###### Common Action Model Properties ###### [source::..._mod(alert|workflow).log] TRANSFORMS-force_index-sourcetype_for_modactions = force_index_cim_modactions,force_sourcetype_cim_modactions [source::...modaction_adhoc_rest_handler.log] sourcetype = modaction:adhoc_rest_handler [source::...modaction_invocations_rest_handler.log] sourcetype = modaction:invocations_rest_handler [source::...modaction_queue_handler.log] sourcetype = modaction:queue_handler [source::...relaymodaction.log] sourcetype = relaymodaction [stash_common_action_model] TRUNCATE = 0 # only look for ***SPLUNK*** on the first line HEADER_MODE = firstline # we can summary index past data, but rarely future data MAX_DAYS_HENCE = 2 MAX_DAYS_AGO = 10000 # 5 years difference between two events MAX_DIFF_SECS_AGO = 155520000 MAX_DIFF_SECS_HENCE = 155520000 TIME_PREFIX = (?m)^\*{3}Common\sAction\sModel\*{3}.*$ MAX_TIMESTAMP_LOOKAHEAD = 25 LEARN_MODEL = false # break .stash_new custom format into events SHOULD_LINEMERGE = false BREAK_ONLY_BEFORE_DATE = false LINE_BREAKER = (\r?\n==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==\r?\n) TRANSFORMS-0parse_cam_header = orig_action_name_for_stash_cam,orig_sid_for_stash_cam,orig_rid_for_stash_cam,sourcetype_for_stash_cam TRANSFORMS-1sinkhole_cam_header = sinkhole_cam_header ###### Data Model Properties ###### [source::...datamodelsimple.log] sourcetype = datamodelsimple ###### Splunk Internal Properties ###### [audittrail] EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action) EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app) FIELDALIAS-dest_for_splunk_access = host as dest ## eventtype: splunk_endpoint_change ## Required fields: action,dest,object,object_category,status,user REPORT-1vendor_object_category-vendor_status_for_splunk_endpoint_change = vendor_object_category-vendor_status-for_splunk_endpoint_change REPORT-2vendor_object-vendor_object_path_for_splunk_endpoint_change = vendor_object-vendor_object_path-for_splunk_endpoint_change EVAL-vendor_status = if(isdir==0 OR isdir==1, "success", vendor_status) # CIM-940: map hash to file_hash EVAL-file_hash=if(isnull(file_hash),hash,file_hash) LOOKUP-object_category_for_splunk_access = splunk_object_category_lookup vendor_object_category OUTPUT object_category LOOKUP-src_for_splunk_access = splunk_src_lookup app OUTPUTNEW src FIELDALIAS-object_for_splunk_endpoint_change = vendor_object as object FIELDALIAS-object_path_for_splunk_endpoint_change = vendor_object_path as object_path FIELDALIAS-object_attrs_for_splunk_endpoint_change = chgs as object_attrs # CIM-680: alias uid->user_id FIELDALIAS-user_id_for_splunk_endpoint_change = uid as user_id # CIM-680: calculate user based on user_id if user is weak EVAL-user = if(isnull(user) OR user="n/a" OR user="",user_id,user) FIELDALIAS-status_for_splunk_endpoint_change = vendor_status as status # Field aliases for conformance to Change_Analysis::Filesystem_Changes object FIELDALIAS-file_acl_for_splunk_filesystem_change = mode as file_acl FIELDALIAS-file_size_for_splunk_filesystem_change = size as file_size EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y") FIELDALIAS-file_name_for_splunk_filesystem_change = vendor_object as file_name FIELDALIAS-file_path_for_splunk_filesystem_change = vendor_object_path as file_path REPORT-search_for_audittrail = search_for_audittrail [splunkd] REPORT-signature_for_sendmodalert = signature_for_sendmodalert [splunk_web_access] REPORT-app-view_for_splunk_web_access = app-view_for_splunk_web_access