id_for_WinRegistry = pid AS process_id EVAL-vendor_product = "Microsoft Windows" ##################### ## Splunk Perfmon/WMI ##################### ## Apply the following properties to all WMI events [source::WMI...] 
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv REPORT-MESSAGE = [wmi] LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+) ## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence ## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog" TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype TRANSFORMS-FIELDS = ###### ComputerSystem ###### [WMI:ComputerSystem] FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src [Perfmon:Processor] EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-cpu_instance = instance AS cpu_instance EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:Processor] FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null()) FIELDALIAS-cpu_instance = instance AS cpu_instance 
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:Network_Interface] EVAL-bytes = if(counter=="Bytes Total/sec",Value,null()) EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null()) EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null()) EVAL-packets = if(counter=="Packets/sec",Value,null()) EVAL-packets_in = if(counter=="Packets Received/sec",Value,null()) EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null()) EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:Network_Interface] FIELDALIAS-bytes = Bytes_Total/sec as bytes FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out FIELDALIAS-packets = Packets/sec as packets FIELDALIAS-packets_in = Packets_Received/sec as packets_in FIELDALIAS-packets_out = Packets_Sent/sec as packets_out FIELDALIAS-thruput = Bytes_Total/sec as thruput FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:DFS_Replicated_Folders] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store 
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:NTDS] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:DNS] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:CPU] EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-cpu_instance = instance AS cpu_instance EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store 
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:CPU] FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null()) FIELDALIAS-cpu_instance = instance AS cpu_instance FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:System] EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null()) EVAL-system_threads_count = if(counter=="Threads",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:System] FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count FIELDALIAS-system_threads_count = Threads as system_threads_count FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:ProcessorInformation] SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/ EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null()) 
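FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-vendor_product = "Microsoft Windows"

[PerfmonMk:ProcessorInformation]
EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-vendor_product = "Microsoft Windows"

[WMI:CPUTime]
REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
FIELDALIAS-cpu_instance = Name AS cpu_instance
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Disk ######
[Perfmon:LogicalDisk]
## _Total is an aggregate, not a mount point.
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
## Only latency is scaled to milliseconds; read_latency and write_latency are
## left in seconds as reported by Windows - do not compare them directly.
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:LogicalDisk]
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
## As above: latency in ms, read/write latency in seconds.
EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Sizes here are in megabytes. total = free / (pct_free/100);
## used = total - free = free * (100 - pct_free) / pct_free. Splunk yields
## null for a division by zero, so a 0% free disk produces no storage value.
FIELDALIAS-storage_free = Free_Megabytes as storage_free
EVAL-storage=((100*Free_Megabytes)/storage_free_percent)
EVAL-storage_used=(((100-storage_free_percent)*Free_Megabytes)/storage_free_percent)
EVAL-storage_used_percent=(100-storage_free_percent)

[Perfmon:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

[WMI:FreeDiskSpace]
REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
## Sizes for this sourcetype are in bytes (FreeMegabytes * 1048576), derived
## with the same arithmetic as PerfmonMk:LogicalDisk:
##   storage      = free / (pct_free/100)          = free * 100 / pct_free
##   storage_used = storage - free                 = free * (100 - pct_free) / pct_free
## The shipped expressions tested a field name used nowhere else in this
## stanza (FreeMBytes), multiplied free space by the *used* fraction and
## subtracted megabytes from bytes, so storage was never set and storage_used
## was wrong. A 0% free disk makes the total undefined, so both stay null.
## NOTE(review): PerfmonMk:LogicalDisk reports these in MB - confirm which
## unit downstream dashboards expect before mixing the two sourcetypes.
EVAL-storage = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace) AND PercentFreeSpace>0,(FreeMegabytes*1048576)*100/PercentFreeSpace,null())
EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace) AND PercentFreeSpace>0,(FreeMegabytes*1048576)*(100-PercentFreeSpace)/PercentFreeSpace,null())
EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

[WMI:LogicalDisk]
## Latencies are aliased without scaling (seconds, unlike the perfmon latency
## field above).
FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

[WMI:LocalPhysicalDisk]
REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-src_for_wmi = host AS src

###### Network ######
[WMI:LocalNetwork]
FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max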
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Process ######
## Per-process counters. process_name is the perfmon instance name, not a
## verified image path, and the _Total/Idle pseudo-instances are excluded.
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
EVAL-vendor_product = "Microsoft Windows"

[PerfmonMk:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Field Mapping for Endpoint Data Model
## For Processes Dataset
FIELDALIAS-process_id_for_perfmon = ID_Process AS process_id
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
EVAL-vendor_product = "Microsoft Windows"

###### Installed Apps ######
## Scripted inventory input. TRUNCATE = 0 removes the per-event length cap, so
## a single oversized record is indexed whole rather than cut off; events are
## split on a leading "YYYY-MM-DD HH:MM:SS.mmm" timestamp (the "." before the
## milliseconds is unescaped and matches any character). KV_MODE = none
## disables automatic key=value extraction in favour of the explicit REPORTs.
[Script:InstalledApps]
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
KV_MODE = none
## One REPORT per registry Uninstall value; UninstallString, ModifyPath and
## InstallSource are command/path strings supplied by the installer - treat
## them as untrusted data, not as something to execute.
REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps ###### Installed Updates ###### [WMI:InstalledUpdates] REPORT-00Description_for_installedupdates = Description_for_installedupdates FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null()) LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ###### Listening Ports ###### [Script:ListeningPorts] SHOULD_LINEMERGE = false KV_MODE = None REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports REPORT-1kv_for_listeningports = kv_for_listeningports FIELDALIAS-dest_for_listeningports = dest_ip AS dest FIELDALIAS-process_id_for_listeningports = pid AS process_id ## Field Mapping for Endpoint Data Model ## For Ports Dataset EVAL-transport_dest_port = transport."/".dest_port EVAL-vendor_product = "Microsoft Windows" ###### Local Processes ###### [WMI:LocalProcesses] REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes FIELDALIAS-process_for_wmi_localprocesses = windows_app AS Name, windows_app AS app, windows_app AS process FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ## Field Mapping for Endpoint Data Model ## For Processes Dataset EVAL-vendor_product = "Microsoft Windows" ###### Memory ###### ## Used memory unavailable in Perfmon Memory object and 
WMI Win32_PerfFormattedData_PerfOS_Memory
## Total memory available in WMI:ComputerSystem
## Perfmon:Memory - every EVAL below keys on the `counter` field and yields a value only
## for its own counter (null() otherwise), so each CIM field is populated by one counter.
[Perfmon:Memory]
EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
## mem_free is normalised to MB: "Available MBytes" is used as-is, "Available Bytes" is divided by 1048576
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
## NOTE(review): swap_free/swap_used are taken from the "Pool Nonpaged Bytes"/"Pool Paged Bytes"
## counters, not from a paging-file counter - confirm this is the intended meaning before
## alerting on swap_* for this sourcetype.
EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 (same expression as mem_free above)
EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Metrics-store routing; the same TRANSFORMS set is used by the other Perfmon:* stanzas in this file
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
## PerfmonMk:Memory - the multikv form of the stanza above. The source field names match the
## Perfmon:Memory counter names with spaces replaced by "_", so plain FIELDALIASes are enough here.
## Unlike Perfmon:Memory there is no "Available_Bytes" fallback: mem_free comes only from Available_MBytes.
[PerfmonMk:Memory]
FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
FIELDALIAS-mem_free = Available_MBytes as mem_free
## NOTE(review): swap_* are aliased from the kernel pool counters, as in Perfmon:Memory - confirm intent.
FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
## swap_percent needs swap_used and swap_free in the same event, which the multikv format provides
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
## Redundant alias to avoid tag expansion issue ADDON-10972 (same source field as mem_free above)
FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:Network] EVAL-bytes = if(counter=="Bytes Total/sec",Value,null()) EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null()) EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null()) EVAL-packets = if(counter=="Packets/sec",Value,null()) EVAL-packets_in = if(counter=="Packets Received/sec",Value,null()) EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null()) EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:Network] FIELDALIAS-bytes = Bytes_Total/sec as bytes FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out FIELDALIAS-packets = Packets/sec as packets FIELDALIAS-packets_in = Packets_Received/sec as packets_in FIELDALIAS-packets_out = Packets_Sent/sec as packets_out FIELDALIAS-thruput = Bytes_Total/sec as thruput FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [WMI:Memory] REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free FIELDALIAS-swap_used = PoolPagedBytes AS swap_used EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100 FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in FIELDALIAS-mem_page_out = PagesOutputPersec AS 
mem_page_out FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null()) FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ###### Service ###### [WMI:Service] REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname FIELDALIAS-file_path_for_wmi_service = service_path AS file_path FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode FIELDALIAS-status_for_wmi_service = State AS status FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ## Field Mapping for Endpoint Data Model ## For Services Dataset REPORT-report_field_extract_wmi_service_path_and_exec_name = field_extract_wmi_service_path, field_extract_wmi_service_exec FIELDALIAS-description_for_wmi = Description AS description FIELDALIAS-process_id_for_wmi = IDProcess AS process_id FIELDALIAS-service_name_for_wmi = Name AS service, Name AS service_name EVAL-vendor_product = "Microsoft Windows" ###### Time Configuration ###### [Script:TimesyncConfiguration] DATETIME_CONFIG = CURRENT LINE_BREAKER = ([\r\n]+)Current time: KV_MODE = None REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration REPORT-AnnounceFlags_for_win_timesync_configuration = 
AnnounceFlags_for_win_timesync_configuration REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration REPORT-Time_zone_for_win_timesync_configuration = 
Time_zone_for_win_timesync ###### Time Synchronization ###### [Script:TimesyncStatus] DATETIME_CONFIG = CURRENT LINE_BREAKER = ([\r\n]+)Current time: KV_MODE = None REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action EVAL-last_sync_time = coalesce(strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S %p"),strptime(Last_Successful_Sync_Time, "%m/%d/%Y 
%H:%M:%S"),strptime(Last_Successful_Sync_Time, "%d-%m-%Y %H:%M:%S")) FIELDALIAS-dest = host as dest EVAL-resource_type = "system" ###### Uptime ###### [WMI:Uptime] REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store EVAL-metric_type = "gauge" ###### User Accounts ###### [WMI:UserAccounts] REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain FIELDALIAS-status_for_wmi_useraccounts = Status AS status FIELDALIAS-user_for_wmi_useraccounts = Name AS user FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled FIELDALIAS-description_for_wmi_user_account_status = Description AS description FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ###### Version ###### [WMI:Version] REPORT-0Caption_for_wmi_version = Caption_for_wmi_version LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." 
".Version,null()) FIELDALIAS-description = Caption as description FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src ###### Scheduled Jobs ###### [WMI:ScheduledJobs] FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-src_for_wmi = host AS src ###### Host Inventory ###### [WinHostMon] EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null()) EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null()) EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null()) EVAL-os = if(Type=="OperatingSystem", OS, null()) EVAL-family = if(Type=="Processor", Architecture, null()) EVAL-version = if(Type=="OperatingSystem", Version, null()) EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null()) EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null()) EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null()) EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null()) EVAL-vendor_product = if(Type=="OperatingSystem", OS, null()) EVAL-mount = if (Type=="Disk", Name, null()) EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null()) EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null()) EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null()) EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null()) EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null()) EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null()) EVAL-serial = 
if(Type=="OperatingSystem", SerialNumber, null()) EVAL-description = if(Type=="Processor", Name, null()) EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null()) EVAL-cpu_architecture = if(Type=="Processor", Architecture, null()) REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service FIELDALIAS-dest_for_winhostmon = host as dest EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?[^"}}\{\{]+)" EXTRACT-service_for_winhostmon = DisplayName="(?[^"}}\{\{]+)" EVAL-start_mode = lower(StartMode) ## Field Mapping for Endpoint Data Model ## For Services Dataset REPORT-service_exec_for_WinHostMon_service_path_and_exec_name = service_exec_for_WinHostMon_service_path, service_exec_for_WinHostMon_service_exec FIELDALIAS-process_id_for_winhostmon = ProcessId AS process_id EXTRACT-service_name_for_winhostmon = DisplayName="(?[^"}}\{\{]+)" ####WMI:WinEventLog#### ##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:System] [WMI:WinEventLog:System] LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result FIELDALIAS-category_for_windows = TaskCategory as category FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc FIELDALIAS-event_id_for_windows = RecordNumber AS event_id LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity FIELDALIAS-severity_id_for_windows = EventType AS severity_id FIELDALIAS-id_for_windows = RecordNumber AS id REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows ## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id FIELDALIAS-pid_for_wmi = IDProcess AS pid REPORT-bestmatch_for_windows_system = ComputerName_as_dest REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body # Legacy field aliases to support ES 2.0.2, Winfra FIELDALIAS-package_for_windows = signature_id AS package FIELDALIAS-package_title_for_windows = signature AS package_title ## Field Mapping for Endpoint Data Model ## For Filesystem Dataset FIELDALIAS-process_id_for_wmi = IDProcess AS process_id EVAL-vendor_product = "Microsoft Windows" ##### Explanation for SEDCMD Extractions ##### ## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." 
before indexing ##### SEDCMD Extractions ##### #SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g ##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security] [WMI:WinEventLog:Security] LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString FIELDALIAS-category_for_windows = TaskCategory as category FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc FIELDALIAS-event_id_for_windows = RecordNumber AS event_id LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity FIELDALIAS-severity_id_for_windows = EventType AS severity_id FIELDALIAS-id_for_windows = RecordNumber AS id REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?.*)(?:\n|\r).*Account Domain:\s*(?[^(?:\n|\r)]+) ## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject ## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid ## action, status ## Override action to allow audit log changes to correspond to Change Analysis data model LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status ## privilege REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-body_for_windows_security = Message AS body FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") ## Set the app field 
to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app ## Set the following fields based on order of operations REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host REPORT-src_user_for_windows_security = 
Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") ## Field Mapping for Endpoint Data Model ## For Ports, Services and Processes Datasets FIELDALIAS-dest_port_for_windows_security = Port AS dest_port FIELDALIAS-service_id_for_windows_security = Service_ID AS service_id FIELDALIAS-service_for_windows_security = Service_Name AS service, Service_Name AS service_name FIELDALIAS-process_name_for_windows_security = Process_Name AS process_name FIELDALIAS-user_id_for_windows_security = User_ID AS user_id EVAL-process_id = coalesce('IDProcess','Process_ID') EVAL-vendor_product = "Microsoft Windows" ##### Explanation for SEDCMD Extractions ##### ## 
windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:" ## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:" ## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:" ## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:" ## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x", which addresses most of the IPv6 log-event issues ## NOTE(review): every SEDCMD below rewrites _raw before indexing, and the removed text cannot be recovered from the index afterwards; "NULL SID", "Logon ID: 0x0", loopback source addresses and "Source Port: 0" are themselves distinguishing signals for some Security-log detections, so review existing searches before uncommenting any of these rules (they ship disabled). ## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the information text at the end of event starting from "Certificate information is..." before indexing ## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the information text at the end of event starting from "Token Elevation Type indicates..." before indexing ## clean_info_text_from_winsecurity_events_this_event: This will delete all the information text at the end of event starting from "This event is generated..."
before indexing ##### SEDCMD Extractions ##### #SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g #SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g #SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ #SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ #SEDCMD-remove_ffff = s/::ffff://g #SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g #SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g #SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g ##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...] [WMI:WinEventLog:Application] LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result FIELDALIAS-category_for_windows = TaskCategory as category FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc FIELDALIAS-event_id_for_windows = RecordNumber AS event_id LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity FIELDALIAS-severity_id_for_windows = EventType AS severity_id FIELDALIAS-id_for_windows = RecordNumber AS id REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows ## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id FIELDALIAS-dest_for_wmi = ComputerName AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid ## Field Mapping for Endpoint Data Model ## For Filesystem Dataset FIELDALIAS-process_id_for_wmi = IDProcess AS process_id FIELDALIAS-user_for_wmi = User AS user EVAL-vendor_product = "Microsoft Windows" ###### Backward Compatibility ###### ## Perfmon Disk Space # "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf. # The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. # The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0. [Perfmon:FreeDiskSpace] FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null()) EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null()) EVAL-storage_free_percent = if(counter=="% Free Space",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src ## Perfmon CPUTime # "Perfmon:CPUTime" sourcetype is created from perfmon.conf. # The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. # The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less 4.8.0. 
## Legacy CPU perfmon extractions; each EVAL matches one "counter" name and is null() otherwise.
[Perfmon:CPUTime]
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## Perfmon LocalNetwork
# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:LocalNetwork]
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
## Each stanza below is a search-time sourcetype rename: events already indexed under
## the per-channel sourcetype are surfaced as sourcetype=wineventlog, so the
## [wineventlog] extractions apply to them. The Security channel and the
## AppLocker/WindowsUpdate channels in this list are the ones detection content
## most often keys on - saved searches that filter on the original sourcetype
## names should be checked against this mapping.
[WinEventLog:Security]
rename = wineventlog
[WinEventLog:Application]
rename = wineventlog
[WinEventLog:System]
rename = wineventlog
[WinEventLog:System:IAS]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = wineventlog
[WinEventLog:Setup]
rename = wineventlog
## Continuation of the classic-format channel renames (all map to sourcetype=wineventlog).
## Note the security-relevant channels in this group: Firewall, CAPI2, CodeIntegrity,
## Defender, LSA, PowerShell (both providers), WinRM, SmartCard-Audit, TaskScheduler
## and the TerminalServices/RDP channels.
[WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-LSA/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = wineventlog
[WinEventLog:Windows PowerShell]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PrintService/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WinRM/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog

## Same renames for the XML-format channels (map to sourcetype=xmlwineventlog).
[XmlWinEventLog:Security]
rename = xmlwineventlog
[XmlWinEventLog:Application]
rename = xmlwineventlog
[XmlWinEventLog:System]
rename = xmlwineventlog
## XML-format channel renames (continued); every stanza maps to sourcetype=xmlwineventlog.
[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Setup]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-LSA/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Windows PowerShell]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PrintService/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WinRM/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog

###### Rename stanzas for TA-AD WinEventLog sourcetypes ######
[WinEventLog:DFS-Replication]
rename = wineventlog
[WinEventLog:Directory-Service]
rename = wineventlog
[WinEventLog:File-Replication-Service]
rename = wineventlog
[WinEventLog:Key-Management-Service]
rename = wineventlog

###### Rename stanzas for TA-DNS WinEventLog sourcetypes ######
[WinEventLog:DNS-Server]
rename = wineventlog

## Below two stanzas have been kept for backward compatibility for already indexed events before Splunk Addon For Microsoft Windows 5.0.0.
## Stanzas are exactly similar to [WinEventLog] and [XmlWinEventLog] respectively.
## These will be deprecated in future
## [wineventlog] is the rename target of every classic-format channel above, so
## these extractions are what those legacy events get at search time.
[wineventlog]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
## Classic-format source fields use underscores (Service_ID, Process_Name, User_ID)
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_for_windows = Process AS process
FIELDALIAS-process_name_for_windows = Process_Name AS process_name
FIELDALIAS-user_id_for_windows = User_ID AS user_id
EVAL-vendor_product = "Microsoft Windows"

## [xmlwineventlog] is the rename target of every XML-format channel above.
## Automatic key=value extraction is switched off; the REPORT-0xml_* transforms
## (defined in transforms.conf, not shown here) pull the System/EventData/UserData
## blocks and their properties out of the XML instead.
[xmlwineventlog]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
## Map XML element names onto the classic field names the shared lookups expect
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## XML events carry "Computer" rather than "ComputerName"
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
## XML-format source fields have no underscores (ServiceName, ServiceSid, ProcessName, UserID)
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
FIELDALIAS-process_name_for_windows = ProcessName AS process_name
FIELDALIAS-user_id_for_windows = UserID AS user_id
EVAL-vendor_product = "Microsoft Windows"

## Scripted input for collecting local ip config
## One event per interface: events break before each "Configuration for interface " line.
## TRUNCATE = 0 removes the default per-event length cap, so an unusually large
## script output is indexed whole rather than cut off.
## NOTE(review): the named-capture groups below appear as "(?" with no "<name>" -
## the names look stripped in this copy of the file; the EXTRACT keys here also use
## "key=value" without spaces, unlike the rest of the file (cosmetic, Splunk trims it).
[Script:NetworkConfiguration]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(Configuration for interface )
KV_MODE = none
TRUNCATE = 0
EXTRACT-netshaddressif=Configuration for interface \"(?[^\"]+)
EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?(Yes|No))
EXTRACT-netshaddressip=IP Address\:\s+(?[\d\.]+)
EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?[^\s]+)
EXTRACT-netshaddressmask=mask (?[^\)]+)
EXTRACT-netshaddressgw=Gateway\:\s+(?[\d\.]+)
EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?\d+)

###### Extractions moved from TA-AD ######
## Line-oriented AD health/site/replication output: no line merging, no header detection.
[MSAD:NT6:Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:SiteInfo]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
[MSAD:NT6:Replication]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Netlogon debug log: a new event starts at each "MM/DD hh:mm:ss [" timestamp prefix
## (lookahead, so the timestamp stays in the event). The subnetaffinity extraction
## picks up NO_CLIENT_SITE lines; its capture-group names are missing in this copy.
[MSAD:NT6:Netlogon]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
EXTRACT-subnetaffinity = \s(?[^:]+): (?NO_CLIENT_SITE): (?[^\s]+) (?[0-9A-Fa-f:\.]+)
## NO_CLIENT_SITE extraction for the dedicated subnet-affinity sourcetype.
## NOTE(review): the named-capture groups in the EXTRACT keys of this block appear
## as "(?" with no "<name>" - the names look stripped in this copy of the file.
[MSAD:SubnetAffinity]
EXTRACT-subnetaffinity = (?\w+): NO_CLIENT_SITE: (?\w+) (?[0-9\.]+)

###### Extractions moved from TA-DNS ######
[MSAD:NT6:DNS-Zone-Information]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## TRUNCATE = 0 lifts the per-event length cap for the DNS health report
[MSAD:NT6:DNS-Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TRUNCATE = 0
REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV

## DNS server debug log. Events break before each "d.m.yyyy h:m:s AM/PM" stamp;
## the "." between date parts is unescaped, so it matches any single character.
## KV_MODE = none: fields come only from the EXTRACT/REPORT/LOOKUP entries below.
[MSAD:NT6:DNS]
KV_MODE = none
LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
# Load balancing on UF
## Same pattern as LINE_BREAKER so a universal forwarder can break the stream at event boundaries
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Parses the single-line PACKET record. The capture-group names are missing in
## this copy; the fields referenced below (questionname, questiontype, src_ip,
## packetid, protocol, opcode, operation, response) presumably come from here.
## "(:?\(\d+\))?" reads like a typo for the non-capturing "(?:...)" - as written it
## captures an optional colon followed by a "(N)" label length; harmless but worth confirming.
EXTRACT-singleLine = (?[0-9A-Fa-f]+)\s+(?PACKET)\s+(?[0-9A-Fa-f]*) (?UDP|TCP) (?\w+) (?[0-9A-Fa-f\.\:]+)\s+(?[0-9A-Fa-f]+)\s+(?[ R]) (?.) \[(?[0-9A-Fa-f]+) (?....) (?[^\]]+)\]\s+(?:QTYPE\s+)?(?\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?[^\n]*)\(0\)
EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
## The debug log writes names as "(3)www(7)example(3)com(0)"; replace each "(N)" with a dot
EVAL-query = replace(questionname,"(?:\(\d+\))",".")
FIELDALIAS-record_type = questiontype AS record_type
FIELDALIAS-query = questionname AS query
FIELDALIAS-src = src_ip AS src
FIELDALIAS-dest = host AS dest
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
## "R" in the operation column marks a response; anything else is treated as a query
EVAL-message_type = if(operation=="R","Response", "Query")
EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
## Per answer value: "(N)" -> "." and bracketed "[...]" tokens removed
EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
EVAL-vendor_product = "Microsoft Windows"
REPORT-Multi_answer = Answer_multi_value
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class