

# Active Directory object lookups, each backed by a KV store collection.
# All four expose the same column set: the owning NetBIOS domain
# (src_nt_domain), the object's distinguishedName / objectGUID /
# displayName / cn, and deletedDate (presumably populated only for
# objects that have been removed from the directory - confirm against
# the collection schema).

[ActiveDirectory_ComputerInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Computers
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_GPOInfoLookup]
external_type = kvstore
collection = ActiveDirectory_GPOs
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_GroupInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Groups
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate

[ActiveDirectory_UserInfoLookup]
external_type = kvstore
collection = ActiveDirectory_Users
fields_list = src_nt_domain,distinguishedName,objectGUID,displayName,cn,deletedDate
# Domain / forest / site topology lookups and the static code tables.
# KV store stanzas expose the listed columns; CSV stanzas are capped at
# one matching row (max_matches = 1) so a code resolves to a single name.

# host -> domain NetBIOS name, DNS name, forest and AD site
[DomainSelector]
external_type = kvstore
collection = DomainSelector_collection
fields_list = host, DomainNetBIOSName, DomainDNSName, ForestName, Site

# Windows event code -> description table
[EventCodes]
filename = EventCodes.csv
max_matches = 1

# numeric AD group type flag -> readable group type
[GroupType]
filename = group-type.csv
max_matches = 1

# Time-bounded host inventory: time_field makes the lookup temporal, so a
# search matches the row whose _time is closest to the event being enriched.
[tHostInfo]
external_type = kvstore
collection = tHostInfo_collection
time_field = _time
fields_list = _time, src_ip, src_hostdomain, src_nt_domain, src_host

# host -> NetBIOS domain the host belongs to
[HostToDomain]
external_type = kvstore
collection = DomainList_collection
fields_list = host, src_nt_domain

# Kerberos error code -> name/description
[KRBErrorCode]
filename = KRBErrorCode.csv
max_matches = 1

# numeric logon type -> logon type name
[LogonTypeName]
filename = logon-type.csv
max_matches = 1

# NTLM status code -> name/description
[NTLMErrorCode]
filename = NTLMErrorCodes.csv
max_matches = 1

# AD schema version number -> OS/schema name
[SchemaVersionName]
filename = schema-version.csv
max_matches = 1

# host -> AD site
[SiteInfo]
external_type = kvstore
collection = SiteInfo_collection
fields_list = host, Site
# Windows-specific lookups: CIM action/privilege/signature code tables
# (CSV, one row per match) and KV store collections that summarise what
# each monitoring input has seen per host.
# The CSV files windows_actions.csv, windows_privileges.csv,
# windows_signatures.csv, windows_signatures_substatus.csv and
# windows_update_statii.csv are also exposed further down this file under
# the *_lookup stanza names; keep the two sets of definitions in step.

[windows_actions]
filename = windows_actions.csv
max_matches = 1

# EventCode -> description, log name, source, task category and type
[windows_event_details]
external_type = kvstore
collection = windows_event_details_collection
fields_list = EventCode, EventCodeDescription, LogName, SourceName, TaskCategory, Type

[windows_event_system]
external_type = kvstore
collection = windows_event_system_collection
fields_list = Host

[windows_hostmon_system]
external_type = kvstore
collection = windows_hostmon_system_collection
fields_list = Host

[windows_netmon_details]
external_type = kvstore
collection = windows_netmon_details_collection
fields_list = Direction, LocalPort, PacketType, ProcessName, Protocol, RemoteHostName, RemotePort, UserName

[windows_netmon_system]
external_type = kvstore
collection = windows_netmon_system_collection
fields_list = Host

[windows_perfmon_details]
external_type = kvstore
collection = windows_perfmon_details_collection
fields_list = collection, counter, instance, object

[windows_perfmon_system]
external_type = kvstore
collection = windows_perfmon_system_collection
fields_list = Host

[windows_printmon]
external_type = kvstore
collection = windows_printmon_collection
fields_list = Host, printer, operation, user

[windows_privileges]
filename = windows_privileges.csv
max_matches = 1

# event signature + sub-status code -> signature name
[windows_signatures_substatus]
filename = windows_signatures_substatus.csv
max_matches = 1

# event signature code -> signature name
[windows_signatures]
filename = windows_signatures.csv
max_matches = 1

# Windows Update status code -> status name (file name is the upstream spelling)
[windows_update_statii]
filename = windows_update_statii.csv
max_matches = 1
## IAS (Currently WinEventLog Support Only)
# Index-time source override: an incoming event whose raw text contains
# "SourceName=IAS" gets its source metadata rewritten to
# WinEventLog:System:IAS, which the IAS-specific extractions later in this
# file are keyed on.
# NOTE(review): the REGEX is unanchored, so the literal appearing anywhere
# in an event (for example inside a message body) also triggers the
# rewrite. Anchoring it to its own line (e.g. (?m)^SourceName=IAS\s*$) is
# worth confirming against sample WinEventLog events before changing.
[force_source_system_ias_for_wineventlog]
REGEX = SourceName\=IAS
FORMAT = source::WinEventLog:System:IAS
DEST_KEY = MetaData:Source
###### All Windows Event Log ######
## Lookups
# CSV lookups referenced by the Windows Event Log props. They read the
# same files as [windows_signatures] and [windows_signatures_substatus]
# above, but without max_matches, so the default match limit applies.
[windows_signature_lookup]
filename = windows_signatures.csv

[windows_signature_lookup2]
filename = windows_signatures_substatus.csv
## Add EventCodeDescription ##
# CSV lookup adding EventCodeDescription; distinct from the
# [windows_event_details] KV store collection defined above.
[windows_event_descriptions]
filename = windows_event_descriptions.csv
## REPORT
# Splits Image_File_Name into file_path (everything up to and including
# the last \ or /) and file_name (the trailing component). When the value
# holds no separator the outer group never iterates, so file_path is empty
# and the whole string lands in file_name.
[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2
####### Windows Security Event Log ######
## Lookups
# Security-log code tables; same files as [windows_actions] and
# [windows_privileges] above, exposed here without a max_matches cap.
[windows_action_lookup]
filename = windows_actions.csv

[windows_privilege_lookup]
filename = windows_privileges.csv
## REPORT
# Single-value form of the privilege extraction: captures the text that
# follows a "Privileges:" or "Assigned:" header in Message, stopping at
# the next "Something:" header line.
# NOTE(review): only (?s) is set, so the "^" inside the trailing group can
# match at the very start of Message, yet \s+ has already consumed at
# least one character by then. As written this stanza appears unable to
# match unless the engine runs in multiline mode ((?sm)); verify against a
# sample privilege-assignment event before relying on it.
[vendor_privilege_sv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:)
FORMAT = vendor_privilege::$1
# Multi-line form: everything after the "Privileges:" / "Assigned:" header
# to the end of Message becomes vendor_privilege. Both this stanza and the
# _sv one above write the same field; which value is kept when both match
# depends on the REPORT order in props.conf (not shown here).
[vendor_privilege_mv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*)
FORMAT = vendor_privilege::$1
# privilege_id is the text of vendor_privilege up to the first CR/LF.
# The anchor means one capture per source value; MV_ADD keeps every
# value when vendor_privilege is itself multivalued (presumably the regex
# is applied per value - confirm).
[privilege_id_for_windows_security]
SOURCE_KEY = vendor_privilege
REGEX = ^([^\r\n]+)
FORMAT = privilege_id::$1
MV_ADD = True
# Pulls the numeric id out of the parenthesised part of
# Token_Elevation_Type, e.g. "... (N)" -> Token_Elevation_Type_id = N.
[Token_Elevation_Type_id_for_windows_security]
SOURCE_KEY = Token_Elevation_Type
REGEX = \((\d+)\)
FORMAT = Token_Elevation_Type_id::$1
## Aliases
# dest = ComputerName with any leading backslashes dropped (UNC-style
# "\\HOST" -> "HOST"). The regex is unanchored and the capture may not
# start on "-", so leading dashes are skipped as well and a bare "-"
# placeholder yields no dest at all.
[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"
# src = ComputerName, same normalisation as [ComputerName_as_dest]:
# leading backslashes (and dashes) are skipped, a bare "-" gives no value.
[ComputerName_as_src]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
###### Windows System Event Log ######
# No SOURCE_KEY, so this runs over _raw: the text after
# "Windows successfully installed the following update:" becomes
# package_title.
[package_title_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = package_title::"$1"
# Runs over _raw. Captures the user named in "Message=User <name> ... was",
# skipping an optional DOMAIN\ or DOMAIN/ prefix. The capture stops at the
# first ".", so a UPN-style name is truncated before its domain suffix.
[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"
## IAS (Currently WinEventLog Support Only)
# Generic "name = value" extraction over the IAS Message body: every line
# of that shape becomes a field named after its left-hand side, with
# MV_ADD collecting repeats.
# Field names are therefore taken from event content. Keep this transform
# scoped in props.conf to the IAS source only; CLEAN_KEYS (default true)
# only normalises characters in $1 and does not stop an event from
# supplying a name that collides with a field searches depend on.
[auto_kv_for_windows_system_ias]
SOURCE_KEY = Message
REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*)
FORMAT = $1::$2
MV_ADD = TRUE
###### Update ######
# Windows Update status table; same file as [windows_update_statii]
# above, without the max_matches cap.
[windows_update_status_lookup]
filename = windows_update_statii.csv
# Runs over _raw. Captures the whole "Content Install <status> ..." clause
# as package_message and the status phrase ("Restart Required" or
# "Installation Ready") as vendor_status.
[package_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = package_message::"$1" vendor_status::"$2"
# Runs over _raw. "Installation Successful" / "Installation Failure"
# becomes vendor_status; the update name after "the following update:"
# becomes package_title.
[package_title_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"
# Runs over _raw. Restart-required variant of the stanza above: the
# "Installation successful and restart required" phrase is vendor_status,
# the trailing update name is package_title.
[package_title_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" package_title::"$2"
# Derives package_title from package_message: each "- <name ...)>" item,
# optionally followed by ", N-bit Edition", is one value (MV_ADD keeps
# all of them).
[package_title_for_windowsupdatelog_package_message]
SOURCE_KEY = package_message
REGEX = \-\s+([^\)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = package_title::"$1"
MV_ADD = True
# package = every KB<number> token found in package_title; MV_ADD turns
# multiple KB references into a multivalued field.
[package_for_windowsupdatelog]
SOURCE_KEY = package_title
REGEX = (KB\d+)
FORMAT = package::$1
MV_ADD = True
# Runs over _raw. Skips the first two whitespace-separated tokens
# (presumably date and time - confirm against a sample line) and maps the
# third, fourth and fifth to pid, tid and component.
[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3
###### Windows Firewall Log ######
# Delimiter-based extraction for Windows Firewall log lines: single-space
# separated, with the 17 FIELDS assigned positionally (the order
# presumably mirrors the log's own #Fields header - confirm). Field names
# use hyphens (src-ip, dst-port, ...) rather than CIM underscores, so any
# CIM mapping has to happen in props.conf.
[Transform_Windows_FW]
DELIMS = " "
FIELDS = "date" "time" "action" "protocol" "src-ip" "dst-ip" "src-port" "dst-port" "size" "tcpflags" "tcpsyn" "tcpack" "tcpwin" "icmptype" "icmpcode" "info" "path"
# Host-monitor inventory lookups backed by KV store collections: machine
# hardware/OS summary, file-system usage, and running process names.

[windows_hostmon_machine_details]
external_type = kvstore
collection = windows_hostmon_machine_details_collection
fields_list = Architecture, Domain, Manufacturer, OS

[windows_hostmon_fs_details]
external_type = kvstore
collection = windows_hostmon_fs_details_collection
fields_list = DriveType, FileSystem, FreeSpacePct, TotalSpaceGB

[windows_hostmon_process_details]
external_type = kvstore
collection = windows_hostmon_process_details_collection
fields_list = Name
[windows_hostmon_services_details]
external_type = kvstore
collection = windows_hostmon_services_details_collection
fields_list = Name, StartMode, State