# Splunk transforms.conf stanzas: lookup definitions and field transforms for
# Exchange, IIS and Windows log data.
# Splunk only treats whole lines starting with "#" as comments; anything
# written after a value on the same line becomes part of that value.

# KV Store lookup backed by the hostInformation_collection collection.
[hostInformation]
external_type = kvstore
collection = hostInformation_collection
# Fields the lookup exposes to searches. Splunk field names are
# case-sensitive; these are expected to match the collection definition
# (collections.conf, not shown here).
fields_list = host, Cluster, Clustered, Site, HubTransport, CAS, EdgeTransport, Mailbox, UMServer, ProductVersion, WindowsVersion, time, ms_exchange_host

# CSV lookup mapping Exchange version information (exchange-version.csv).
[ExchangeVersion]
filename = exchange-version.csv
# Return at most one matching row per event.
max_matches = 1

# KV Store lookup backed by the dbInformation_collection collection
# (Exchange database state per host).
[dbInformation]
external_type = kvstore
collection = dbInformation_collection
# Fields exposed by the lookup; case-sensitive, expected to match the
# collection definition (collections.conf, not shown here).
fields_list = host, Database, Active, MasterType

# CSV lookup translating Windows/Exchange event IDs to an action value
# (event_id_to_action.csv). No max_matches set, so Splunk's default applies.
[event_id_to_action_lookup]
filename = event_id_to_action.csv

# External (scripted) lookup: Splunk runs useragent.py with the listed field
# names as arguments and reads the enriched rows back. The script is
# expected in the app's bin/ directory (not shown here).
[useragent]
# Interpreter used for the external script.
python.version = python3
external_cmd = useragent.py cs_user_agent os osvariant osversion browser browserversion
external_type = python
# Must list every field named in external_cmd. The script receives
# user-agent strings taken straight from events, i.e. untrusted input;
# its own input handling is not visible in this file.
fields_list = cs_user_agent,os,osvariant,osversion,browser,browserversion

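# External (scripted) lookup: Splunk runs ad_username.py with the listed
# field names as arguments to map an IIS cs_username to user_subject.
# The script is expected in the app's bin/ directory (not shown here).
[ad_username]
# Interpreter used for the external script.
python.version = python3
external_cmd = ad_username.py cs_username user_subject
external_type = python
# Written comma-delimited to match the other external lookup stanzas in this
# file; Splunk accepts comma- and/or space-delimited lists here, so the
# set of fields is unchanged.
fields_list = cs_username, user_subject
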
# KV Store lookup mapping Exchange domain aliases
# (ExchangeDomainAliasMappings collection).
[domain_alias]
external_type = kvstore
collection = ExchangeDomainAliasMappings
# _key is the KV Store record key; domain is the alias value.
fields_list = _key, domain

# CSV lookup for Windows event severities (windows_severities.csv).
[windows_severity_lookup]
filename = windows_severities.csv
# Match lookup input values regardless of case.
case_sensitive_match = false

# CSV lookup for Windows event signatures (windows_signatures.csv).
# Unlike windows_severity_lookup this one keeps Splunk's default
# (case-sensitive) matching.
[windows_signature_lookup]
filename = windows_signatures.csv

# CSV lookup mapping Windows Security event code / error code pairs to an
# action value (xmlsecurity_eventcode_errorcode_action.csv).
[xmlsecurity_eventcode_errorcode_action_lookup]
filename = xmlsecurity_eventcode_errorcode_action.csv
# Match lookup input values regardless of case.
case_sensitive_match = false

# Delimiter-based extraction for IIS 6 (Windows 2003) W3C logs: the event is
# split on single spaces and the tokens are named in this order (14 fields).
# Note the field is named cs_User_Agent here (and in the other IIS stanzas
# and extract_client), while the EWS stanzas and the useragent lookup use
# cs_user_agent; Splunk field names are case-sensitive, so searches must use
# the spelling that matches the sourcetype.
[mswin_2003_iis_fields]
FIELDS = "date","time","s_sitename","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","sc_status","sc_substatus","sc_win32_status"
DELIMS = " "
# A field that already has a value keeps it; a second value is discarded
# rather than appended as a multivalue.
MV_ADD = false

# Delimiter-based extraction for IIS 7.5 (Windows 2008 R2) W3C logs: split
# on single spaces, 14 fields. Compared with mswin_2003_iis_fields,
# s_sitename is gone and time_taken is appended.
[mswin_2008r2_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
# A field that already has a value keeps it; a second value is discarded.
MV_ADD = false

# Delimiter-based extraction for IIS 8 (Windows 2012) W3C logs: split on
# single spaces, 15 fields. Same layout as mswin_2008r2_iis_fields with
# cs_Referer inserted after cs_User_Agent.
[mswin_2012_iis_fields]
FIELDS = "date","time","s_ip","cs_method","cs_uri_stem","cs_uri_query","s_port","cs_username","c_ip","cs_User_Agent","cs_Referer","sc_status","sc_substatus","sc_win32_status","time_taken"
DELIMS = " "
# A field that already has a value keeps it; a second value is discarded.
MV_ADD = false

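# Delimiter-based extraction for Exchange 2010 EWS logs: the event is split
# on commas and the tokens are named in this order. No MV_ADD is set, so
# Splunk's default applies (unlike the IIS stanzas above).
# Spacing around "=" normalised to "KEY = value" like the rest of the file;
# Splunk trims whitespace around the delimiter, so the value is unchanged.
[mswindows2010ews_fields]
FIELDS = "DateTime","AuthenticationType","IsAuthenticated","user_subject","Organization","cs_user_agent","c_ip","ServerHostName","SoapAction","HttpStatus","ErrorCode","ImpersonatedUser","Cookie","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","DCResource","DCHealth","DCHistoricalLoad","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","MailboxRPCRequests","TotalMBXRequestLatency","TotalRequestTime","GenericInfo","AuthenticationErrors","GenericErrors"
DELIMS = ,
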
# Delimiter-based extraction for Exchange 2013 EWS logs: the event is split
# on commas and the tokens are named in this order. The column set is much
# wider than mswindows2010ews_fields; user_subject, cs_user_agent and c_ip
# keep the same names so the downstream lookups apply to both.
[mswindows2013ews_fields]
FIELDS = "DateTime","RequestId","MajorVersion","MinorVersion","BuildVersion","RevisionVersion","Ring","ClientRequestId","AuthenticationType","IsAuthenticated","user_subject","Organization","cs_user_agent","VersionInfo","c_ip","ServerHostName","FrontEndServer","SoapAction","HttpStatus","RequestSize","ResponseSize","ErrorCode","ImpersonatedUser","ProxyAsUser","ActAsUser","Cookie","CorrelationGuid","PrimaryOrProxyServer","TaskType","RemoteBackendCount","LocalMailboxCount","RemoteMailboxCount","LocalIdCount","RemoteIdCount","BeginBudgetConnections","EndBudgetConnections","BeginBudgetHangingConnections","EndBudgetHangingConnections","BeginBudgetAD","EndBudgetAD","BeginBudgetCAS","EndBudgetCAS","BeginBudgetRPC","EndBudgetRPC","BeginBudgetFindCount","EndBudgetFindCount","BeginBudgetSubscriptions","EndBudgetSubscriptions","MDBResource","MDBHealth","MDBHistoricalLoad","ThrottlingPolicy","ThrottlingDelay","ThrottlingRequestType","TotalDCRequestCount","TotalDCRequestLatency","MailboxRPCRequests","TotalMBXRequestLatency","RecipientLookupLatency","ExchangePrincipalLatency","HttpPipelineLatency","CheckAccessCoreLatency","AuthModuleLatency","CallContextInitLatency","PreExecutionLatency","CoreExecutionLatency","TotalRequestTime","DetailedExchangePrincipalLatency","ClientStatistics","GenericInfo","AuthenticationErrors","GenericErrors","Puid","StartTime","ProcessId","TimeInGC","StartTotalMemory","EndTotalMemory","StartGCCounts","EndGCCounts","TokenBasedThrottlingPolicy","BudgetKey","CoinsCharged","CoinsChargedMethod","SidBudgetInfo","AppBudgetInfo","TenantBudgetInfo","ResourceAccessed","ResourceHealthBasedThreshold","ThrottledBy","BackoffHint","WorkClassification"
DELIMS = ,

# Derive WebApplication from the IIS request path: the first path segment
# after the leading "/" (everything up to the next "/").
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = ^/(?<WebApplication>[^/]+)

# KV Store lookup keyed on user_subject
# (userSubjectInformation_collection).
[userSubjectInformation]
external_type = kvstore
collection = userSubjectInformation_collection
# _key is the KV Store record key.
fields_list = user_subject, time, _key

# Delimiter-based extraction for Exchange 2007 message tracking logs: split
# on commas, 21 fields named in log column order.
[msexchange2007msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info"
DELIMS = ,

# Delimiter-based extraction for Exchange 2010 message tracking logs: the
# 2007 column set plus directionality, tenant_id, original_client_ip,
# original_server_ip and custom_data appended at the end.
[msexchange2010msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

# Delimiter-based extraction for Exchange 2013 message tracking logs: the
# 2010 column set with network_message_id inserted after message_id, which
# shifts every later column by one.
[msexchange2013msgtrack-fields]
FIELDS = "date_time","cs_ip","client_hostname","ss_ip","server_hostname","source_context","connector_id","source_id","event_id","internal_message_id","message_id","network_message_id","recipients","recipient_status","total_bytes","recipient_count","related_recipient_address","reference","message_subject","sender","return_path","message_info","directionality","tenant_id","original_client_ip","original_server_ip","custom_data"
DELIMS = ,

# Split a recipient address into recipient_username (before "@") and
# recipient_domain (after "@", up to the next whitespace).
[msgtrack-recipient]
SOURCE_KEY = recipient
REGEX = (?<recipient_username>[^@]+)@(?<recipient_domain>[^\s]*)
# recipient is presumably multivalued (see msgtrack-recipients), so each
# value's parts are appended rather than overwriting the first match.
MV_ADD = true

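# Split the ";"-separated recipients column into one recipient value per
# address. The trailing ";*" consumes the separator so it is not captured.
# Spacing around "=" normalised to "KEY = value" like the rest of the file;
# Splunk trims whitespace around the delimiter, so the pattern is unchanged.
[msgtrack-recipients]
SOURCE_KEY = recipients
REGEX = (?<recipient>[^;]+);*
# Every match is appended, producing a multivalued recipient field.
MV_ADD = true
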
# Split the sender address into sender_username (before "@") and
# sender_domain (after "@", up to the next whitespace).
[msgtrack-sender]
SOURCE_KEY = sender
REGEX = (?<sender_username>[^@]+)@(?<sender_domain>[^\s]*)

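# Pull the PurportedSender=... entry out of the message tracking custom_data
# column into a psender field (value runs up to the next ";").
# Keys reordered to SOURCE_KEY / REGEX / FORMAT like the other extraction
# stanzas in this file; key order within a stanza has no effect.
[msgtrack-extract-psender]
SOURCE_KEY = custom_data
REGEX = PurportedSender\=([^;]*)
FORMAT = psender::$1
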
# Split the purported sender (psender, see msgtrack-extract-psender) into
# psender_username (before "@") and psender_domain (after "@", up to the
# next whitespace).
[msgtrack-psender]
SOURCE_KEY = psender
REGEX = (?<psender_username>[^@]+)@(?<psender_domain>[^\s]*)

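# CSV lookup mapping group type values (group-type.csv).
# Spacing around "=" normalised to "KEY = value" like the rest of the file;
# Splunk trims whitespace around the delimiter, so the values are unchanged.
[GroupType]
filename = group-type.csv
# Return at most one matching row per event.
max_matches = 1
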
# raw_client = the part of the IIS user-agent string before the first "(".
# Uses the IIS spelling cs_User_Agent (case-sensitive), not the EWS
# cs_user_agent.
[extract_client]
SOURCE_KEY = cs_User_Agent
REGEX = (?<raw_client>[^\(]+)

# CSV lookup for Windows Update status values (windows_update_statii.csv).
[windows_update_status_lookup]
filename = windows_update_statii.csv

# Split Image_File_Name into file_path ($1: everything up to and including
# the last "\" or "/") and file_name ($2: the remainder). A value with no
# separator yields an empty file_path and the whole value as file_name.
[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2

# Extract cmdlet parameters from Exchange admin audit events. No SOURCE_KEY,
# so the pattern runs against _raw.
# NOTE(review): the pattern only matches a Param="..." whose value ends in a
# single quote immediately before the closing double quote; parameter values
# written without that trailing "'" are not captured — confirm against the
# audit log format.
[AdminAudit_ExtractParam]
REGEX = Param="(?<CmdletParam>[^"].*?')"
# Every Param="..." in the event is appended as a multivalue.
MV_ADD = true

# Extract Error="..." values from Exchange admin audit events. No
# SOURCE_KEY, so the pattern runs against _raw; the value is everything up
# to the next double quote.
[AdminAudit_ExtractError]
REGEX = Error="(?<CmdletError>[^"]*)"
# Every Error="..." in the event is appended as a multivalue.
MV_ADD = true

# Copy ComputerName to dest, dropping any leading backslashes (UNC-style
# names). The first captured character may not be "-".
# Same pattern as ComputerName_as_src; only the target field differs.
[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"

# Copy ComputerName to src, dropping any leading backslashes (UNC-style
# names). The first captured character may not be "-".
# Same pattern as ComputerName_as_dest; only the target field differs.
[ComputerName_as_src]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"

# package_title from Windows System log update events: the text following
# "Windows successfully installed the following update:". No SOURCE_KEY, so
# the pattern runs against _raw.
[package_title_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = package_title::"$1"

# From WindowsUpdate.log "Content Install" lines: $1 is the status phrase
# ("Installation Successful" or "Installation Failure"), $2 the update title
# after "the following update...:". No SOURCE_KEY, so runs against _raw.
[package_title_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

# Companion to package_title_for_windowsupdatelog for the
# "Installation successful and restart required for the following update:"
# wording: $1 is that status phrase, $2 the update title. Runs against _raw.
[package_title_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"

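# Extract package titles from package_message (see
# package_message_for_windowsupdatelog): each "- " introduces a title that
# runs up to and including the first ")", optionally followed by
# ", <N>-bit Edition".
[package_title_for_windowsupdatelog_package_message]
SOURCE_KEY = package_message
REGEX = \-\s+([^\)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = package_title::"$1"
# Every match is appended as a multivalue. Written lowercase "true" to match
# the other stanzas in this file; Splunk reads the value case-insensitively.
MV_ADD = true
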
# From WindowsUpdate.log "Content Install" lines with a "Restart Required"
# or "Installation Ready" status: $1 is the whole remainder of the line
# from "Content Install" (package_message), $2 the status phrase
# (vendor_status). No SOURCE_KEY, so runs against _raw.
[package_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = package_message::"$1" vendor_status::"$2"

# user from IAS/NPS System log messages of the form "Message=User <name>
# ... was ...": an optional "DOMAIN\" or "DOMAIN/" prefix is dropped and
# the name is captured up to the first ".". No SOURCE_KEY, so runs against
# _raw.
# NOTE(review): because of "[^.]+", a user name containing a dot is cut at
# that dot — confirm this is intended.
[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"

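# package = the KB number (e.g. "KB" followed by digits) found in
# package_title.
[package_for_windowsupdatelog]
SOURCE_KEY = package_title
REGEX = (KB\d+)
FORMAT = package::$1
# Every match is appended as a multivalue. Written lowercase "true" to match
# the other stanzas in this file; Splunk reads the value case-insensitively.
MV_ADD = true
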
# Index-time routing: events whose raw text starts with "#" are sent to
# nullQueue and are never indexed (no copy is kept). Only takes effect where
# props.conf references this stanza via TRANSFORMS- (not shown here); keep
# that reference scoped to the sourcetypes that emit "#" header lines so no
# other data is silently dropped.
[ignore_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

# Index-time routing: lines starting with "DateTime" (the column header of
# the EWS logs, see the *ews_fields stanzas) are sent to nullQueue and
# discarded before indexing. Must be referenced from props.conf via
# TRANSFORMS- (not shown here) to take effect.
[ignore_header]
REGEX = ^DateTime.*
DEST_KEY = queue
FORMAT = nullQueue

# From WindowsUpdate.log lines: skip the first two whitespace-separated
# tokens (date and time) and name the third, fourth and fifth as pid, tid
# and component. No SOURCE_KEY, so runs against _raw.
[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3

[exch_audit_user_extraction]
|
|
SOURCE_KEY = Accessing_User
|
|
REGEX = /cn=Recipients/cn=(?<User>.*) |