###### Access Protection Transforms ###### [cim_access_action_lookup] filename = cim_access_actions.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ###### Common Action Model Transforms ###### [force_index_cim_modactions] DEST_KEY = _MetaData:Index REGEX = . FORMAT = cim_modactions [force_sourcetype_cim_modactions] SOURCE_KEY = MetaData:Source DEST_KEY = MetaData:Sourcetype REGEX = ^.*[\\/](.+)_mod(?:alert|workflow).log$ FORMAT = sourcetype::modular_alerts:$1 [orig_action_name_for_stash_cam] REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_action_name=\"([^"]+) FORMAT = $0 orig_action_name::$1 DEST_KEY = _meta [orig_sid_for_stash_cam] REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_sid=\"([^"]+) FORMAT = $0 orig_sid::$1 DEST_KEY = _meta [orig_rid_for_stash_cam] REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_rid=\"([^"]+) FORMAT = $0 orig_rid::$1 DEST_KEY = _meta [sourcetype_for_stash_cam] REGEX = \*{3}Common\sAction\sModel\*{3}.*sourcetype=\"([^"]+) FORMAT = sourcetype::$1 DEST_KEY = MetaData:Sourcetype [sinkhole_cam_header] REGEX = (?s)^\*{3}Common\sAction\sModel\*{3}[^\n]+\n(.*) FORMAT = $1 DEST_KEY = _raw ## Do not truncate _raw to 4096! LOOKAHEAD = -1 [cam_action_mode_lookup] filename = cam_action_modes.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cam_action_status_lookup] filename = cam_action_statuses.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cam_category_lookup] filename = cam_categories.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cam_task_lookup] filename = cam_tasks.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cam_subject_lookup] filename = cam_subjects.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cam_worker_lookup] filename = cam_workers.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ###### Data Loss Prevention Transforms ###### [cim_dlp_action_lookup] filename = cim_dlp_actions.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_dlp_object_category_lookup] filename = cim_dlp_object_categories.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_dlp_type_lookup] filename = cim_dlp_types.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ###### Endpoint Protection Transforms ###### [cim_malware_action_lookup] filename = cim_malware_actions.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_update_status_lookup] filename = cim_update_statii.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ## Endpoint Change Analysis [cim_endpoint_action_lookup] filename = cim_endpoint_actions.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_endpoint_object_category_lookup] filename = cim_endpoint_object_categories.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_endpoint_severity_lookup] filename = cim_endpoint_severities.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_endpoint_status_lookup] filename = cim_endpoint_statuses.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_endpoint_user_type_lookup] filename = cim_endpoint_user_types.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ###### Network Protection ###### [cim_traffic_action_lookup] filename = cim_traffic_actions.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_transport_protocol_lookup] filename = cim_transport_protocols.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ## Cloud [cim_cloud_domain_lookup] filename = cim_cloud_domains.csv match_type = WILDCARD(domain) max_matches = 1 reverse_lookup_honor_case_sensitive_match = false ## DNS [cim_dns_reply_code_lookup] filename = cim_dns_reply_codes2.csv min_matches = 1 default_match = unknown case_sensitive_match = false reverse_lookup_honor_case_sensitive_match = false ## Email [cim_email_protocol_lookup] filename = cim_email_protocols.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_corporate_email_domain_lookup] filename = cim_corporate_email_domains.csv match_type = WILDCARD(domain) max_matches = 1 reverse_lookup_honor_case_sensitive_match = false [cim_src_user_domain] SOURCE_KEY = src_user REGEX = .*@(.+) FORMAT = src_user_domain::$1 [cim_email_domain] SOURCE_KEY = email REGEX = .*@(.+) FORMAT = email_domain::$1 [cim_recipient_domain] SOURCE_KEY = recipient REGEX = .*@(.+) FORMAT = recipient_domain::$1 ## IDS [cim_ids_severity_lookup] filename = cim_ids_severities.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_ids_type_lookup] filename = cim_ids_types.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ## Proxy [cim_http_method_lookup] filename = cim_http_methods.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded [cim_http_status_lookup] filename = cim_http_statuses.csv min_matches = 1 default_match = unknown match_type = WILDCARD(status) reverse_lookup_honor_case_sensitive_match = false [cim_http_tld_lookup] filename = cim_http_tld.csv case_sensitive_match = false max_matches = 1 reverse_lookup_honor_case_sensitive_match = false ## SSL ## issuer - https://www.ietf.org/rfc/rfc2253.txt [cim_ssl_issuer_common_name] SOURCE_KEY = ssl_issuer REGEX = CN\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_common_name::$1 [cim_ssl_issuer_country] SOURCE_KEY = ssl_issuer REGEX = C\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_country::$1 [cim_ssl_issuer_email] SOURCE_KEY = ssl_issuer REGEX = (?:E|emailAddress)\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_email::$1 [cim_ssl_issuer_locality] SOURCE_KEY = ssl_issuer REGEX = L\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_locality::$1 [cim_ssl_issuer_organization] SOURCE_KEY = ssl_issuer REGEX = O\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_organization::$1 [cim_ssl_issuer_state] REGEX = ST\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_state::$1 [cim_ssl_issuer_street] SOURCE_KEY = ssl_issuer REGEX = STREET\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_street::$1 [cim_ssl_issuer_unit] SOURCE_KEY = ssl_issuer REGEX = OU\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_issuer_unit::$1 ## subject - https://www.ietf.org/rfc/rfc2253.txt [cim_ssl_subject_common_name] SOURCE_KEY = ssl_subject REGEX = CN\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_common_name::$1 [cim_ssl_subject_country] SOURCE_KEY = ssl_subject REGEX = C\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_country::$1 [cim_ssl_subject_email] SOURCE_KEY = ssl_subject REGEX = (?:E|emailAddress)\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_email::$1 [cim_ssl_subject_locality] SOURCE_KEY = ssl_subject REGEX = L\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_locality::$1 [cim_ssl_subject_organization] SOURCE_KEY = ssl_subject REGEX = O\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_organization::$1 [cim_ssl_subject_state] SOURCE_KEY = ssl_subject REGEX = ST\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_state::$1 [cim_ssl_subject_street] SOURCE_KEY = ssl_subject REGEX = STREET\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_street::$1 [cim_ssl_subject_unit] SOURCE_KEY = ssl_subject REGEX = OU\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$) FORMAT = ssl_subject_unit::$1 ## Vendor Product Tracker [cim_vendor_product_tracker] filename = cim_vendor_product_tracker.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ## Vuln [cim_vuln_severity_lookup] filename = cim_vuln_severities.csv reverse_lookup_honor_case_sensitive_match = false ## max_matches=1 unneeded ## Web [cim_corporate_web_domain_lookup] filename = cim_corporate_web_domains.csv match_type = WILDCARD(domain) max_matches = 1 reverse_lookup_honor_case_sensitive_match = false ###### Splunk Internal Transforms ###### ## search activity ## This transform has been deprecated [datamodel_for_audittrail] REGEX = (?:_ACCELERATE_|id=)DM_[^_]+_(.*?)(?:_ACCELERATE|\s) FORMAT = datamodel::$1 ## This transform has been deprecated [savedsearch_name_for_audittrail] REGEX = savedsearch_name=\"([^\"]+) FORMAT = savedsearch_name::$1 ## This transform has been deprecated [user_for_audittrail] REGEX = user\=([^,]+) FORMAT = user::$1 ## audittrail [search_for_audittrail] REGEX = (?s)\,\s*search=\'(.*?)\',\s*autojoin FORMAT = search::$1 [splunk_action_lookup] filename = splunk_actions.csv max_matches = 1 reverse_lookup_honor_case_sensitive_match = false [splunk_object_category_lookup] filename = splunk_object_category.csv max_matches = 1 reverse_lookup_honor_case_sensitive_match = false [splunk_src_lookup] filename = splunk_src.csv max_matches = 1 reverse_lookup_honor_case_sensitive_match = false # The next transform also sets status to "success" by default for # fschange inputs (i.e., we assume "isdir=(0|1)" means a successful # filesystem change. [vendor_object_category-vendor_status-for_splunk_endpoint_change] REGEX = isdir=(\d) FORMAT = vendor_object_category::$1 [vendor_object-vendor_object_path-for_splunk_endpoint_change] REGEX = path="(\S+)/(\S+)" FORMAT = vendor_object_path::$1 vendor_object::$2 ## splunkd [signature_for_sendmodalert] REGEX = sendmodalert.*(Alert\saction\sscript\scompleted|Invoking\smodular\salert\saction) FORMAT = signature::$1 ## splunk_web_access [app-view_for_splunk_web_access] REGEX = GET (?:/[^/]+){1,2}/app/([^/ ?]+)/([^/ ?]+) FORMAT = app::$1 view::$2