##
## SPDX-FileCopyrightText: 2021 Splunk, Inc.
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
## transforms.conf for Splunk_TA_windows. Splunk .conf syntax: "#" starts a
## full-line comment, "[name]" opens a stanza, "key = value" sets a key.
## Stanzas are wired up by name from props.conf (REPORT-/LOOKUP-/TRANSFORMS-),
## so renaming a stanza here silently disconnects it there.
##
## Stanzas with DEST_KEY = MetaData:* / queue run at index time and rewrite
## host, source, sourcetype or drop the event; everything else is a
## search-time field extraction, alias or lookup definition.

###### Active Directory ######

# Scripted (external) lookup. Splunk executes the named script with its
# bundled python3; the script is code running on the search head, so changes
# to it deserve code review rather than configuration review.
[user_account_control_property]
external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag
external_type = python
fields_list = userAccountControl,userAccountPropertyFlag
python.version = python3

###### DHCP ######

# Index-time filter for the DHCP audit log: any line that does not begin with
# a numeric ID followed by a comma (header and comment lines) is routed to
# nullQueue and never indexed. Dropped events are unrecoverable - widen this
# pattern with care.
[dhcp_discard_headers]
REGEX = ^(?:[^\d]+|\d+[^\d,])
DEST_KEY = queue
FORMAT = nullQueue

# Positional field names for the comma-separated DHCP audit log lines.
[auto_kv_for_microsoft_dhcp]
DELIMS = ","
FIELDS = msdhcp_id,date,time,description,ip,nt_host,mac,msdhcp_user,transaction_id,qresult,probation_time,correlation_id,dhc_id,vendorclass_hex,vendorclass_ascii,userclass_hex,userclass_ascii,relay_agent_information,dns_reg_error

# NOTE(review): the capture group reads "(?[^\.]+...", which is not valid
# PCRE; the name of a named group "(?<name>...)" looks stripped in extraction.
# Restore it from the shipped file before relying on this stanza.
[microsoft_dhcp_dest_dns]
SOURCE_KEY = nt_host
REGEX = (?[^\.]+\.\w+)$

[msdhcp_signature_lookup]
filename = msdhcp_signatures.csv

## IAS (Currently WinEventLog Support Only)
# Index-time source rewrite so System-log events from the IAS provider pick up
# the IAS-specific props.
[force_source_system_ias_for_wineventlog]
DEST_KEY = MetaData:Source
REGEX = SourceName\=IAS
FORMAT = source::WinEventLog:System:IAS

###### All Windows Event Log ######
## Lookups
[windows_severity_lookup]
filename = windows_severities.csv
case_sensitive_match = false

[windows_signature_lookup]
filename = windows_signatures_860.csv

[windows_signature_lookup2]
filename = windows_signatures_substatus_850.csv

[windows_eventtype_lookup]
filename = windows_eventtypes.csv

## REPORT
# Splits Image_File_Name into the directory part (through the last / or \)
# and the base name. $1 is the directory only, unlike the object_file_path
# extractions later in this file, which keep the full path.
[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2

####### Windows Security Event Log ######
## Lookups
[windows_action_lookup]
filename = windows_actions.csv

[windows_app_lookup]
filename = windows_apps.csv

[windows_audit_changes_lookup]
filename = windows_audit_changes_860.csv

[windows_privilege_lookup]
filename = windows_privileges.csv

[MSADGroupType]
filename = msad_group_type.csv
max_matches = 1

[xmlsecurity_eventcode_action_lookup]
filename = xmlsecurity_eventcode_action.csv

[xmlsecurity_eventcode_action_lookup_multiinput]
filename = xmlsecurity_eventcode_action_multiinput.csv
case_sensitive_match = false

[xmlsecurity_eventcode_errorcode_action_lookup]
filename = xmlsecurity_eventcode_errorcode_action.csv
case_sensitive_match = false

## REPORT
# Privilege list from the Message text. The _sv variant stops at the next
# "Label:" line; the _mv variant takes everything to the end of the message.
# NOTE(review): "^" is used after the start of the pattern without (?m);
# whether it matches at line starts depends on the regex mode Splunk applies
# to REPORT extractions - confirm against a sample event.
[vendor_privilege_sv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:)
FORMAT = vendor_privilege::$1

[vendor_privilege_mv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*)
FORMAT = vendor_privilege::$1

# Intended as one privilege_id per line of vendor_privilege (MV_ADD). The
# same "^" without (?m) caveat applies: with start-of-value anchoring only
# the first line would be captured.
[privilege_id_for_windows_security]
SOURCE_KEY = vendor_privilege
REGEX = ^([^\r\n]+)
FORMAT = privilege_id::$1
MV_ADD = True

# First run of digits after a non-digit prefix in Token_Elevation_Type.
[Token_Elevation_Type_id_for_windows_security]
SOURCE_KEY = Token_Elevation_Type
REGEX = ^[^\d]+(\d+)
FORMAT = Token_Elevation_Type_id::$1

## Aliases
# Patterns shared by the alias stanzas below:
#   (?:[\\]+)?([^-].*)      strip leading backslashes; no match when the value
#                           starts with "-" (the placeholder Windows uses for
#                           an empty value)
#   (?!^-$)(.+)             no match when the value is exactly "-"
#   (?:(?:[^\n]+)\n)?(.+)   a two-line value (the same label appearing twice
#                           in one message, e.g. Subject then Target) yields
#                           the SECOND line; ([^\n]+)\n yields the FIRST and
#                           requires the newline, so single-line values give
#                           nothing
#   (.+)[\\]                text before the last backslash (the domain part)
[Logon_ID_as_session_id]
SOURCE_KEY = Logon_ID
REGEX = (?:(?:[^\n]+)\n)?(.*)
FORMAT = session_id::"$1"

[Client_Logon_ID_as_session_id]
SOURCE_KEY = Client_Logon_ID
REGEX = (.+)
FORMAT = session_id::"$1"

[Caller_Logon_ID_as_session_id]
SOURCE_KEY = Caller_Logon_ID
REGEX = (.+)
FORMAT = session_id::"$1"

[Target_Server_Name_as_dest]
SOURCE_KEY = Target_Server_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"

[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"

# Run against _raw (no SOURCE_KEY). NOTE(review): no opening-tag pattern
# precedes the capture; because [^<]+ cannot cross a tag the element content
# is still what gets captured, but a leading "<Computer>" may have been
# stripped in extraction - compare with the shipped file.
[Computer_as_dest]
REGEX = ([^<]+)<\/Computer>
FORMAT = dest::$1

[Computer_as_src]
REGEX = ([^<]+)<\/Computer>
FORMAT = src::$1

[Target_Server_Name_as_dest_nt_host]
SOURCE_KEY = Target_Server_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest_nt_host::"$1"

[ComputerName_as_dest_nt_host]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest_nt_host::"$1"

[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

# Second line of a two-line Account_Domain -> dest; the first line feeds
# src_nt_domain below.
[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"

[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"

[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
REGEX = (.+)
FORMAT = dest_nt_domain::"$1"

[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"

[Workstation_Name_as_src]
SOURCE_KEY = Workstation_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[Caller_Machine_Name_as_src]
SOURCE_KEY = Caller_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[Client_Machine_Name_as_src]
SOURCE_KEY = Client_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[Source_Network_Address_as_src]
SOURCE_KEY = Source_Network_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[Client_Address_as_src]
SOURCE_KEY = Client_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

[Source_Workstation_as_src]
SOURCE_KEY = Source_Workstation
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

# No address validation: anything not starting with "-" becomes src_ip,
# including "::1"/"::ffff:"-style values and non-IP text. Detections that
# treat src_ip as a parsed address should validate it themselves.
[Source_Network_Address_as_src_ip]
SOURCE_KEY = Source_Network_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_ip::"$1"

[Client_Address_as_src_ip]
SOURCE_KEY = Client_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_ip::"$1"

[Caller_Domain_as_src_nt_domain]
SOURCE_KEY = Caller_Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"

[Client_Domain_as_src_nt_domain]
SOURCE_KEY = Client_Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"

# First line of a two-line Account_Domain -> src (see header note).
[Account_Domain_as_src_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = (?!^-$)([^\n]+)\n
FORMAT = src_nt_domain::"$1"

[Domain_as_src_nt_domain]
SOURCE_KEY = Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"

# Run against _raw: text after the first "Security ID:" that follows a
# Subject / User / Account Information header, up to a backslash, "|" or
# newline.
[New_Security_ID_as_src_nt_domain]
REGEX = (?s)(?:Subject|User|Account\sInformation)\s*:.*?Security\sID:[ \t]*(.*?)[\\|\n]
FORMAT = src_nt_domain::"$1"

[Security_ID_as_src_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (?!^-$)(.+)[\\]
FORMAT = src_nt_domain::"$1"

[Workstation_Name_as_src_nt_host]
SOURCE_KEY = Workstation_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"

[Caller_Machine_Name_as_src_nt_host]
SOURCE_KEY = Caller_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"

[Client_Machine_Name_as_src_nt_host]
SOURCE_KEY = Client_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"

[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"

[Source_Workstation_as_src_nt_host]
SOURCE_KEY = Source_Workstation
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"

[Caller_User_Name_as_src_user]
SOURCE_KEY = Caller_User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"

[Client_User_Name_as_src_user]
SOURCE_KEY = Client_User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"

# First line of a two-line Account_Name -> src_user; the second line feeds
# user below.
[Account_Name_as_src_user]
SOURCE_KEY = Account_Name
REGEX = (?!^-$)([^\n]+)\n
FORMAT = src_user::"$1"

[User_Name_as_src_user]
SOURCE_KEY = User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"

[Target_User_Name_as_user]
SOURCE_KEY = Target_User_Name
REGEX = (.+)
FORMAT = user::"$1"

[Primary_User_Name_as_user]
SOURCE_KEY = Primary_User_Name
REGEX = (.+)
FORMAT = user::"$1"

[Target_Account_Name_as_user]
SOURCE_KEY = Target_Account_Name
REGEX = (.+)
FORMAT = user::"$1"

[New_Account_Name_as_user]
SOURCE_KEY = New_Account_Name
REGEX = (.+)
FORMAT = user::"$1"

[User_Name_as_user]
SOURCE_KEY = User_Name
REGEX = (.+)
FORMAT = user::"$1"

[Account_Name_as_user]
SOURCE_KEY = Account_Name
REGEX = (?:(?:[^\n]*)\n)?([^\n]*)
FORMAT = user::"$1"

## Security-CIM Mappings
# For a DN-shaped Account_Name ("CN=name,OU=...") user is the text before the
# first comma, with an optional CN= prefix removed. A value without a comma
# does not match this stanza.
[Special_Account_Name_as_user]
SOURCE_KEY = Account_Name
REGEX = (?:(?:[^\n]*)\n)?(?:(?:CN|cn)=)?([^\n]*?),.*
FORMAT = user::"$1"
## End Security-CIM Mappings

# (?:[^\\]+\\)?(.+) drops a leading "DOMAIN\" prefix.
[User_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

# Event Code 4776 (and possibly others)
# See also: [Logon_account_as_user]
[Logon_Account_as_user]
SOURCE_KEY = Logon_Account
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

# Event Code 680 (and possibly others)
# See also: [Logon_Account_as_user]
[Logon_account_as_user]
SOURCE_KEY = Logon_account
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

[Security_ID_as_user]
SOURCE_KEY = Security_ID
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"

[Member_ID_as_member_id]
SOURCE_KEY = Member_ID
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = member_id::"$1"

[Security_ID_as_member_id]
SOURCE_KEY = Security_ID
REGEX = (.+)
FORMAT = member_id::"$1"

[Member_Name_as_member_dn]
SOURCE_KEY = Member_Name
REGEX = (.+)
FORMAT = member_dn::"$1"

[Account_Name_as_member_dn]
SOURCE_KEY = Account_Name
REGEX = (.+)
FORMAT = member_dn::"$1"

# The captured domain part INCLUDES the trailing backslash ("DOMAIN\").
[Member_ID_as_member_nt_domain]
SOURCE_KEY = Member_ID
REGEX = ([^\\]+\\)?(?:.+)
FORMAT = member_nt_domain::"$1"

[Security_ID_as_member_nt_domain]
SOURCE_KEY = Security_ID
REGEX = ([^\\]+\\)?(?:.+)
FORMAT = member_nt_domain::"$1"

# Group type change text -> old/new class and type plus msad_action.
[msad_action_from_Group_Type_Change]
SOURCE_KEY = Group_Type_Change
REGEX = Security (Enabled|Disabled) (\w+) Group (Changed) to Security (Enabled|Disabled) (\w+) Group[:\.]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3" MSADNewGroupClassID::"$4" MSADNewGroupType::"$5"

[msad_action_from_Change_Type]
SOURCE_KEY = Change_Type
REGEX = Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group Changed to Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group[.:]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" MSADNewGroupClassID::"$3" MSADNewGroupType::"$4"

[msad_action_from_Description1]
SOURCE_KEY = Description
REGEX = Security (Enabled|Disabled) (\w+) Group (.*?)[:\.]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3"

[msad_action_from_Description2]
SOURCE_KEY = Description
REGEX = Computer Account (.*?)[:\.]
FORMAT = msad_action::"$1"

[msad_action_from_Description3]
SOURCE_KEY = Description
REGEX = User Account (.*?)[:\.]
FORMAT = msad_action::"$1"

[msad_action_from_raw1]
SOURCE_KEY = _raw
REGEX = (?ms).*A computer account was (.*?)[:\.]
FORMAT = msad_action::"$1"

[msad_action_from_raw2]
SOURCE_KEY = _raw
REGEX = (?ms).*A user account was (.*?)[:\.]
FORMAT = msad_action::"$1"

[msad_action_from_raw3]
SOURCE_KEY = _raw
REGEX = (?ms).*An attempt was made to (.*?)[:\.]
FORMAT = msad_action::"$1"

# NOTE(review): $1 here is the EventCode (4781 or 4912), not message text -
# the Message group is non-capturing. Presumably the code is mapped to an
# action by a lookup; confirm before changing.
[msad_action_from_raw4]
SOURCE_KEY = _raw
REGEX = (?ms)EventCode=(4781|4912)\s*\n.*Message=(?:.*?)[:\.]
FORMAT = msad_action::"$1"

# Changed-attribute blocks from the raw message; raw3-raw6 have no terminating
# header and capture to the end of the event.
[msad_attribute_changes_from_raw1]
SOURCE_KEY = _raw
REGEX = (?ms).*Changed Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
FORMAT = MSADChangedAttributes::"$1"

[msad_attribute_changes_from_raw2]
SOURCE_KEY = _raw
REGEX = (?ms).*Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
FORMAT = MSADChangedAttributes::"$1"

[msad_attribute_changes_from_raw3]
SOURCE_KEY = _raw
REGEX = (?ms).*Changed Attributes:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"

[msad_attribute_changes_from_raw4]
SOURCE_KEY = _raw
REGEX = (?ms)EventCode=(?:624|645|4720|4741).*Attributes:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"

[msad_attribute_changes_from_raw5]
SOURCE_KEY = _raw
REGEX = (?ms).*Category Settings:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"

[msad_attribute_changes_from_raw6]
SOURCE_KEY = _raw
REGEX = (?ms).*Policy Change Details:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"

###### Windows System Event Log ######

# signature = one of three fixed time-service message texts.
[signature_for_windows_system_timesync]
SOURCE_KEY = Message
REGEX = ((?:The\s+time\s+provider\s+\w+\s+is\s+configured\s+to\s+acquire\s+time\s+from\s+one\s+or\s+more\s+time\s+sources\,\s+however\s+none\s+of\s+the\s+sources\s+are\s+currently\s+accessible)|(?:The\s+time\s+service\s+is\s+now\s+synchronizing\s+the\s+system\s+time\s+with\s+the\s+time\s+source)|(?:Time\s+Provider\s+\w+\:\s+An\s+error\s+occurred\s+during\s+DNS\s+lookup\s+of\s+the\s+manually\s+configured\s+peer))
FORMAT = signature::$1

[signature_message_for_windows_system_update]
REGEX = Installation Ready: The following updates are downloaded and ready for installation.*?:\s+((?:.*[\r\n])*)
FORMAT = signature_message::$1

[signature_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = signature::"$1"

# One signature per "- <update>" line of signature_message.
[signature_for_windows_system_update2]
SOURCE_KEY = signature_message
REGEX = -\s+([^\r\n]+)
FORMAT = signature::$1
MV_ADD = True

# Strips an optional "DOMAIN\" or "DOMAIN/" prefix. NOTE(review): [^.]+ stops
# at the first "." so a user like first.last or a UPN is truncated - confirm
# this is intended.
[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"

[service_name_eventcode_7036]
SOURCE_KEY = Message
REGEX = ^The (.*) service entered the (.*) state\.
FORMAT = Service_Name::"$1" status::"$2"

[ServiceName_as_service_name]
SOURCE_KEY = param1
REGEX = (.+)
FORMAT = ServiceName::"$1"

[service_name_eventcode_7040]
SOURCE_KEY = Message
REGEX = ^The start type of the (.*) service was changed from .* to (.*)\.
FORMAT = Service_Name::"$1" start_type2::"$2"

## IAS (Currently WinEventLog Support Only)
# Generic "key = value" extraction over every line of the message. Field
# names come from the event text itself (FORMAT = $1::$2), so a crafted
# message line can populate an arbitrary field name; do not key detections on
# a field that only this stanza produces without checking the value.
[auto_kv_for_windows_system_ias]
SOURCE_KEY = Message
REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*)
FORMAT = $1::$2
MV_ADD = TRUE

###### Update ######
[windows_update_status_lookup]
filename = windows_update_statii.csv

[signature_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = signature_message::"$1" vendor_status::"$2"

[signature_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" signature::"$2"

[signature_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" signature::"$2"

[signature_for_windowsupdatelog_signature_message]
SOURCE_KEY = signature_message
REGEX = \-\s+([^)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = signature::"$1"
MV_ADD = True

[signature_id_for_windowsupdatelog]
SOURCE_KEY = signature
REGEX = (KB\d+)
FORMAT = signature_id::$1
MV_ADD = True

# Third, fourth and fifth whitespace-separated tokens of the log line.
[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3

###### Endpoint Changes ######
## Endpoint Changes: lookups
# default_match/min_matches: a status code with no row in the CSV is reported
# as "failure" rather than left empty.
[endpoint_change_status_lookup]
filename = status_850.csv
default_match = failure
min_matches = 1
max_matches = 1

[endpoint_change_object_category_lookup]
filename = object_category_850.csv

[endpoint_change_vendor_action_lookup]
filename = vendor_actions.csv

[endpoint_change_user_type_lookup]
filename = user_types.csv

## WinRegistry
## Registry Extractions
# registry_path is the full key_path; registry_key_name its last component.
[registry_key_for_WinRegistry]
REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
FORMAT = registry_path::$1 registry_key_name::$2

# For value events the last path component is the value name; the key path
# and key name are the two components before it.
[registry_key-registry_value_for_WinRegistry]
REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(.*?))\\([^"]+)
FORMAT = registry_path::$1 registry_key_name::$2 registry_value_name::$3

[registry_value_data_for_WinRegistry]
REGEX = data="([^"]+)"
FORMAT = registry_value_data::$1

## Endpoint Change Extractions
[object_as_registry_key_for_WinRegistry]
REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
FORMAT = object_path::$1 object::$2

[object_as_registry_value_for_WinRegistry]
REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(?:.*?))\\([^"]+)
FORMAT = object_path::$1 object::$2

# event_status="(<code>)<text>" -> numeric code and message text.
[vendor_status_msg_for_WinRegistry]
REGEX = event_status="\(([0-9-]+)\)([^\"]+)"
FORMAT = vendor_status::$1 msg::$2

# Note: user_path is not a CIM field, so we exclude it so as to avoid potential overlap.
# The commented "FORMAT" is for reference only.
# NOTE(review): this assigns the text after the LAST backslash of
# process_image to user. If process_image is an executable path, as the name
# suggests, that yields the image basename rather than an account - confirm
# against live WinRegistry events before relying on user from this source.
[user_for_WinRegistry]
REGEX = process_image=\"(?:[^\"]+)\\([^\"]+)\"
FORMAT = user::$1
##FORMAT = user_path::$1 user::$2

###### Splunk WMI ######
# Index-time metadata rewrites driven by fields inside the event body. The
# host an event is attributed to therefore comes from the data
# (ComputerName= / wmi_hostname=), not from the forwarder connection; a
# forwarder that can write these fields can choose the host value.
# NOTE(review): (.+) - unlike the [^\r\n]+ used for source/sourcetype below -
# keeps a trailing \r on CRLF input; confirm the WMI input's line endings.
[wmi-host]
REGEX = (?m)ComputerName=(.+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

[wmi-override-host]
REGEX = (?m)wmi_hostname=(.+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

[wmi-source]
REGEX = (?m)wmi_type=([^\r\n]+)
DEST_KEY = MetaData:Source
FORMAT = source::WMI:$1

[wmi-sourcetype]
REGEX = (?m)wmi_type=([^\r\n]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WMI:$1

# WMI-collected event logs keep the WinEventLog:<channel> naming instead of
# the WMI: prefix.
[wmi-wineventlog-source]
REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
DEST_KEY = MetaData:Source
FORMAT = source::$1$2

[wmi-wineventlog-sourcetype]
REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1$2

## Installed Apps
# One stanza per "Key=value" line of the installed-apps input; each is
# anchored at a line start and keeps the rest of the line as the value.
[AuthorizedCDFPrefix_for_win_installed_apps]
REGEX = ^AuthorizedCDFPrefix=([^\r\n]+)
FORMAT = AuthorizedCDFPrefix::$1

[Comments_for_win_installed_apps]
REGEX = ^Comments=([^\r\n]+)
FORMAT = Comments::$1

[Contact_for_win_installed_apps]
REGEX = ^Contact=([^\r\n]+)
FORMAT = Contact::$1

[DisplayVersion_for_win_installed_apps]
REGEX = ^DisplayVersion=([^\r\n]+)
FORMAT = DisplayVersion::$1

[HelpLink_for_win_installed_apps]
REGEX = ^HelpLink=([^\r\n]+)
FORMAT = HelpLink::$1

[HelpTelephone_for_win_installed_apps]
REGEX = ^HelpTelephone=([^\r\n]+)
FORMAT = HelpTelephone::$1

[InstallDate_for_win_installed_apps]
REGEX = ^InstallDate=([^\r\n]+)
FORMAT = InstallDate::$1

[InstallLocation_for_win_installed_apps]
REGEX = ^InstallLocation=([^\r\n]+)
FORMAT = InstallLocation::$1

[InstallSource_for_win_installed_apps]
REGEX = ^InstallSource=([^\r\n]+)
FORMAT = InstallSource::$1

[ModifyPath_for_win_installed_apps]
REGEX = ^ModifyPath=([^\r\n]+)
FORMAT = ModifyPath::$1

[NoModify_for_win_installed_apps]
REGEX = ^NoModify=([^\r\n]+)
FORMAT = NoModify::$1

[NoRepair_for_win_installed_apps]
REGEX = ^NoRepair=([^\r\n]+)
FORMAT = NoRepair::$1

[Publisher_for_win_installed_apps]
REGEX = ^Publisher=([^\r\n]+)
FORMAT = Publisher::$1

[Readme_for_win_installed_apps]
REGEX = ^Readme=([^\r\n]+)
FORMAT = Readme::$1

[Size_for_win_installed_apps]
REGEX = ^Size=([^\r\n]+)
FORMAT = Size::$1

[EstimatedSize_for_win_installed_apps]
REGEX = ^EstimatedSize=([^\r\n]+)
FORMAT = EstimatedSize::$1

[UninstallString_for_win_installed_apps]
REGEX = ^UninstallString=([^\r\n]+)
FORMAT = UninstallString::$1

[URLInfoAbout_for_win_installed_apps]
REGEX = ^URLInfoAbout=([^\r\n]+)
FORMAT = URLInfoAbout::$1

[URLUpdateInfo_for_win_installed_apps]
REGEX = ^URLUpdateInfo=([^\r\n]+)
FORMAT = URLUpdateInfo::$1

[VersionMajor_for_win_installed_apps]
REGEX = ^VersionMajor=([^\r\n]+)
FORMAT = VersionMajor::$1

[VersionMinor_for_win_installed_apps]
REGEX = ^VersionMinor=([^\r\n]+)
FORMAT = VersionMinor::$1

[WindowsInstaller_for_win_installed_apps]
REGEX = ^WindowsInstaller=([^\r\n]+)
FORMAT = WindowsInstaller::$1

[Version_for_win_installed_apps]
REGEX = ^Version=([^\r\n]+)
FORMAT = Version::$1

# NOTE(review): the only stanza in this group without the "^" anchor, so it
# also matches "...Language=" appearing later in a line - confirm whether
# that is deliberate.
[Language_for_win_installed_apps]
REGEX = Language=([^\r\n]+)
FORMAT = Language::$1

[DisplayName_for_win_installed_apps]
REGEX = ^DisplayName=([^\r\n]+)
FORMAT = DisplayName::$1

## Installed Updates
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1

## Listening Ports
# Dotted-quad only: an IPv6 listener address does not match and dest_ip is
# left unset for that event.
[dest_ip_for_listeningports]
REGEX = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1

[kv_for_listeningports]
DELIMS = " ", "="

## Time Configuration
# "Label:value" lines of the time-configuration input, one stanza per label,
# each anchored at a line start.
[Current_time_for_win_timesync]
REGEX = ^Current\s*time:([^\r\n]+)
FORMAT = Current_time::$1

[EventLogFlags_for_win_timesync_configuration]
REGEX = ^EventLogFlags:([^\r\n]+)
FORMAT = EventLogFlags::$1

[AnnounceFlags_for_win_timesync_configuration]
REGEX = ^AnnounceFlags:([^\r\n]+)
FORMAT = AnnounceFlags::$1

[TimeJumpAuditOffset_for_win_timesync_configuration]
REGEX = ^TimeJumpAuditOffset:([^\r\n]+)
FORMAT = TimeJumpAuditOffset::$1

[MinPollInterval_for_win_timesync_configuration]
REGEX = ^MinPollInterval:([^\r\n]+)
FORMAT = MinPollInterval::$1
# Remaining "Label:value" lines of the time-configuration input (continued
# from above): one stanza per label, anchored at a line start, value taken to
# the end of the line.
[MaxPollInterval_for_win_timesync_configuration]
REGEX = ^MaxPollInterval:([^\r\n]+)
FORMAT = MaxPollInterval::$1

[MaxNegPhaseCorrection_for_win_timesync_configuration]
REGEX = ^MaxNegPhaseCorrection:([^\r\n]+)
FORMAT = MaxNegPhaseCorrection::$1

[MaxPosPhaseCorrection_for_win_timesync_configuration]
REGEX = ^MaxPosPhaseCorrection:([^\r\n]+)
FORMAT = MaxPosPhaseCorrection::$1

[MaxAllowedPhaseOffset_for_win_timesync_configuration]
REGEX = ^MaxAllowedPhaseOffset:([^\r\n]+)
FORMAT = MaxAllowedPhaseOffset::$1

[FrequencyCorrectRate_for_win_timesync_configuration]
REGEX = ^FrequencyCorrectRate:([^\r\n]+)
FORMAT = FrequencyCorrectRate::$1

[PollAdjustFactor_for_win_timesync_configuration]
REGEX = ^PollAdjustFactor:([^\r\n]+)
FORMAT = PollAdjustFactor::$1

[LargePhaseOffset_for_win_timesync_configuration]
REGEX = ^LargePhaseOffset:([^\r\n]+)
FORMAT = LargePhaseOffset::$1

[SpikeWatchPeriod_for_win_timesync_configuration]
REGEX = ^SpikeWatchPeriod:([^\r\n]+)
FORMAT = SpikeWatchPeriod::$1

[LocalClockDispersion_for_win_timesync_configuration]
REGEX = ^LocalClockDispersion:([^\r\n]+)
FORMAT = LocalClockDispersion::$1

[HoldPeriod_for_win_timesync_configuration]
REGEX = ^HoldPeriod:([^\r\n]+)
FORMAT = HoldPeriod::$1

[PhaseCorrectRate_for_win_timesync_configuration]
REGEX = ^PhaseCorrectRate:([^\r\n]+)
FORMAT = PhaseCorrectRate::$1

[UpdateInterval_for_win_timesync_configuration]
REGEX = ^UpdateInterval:([^\r\n]+)
FORMAT = UpdateInterval::$1

[FileLogName_for_win_timesync_configuration]
REGEX = ^FileLogName:([^\r\n]+)
FORMAT = FileLogName::$1

[FileLogEntries_for_win_timesync_configuration]
REGEX = ^FileLogEntries:([^\r\n]+)
FORMAT = FileLogEntries::$1

[FileLogSize_for_win_timesync_configuration]
REGEX = ^FileLogSize:([^\r\n]+)
FORMAT = FileLogSize::$1

[FileLogFlags_for_win_timesync_configuration]
REGEX = ^FileLogFlags:([^\r\n]+)
FORMAT = FileLogFlags::$1

[Time_zone_for_win_timesync]
REGEX = ^Time\s*zone:([^\r\n]+)
FORMAT = Time_zone::$1

## Time Synchronization
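# Wildcard match on Last_Sync_Error; first matching row wins.
[windows_timesync_action_lookup]
filename = windows_timesync_actions.csv
match_type = WILDCARD(Last_Sync_Error)
max_matches = 1

# "Label:value" lines of the time-synchronization status input, one stanza
# per label, each anchored at a line start.
[Leap_Indicator_for_win_timesync_status]
REGEX = ^Leap\s*Indicator:([^\r\n]+)
FORMAT = Leap_Indicator::$1

[Stratum_for_win_timesync_status]
REGEX = ^Stratum:([^\r\n]+)
FORMAT = Stratum::$1

[Precision_for_win_timesync_status]
REGEX = ^Precision:([^\r\n]+)
FORMAT = Precision::$1

[Root_Delay_for_win_timesync_status]
REGEX = ^Root\s*Delay:([^\r\n]+)
FORMAT = Root_Delay::$1

[Root_Dispersion_for_win_timesync_status]
REGEX = ^Root\s*Dispersion:([^\r\n]+)
FORMAT = Root_Dispersion::$1

[ReferenceId_for_win_timesync_status]
REGEX = ^ReferenceId:([^\r\n]+)
FORMAT = ReferenceId::$1

[Last_Successful_Sync_Time_for_win_timesync_status]
REGEX = ^Last\s*Successful\s*Sync\s*Time:([^\r\n]+)
FORMAT = Last_Successful_Sync_Time::$1

[Source_for_win_timesync_status]
REGEX = ^Source:([^\r\n]+)
FORMAT = Source::$1

[Poll_Interval_for_win_timesync_status]
REGEX = ^Poll\s*Interval:([^\r\n]+)
FORMAT = Poll_Interval::$1

[Phase_Offset_for_win_timesync_status]
REGEX = ^Phase\s*Offset:([^\r\n]+)
FORMAT = Phase_Offset::$1

[ClockRate_for_win_timesync_status]
REGEX = ^ClockRate:([^\r\n]+)
FORMAT = ClockRate::$1

[State_Machine_for_win_timesync_status]
REGEX = ^State\s*Machine:([^\r\n]+)
FORMAT = State_Machine::$1

[Time_Source_Flags_for_win_timesync_status]
REGEX = ^Time\s*Source\s*Flags:([^\r\n]+)
FORMAT = Time_Source_Flags::$1

[Server_Role_for_win_timesync_status]
REGEX = ^Server\s*Role:([^\r\n]+)
FORMAT = Server_Role::$1

[Last_Sync_Error_for_win_timesync_status]
REGEX = ^Last\s*Sync\s*Error:([^\r\n]+)
FORMAT = Last_Sync_Error::$1

[Time_since_Last_Good_Sync_Time_for_win_timesync_status]
REGEX = ^Time\s*since\s*Last\s*Good\s*Sync\s*Time:([^\r\n]+)
FORMAT = Time_since_Last_Good_Sync_Time::$1

## Version
[wmi_version_range_lookup]
filename = wmi_version_range.csv

[wmi_user_account_status_lookup]
filename = wmi_user_account_status.csv

[Caption_for_wmi_version]
REGEX = ^Caption=([^\r\n]+)
FORMAT = Caption::$1

## Setting generic sourcetype and unique source
# Index-time rewrites. Source becomes WinEventLog:<LogName> for classic events
# and XmlWinEventLog:<Channel> for XML events; the sourcetype keeps only the
# part before the first ":" (e.g. "WinEventLog:Security" -> "WinEventLog").
# Note that LogName/Channel come from the event body, so the source an event
# lands under is data-driven.
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1

# Opening-tag pattern restored: without "<Channel>" in front, the lazy (.+?)
# would start at the beginning of the event and capture everything up to the
# closing tag.
[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1

[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1

## Overriding host to identify system from which events are generated
# host is taken from the event body (ComputerName= / <Computer>), truncated
# at the first ".", not from the forwarding connection. Anything that can
# write those values chooses which host the event is attributed to; keep
# that in mind when host is used as a trust signal in detections.
[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=([^.]+)
FORMAT = host::$1

# Opening-tag pattern restored: [^.<]+ without "<Computer>" in front would
# match the first dot-free run in the event (the start of the <Event> tag).
[WinEventXmlHostOverride]
DEST_KEY = MetaData:Host
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = host::$1

###### Generic XML eventlog extraction ######
# Extract the XML into blocks.
# Each block captures the inner text of one top-level element into a
# *_Xml field that the stanzas below parse further. The opening-tag pattern
# "<Name(?:\s[^>]+)?>" accepts the element with or without attributes.
[system_xml_block]
REGEX = (?ms)<System(?:\s[^>]+)?>(.*?)<\/System>
FORMAT = System_Props_Xml::$1

[eventdata_xml_block]
REGEX = (?ms)<EventData(?:\s[^>]+)?>(.*?)<\/EventData>
FORMAT = EventData_Xml::$1
MV_ADD = 1

[userdata_xml_block]
REGEX = (?ms)<UserData(?:\s[^>]+)?>(.*?)<\/UserData>
FORMAT = UserData_Xml::$1

[debugdata_xml_block]
REGEX = (?ms)<DebugData(?:\s[^>]+)?>(.*?)<\/DebugData>
FORMAT = DebugData_Xml::$1

[renderinginfo_xml_block]
REGEX = (?ms)<RenderingInfo(?:\s[^>]+)?>(.*?)<\/RenderingInfo>
FORMAT = RenderingInfo_Xml::$1

[system_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value.
# Only attribute-less elements match (<(\w*)> allows no attributes); the
# field name comes from the element name in the event.
SOURCE_KEY = System_Props_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

[windows_start_mode_lookup]
filename = windows_start_mode_lookup.csv

[system_props_xml_attributes]
# Extracts values from following fields:
# Provider: Name, Guid
# TimeCreated: SystemTime, RawTime
# Correlation: ActivityID, RelativeActivityID
# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
# Security: UserID
# Any attr='value' / attr="value" pair in the System block becomes attr::value;
# the captured value keeps its surrounding quotes.
SOURCE_KEY = System_Props_Xml
REGEX = (?ms)\s([^\s=]+)\s*=\s*(\'[^<\']*\'|"[^<"]*")
FORMAT = $1::$2
MV_ADD = 1

[eventdata_xml_data]
# Extracts <Data Name='name'>value</Data> (any element carrying a Name
# attribute) as name::value. Skips ComplexData tags.
# The field NAME is taken from the event, so EventData can populate any
# field name; later extractions and aliases may override it. The trailing
# (?:<\/\1>)? back-references the Name value rather than the element name,
# so it never matches the real closing tag - harmless because it is optional.
SOURCE_KEY = EventData_Xml
REGEX = <(?:\w+)\sName='([^>]*)'\/?>([^<]*)(?:<\/\1>)?
FORMAT = $1::$2
MV_ADD = 1

[rendering_info_xml_data]
# Extracts anything in the form of <tag>value</tag> as tag::value.
SOURCE_KEY = RenderingInfo_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

# Opening-tag patterns restored for the two UserData elements below.
[updatelist_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<updatelist(?:\s[^>]+)?>(.*?)<\/updatelist>
FORMAT = signature_message::$1

[updatetitle_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<updatetitle(?:\s[^>]+)?>(.*?)<\/updatetitle>
FORMAT = signature::$1

## XML -> classic field-name aliases
[EventID_as_EventCode]
SOURCE_KEY = EventID
REGEX = (.+)
FORMAT = EventCode::$1

# Opening-tag pattern restored; written like the block extractions above so
# an <EventID> element carrying attributes still matches. Without a leading
# tag the lazy (.+?) would capture from the start of the event.
[EventID2_as_EventCode]
REGEX = <EventID(?:\s[^>]+)?>(.+?)<\/EventID>.*
FORMAT = EventCode::$1

[EventRecordID_as_RecordNumber]
SOURCE_KEY = EventRecordID
REGEX = (.+)
FORMAT = RecordNumber::$1

[PrivilegeList_as_vendor_privilege]
SOURCE_KEY = PrivilegeList
REGEX = (.+)
FORMAT = vendor_privilege::$1

[IpPort_as_Source_Port]
SOURCE_KEY = IpPort
REGEX = (.+)
FORMAT = Source_Port::$1

[TokenElevationType_as_Token_Elevation_Type]
SOURCE_KEY = TokenElevationType
REGEX = (.+)
FORMAT = Token_Elevation_Type::$1

[TargetServerName_as_Target_Server_Name]
SOURCE_KEY = TargetServerName
REGEX = (.+)
FORMAT = Target_Server_Name::$1

[LogonType_as_Logon_Type]
SOURCE_KEY = LogonType
REGEX = (.+)
FORMAT = Logon_Type::$1

[SubjectLogonId_as_Logon_ID]
SOURCE_KEY = SubjectLogonId
REGEX = (.+)
FORMAT = Logon_ID::$1

[SubjectDomainName_as_Caller_Domain]
SOURCE_KEY = SubjectDomainName
REGEX = (.+)
FORMAT = Caller_Domain::$1

[TargetDomainName_as_Target_Domain]
SOURCE_KEY = TargetDomainName
REGEX = (.+)
FORMAT = Target_Domain::$1

[SubjectUserName_as_Caller_User_Name]
SOURCE_KEY = SubjectUserName
REGEX = (.+)
FORMAT = Caller_User_Name::$1

[TargetUserName_as_Target_User_Name]
SOURCE_KEY = TargetUserName
REGEX = (.+)
FORMAT = Target_User_Name::$1

[SubStatus_as_Sub_Status]
SOURCE_KEY = SubStatus
REGEX = (.+)
FORMAT = Sub_Status::$1

# Three XML fields feed Source_Workstation; an event carrying more than one
# of them gets more than one candidate value.
[Workstation_as_Source_Workstation]
SOURCE_KEY = Workstation
REGEX = (.+)
FORMAT = Source_Workstation::$1

[WorkstationName_as_Source_Workstation]
SOURCE_KEY = WorkstationName
REGEX = (.+)
FORMAT = Source_Workstation::$1

[IpAddress_as_Source_Workstation]
SOURCE_KEY = IpAddress
REGEX = (.+)
FORMAT = Source_Workstation::$1

#Tag Expansion Regexs - ADDON10972
# NOTE(review): every "(?" in the stanzas from here to the end of this group
# is followed directly by the pattern, which is not valid PCRE; these were
# named groups "(?<name>...)" (they have no FORMAT, so the names are the
# field names) and the "<name>" parts look stripped in extraction. They
# are kept byte-for-byte; restore the names from the shipped file.
[field_extract_wmi_localprocesses_anomalous]
REGEX = IDProcess=(?\d+)\s*Name=(?.+)\s*PercentProcessorTime=(?\d+)\s*PrivateBytes=(?\d+)

[field_extract_wmi_freediskspace_anomalous]
REGEX = FreeMegabytes=(?\d+)\s*Name=(?\S+)\s*PercentFreeSpace=(?\d*)

[field_extract_wmi_memory_anomalous]
REGEX = AvailableBytes=(?\d+)\s*CommittedBytes=(?\d+)\s*(?:PagesInputPersec=\d+(?:\.\d+)?\s*PagesOutput
Persec=\d+(?:\.\d+)?)?\s*PagesPersec=(?\d+(?:\.\d+)?)\s*PercentCommittedBytesInUse=(?\d+(?:\.\d+)?)\s*PoolNonpagedBytes=(?\d+)\s*PoolPagedBytes=(?\d+)

[field_extract_wmi_service_state_anomalous]
REGEX = Caption=(?.+)\s*Description=(?.+)\s*Name=(?.+)\s*PathName=(?.*)\s*StartMode=(?\S*)\s*StartName=(?.*)\s*State=(?\S*)\s*Status=(?\S+)

[field_extract_wmi_uptime_anomalous]
REGEX = SystemUpTime=(?\d+)

[field_extract_wmi_cputime_anomalous]
REGEX = PercentProcessorTime=(?\d+)\s*PercentUserTime=(?\d+)

[field_extract_wmi_useraccounts_caption_description_name]
REGEX = Caption=(?.+)\s*Description=(?.+)\s*Domain=.*Name=(?.+)\s*SID=

[field_extract_wmi_service_caption_description_pathname]
REGEX = Caption=(?.+)\s*Description=(?.+)\s*Name=.*PathName=(?.+)\sStartMode=

[field_extract_wmi_localphysicaldisk_name]
REGEX = Name=(?.+)\s*PercentDiskReadTime

# Block extractions for the "Group:" and "Subject:" sections of classic
# security messages (every sub-line optional). Same stripped-name caveat.
[group_fields_extraction]
REGEX = Group:[\r\n]+(?:\s+Security\sID:\s*(?[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sName:\s*(?[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sDomain:\s*(?[^\r\n]*)[\r\n]*)?

[subject_fields_extraction]
REGEX = Subject:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?[^\r\n]*)[\r\n]*)?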
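# Block extractions for the labelled sections of classic security messages
# (every sub-line optional).
# NOTE(review): each "(?" below is followed directly by the pattern, which is
# not valid PCRE; these were named groups "(?<name>...)" (no FORMAT, so the
# names are the field names) and the "<name>" parts look stripped in
# extraction. Kept byte-for-byte; restore the names from the shipped file.
[target_fields_extraction]
REGEX = Target\sAccount:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)?(?:\s+Old\sAccount\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+New\sAccount\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?[^\r\n]*)[\r\n]*)?

[new_account_fields_extraction]
REGEX = New\sAccount:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)?

[member_fields_extraction]
REGEX = Member:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?

[account_locked_out_fields_extraction]
REGEX = Account\sThat\sWas\sLocked\sOut:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?

# Scheduled-task XML bodies; [\w\W]* spans newlines and captures through the
# closing </Task>. Same stripped-name caveat.
[task_fields_extraction]
REGEX = Task\sContent:(?[\w\W]*<\/Task>)

[new_task_fields_extraction]
REGEX = Task\sNew\sContent:(?[\w\W]*<\/Task>)

# service_path: the executable path from PathName up to, but not including,
# the first argument separator; service_exec: its basename.
[field_extract_wmi_service_path]
REGEX = PathName=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+)
FORMAT = service_path::$1

[field_extract_wmi_service_exec]
SOURCE_KEY = service_path
REGEX = (?:.*[\\\/](.*))
FORMAT = service_exec::$1

## WinHostMon
[System_Type_for_WinHostMon_computer]
REGEX = ^System\sType="([^\r\n]+)"
FORMAT = System_Type::$1

[Processor_Id_for_WinHostMon_processor]
REGEX = ^Processor\sId="([^\r\n]+)"
FORMAT = Processor_Id::$1

[Path_for_WinHostMon_service]
REGEX = ^Path="([^\r\n]+)"
FORMAT = Path::$1

[service_exec_for_WinHostMon_service_path]
REGEX = Path=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+)
FORMAT = service_path::$1

[service_exec_for_WinHostMon_service_exec]
SOURCE_KEY = service_path
REGEX = (?:.*[\\\/](.*))
FORMAT = service_exec::$1

## Metric store transforms
# Index-time (WRITE_META) extractions that turn perfmon / WMI uptime events
# into metric data points: _value is the measurement, metric_name the
# counter (or wmi_type), plus object/instance/collection dimensions.
[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true

[metric_name_for_perfmon_metrics_store]
REGEX = counter=\"?([^\"\r\n]*[^\"\s])
FORMAT = metric_name::$1
WRITE_META = true

[object_for_perfmon_metrics_store]
REGEX = object=\"?([^\"\r\n]*[^\"\s])
FORMAT = object::$1
WRITE_META = true

[instance_for_perfmon_metrics_store]
REGEX = instance=\"?([^\"\r\n]*[^\"\s])
FORMAT = instance::$1
WRITE_META = true

[collection_for_perfmon_metrics_store]
REGEX = collection=\"?([^\"\r\n]*[^\"\s])
FORMAT = collection::$1
WRITE_META = true

[value_for_wmi_uptime_metrics_store]
REGEX = SystemUpTime=([^\s]+)
FORMAT = _value::$1
WRITE_META = true

[metric_name_for_wmi_uptime_metrics_store]
REGEX = wmi_type=([^\s]+)
FORMAT = metric_name::$1
WRITE_META = true

###### Transforms moved from TA-AD ######
# Index-time sourcetype rewrite for Netlogon lines containing NO_CLIENT_SITE.
[MSAD-Netlogon-Subnetaffinity]
DEST_KEY = MetaData:Sourcetype
REGEX = .*NO_CLIENT_SITE:.*
FORMAT = sourcetype::MSAD:SubnetAffinity

# Multi-valued site topology fields, one value per quoted occurrence.
[MSAD-SiteInfo-AdjacentSites]
REGEX = AdjacentSite="([^"]+)
FORMAT = AdjacentSite::$1
MV_ADD = True

[MSAD-SiteInfo-SiteLinks]
REGEX = SiteLink="([^"]+)
FORMAT = SiteLink::$1
MV_ADD = True

[MSAD-SiteInfo-Sites]
REGEX = Site="([^"]+)
FORMAT = Site::$1
MV_ADD = True

[MSAD-SiteInfo-Subnets]
REGEX = Subnet="([^"]+)
FORMAT = Subnet::$1
MV_ADD = True

###### Transforms moved from TA-DNS ######
# Multi-valued DNS health fields. NOTE(review): same stripped named-group
# caveat as above - "(?[^"]*)" needs its "<name>" restored.
[DNSHealth_ServerAddress_MV]
REGEX = ServerAddress=\"?(?[^"]*)\"?
MV_ADD = true

[DNSHealth_ListenAddress_MV]
REGEX = ListenAddress=\"?(?[^"]*)\"?
MV_ADD = true

[DNSHealth_Forwarder_MV]
REGEX = Forwarder=\"?(?[^"]*)\"?
MV_ADD = true

[DNSHealth_LogIPFilterList_MV]
REGEX = LogIPFilterList=\"?(?[^"]*)\"?
MV_ADD = true

# DNS debug-log fields. KV_for_port is unanchored: the first "port" followed
# by up to five digits anywhere in the event becomes src_port.
[KV_for_port]
REGEX = (?:port)\s*(\d{1,5})
FORMAT = src_port::$1

[KV_for_Domain]
REGEX = (\(\d\)*[\w+\(\d\)-]{1,})
FORMAT = src_domain::$1

# NOTE(review): "[D|DR]*" is a character class (any run of D, | or R), not
# the alternation D|DR it reads as; it still accepts the D/R flag
# combinations, so left as-is.
[KV_for_microsoftdns_action]
REGEX = \[[\d\w]{1,4}\s*[A-Z]*\s*[D|DR]*\s([^.]+)\]\s(?:\w*)
FORMAT = vendor_dns_action::$1

[KV_for_Record_type]
REGEX = QTYPE\s+(\w+)\s+
FORMAT = record_type::$1

[KV_for_Record_Class]
REGEX = QCLASS\s+(\w+)\s+
FORMAT = record_class_number::$1

# Section counts; stripped named-group caveat applies.
[KV_for_Answer_Section_Count]
REGEX = QCOUNT\s+(?\d+)[\n\s]+ACOUNT\s+(?\d+)[\n\s]+NSCOUNT\s+(?\d+)[\n\s]+ARCOUNT\s+(?\d+)

[KV_for_Update_Section_Count]
REGEX = UPCOUNT\s+(?\d+)[\n\s]+ARCOUNT\s+(?\d+)

# One value per DATA entry of the answer/update section; stripped named-group
# caveat applies to the "(?[\S]*?)" group.
[Answer_multi_value]
SOURCE_KEY = ANSWER_OR_UPDATE_SECTION
REGEX = (?s)(?:Offset).*?DATA[ \t]*(?:\(\d+\))?(?[\S]*?)(?:\((\d+|none)\))?(?:\n|$)
MV_ADD = true

[windows_dns_query_type_lookup]
filename = windows_dns_query_type_lookup.csv

[windows_dns_action_lookup]
filename = windows_dns_action_lookup.csv

[dns_recordclass_lookup]
filename = dns_recordclass_lookup.csv

## Security-CIM Mappings
# Process names are the text after the last backslash of the full path.
[extract_parent_process_name]
SOURCE_KEY = Creator_Process_Name
REGEX = (?:.*\\)?(.*)
FORMAT = parent_process_name::$1

[extract_new_process_name]
SOURCE_KEY = New_Process_Name
REGEX = (?:.*\\)?(.*)
FORMAT = new_process_name::$1

[extract_target_process_name]
SOURCE_KEY = Target_Process_Name
REGEX = (?:.*\\)?(.*)
FORMAT = target_process_name::$1

# *_path here is the FULL path including the file name (the outer group);
# *_name is the base name. Values starting with "-" do not match.
[object_name_and_path_from_object_name]
SOURCE_KEY = Object_Name
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = object_file_path::$1 object_file_name::$2

[file_name_and_path_from_file_name]
SOURCE_KEY = File_Name
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = file_path::$1 file_name::$2

[file_name_and_path_from_file_path]
SOURCE_KEY = File_Path
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = file_path::$1 file_name::$2

[windows_endpoint_service_service_name_lookup]
filename = windows_endpoint_service_service_name.csv

# First token of the command line (a quoted token kept whole) and the rest.
# An unquoted executable path containing spaces is split at its first space,
# so process_command_line_process is only reliable for quoted or space-free
# paths.
[process_command_line_process_and_arguments]
SOURCE_KEY = Process_Command_Line
REGEX = (^\"[^\"]+\"|[^\s]+)\s*(.*)
FORMAT = process_command_line_process::$1 process_command_line_arguments::$2

[extract_parent_process_name_for_windows_xml]
SOURCE_KEY = parent_process
REGEX = (?:.*\\)?(.*)
FORMAT = parent_process_name::$1

[extract_new_process_name_for_windows_xml]
SOURCE_KEY = new_process
REGEX = (?:.*\\)?(.*)
FORMAT = new_process_name::$1

[extract_target_process_name_for_windows_xml]
SOURCE_KEY = TargetProcessName
REGEX = (?:.*\\)?(.*)
FORMAT = target_process_name::$1

# Opening-tag pattern restored (matches the element with or without
# attributes, like the *_xml_block stanzas).
[logfilecleared_xml_block]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<LogFileCleared(?:\s[^>]+)?>(.*?)<\/LogFileCleared>
FORMAT = LogFileCleared_Xml::$1

# <tag>value</tag> pairs inside the LogFileCleared block as tag::value.
[LogFileClearedData_from_user_data]
SOURCE_KEY = LogFileCleared_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2

# Opening-tag pattern restored; without it the lazy (.*?) would capture from
# the start of UserData_Xml.
[SubjectUserName_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<SubjectUserName(?:\s[^>]+)?>(.*?)<\/SubjectUserName>
FORMAT = Caller_User_Name::$1

[object_file_name_and_path_from_ObjectName_for_xml]
SOURCE_KEY = ObjectName
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = object_file_path::$1 object_file_name::$2

[file_name_and_path_from_FileName_for_xml]
SOURCE_KEY = FileName
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = file_path::$1 file_name::$2

[file_name_and_path_from_KeyFilePath_for_xml]
SOURCE_KEY = KeyFilePath
REGEX = ^((?:.*[\\/]+)*([^-].*))$
FORMAT = file_path::$1 file_name::$2

[windows_endpoint_service_service_type_lookup]
filename = windows_endpoint_service_service_type.csv

[windows_endpoint_port_transport_lookup]
filename = windows_endpoint_port_transport.csv

[windows_wineventlog_change_object_fields_lookup]
filename = windows_wineventlog_change_object_fields_860.csv

[windows_wineventlog_change_action_lookup]
filename = windows_wineventlog_change_action_860.csv

[xmlsecurity_change_audit_and_account_management_lookup]
filename = xmlsecurity_change_audit_and_account_management_860.csv

# Opening-tag pattern restored; without it the lazy (.*?) would capture from
# the start of UserData_Xml.
[channel_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = <Channel>(.*?)<\/Channel>
FORMAT = user_data_channel::$1

# Stanza continues past the end of this chunk (FORMAT value not visible here).
[special_user_from_member_name]
SOURCE_KEY = MemberName
REGEX = (?:CN|cn)=(.*?),.*
FORMAT = 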
member_user_name::$1