##
|
|
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
## DO NOT EDIT THIS FILE!
|
|
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
## into ../local and edit there.
|
|
##
|
|
###########################
|
|
## Active Directory
|
|
###########################
|
|
|
|
[ActiveDirectory]
|
|
## Resolve the raw userAccountControl value to userAccountPropertyFlag through
## the user_account_control_property lookup (defined in transforms.conf, not
## shown). OUTPUT, unlike OUTPUTNEW, overwrites any userAccountPropertyFlag
## value the event already carries.
LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag
|
|
|
|
|
|
###########################
|
|
## DHCP
|
|
###########################
|
|
|
|
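[DhcpSrvLog]
## Microsoft DHCP server audit log. Each record is one comma-separated line,
## so line merging is off; auto_kv_for_microsoft_dhcp (transforms.conf, not
## shown) extracts the columns.
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
EVENT_BREAKER_ENABLE = true
## Index-time transform; presumably discards the header lines at the top of
## each log file (see dhcp_discard_headers in transforms.conf).
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
## Fixed: this was REPORT_1... (underscore). Splunk only recognises
## REPORT-<class>, so the microsoft_dhcp_dest_dns transform was never applied.
## The 1 keeps it ordered after REPORT-0auto_kv...; the transform must exist
## in transforms.conf.
REPORT-1microsoft_dhcp_dest_dns = microsoft_dhcp_dest_dns
## msdhcp_id -> human-readable signature; OUTPUTNEW only fills an empty field.
LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
## CIM aliases. mac is kept as raw_mac because dest_mac is normalised below.
FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
FIELDALIAS-win-sign-id = msdhcp_id AS signature_id
FIELDALIAS-dhcp-user = msdhcp_user AS user
EVAL-vendor = "Microsoft"
EVAL-product = "DHCP"
EVAL-vendor_product = "Microsoft DHCP"
## Normalise the MAC to lower-case, colon-separated form: a run of 12 or more
## word characters (no separators) yields its last 12 characters in pairs;
## anything else has its -, . or whitespace separators replaced by colons.
EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12,}$"), replace(raw_mac, "^.*(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$", "\1:\2:\3:\4:\5:\6"), true(), replace(raw_mac, "-|\.|\s", ":")))
## dest: the host name unless it is the BAD_ADDRESS placeholder, then the IP,
## then the normalised MAC. Note this MAC branch requires exactly 12 word
## characters ({12}), unlike dest_mac ({12,}).
EVAL-dest = coalesce(if(nt_host!="BAD_ADDRESS", nt_host, null()), ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), true(), replace(raw_mac, "-|\.|\s", ":"))))
## QResult column decoded; unknown codes pass through unchanged.
EVAL-quarantine_info = case(qresult == 0, "NoQuarantine", qresult == 1, "Quarantine", qresult == 2, "Drop Packet", qresult == 3, "Probation", qresult == 6, "No Quarantine Information", true(), qresult)
## CIM action from the DHCP event ID: 13, 15, 12, 16, 18 -> blocked;
## 10, 11 -> added; any other ID leaves action unset (msdhcp_signature_lookup
## has the text for each ID).
EVAL-action = case(msdhcp_id IN (13,15,12,16,18), "blocked", msdhcp_id IN (10,11), "added")
## BAD_ADDRESS is the host name the DHCP server records when it detects an
## address conflict, not a real host: it is excluded from dest/dest_nt_host
## and surfaced as reason instead.
EVAL-dest_nt_host = case(nt_host!="BAD_ADDRESS", nt_host)
EVAL-reason = case(nt_host=="BAD_ADDRESS", nt_host)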
|
|
|
|
|
|
###########################
|
|
## Splunk Windows Event Log
|
|
###########################
|
|
|
|
## Host override for WinEventLog events collected using WEF
|
|
[host::WinEventLogForwardHost]
|
|
## Events arriving with host=WinEventLogForwardHost (presumably the placeholder
## host configured on the WEF collector input) have host rewritten by the
## transforms below (WinEventHostOverride / WinEventXmlHostOverride in
## transforms.conf, not shown). After the rewrite the collector's own identity
## is no longer in host; keep that in mind when tracing where an event was
## received. Classic (text) and XML renderings need separate transforms.
TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride
|
|
TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride
|
|
|
|
## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog
|
|
## format source using sourcetype value, so we know whether it's XML or not
|
|
## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype
|
|
## the mod input sets and new sources will be accommodated as well
|
|
[(?::){0}WinEventLog:*]
|
|
## The (?::){0} prefix makes Splunk treat the rest of the stanza name as a
## pattern rather than a literal sourcetype, so this applies to every
## WinEventLog:<channel> sourcetype. The transforms normalise source and
## sourcetype so the shared extractions apply however the data was collected.
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype
|
|
|
|
[(?::){0}XmlWinEventLog:*]
|
|
## Pattern stanza (see the (?::){0} note above) covering every
## XmlWinEventLog:<channel> sourcetype; same source/sourcetype normalisation
## as the classic stanza, with the XML-specific source transform.
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype
|
|
|
|
|
|
## Fields common to all WinEventLogs
|
|
[WinEventLog]
|
|
## Field normalisation shared by every classic (text-rendered) Windows Event
## Log sourcetype. [XmlWinEventLog] below carries the same set for
## XML-rendered events using the XML element names.
## signature_id -> CategoryString/action/result; OUTPUTNEW fills only fields
## that are still empty.
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
|
|
FIELDALIAS-category_for_windows = TaskCategory as category
|
|
## dvc is the machine that logged the event; host may already have been
## rewritten for WEF-collected data (see [host::WinEventLogForwardHost]).
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
|
|
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
|
|
## The digit prefix orders this lookup before the alphabetic LOOKUP classes
## (classes of one kind are applied in ASCII order of their names).
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
|
|
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
|
|
FIELDALIAS-id_for_windows = RecordNumber AS id
|
|
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
|
|
|
|
## Default lookup for EventCode->signature mapping (e.g. EventCode=4625 with SubStatus=null() = "An account failed to log on")
|
|
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
|
|
|
|
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
## Windows Update client events keep the signature_id they already have;
## every other event uses EventCode as its signature_id.
|
|
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
|
|
|
|
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Services, Processes and Filesystem Datasets
|
|
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
|
|
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
|
|
FIELDALIAS-process_for_windows = Process AS process
|
|
## 4688 (process creation) names the new image in New_Process_Name; other
## process events carry Process_Name.
EVAL-process_name = if(EventCode==4688, New_Process_Name, Process_Name)
|
|
FIELDALIAS-parent_process_for_windows = Creator_Process_Name AS parent_process
|
|
FIELDALIAS-user_id_for_windows = User_ID AS user_id
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
[XmlWinEventLog]
|
|
## Field normalisation shared by every XML-rendered Windows Event Log
## sourcetype; the XML counterpart of [WinEventLog] above, using the XML
## element names (Computer, ServiceName, NewProcessName, ...).
## Automatic key=value extraction is off: fields come from the REPORT
## transforms below (their names suggest a split into the System/EventData/
## UserData/DebugData/RenderingInfo blocks followed by element and attribute
## extraction; definitions are in transforms.conf, not shown).
KV_MODE = none
|
|
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
|
|
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
|
|
|
|
## Map XML element names onto the classic field names the shared lookups use.
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
|
|
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
|
|
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
|
|
|
|
## signature_id -> CategoryString/action/result; OUTPUTNEW fills only fields
## that are still empty.
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
|
|
FIELDALIAS-category_for_windows = TaskCategory as category
|
|
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
|
|
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
|
|
## The digit prefix orders this lookup before the alphabetic LOOKUP classes
## (classes of one kind are applied in ASCII order of their names).
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
|
|
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
|
|
FIELDALIAS-id_for_windows = RecordNumber AS id
|
|
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
|
|
|
|
## Default lookup for EventCode->signature mapping (e.g. EventCode=4625 with SubStatus=null() = "An account failed to log on")
|
|
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
|
|
|
|
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
## Windows Update client events keep the signature_id they already have;
## every other event uses EventCode as its signature_id.
|
|
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
|
|
|
|
## NOTE(review): Primary_Group_ID is the classic-rendering field name; XML
## events carry PrimaryGroupId, so unless a transform above produces
## Primary_Group_ID this alias may never fire — confirm.
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Services, Processes and Filesystem Datasets
|
|
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
|
|
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
|
|
## 4688 (process creation) names the new image in NewProcessName; other
## process events carry ProcessName.
EVAL-process_name = if(EventCode==4688, NewProcessName, ProcessName)
|
|
FIELDALIAS-parent_process_for_windows = ParentProcessName AS parent_process
|
|
FIELDALIAS-user_id_for_windows = UserID AS user_id
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
## The field extractions below were moved here from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] and [source::*:System]
|
|
## windows system sub-sourcetyping
|
|
[source::WinEventLog:System]
|
|
## Classic (text-rendered) System channel: Service Control Manager
## (7036/7040/7045), Windows Update and log-cleared (104) events, plus the
## IAS sub-source via the forced source below. Search-time order is
## extractions -> FIELDALIAS -> EVAL -> LOOKUP, so EVALs may read extracted
## fields and OUTPUTNEW lookups fill only what is still empty afterwards.
## Index-time: rewrites source for IAS events so they get their own
## extractions (see force_source_system_ias_for_wineventlog in
## transforms.conf, not shown).
TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog
|
|
|
|
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
|
|
## Windows Update signature / message / status extraction.
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
|
|
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
|
|
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
|
|
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
|
|
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
|
|
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
|
|
|
|
## Service Control Manager: 7036 = service entered a state, 7040 = start type
## changed, 7045 = a new service was installed (a common persistence
## indicator). The transforms presumably extract service_name, the state word
## and the start type from the message text — confirm in transforms.conf.
REPORT-1service_name_eventcode_7036 = service_name_eventcode_7036
|
|
REPORT-1service_name_eventcode_7040 = service_name_eventcode_7040
|
|
## status on the right-hand side is the state word extracted above; 104
## (the event log was cleared) always counts as success.
EVAL-status = case(EventCode=="7036" AND status=="running","started",EventCode=="7036" AND status=="stopped","stopped",EventCode=="104","success")
|
|
|
|
## start_mode from the start type: 7040 reads start_type2 (presumably the
## new type), 7045 reads Service_Start_Type.
LOOKUP-0start_mode_for_eventcode_7040_service_windows = windows_start_mode_lookup StartType AS start_type2 OUTPUTNEW start_mode
|
|
LOOKUP-1start_mode_for_eventcode_7045_service_windows = windows_start_mode_lookup StartType AS Service_Start_Type OUTPUTNEW start_mode
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
# Legacy field aliases to support ES 2.0.2, Winfra
|
|
FIELDALIAS-package_for_windows = signature_id AS package
|
|
FIELDALIAS-package_title_for_windows = signature AS package_title
|
|
|
|
|
|
## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility
|
|
# Extractions to add fields used by generic system extraction
|
|
REPORT-signature_message_from_xml = updatelist_from_user_data
|
|
REPORT-signature_from_xml = updatetitle_from_user_data
|
|
## ASNEW: only sets signature when it is not already present.
FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
|
|
|
|
## Normalise to a single Error_Code so the two-key (EventCode, Error_Code)
## lookup below always has an input; "-" stands for "no code in the event".
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
|
|
## Earlier single-key and multi-input variants, left commented out; the
## _input lookup below appears to supersede them.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
|
|
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
|
|
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
|
|
|
|
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
|
|
|
|
|
|
## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility
|
|
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
|
|
|
|
## 7040/7045 log "-" when no account is recorded; drop that placeholder.
EVAL-user = case(EventCode IN (7040,7045),case(user!="-",user),true(),user)
|
|
## Event 104 (the System log was cleared) is normalised as a Change event:
## the clearing account, fixed result/object_category/action values and
## change_type=audit. Worth alerting on — clearing a log is a common
## anti-forensic step. Every other EventCode keeps its existing value.
EVAL-user_name = if(EventCode==104, User, user_name)
|
|
EVAL-result = if(EventCode==104, "log file was cleared", result)
|
|
EVAL-object_category = if(EventCode==104, "audit log", object_category)
|
|
EVAL-action = if(EventCode==104, "cleared", action)
|
|
EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
|
|
EVAL-app = if(SourceName="IAS","ias",null())
|
|
|
|
## For 104, pull the log name out of "Message=The <name> log file was cleared".
EXTRACT-object_for_windows_system = (?ms)EventCode=104(?:\n|\r).*(?:Message=The\s(?<object>.+)\sfile)
|
|
|
|
##### Explanation for SEDCMD Extractions #####
|
|
## clean_info_text_from_winsystem_events_this_event: deletes all the informational text at the end of the event, starting from "This event is generated...", before indexing
|
|
|
|
|
|
##### SEDCMD Extractions #####
## Disabled by default. SEDCMD runs at index time and the removed text cannot
## be recovered afterwards, so enable it in local/ only if that trailing
## explanatory text is never needed for investigation.
|
|
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
|
|
|
|
## Apply the following properties to all WinEventLog events
|
|
## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
|
|
[source::(WMI:WinEventLog|WinEventLog)...]
|
|
|
|
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
## REPORT classes run in ASCII order of their names, so the 0 makes this one
## run before any letter-named class.
|
|
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
|
|
## Deliberately empty: disables the stock REPORT-MESSAGE inherited from
## $SPLUNK_HOME/etc/system/default/props.conf so the transforms are not
## applied twice. Do not remove this line.
REPORT-MESSAGE =
|
|
|
|
###########################
|
|
## Windows XML Event Log
|
|
###########################
|
|
## The field extractions below were moved here from [(?::){0}XmlWinEventLog:*], [source::*:System] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
|
|
[source::XmlWinEventLog:System]
|
|
|
|
## XML-rendered System channel: Service Control Manager (7036/7040/7045),
## Windows Update and log-cleared (104) events. Search-time order is
## extractions -> FIELDALIAS -> EVAL -> LOOKUP.
# Extractions to add fields used by generic system extraction
|
|
REPORT-signature_message_from_xml = updatelist_from_user_data
|
|
REPORT-signature_from_xml = updatetitle_from_user_data
|
|
## ASNEW: only sets signature when it is not already present.
FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
|
|
|
|
## Normalise to a single Error_Code so the two-key (EventCode, Error_Code)
## lookup below always has an input; "-" stands for "no code in the event".
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
|
|
## Earlier single-key and multi-input variants, left commented out; the
## _input lookup below appears to supersede them.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
|
|
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
|
|
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
|
|
|
|
|
|
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
|
|
## Windows Update signature / message / status extraction.
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
|
|
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
|
|
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
|
|
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
|
|
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
|
|
## Single quotes mark field references in eval.
EVAL-body = coalesce('signature_message','Message')
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
# Legacy field aliases to support ES 2.0.2, Winfra
|
|
FIELDALIAS-package_title_for_windows = signature AS package_title
|
|
FIELDALIAS-package_for_windows = signature_id AS package
|
|
|
|
## Service Control Manager events carry their message parameters as
## param1..paramN in XML: for 7036 param2 is the state word, for 7040 param3
## is the new start type.
REPORT-service_name = ServiceName_as_service_name
|
|
EVAL-status = case(EventCode=="7036" AND param2=="running","started",EventCode=="7036" AND param2=="stopped","stopped", EventCode==104, "success")
|
|
|
|
LOOKUP-0start_mode_for_eventcode_7045_service_windows_xml = windows_start_mode_lookup StartType OUTPUTNEW start_mode
|
|
LOOKUP-1start_mode_for_eventcode_7040_service_windows_xml = windows_start_mode_lookup StartType AS param3 OUTPUTNEW start_mode
|
|
|
|
## Event 104 (the System log was cleared) normalised as a Change event.
## NOTE(review): unlike [source::WinEventLog:System], action, object_category
## and result have no fall-through branch here, so for every other EventCode
## they evaluate to null; confirm a value extracted earlier is not meant to
## survive (change_type does keep its fall-through).
EVAL-action = case(EventCode==104, "cleared")
|
|
EVAL-object_category = case(EventCode==104, "audit log")
|
|
EVAL-result = case(EventCode==104, "log file was cleared")
|
|
EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
|
|
|
|
## The cleared log's name presumably comes from the UserData Channel element
## (channel_from_user_data in transforms.conf, not shown).
REPORT-channel_from_user_data = channel_from_user_data
|
|
EVAL-object = case(EventCode==104, user_data_channel + " log")
|
|
|
|
## Both regexes apply only to EventID 104; the greedy .* spans the whole event.
EXTRACT-user_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user>.*?)<\/SubjectUserName>
|
|
EXTRACT-user_name_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user_name>.*?)<\/SubjectUserName>
|
|
|
|
## The field extractions below were moved here from [(?::){0}XmlWinEventLog:*], [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
|
|
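[source::XmlWinEventLog:Security]
## CIM normalisation for XML-rendered Security channel events. Search-time
## order is extractions (REPORT/EXTRACT) -> FIELDALIAS -> EVAL -> LOOKUP, so an
## EVAL below may read extracted fields and a LOOKUP with OUTPUTNEW fills only
## what is still empty afterwards. Delimiter spacing was normalised to
## "key = value" throughout (Splunk trims it, so no behaviour change).
REPORT-logfilecleared_block_extract = logfilecleared_xml_block
REPORT-logfilecleareddata_for_xml = LogFileClearedData_from_user_data
## privilege
REPORT-0privilege_for_windows_security_xml = PrivilegeList_as_vendor_privilege
# Extractions to add fields used by generic security extraction
## Alias the XML element names onto the classic (text-rendering) field names
## so the classic-oriented REPORT transforms further down apply unchanged.
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
## Normalise to a single Error_Code so the two-key (EventCode, Error_Code)
## lookup below always has an input; "-" stands for "no code in the event".
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
## Earlier single-key and multi-input variants, left commented out; the
## _input lookup below appears to supersede them.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-CategoryString_for_windows_xml_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
## Lookups run in ASCII order of their class name, so the digits 0-3 fix the
## order in which action/status/change_type/object_attrs are filled; OUTPUTNEW
## means the first lookup to supply a value wins.
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
LOOKUP-object_for_windows3_security = xmlsecurity_change_audit_and_account_management_lookup EventCode OUTPUTNEW object_attrs,result
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
## OUTPUT (not OUTPUTNEW): privilege is always overwritten from the lookup.
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status = Status AS ta_windows_status
## Map the NTSTATUS in Status to a coarse outcome (compared upper-cased so
## either hex case matches):
##   0xC000006F invalid logon hours, 0xC0000070 workstation restriction,
##   0xC000015B logon type not granted, 0xC0000234 account locked out -> denied
##   0xC0000064 no such user                                          -> unknown
##   0xC0000133 clock skew with the DC, 0xC0000225 not found           -> error
## Anything else, including a missing Status (upper(null) is null), falls to
## the 1=1 default "failure". NOTE(review): confirm the consumer of
## ta_windows_action only reads it on events that actually carry Status.
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
## Five passes over the same lookup with different input fields; with
## OUTPUTNEW the first pass that matches (app0 before app1 ... app4) wins.
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
## Each REPORT lists its candidate transforms in priority order; the first
## one that extracts a value wins.
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(TargetUserName,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
## "-" is the event-log placeholder for an absent domain; drop it.
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
REPORT-member_user_name = special_user_from_member_name
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
## Attempt to map EventCodes that have sub-statuses (e.g. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist")
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## Direct regexes over the raw XML <Data Name='...'> elements.
EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
## src_ip from IpAddress, deliberately skipping ::1 and 127.0.0.1 (negative
## lookaheads), so purely local logons get no src_ip from this extraction.
## The bracket expressions accept either quote style around the attribute
## value; the brace characters in them look like templating residue and are
## harmless.
EXTRACT-1IpAddress_for_windows_security_from_xml = \<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
EXTRACT-new_process_for_windows_security_from_xml = <Data Name='NewProcessName'>(?<new_process>[^<]+)<\/Data>
EXTRACT-parent_process_for_windows_security_from_xml = <Data Name='ParentProcessName'>(?<parent_process>[^<]+)<\/Data>
EXTRACT-new_process_id_for_windows_security_from_xml = <Data Name='NewProcessId'>(?<new_process_id>[^<]+)<\/Data>
EXTRACT-process_id_for_windows_security_from_xml = <Data Name='ProcessId'>(?<process_id>[^<]+)<\/Data>
EXTRACT-process_command_line_for_xml = <Data Name='CommandLine'>(?<Process_Command_Line>[^<]+)<\/Data>
## 4624/4625 (logon success/failure) carry the authentication package name.
EVAL-authentication_method = case(EventCode IN (4624, 4625), AuthenticationPackageName, true(), authentication_method)
## XML Security-CIM Mappings
REPORT-parent_process_name_windows_xml = extract_parent_process_name_for_windows_xml
REPORT-new_process_name_windows_xml = extract_new_process_name_for_windows_xml
REPORT-target_process_name_windows_xml = extract_target_process_name_for_windows_xml
REPORT-caller_user_name_from_user_data_xml = SubjectUserName_from_user_data
REPORT-file_name_and_path = object_file_name_and_path_from_ObjectName_for_xml,file_name_and_path_from_FileName_for_xml,file_name_and_path_from_KeyFilePath_for_xml
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
## object_attrs by event: 4720/4738 none; 4717/4718 the access granted or
## removed; SamAccountName when present, except for group-management events;
## the member for group-membership changes (4728/4729/4732/4733/4756/4757);
## task content for scheduled-task events 4698-4702; for 4719 (audit policy
## changed) a synthesised category/subcategory/changes summary. Otherwise the
## existing object_attrs is kept.
EVAL-object_attrs = if(EventCode IN (4720,4738), null(),if(EventCode=4717, AccessGranted, (if(EventCode==4718, AccessRemoved, (if(isnotnull(SamAccountName) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), SamAccountName, if(EventCode IN (4728,4729,4732,4733,4756,4757), TargetUserName, if(EventCode IN (4698,4700,4701), TaskContent, if(EventCode==4702, TaskContentNew, if(EventCode==4719, "Category="+CategoryId+",Subcategory="+SubcategoryId+",Subcategory GUID="+SubcategoryGuid+",Changes="+AuditPolicyChanges,object_attrs))))))))))
## 4657: a registry value was modified.
EVAL-registry_path = if(EventCode==4657,ObjectName,registry_path)
EVAL-registry_value_name = if(EventCode==4657,ObjectValueName,registry_value_name)
EVAL-registry_value_type = if(EventCode==4657,NewValueType,registry_value_type)
## src: group-management events have no remote source, so dest is reused;
## 4778 (session reconnected) ClientAddress; 4624 IpAddress; 4625
## WorkstationName; otherwise whatever src the REPORTs above produced.
EVAL-src = case(EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4799), dest, EventCode==4778, ClientAddress, EventCode == 4624, IpAddress, EventCode==4625, WorkstationName, 1=1, src)
## file_name/file_path: explicit extraction first, then object-access events
## on ObjectType "File", then share events.
EVAL-file_name = coalesce(file_name,if(ObjectType=="File",object_file_name,null()),ShareName)
EVAL-file_path = coalesce(file_path,if(ObjectType=="File",object_file_path,null()),ShareLocalPath)
## 5156/5158 are Windows Filtering Platform connection/bind events.
EVAL-src_port = if(EventCode=5158 OR EventCode=5156, SourcePort, src_port)
## process for 4688 (process creation): when the extracted command-line
## executable appears to contain a path separator use the full command line;
## otherwise quote NewProcessName if it contains whitespace and append the
## extracted arguments; 4696 (primary token assigned) uses TargetProcessName.
## The mix of = and == in the case() tests across this group is cosmetic:
## Splunk eval treats both as equality.
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(NewProcessName,"\s"), "\"" + NewProcessName + "\"", NewProcessName)) + " " + process_command_line_arguments), NewProcessName) , EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
EVAL-process_path = case(EventCode==4688, new_process, EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
EVAL-process_id = case(EventCode==4688, new_process_id, EventCode==4696, TargetProcessId, true(), process_id)
EVAL-service = if(isnotnull(service),service, Service)
## Parent/child: for 4696 the event's own Process* fields describe the parent;
## the (?:.*\\\)?(.*) replace keeps only the file-name part of a path.
EVAL-parent_process = case(EventCode==4696,ProcessName,true(),parent_process)
EVAL-parent_process_id = case(EventCode==4688 OR EventCode==4696,ProcessId)
EVAL-parent_process_name = case(EventCode==4696,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
EVAL-parent_process_path = case(EventCode==4688,parent_process,EventCode==4696,ProcessName)
## 4689 process exit, 4673/4674 privileged service / privileged object use.
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"))
EVAL-process_name = case(EventCode=4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),ProcessName)
## user / user_name / src_user / src_user_name: choose the identity the CIM
## field expects per event family — Subject* is the actor, Target* the account
## acted on. For group-membership events the member comes from MemberSid (the
## part after the last backslash when it is in DOMAIN\name form) or else from
## member_user_name. "-" placeholders are discarded via nested case().
EVAL-user = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (1102,4673,4674,4689,4697,4698,4700,4701,4702,4719,4799), case(SubjectUserName!="-",SubjectUserName),EventCode==4696,case(user!="-",user),EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user)
EVAL-user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767,4800,4801), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (1102,4719,4698,4700,4701,4702,4799), SubjectUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user_name)
EVAL-src_user = case(EventCode IN (4624,4625,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781), case(SubjectUserName!="-",SubjectUserName), EventCode IN (4634,4800,4801), TargetUserName, true(),src_user)
EVAL-src_user_name = case(EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4754,4755,4756,4757,4758,4764,4767,4781), SubjectUserName, EventCode IN (4634,4800,4801), TargetUserName, true(),src_user_name)
EVAL-src_nt_domain = case(EventCode IN (4634,4800,4801), TargetDomainName, EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764), SubjectDomainName, true(), src_nt_domain)
## object / object_id: the account, group, computer, task or policy acted on;
## 1102 (audit log cleared) and 4719 (audit policy changed) get fixed labels.
EVAL-object = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4730,4731,4734,4735,4737,4738,4740,4754,4755,4758,4764,4767,4799), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"), -1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (4800,4801), Computer, EventCode IN (4698,4700,4701,4702),TaskName, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", true(), object)
EVAL-object_id = case(EventCode IN (4704, 4705, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4730, 4731, 4734, 4735, 4737, 4738, 4754, 4755, 4758, 4764, 4767, 4781, 4799), TargetSid, EventCode IN (4634,4703), TargetUserSid, EventCode IN (4728,4729,4732,4733,4756,4757), MemberSid, true(), object_id)
## Keywords 0x8020000000000000 is the Audit Success keyword. Every other
## event evaluates to null here, and the OUTPUTNEW lookups above (which run
## after EVALs) supply action instead.
EVAL-action = case(EventCode=="4688" AND Keywords=="0x8020000000000000","allowed")
## Assigning Group_Name based on EventCodes as not all EventCodes have GroupName same as TargetUserName and GroupDomain same as TargetDomainName
EVAL-Group_Name = case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name)
EVAL-Group_Domain = case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain)
## 4741/4742/4743: computer account created / changed / deleted.
EVAL-user_type = case(EventCode IN (4741, 4742, 4743), "computer")
LOOKUP-start_mode_for_windows_xml = windows_endpoint_service_service_type_lookup Service_Start_Type AS ServiceStartType OUTPUTNEW start_mode
LOOKUP-service_name = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service, service_name
## Class name reads "pot" (sic); left as-is because renaming a class would
## detach any local/ override that targets it.
LOOKUP-transport_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status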
|
|
|
|
## The field extractions below were moved here from [(?::){0}XmlWinEventLog:*]
|
|
[source::XmlWinEventLog:Application]
|
|
## Normalise to a single Error_Code so the two-key (EventCode, Error_Code)
## lookup below always has an input; "-" stands for "no code in the event".
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
|
|
## Earlier single-key and multi-input variants, left commented out; the
## _input lookup below appears to supersede them.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
|
|
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
|
|
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
|
|
|
|
## XML rendering carries the logging machine in Computer (classic uses ComputerName).
FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest
|
|
|
|
###### All Windows Event Log ######
|
|
|
|
###### Windows Application Event Log ######
|
|
|
|
## All Windows Application
|
|
|
|
## The field extractions below were moved here from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
|
|
[source::WinEventLog:Application]
|
|
## Classic rendering names the logging machine ComputerName; Computer is the
## XML fallback. Single quotes mark field references in eval.
EVAL-dest = coalesce('ComputerName','Computer')
|
|
|
|
## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility
|
|
## Normalise to a single Error_Code so the two-key (EventCode, Error_Code)
## lookup below always has an input; "-" stands for "no code in the event".
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
|
|
## Earlier single-key and multi-input variants, left commented out; the
## _input lookup below appears to supersede them.
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
|
|
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
|
|
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
|
|
|
|
|
|
|
|
## The field extractions below were moved here from [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
|
|
[source::WinEventLog:Security]
|
|
|
|
## CategoryString is written under a TA-prefixed name so it does not clobber a CategoryString the event already carries.
LOOKUP-CategoryString_for_windows_legacy_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
|
|
## severity is derived from EventCode alone.
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
|
|
|
|
## Attempt to map EventCodes that have sub-statuses (i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist")
|
|
## Keyed on the (signature_id, Sub_Status) pair; the resolved signature is also exposed as name and subject.
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
|
|
|
|
|
|
## action, status
|
|
|
|
## Security-CIM Mappings
|
|
## Four lookups write the same OUTPUTNEW fields (action, status). Lookup classes are applied in ASCII order of the
## class name (hence the 00 / 0 / 1 / 2 prefixes, the same trick as REPORT-0MESSAGE further down) and OUTPUTNEW
## keeps the first value set, so precedence is: change-action by EventCode, audit-changes by EventCode, Type, Keywords.
LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status
|
|
|
|
## Override action to allow audit log changes to correspond to Change Analysis data model
|
|
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
|
|
## Outcome keyed on the event's Type field ...
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
|
|
## ... and on Keywords matched against the lookup's Type column - presumably the XML-rendered equivalent; confirm.
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
|
|
|
|
## privilege
|
|
## vendor_privilege comes from a single-value (sv) and a multi-value (mv) transform; privilege_id is then derived
## from it (transform not visible here) and resolved to privilege with OUTPUT, i.e. overwriting any existing value.
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
|
|
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
|
|
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
|
|
|
|
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
|
|
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
FIELDALIAS-body_for_windows_security = Message AS body
|
|
## Status (an NTSTATUS code on logon events, e.g. 0xC0000064) is exposed unchanged as ta_windows_status ...
FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
|
|
## ... and classified here; matching is case-insensitive via upper(). The final "1=1" arm returns "failure" for
## every event whose Status is not one of the listed codes - including success events and events with no Status
## field at all - so consumers must gate on EventCode / ta_windows_status rather than on ta_windows_action alone.
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
|
|
|
|
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
|
|
## All five classes query the same windows_app_lookup with OUTPUTNEW, so the first one (in ASCII order, app0..app4)
## that yields a value wins; source is the last-resort fallback.
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
|
|
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
|
|
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
|
|
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
|
|
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
|
|
|
|
## Set the following fields based on order of operations
|
|
## Each REPORT value is a comma-separated list of transforms applied left to right; the lists read most-specific
## source first, with the SID/ID style fields (Security_ID, User_ID, Target_Account_ID) as the last fallback.
## Which value prevails when several sources are present depends on the transforms themselves (not visible here).
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
|
|
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
|
|
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
|
|
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
|
|
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
|
|
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
|
|
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,New_Security_ID_as_src_nt_domain,Security_ID_as_src_nt_domain
|
|
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
|
|
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
|
|
## Both the Logon_Account and Logon_account spellings are handled.
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Special_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
|
|
EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
|
|
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
|
|
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
|
|
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
|
|
## AD object-change details: msad_action / msad_attribute_changes are tried from several structured fields and
## then from raw-text patterns (raw1..raw4 / raw1..raw6).
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
|
|
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
|
|
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
|
|
## Windows renders an absent domain as "-"; treat that as no value.
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
|
|
|
|
## Section-scoped extractions (Subject:, Target:, Group:, ... blocks of the rendered message); they feed the
## *_Account_Name / *_Security_ID style fields used by the EVALs that follow.
REPORT-subject_fields = subject_fields_extraction
|
|
REPORT-target_fields = target_fields_extraction
|
|
REPORT-group_fields = group_fields_extraction
|
|
REPORT-new_account_fields = new_account_fields_extraction
|
|
REPORT-member_fields = member_fields_extraction
|
|
REPORT-account_locked_out_fields = account_locked_out_fields_extraction
|
|
REPORT-task_fields = task_fields_extraction
|
|
REPORT-new_task_fields = new_task_fields_extraction
|
|
|
|
## user, by EventCode:
##   4799                           -> Subject_Account_Name
##   group-management codes         -> null(); the group is the object, there is no meaningful user
##   4688                           -> src_user when user is "-" or missing, else user
##   4689/4696/4673/4674/4697       -> user, but only when it is not "-"
##   account-management codes       -> Target_Account_Name; 4781 (rename) -> Target_New_Account_Name
##   group-membership codes         -> the part after the last backslash of Member_Security_ID when it is
##                                     DOMAIN\name-qualified, else user unless that is "-" or itself qualified
##   everything else                -> the existing user value
EVAL-user = case(EventCode==4799,Subject_Account_Name,EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (4689,4696,4673,4674,4697),case(user!="-",user), EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),user)
|
|
## user_name follows the same scheme and additionally covers 4720 (New_Account_Account_Name), 4740
## (Account_Locked_Out_Name), 104 (User) and the Subject_Account_Name events 1102/4634/4698-4702/4719/4799/4800/4801.
EVAL-user_name = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (1102,4634,4698,4700,4701,4702,4719,4799,4800,4801), Subject_Account_Name, EventCode==104, User, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%")OR user=="-", null(), user)), true(),user_name)
|
|
## src_user is the acting account (Subject_Account_Name) for account/group management and logon-session events.
## NOTE(review): src_user_name below additionally covers 4720, 4732 and 4740 while src_user does not - possibly
## intentional, but 4732 in particular looks like an omission from this list; confirm.
EVAL-src_user = case(EventCode IN (4634,4703,4704,4705,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781,4800,4801), Subject_Account_Name, true(),src_user)
|
|
EVAL-src_user_name = case(EventCode IN (4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4728,4729,4733,4756,4757,4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801), Subject_Account_Name, true(),src_user_name)
|
|
## object: the thing acted on - group, account, computer (4800/4801), session owner (4634), scheduled task
## (4698-4702), or the member for membership changes. The two fixed strings cover the audit-tampering events:
## 1102 (audit log cleared) and 4719 (audit policy changed).
EVAL-object = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Name, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (4800,4801), ComputerName, EventCode==4634, Subject_Account_Name, EventCode IN (4698,4700,4701,4702), Task_Name, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode IN (4732,4729,4757,4756,4728,4733), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),object)
|
|
## object_id: the SID that goes with object (4732 is listed twice; the first arm already covers it).
EVAL-object_id = case(EventCode IN (4728,4729,4733,4756,4757),Member_Security_ID, EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Security_ID, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781), Target_Security_ID, EventCode==4720, New_Account_Security_ID, EventCode==4732, Member_Security_ID, EventCode==4740, Account_Locked_Out_Security_ID, EventCode==4634, Subject_Security_ID, true(), object_id)
|
|
## Logon success/failure (4624/4625) expose the authentication package (e.g. NTLM/Kerberos) as authentication_method.
EVAL-authentication_method = case(EventCode IN (4624,4625), Authentication_Package, true(), authentication_method)
|
|
## NOTE(review): this EventCode set does not include the account-management codes (4703-4705, 4722-4726, 4738,
## 4767, 4781) that src_user above does cover, so those events keep the REPORT-derived src_nt_domain; confirm.
EVAL-src_nt_domain = case(EventCode IN (4634,4720,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4740,4754,4755,4756,4757,4758,4764,4800,4801), Subject_Account_Domain, true(), src_nt_domain)
|
|
## For group-management events src is the machine that recorded the change (ComputerName), not a remote client.
EVAL-src = case(EventCode IN (4729,4799,4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4757,4756,4728,4733), ComputerName, true(), src)
|
|
|
|
## Text-rendered events: each (?s) pattern is anchored to its section heading and stops at the first blank line
## ((?:\r*\n){2}), so dest_port is only taken from the "Network Information:" block.
EXTRACT-dest_port_for_windows_security = (?s)Network Information:.*?Destination Port:\s+(?<dest_port>\S+).*?(?:(?:\r*\n){2})
|
|
## NOTE(review): [^$]+ means "any character except a literal $" and crosses line boundaries, so object_attrs runs
## from "Rule Name:" to the end of the event unless that is the last line; if only the rule name is wanted,
## [^\r\n]+ would stop at end of line. Confirm intent before changing.
EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?<object_attrs>[^$]+)$
|
|
EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?<process>\S+).*?(?:(?:\r*\n){2})
|
|
## Two classes both yield process_id: "0process_id" reads the "Application Information:" block, "process_id" the
## "Process Information:" block. Both fire when an event carries both sections - confirm which value is wanted.
EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
|
|
EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
|
|
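## Group_Domain / Group_Name for 4756, taken from the text-rendered "Group:" section ("Security ID: DOMAIN\name").
## The name runs to end of line ([^\r\n]+). The earlier form [^(?:\n|\r)]+ was a character class, not a group, so
## it also excluded "(", ")", "?", ":" and "|" and truncated any group name containing one of them.
## NOTE(review): with (?s) in effect, Group_Domain's .* may run across lines to the last backslash in the event;
## that is fine as long as no field after the Group section contains a backslash - confirm against sample events.
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?<Group_Domain>.*)\\(?<Group_Name>[^\r\n]+)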
|
|
|
|
## The extractions below are for XmlWinEventLog:Security and have been kept for backward compatibility
|
|
## privilege
|
|
## XML events carry privileges in PrivilegeList; mapping it onto vendor_privilege feeds the privilege chain above.
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
|
|
|
|
# Extractions to add fields used by generic security extraction
## (XML field names are aliased onto the legacy text-rendering names so the EVAL/LOOKUP logic above applies to both formats)
|
|
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
|
|
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
|
|
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
|
|
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
|
|
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
|
|
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
|
|
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
|
|
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
|
|
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
|
|
## Source_Workstation is tried from Workstation, WorkstationName and finally IpAddress.
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
|
|
|
|
## Same Error_Code / action lookup block as the Application stanzas; keep them in sync.
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
|
|
|
|
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
|
|
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
|
|
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
|
|
## Process-creation outcome from the XML Keywords field; EVAL precedes LOOKUP in the search-time pipeline, so for
## 4688 this wins over the OUTPUTNEW action lookups. No default arm: other codes are left to the lookups.
EVAL-action = case(EventCode=="4688" AND Keywords=="Audit Success","allowed",EventCode=="4688" AND Keywords=="Audit Failure","blocked")
|
|
|
|
REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest
|
|
|
|
## Raw-XML extractions for the Data elements of the EventData block.
EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
|
|
EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
|
|
## src_ip is deliberately NOT extracted when IpAddress is ::1 or 127.0.0.1 (negative lookaheads), so local logons
## carry no src_ip - the same intent as the disabled cleanxmlsrcip SEDCMD below, but applied at search time.
## The [}}\{\{'"] classes accept either quote style around the attribute value; the "}}" / "{{" characters look like
## templating-escape residue and are harmless, but worth tidying.
EXTRACT-1IpAddress_for_windows_security_from_xml =\<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
|
|
EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
|
|
## NOTE(review): Execution/@ProcessID is the PID of the process that wrote the event, not of the subject process
## described in EventData - confirm this is the process_id callers expect.
EXTRACT-process_id_for_windows_security_from_xml = <Execution ProcessID='(?<process_id>\d+)'
|
|
|
|
|
|
##### Explanation for SEDCMD Extractions #####
## Every SEDCMD-* in this section is commented out, so by default no index-time rewriting takes place.
## SEDCMD edits _raw before it is indexed and cannot be undone: the clean_info_text_* rules drop the explanatory
## trailer Windows appends to each event, and cleansrcip / cleanxmlsrcip remove loopback source addresses entirely.
## Enable them in ../local only after confirming nothing searches for the removed text.
|
|
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
|
|
## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
|
|
## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
|
|
## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
|
|
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x", which addresses most of the IPv6 log event issues
|
|
## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the information text at the end of the event starting from "Certificate information is..." before indexing
|
|
## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the information text at the end of the event starting from "Token Elevation Type indicates..." before indexing
|
|
## clean_info_text_from_winsecurity_events_this_event: This will delete all the information text at the end of the event starting from "This event is generated..." before indexing
|
|
## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
|
|
## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
|
|
|
|
|
|
##### SEDCMD Extractions (disabled by default) #####
|
|
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
|
|
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
|
|
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
|
|
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
|
|
## remove_ffff strips the IPv4-mapped IPv6 prefix everywhere in the event, not only in address fields.
#SEDCMD-remove_ffff = s/::ffff://g
|
|
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
|
|
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
|
|
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
|
|
|
|
## For XmlWinEventLog:Security
|
|
#SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
|
|
#SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
|
|
|
|
## Security-CIM Mappings
|
|
## Process-name / command-line pieces (new_process_name, target_process_name, process_command_line_process,
## process_command_line_arguments, object_file_name/path) that the EVALs below assemble.
REPORT-parent_process_name = extract_parent_process_name
|
|
REPORT-new_process_name = extract_new_process_name
|
|
REPORT-target_process_name = extract_target_process_name
|
|
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
|
|
REPORT-file_name_and_path = object_name_and_path_from_object_name,file_name_and_path_from_file_name,file_name_and_path_from_file_path
|
|
|
|
## process for 4688: Process_Command_Line when its executable part already carries a path (contains a backslash),
## otherwise New_Process_Name (quoted if it contains whitespace) plus the extracted arguments, falling back to
## New_Process_Name alone. 4696 uses Target_Process_Name; everything else coalesces Process / process / Process_Name.
## NOTE(review): Process_Command_Line is only present when command-line logging is enabled on the host; without
## it the New_Process_Name branch is taken - confirm that is acceptable for consumers of process.
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(New_Process_Name,"\s"), "\"" + New_Process_Name + "\"", New_Process_Name)) + " " + process_command_line_arguments), New_Process_Name), EventCode==4696, Target_Process_Name , true(), coalesce(Process, process, Process_Name))
|
|
## Registry audit events: 4657 (value modified) and 4670 (permissions changed) carry the key in Object_Name.
EVAL-registry_path = if(EventCode==4657 OR EventCode==4670,Object_Name,registry_path)
|
|
EVAL-registry_value_name = if(EventCode==4657, Object_Value_Name, registry_value_name)
|
|
EVAL-registry_value_type = if(EventCode==4657, New_Value_Type, registry_value_type)
|
|
## object_attrs: 4717/4718 -> Access_Right; any non-group-management event with a Group_Name -> Group_Name;
## 4698/4700/4701 -> TaskContent; 4702 -> TaskNewContent; 4719 -> concatenated audit-policy change description
## (string concatenation with a missing part yields null, so it is unset when e.g. Subcategory_GUID is absent).
EVAL-object_attrs = if(EventCode==4717 OR EventCode==4718,Access_Right,if(isnotnull(Group_Name) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799),Group_Name,if(EventCode IN (4698,4700,4701),TaskContent,if(EventCode==4702,TaskNewContent,if(EventCode==4719, "Category="+Category+",Subcategory="+Subcategory+",Subcategory GUID="+Subcategory_GUID+",Changes="+Changes,object_attrs)))))
|
|
## file_name / file_path: object-access events on File objects first, then share events, else the existing value.
EVAL-file_name = if(Object_Type=="File" AND isnotnull(object_file_name),object_file_name,if(isnotnull(Share_Name),Share_Name,file_name))
|
|
EVAL-file_path = if(Object_Type=="File" AND isnotnull(object_file_path),object_file_path,if(isnotnull(Share_Path),Share_Path,file_path))
|
|
|
|
## Parent/child process fields. For 4688 the parent is the Creator_Process_*; for 4696 (primary token assigned)
## the acting process is Process_* and the child is Target_Process_*.
EVAL-parent_process = case(EventCode==4696,Process_Name,true(),parent_process)
|
|
EVAL-parent_process_id = case(EventCode==4688,Creator_Process_ID,EventCode==4696,Process_ID)
|
|
## replace(...,"(?:.*\\\)?(.*)","\1") keeps only the part after the last backslash, i.e. the executable name.
EVAL-parent_process_name = case(EventCode==4696,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
|
|
EVAL-process_path = case(EventCode==4688,New_Process_Name,EventCode==4696,Target_Process_Name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,Process_Name)
|
|
EVAL-parent_process_path = case(EventCode==4688,Creator_Process_Name,EventCode==4696,Process_Name)
|
|
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"))
|
|
## process_name is process_exec plus a Process_Name default for all other codes.
EVAL-process_name = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),Process_Name)
|
|
EVAL-process_id = case(EventCode==4696,Target_Process_ID, EventCode==4689 OR EventCode==4673, Process_ID, true(), process_id)
|
|
|
|
## Same rule as in the XML stanza above: "computer" for 4741-4743, unset otherwise.
EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
|
|
|
|
## Endpoint service / port / change lookups (OUTPUTNEW, so values set by the EVALs above - e.g. object_attrs - win).
LOOKUP-service_name_for_endpoint_service = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service,service_name
|
|
LOOKUP-service_type_for_endpoint_service = windows_endpoint_service_service_type_lookup Service_Start_Type OUTPUTNEW start_mode
|
|
## Class name has a typo ("transpot"); kept as-is because ../local overrides are keyed on the class name.
LOOKUP-transpot_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
|
|
LOOKUP-wineventlog-change-object-fields = windows_wineventlog_change_object_fields_lookup EventCode OUTPUTNEW change_type,object_attrs,object_category,result
|
|
|
|
|
|
## IAS (Currently WinEventLog Support Only)
|
|
[source::WinEventLog:System:IAS]
|
|
## Key/value pairs are pulled out by a dedicated transform rather than generic auto-KV.
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
|
|
|
|
## Fixed application tag for this source.
EVAL-app = "ias"
|
|
|
|
|
|
[source::WinEventLog:ForwardedEvents]
## Events collected through Windows Event Forwarding (WEF). Every setting in this stanza is commented out, so it
## is a no-op until one of the SEDCMDs is enabled in ../local.
|
|
##### Explanation for SEDCMD Extractions #####
|
|
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x", which addresses most of the IPv6 log event issues
|
|
## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
|
|
## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
|
|
## clean_rendering_info_block: This will strip the entire extra <RenderingInfo> block from every forwarded event before it is indexed
## (the block holds the rendered, human-readable part of the event, so any search relying on that text stops matching once this is enabled)
|
|
|
|
|
|
##### SEDCMD Extractions (disabled by default) #####
|
|
#SEDCMD-remove_ffff = s/::ffff://g
|
|
#SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
|
|
#SEDCMD-cleansrcportxml=s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
|
|
## NOTE(review): (?s) only takes effect from where it appears, so the Culture='.*' part is greedy within a line
## while (.*) is greedy across lines up to the LAST </RenderingInfo> in the event - confirm on multi-event batches.
#SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
|
|
|
|
|
|
###### WindowsUpdateLog ######
|
|
## Any source path ending in WindowsUpdate.Log is assigned the sourcetype configured in the next stanza.
[source::...WindowsUpdate.Log]
|
|
sourcetype = WindowsUpdateLog
|
|
|
|
[WindowsUpdateLog]
|
|
## One event per line; breaking is left to the event breaker rather than line merging.
SHOULD_LINEMERGE = false
|
|
EVENT_BREAKER_ENABLE = true
|
|
FIELDALIAS-dest_for_windowsupdatelog = host AS dest
|
|
## signature_message is extracted first ("0" prefix) so the "1signature" transforms can derive signature from it.
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
|
|
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
|
|
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
|
|
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
|
|
## vendor_status (the update's own status word) is normalised to the CIM status value.
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id
|
|
|
|
# Legacy field aliases to support ES 2.0.2, Winfra
|
|
FIELDALIAS-package_for_windows = signature_id AS package
|
|
FIELDALIAS-package_title_for_windows = signature AS package_title
|
|
|
|
[WinRegistry]
|
|
|
|
## Registry Extractions
|
|
|
|
## registry_path, registry_key_name, registry_value_name
|
|
## Two transforms: one for key-only paths, one for key + value paths.
REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
|
|
REPORT-registry_value_data = registry_value_data_for_WinRegistry
|
|
FIELDALIAS-registry_value_type = data_type AS registry_value_type
|
|
|
|
## Endpoint Change Extractions
|
|
## Required fields: action,dest,object,object_category,object_path,status,user
|
|
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
|
|
## The monitored host is both dest and src; action / status / user_type are normalised through lookups (OUTPUT,
## so they overwrite any value already present).
FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
|
|
LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
|
|
FIELDALIAS-dest_for_WinRegistry = host AS dest
|
|
REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
|
|
## NOTE(review): the lookup's "object" column is matched against the event's sourcetype (not the extracted object
## field), so object_category is constant per sourcetype - confirm that is the intent.
LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
|
|
REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
|
|
LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status
|
|
REPORT-user_for_WinRegistry = user_for_WinRegistry
|
|
## user_type is likewise keyed on sourcetype.
LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type
|
|
FIELDALIAS-src_for_WinRegistry = host AS src
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Registry Dataset
|
|
FIELDALIAS-process_id_for_WinRegistry = pid AS process_id
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
#####################
|
|
## Splunk Perfmon/WMI
|
|
#####################
|
|
|
|
## Apply the following properties to all WMI events
|
|
[source::WMI...]
|
|
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
## (classes are applied in ASCII order of their name, so "0MESSAGE" runs before "MESSAGE").
|
|
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
|
|
## Empty value disables the REPORT-MESSAGE inherited from the system default props.
REPORT-MESSAGE =
|
|
|
|
[wmi]
|
|
## Events are delimited by the explicit end-of-event marker the WMI input writes, not by blank lines or timestamps.
LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
|
|
## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
|
|
## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
|
|
## Index-time: host, source and sourcetype are rewritten by the listed transforms in this order.
TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
|
|
## Empty value disables the inherited TRANSFORMS-FIELDS so it cannot run after (and undo) the override above.
TRANSFORMS-FIELDS =
|
|
|
|
###### ComputerSystem ######
|
|
[WMI:ComputerSystem]
|
|
## Physical memory (WMI TotalPhysicalMemory) exposed as the CIM mem field.
FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem
|
|
|
|
## The polled host is both dest and src.
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
|
|
[Perfmon:Processor]
|
|
## Single-counter Perfmon events: each EVAL keeps Value only when the counter name matches, null otherwise.
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
|
|
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
|
|
FIELDALIAS-cpu_instance = instance AS cpu_instance
|
|
## Interrupts are only reported for the _Total instance.
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
|
|
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Index-time transforms that shape the event for the metrics store; metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:Processor]
|
|
## Multi-KV Perfmon: every counter is already a field named after it (e.g. %_User_Time), so plain aliases suffice.
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
|
|
## Interrupts are only reported for the _Total instance.
EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
|
|
FIELDALIAS-cpu_instance = instance AS cpu_instance
|
|
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
|
|
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[Perfmon:Network_Interface]
|
|
## Single-counter Perfmon events: each EVAL keeps Value only for its counter name. bytes and thruput both map
## "Bytes Total/sec"; thruput_max is the link's "Current Bandwidth".
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
|
|
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
|
|
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
|
|
EVAL-packets = if(counter=="Packets/sec",Value,null())
|
|
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
|
|
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
|
|
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
|
|
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Index-time transforms that shape the event for the metrics store; metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:Network_Interface]
|
|
## Multi-KV Perfmon: counters are fields named after the counter (spaces as underscores), aliased straight to CIM names.
FIELDALIAS-bytes = Bytes_Total/sec as bytes
|
|
FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
|
|
FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
|
|
FIELDALIAS-packets = Packets/sec as packets
|
|
FIELDALIAS-packets_in = Packets_Received/sec as packets_in
|
|
FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
|
|
FIELDALIAS-thruput = Bytes_Total/sec as thruput
|
|
FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[Perfmon:DFS_Replicated_Folders]
|
|
## Metrics-store shaping only (no CIM field mappings for this object); metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[Perfmon:NTDS]
|
|
## Metrics-store shaping only (no CIM field mappings for this object); metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[Perfmon:DNS]
|
|
## Metrics-store shaping only (no CIM field mappings for this object); metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[Perfmon:CPU]
|
|
## Identical to [Perfmon:Processor]; keep the two stanzas in sync.
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
|
|
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
|
|
FIELDALIAS-cpu_instance = instance AS cpu_instance
|
|
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
|
|
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Index-time transforms that shape the event for the metrics store; metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:CPU]
|
|
## Identical to [PerfmonMk:Processor]; keep the two stanzas in sync.
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
|
|
EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
|
|
FIELDALIAS-cpu_instance = instance AS cpu_instance
|
|
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
|
|
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[Perfmon:System]
|
|
## Single-counter Perfmon events: Value is kept only for the matching counter name.
EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
|
|
EVAL-system_threads_count = if(counter=="Threads",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Index-time transforms that shape the event for the metrics store; metric_type is fixed to gauge.
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:System]
|
|
## Multi-KV Perfmon: the counters are already fields, so they are simply aliased.
FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count
|
|
FIELDALIAS-system_threads_count = Threads as system_threads_count
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[Perfmon:ProcessorInformation]
|
|
SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/
|
|
EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null())
|
|
EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Processes Dataset
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
[PerfmonMk:ProcessorInformation]
|
|
EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
|
|
EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Processes Dataset
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
[WMI:CPUTime]
|
|
REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
|
|
|
|
FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
|
|
FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
|
|
FIELDALIAS-cpu_instance = Name AS cpu_instance
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Disk ######
|
|
[Perfmon:LogicalDisk]
|
|
EVAL-mount = if(instance=="_Total", null(), instance)
|
|
# Keeping this field in ms
|
|
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
|
|
EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
|
|
EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
|
|
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
|
|
EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
|
|
EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
|
|
EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:LogicalDisk]
|
|
EVAL-mount = if(instance=="_Total", null(), instance)
|
|
# Keeping this field in ms
|
|
EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
|
|
FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
|
|
FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
|
|
FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
|
|
FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
|
|
FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
|
|
FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
FIELDALIAS-storage_free = Free_Megabytes as storage_free
|
|
EVAL-storage=((100*Free_Megabytes)/storage_free_percent)
|
|
EVAL-storage_used=(((100-storage_free_percent)*Free_Megabytes)/storage_free_percent)
|
|
EVAL-storage_used_percent=(100-storage_free_percent)
|
|
|
|
[Perfmon:PhysicalDisk]
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:PhysicalDisk]
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[WMI:FreeDiskSpace]
|
|
REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
|
|
|
|
FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
|
|
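## total storage in bytes: free bytes scaled up by the free percentage (100 * free / free_percent),
## the same relation the PerfmonMk:LogicalDisk stanza uses for its MB-based storage field
## the null guard and the arithmetic must test the same field (FreeMegabytes, as storage_free does);
## PercentFreeSpace>0 keeps the ratio defined and leaves the field unset on a full volume
## NOTE(review): this stanza works in bytes (x1048576) while the Perfmon stanzas work in MB — confirm the intended unit
EVAL-storage = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace) AND PercentFreeSpace>0,((FreeMegabytes*1048576)*100)/PercentFreeSpace,null())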
|
|
EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
|
|
FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
|
|
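## used storage in bytes: total minus free, i.e. free_bytes * (100 - free_percent) / free_percent,
## the same relation the PerfmonMk:LogicalDisk stanza uses; the previous form subtracted megabytes from bytes
## PercentFreeSpace>0 keeps the ratio defined and leaves the field unset on a full volume
EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace) AND PercentFreeSpace>0,((FreeMegabytes*1048576)*(100-PercentFreeSpace))/PercentFreeSpace,null())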
|
|
EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
|
|
[WMI:LogicalDisk]
|
|
FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
|
|
FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
|
|
FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
|
|
FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
|
|
FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
[WMI:LocalPhysicalDisk]
|
|
REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Network ######
|
|
[WMI:LocalNetwork]
|
|
FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
|
|
FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Process ######
|
|
[Perfmon:Process]
|
|
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
|
|
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
|
|
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Processes Dataset
|
|
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
[PerfmonMk:Process]
|
|
EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
|
|
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
|
|
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Processes Dataset
|
|
FIELDALIAS-process_id_for_perfmon = ID_Process AS process_id
|
|
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
###### Installed Apps ######
|
|
[Script:InstalledApps]
|
|
SHOULD_LINEMERGE = false
|
|
TRUNCATE = 0
|
|
LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
|
|
|
|
KV_MODE = none
|
|
|
|
REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
|
|
REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
|
|
REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
|
|
REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
|
|
REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
|
|
REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
|
|
REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
|
|
REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
|
|
REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
|
|
REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
|
|
REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
|
|
REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
|
|
REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
|
|
REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
|
|
REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
|
|
REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
|
|
REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
|
|
REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
|
|
REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
|
|
REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
|
|
REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
|
|
REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
|
|
REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
|
|
REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
|
|
REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps
|
|
|
|
###### Installed Updates ######
|
|
[WMI:InstalledUpdates]
|
|
REPORT-00Description_for_installedupdates = Description_for_installedupdates
|
|
FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
|
|
EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
|
|
LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Listening Ports ######
|
|
[Script:ListeningPorts]
|
|
SHOULD_LINEMERGE = false
|
|
|
|
## NOTE(review): spelled "None" here and in the Script:TimesyncConfiguration / Script:TimesyncStatus stanzas,
## but "none" in Script:InstalledApps; the documented value is lowercase — confirm the parser treats both the same
KV_MODE = None
|
|
REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
|
|
REPORT-1kv_for_listeningports = kv_for_listeningports
|
|
FIELDALIAS-dest_for_listeningports = dest_ip AS dest
|
|
FIELDALIAS-process_id_for_listeningports = pid AS process_id
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Ports Dataset
|
|
EVAL-transport_dest_port = transport."/".dest_port
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
###### Local Processes ######
|
|
[WMI:LocalProcesses]
|
|
REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
|
|
|
|
FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
|
|
FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
|
|
FIELDALIAS-process_for_wmi_localprocesses = windows_app AS Name, windows_app AS app, windows_app AS process
|
|
FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Processes Dataset
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
###### Memory ######
|
|
## Used memory is not available from the Perfmon Memory object or from WMI Win32_PerfFormattedData_PerfOS_Memory
|
|
## Total memory is available from WMI:ComputerSystem
|
|
[Perfmon:Memory]
|
|
EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
|
|
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
|
|
EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
|
|
EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
|
|
EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
|
|
EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
|
|
EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
|
|
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:Memory]
|
|
FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
|
|
FIELDALIAS-mem_free = Available_MBytes as mem_free
|
|
FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
|
|
FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
|
|
FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
|
|
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
|
|
|
|
## Redundant field alias (FIELDALIAS rather than EVAL) to avoid tag expansion issue ADDON-10972
|
|
FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
|
|
|
|
FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
|
|
FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[Perfmon:Network]
|
|
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
|
|
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
|
|
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
|
|
EVAL-packets = if(counter=="Packets/sec",Value,null())
|
|
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
|
|
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
|
|
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
|
|
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
|
|
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
|
|
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
|
|
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
|
|
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
[PerfmonMk:Network]
|
|
FIELDALIAS-bytes = Bytes_Total/sec as bytes
|
|
FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
|
|
FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
|
|
FIELDALIAS-packets = Packets/sec as packets
|
|
FIELDALIAS-packets_in = Packets_Received/sec as packets_in
|
|
FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
|
|
FIELDALIAS-thruput = Bytes_Total/sec as thruput
|
|
FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
|
|
|
|
FIELDALIAS-dest_for_perfmon = host AS dest
|
|
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
[WMI:Memory]
|
|
REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
|
|
|
|
FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
|
|
FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
|
|
FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
|
|
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
|
|
FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in
|
|
FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out
|
|
FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops
|
|
|
|
|
|
EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
|
|
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
|
|
EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Service ######
|
|
[WMI:Service]
|
|
REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
|
|
REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname
|
|
|
|
FIELDALIAS-file_path_for_wmi_service = service_path AS file_path
|
|
FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
|
|
FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
|
|
FIELDALIAS-status_for_wmi_service = State AS status
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Services Dataset
|
|
REPORT-report_field_extract_wmi_service_path_and_exec_name = field_extract_wmi_service_path, field_extract_wmi_service_exec
|
|
FIELDALIAS-description_for_wmi = Description AS description
|
|
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
|
|
FIELDALIAS-service_name_for_wmi = Name AS service, Name AS service_name
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
###### Time Configuration ######
|
|
[Script:TimesyncConfiguration]
|
|
DATETIME_CONFIG = CURRENT
|
|
LINE_BREAKER = ([\r\n]+)Current time:
|
|
|
|
KV_MODE = None
|
|
|
|
REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync
|
|
REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration
|
|
REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration
|
|
REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration
|
|
REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration
|
|
REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration
|
|
REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
|
|
REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
|
|
REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
|
|
REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration
|
|
REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration
|
|
REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration
|
|
REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration
|
|
REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration
|
|
REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration
|
|
REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration
|
|
REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration
|
|
REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration
|
|
REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration
|
|
REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration
|
|
REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration
|
|
REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync
|
|
|
|
###### Time Synchronization ######
|
|
[Script:TimesyncStatus]
|
|
DATETIME_CONFIG = CURRENT
|
|
LINE_BREAKER = ([\r\n]+)Current time:
|
|
|
|
KV_MODE = None
|
|
|
|
REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync
|
|
REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status
|
|
REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status
|
|
REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status
|
|
REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status
|
|
REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status
|
|
REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status
|
|
REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
|
|
REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status
|
|
REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status
|
|
REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status
|
|
REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status
|
|
REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status
|
|
REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
|
|
REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status
|
|
REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status
|
|
REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
|
|
REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync
|
|
|
|
LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
|
|
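## epoch time of the last successful sync, trying three layouts in turn
## the first layout carries an AM/PM marker (%p), which only adjusts the hour when paired with the
## 12-hour directive %I; with %H a PM timestamp parsed 12 hours early
EVAL-last_sync_time = coalesce(strptime(Last_Successful_Sync_Time, "%m/%d/%Y %I:%M:%S %p"),strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S"),strptime(Last_Successful_Sync_Time, "%d-%m-%Y %H:%M:%S"))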
|
|
|
|
FIELDALIAS-dest = host as dest
|
|
EVAL-resource_type = "system"
|
|
|
|
###### Uptime ######
|
|
[WMI:Uptime]
|
|
REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous
|
|
|
|
FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store
|
|
TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store
|
|
EVAL-metric_type = "gauge"
|
|
|
|
###### User Accounts ######
|
|
[WMI:UserAccounts]
|
|
REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name
|
|
FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
|
|
FIELDALIAS-status_for_wmi_useraccounts = Status AS status
|
|
FIELDALIAS-user_for_wmi_useraccounts = Name AS user
|
|
FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
|
|
LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled
|
|
FIELDALIAS-description_for_wmi_user_account_status = Description AS description
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Version ######
|
|
[WMI:Version]
|
|
REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
|
|
LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
|
|
FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
|
|
FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
|
|
EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())
|
|
FIELDALIAS-description = Caption as description
|
|
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Scheduled Jobs ######
|
|
[WMI:ScheduledJobs]
|
|
FIELDALIAS-dest_for_wmi = host AS dest
|
|
FIELDALIAS-src_for_wmi = host AS src
|
|
|
|
###### Host Inventory ######
|
|
[WinHostMon]
|
|
EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
|
|
EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
|
|
EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null())
|
|
EVAL-os = if(Type=="OperatingSystem", OS, null())
|
|
EVAL-family = if(Type=="Processor", Architecture, null())
|
|
EVAL-version = if(Type=="OperatingSystem", Version, null())
|
|
EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
|
|
EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
|
|
EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
|
|
EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
|
|
EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
|
|
EVAL-mount = if (Type=="Disk", Name, null())
|
|
EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
|
|
EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
|
|
EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
|
|
EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null())
|
|
EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null())
|
|
EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null())
|
|
EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null())
|
|
EVAL-description = if(Type=="Processor", Name, null())
|
|
EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null())
|
|
EVAL-cpu_architecture = if(Type=="Processor", Architecture, null())
|
|
REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer
|
|
REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor
|
|
REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service
|
|
|
|
FIELDALIAS-dest_for_winhostmon = host as dest
|
|
EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?<process>[^"}}\{\{]+)"
|
|
EXTRACT-service_for_winhostmon = DisplayName="(?<service>[^"}}\{\{]+)"
|
|
EVAL-start_mode = lower(StartMode)
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Services Dataset
|
|
REPORT-service_exec_for_WinHostMon_service_path_and_exec_name = service_exec_for_WinHostMon_service_path, service_exec_for_WinHostMon_service_exec
|
|
FIELDALIAS-process_id_for_winhostmon = ProcessId AS process_id
|
|
EXTRACT-service_name_for_winhostmon = DisplayName="(?<service_name>[^"}}\{\{]+)"
|
|
|
|
####WMI:WinEventLog####
|
|
## The field extractions below were moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...], [source::WMI...] and [source::*:System]
|
|
[WMI:WinEventLog:System]
|
|
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
|
|
FIELDALIAS-category_for_windows = TaskCategory as category
|
|
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
|
|
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
|
|
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
|
|
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
|
|
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
|
|
FIELDALIAS-id_for_windows = RecordNumber AS id
|
|
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
|
|
|
|
## Default lookup for the EventCode->signature mapping (e.g. EventCode=4625 with Sub_Status=null() yields "An account failed to log on")
|
|
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
|
|
|
|
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
|
|
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
|
|
|
|
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
|
|
|
|
FIELDALIAS-pid_for_wmi = IDProcess AS pid
|
|
|
|
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
|
|
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
|
|
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
|
|
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
|
|
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
|
|
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
EVAL-product = "Windows"
|
|
|
|
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
|
|
|
|
# Legacy field aliases to support ES 2.0.2, Winfra
|
|
FIELDALIAS-package_for_windows = signature_id AS package
|
|
FIELDALIAS-package_title_for_windows = signature AS package_title
|
|
|
|
## Field Mapping for Endpoint Data Model
|
|
## For Filesystem Dataset
|
|
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
|
|
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
##### Explanation for SEDCMD Extractions #####
|
|
## clean_info_text_from_winsystem_events_this_event: deletes the informational text at the end of the event, starting at "This event is generated...", before indexing
|
|
|
|
|
|
##### SEDCMD Extractions #####
|
|
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
|
|
|
|
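## The field extractions below were moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security]
## Search-time knowledge objects for Security-log events collected over WMI. The other Security
## sourcetypes carry the same keys; keep them in step when changing anything here.
[WMI:WinEventLog:Security]
## CategoryString/action/result come from the signature lookup keyed on signature_id; CategoryString
## is additionally copied into a TA-specific field so a later override of CategoryString cannot hide it.
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString
FIELDALIAS-category_for_windows = TaskCategory as category
## dvc = the machine that logged the event (ComputerName); dvc_nt_host = the Splunk host field
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
## severity: first keyed on EventCode, then (OUTPUTNEW, so only where still unset) on Type
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## EventCode=4756 (group membership change): pull the group's name and domain out of the "Group:"
## block of the message. The terminator class for Group_Domain was written as [^(?:\n|\r)], which
## inside a character class also excludes the literal characters "(", "?", ":" and "|"; a plain
## [^\r\n] is what was meant and is used here.
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?<Group_Name>.*)(?:\n|\r).*Account Domain:\s*(?<Group_Domain>[^\r\n]+)
## Attempt to map EventCodes that have sub statuses ( e.g. EventCode=4625 + Sub_Status=0xC0000064 = "User name does not exist" ).
## LOOKUP-* keys are applied in ASCII order of their class name, so this runs before *_windows3 below.
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## Default lookup for EventCode->signature mapping ( e.g. EventCode=4625 + Sub_Status=null() = "An account failed to log on" );
## OUTPUTNEW keeps whatever the sub-status lookup above already filled in.
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## dest/pid for WMI-collected events. NOTE(review): dest is also populated by
## REPORT-dest_for_windows_security further down (Target_Server_Name/ComputerName); confirm which value
## callers see, or whether dest ends up multivalued, before building detections on it.
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
## Fallbacks: derive action/status from the audit outcome (Type, then Keywords) where still unset
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
## OUTPUT (not OUTPUTNEW): the lookup value replaces any pre-existing privilege field — presumably intentional, confirm
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status = Status AS ta_windows_status
## Coarse outcome of a failed logon, derived from the NTSTATUS code in Status. The codes are the ones
## Microsoft documents for 4625 — verify against the current Status/SubStatus table before extending:
##   0xC000006F logon outside allowed hours, 0xC0000070 workstation restriction,
##   0xC000015B logon type not granted, 0xC0000234 account locked out   -> "denied"
##   0xC0000064 user name does not exist                                 -> "unknown"
##   0xC0000133 clock skew, 0xC0000225 not found                         -> "error"
##   anything else (e.g. 0xC000006D bad user name or password)           -> "failure"
## Keeping "unknown" apart from "failure" presumably lets probing of non-existent accounts be told
## apart from bad-password attempts. upper() makes the hex comparison case-insensitive.
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type.
## All five use OUTPUTNEW, so the first lookup (in class-name order) that returns a value wins.
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations: each REPORT lists the candidate vendor
## fields for one CIM field, in the order the TA prefers them (the transforms live in transforms.conf).
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
## user: the account acted upon (target/new/primary account, falling back to the SID), not the actor —
## the actor is src_user above. Note that Account_Name feeds both lists.
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
## user_group: first non-null of the group-style name fields
EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
## Active Directory change fields (msad_*), extracted from several message layouts
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
## "-" is the Windows placeholder for "no domain"; normalise it to null
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
## Field Mapping for Endpoint Data Model
## For Ports, Services and Processes Datasets
FIELDALIAS-dest_port_for_windows_security = Port AS dest_port
FIELDALIAS-service_id_for_windows_security = Service_ID AS service_id
FIELDALIAS-service_for_windows_security = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_name_for_windows_security = Process_Name AS process_name
FIELDALIAS-user_id_for_windows_security = User_ID AS user_id
## process_id: the WMI field if present, else the event's Process_ID
EVAL-process_id = coalesce('IDProcess','Process_ID')
EVAL-vendor_product = "Microsoft Windows"

##### Explanation for SEDCMD Extractions #####
## All SEDCMD entries below are commented out, i.e. shipped disabled. SEDCMD is an index-time
## (parsing-phase) setting: it rewrites _raw before the event is stored and cannot be undone later,
## and it only takes effect where parsing happens (heavy forwarder/indexer), not on the search head.
## The clean_info_text_* entries only drop static help text. cleansrcip, cleansrcport and remove_ffff
## erase or alter the source address/port as logged (loopback, port 0, the ::ffff: IPv4-mapped prefix);
## enable those in local/ only if losing the original values from the stored evidence is acceptable.
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x", which addresses most of the IPv6 log event issues
## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the information text at the end of the event starting from "Certificate information is..." before indexing
## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the information text at the end of the event starting from "Token Elevation Type indicates..." before indexing
## clean_info_text_from_winsecurity_events_this_event: This will delete all the information text at the end of the event starting from "This event is generated..." before indexing

##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g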
|
|
|
|
## The field extractions below were moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...]
## Search-time knowledge objects for Application-log events collected over WMI. This mirrors the
## shared part of [WMI:WinEventLog:Security] without the logon/audit-specific fields.
[WMI:WinEventLog:Application]
## CategoryString/action/result from the signature lookup keyed on signature_id
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## dvc = the machine that logged the event (ComputerName); dvc_nt_host = the Splunk host field
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
## severity: first keyed on EventCode, then (OUTPUTNEW, so only where still unset) on Type
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( e.g. EventCode=4625 + Sub_Status=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## NOTE(review): dest here is ComputerName (the logging machine), whereas the Security stanza aliases
## the Splunk host field to dest — confirm the difference is intended before correlating dest across sourcetypes.
FIELDALIAS-dest_for_wmi = ComputerName AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
## Field Mapping for Endpoint Data Model
## For Filesystem Dataset
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
FIELDALIAS-user_for_wmi = User AS user
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
###### Backward Compatibility ######
|
|
|
|
## Perfmon Disk Space
# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:FreeDiskSpace]
## the perfmon instance (the volume) is exposed as the CIM mount field
FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
## Each EVAL yields a value only when the event carries the matching counter (assumes one counter per
## event). "Free Megabytes" is converted to bytes (1048576 = 1024*1024).
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())
## the sampled machine is both src and dest of the measurement
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
## Perfmon CPUTime
# "Perfmon:CPUTime" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:CPUTime]
## Each EVAL yields a value only when the event carries the matching counter (assumes one counter per
## event); Value is passed through unchanged.
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
## the sampled machine is both src and dest of the measurement
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
|
|
## Perfmon LocalNetwork
# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:LocalNetwork]
## throughput counters; each EVAL yields a value only for its own counter (assumes one counter per event)
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
## the sampled machine is both src and dest of the measurement
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
|
|
|
|
|
|
## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
## "rename" is a search-time mapping: events stay indexed under their original sourcetype but are
## returned by, and get the knowledge objects of, the target sourcetype. Per props.conf.spec a search
## on the original name no longer matches (use _sourcetype for that), so saved searches and detections
## pinned to e.g. sourcetype=WinEventLog:Security must be moved to sourcetype=wineventlog.
## NOTE(review): the XmlWinEventLog list has no System:IAS entry, unlike the WinEventLog list — confirm
## whether that is intended.
[WinEventLog:Security]
rename = wineventlog
[WinEventLog:Application]
rename = wineventlog
[WinEventLog:System]
rename = wineventlog
[WinEventLog:System:IAS]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = wineventlog
[WinEventLog:Setup]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = wineventlog
## both spellings of the Defender channel are listed (see also "Windows Defender/Operational" below)
[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-LSA/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = wineventlog
[WinEventLog:Windows PowerShell]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PrintService/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WinRM/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog
## XML-rendered channels: same mapping, onto the xmlwineventlog sourcetype
[XmlWinEventLog:Security]
rename = xmlwineventlog
[XmlWinEventLog:Application]
rename = xmlwineventlog
[XmlWinEventLog:System]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Setup]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-LSA/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Windows PowerShell]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PrintService/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WinRM/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog
|
|
|
|
|
|
###### Rename stanzas for TA-AD WinEventLog sourcetypes ######
## Domain-controller channels formerly handled by TA-AD; mapped onto wineventlog at search time like the
## channels above (searches must use the new name; _sourcetype keeps the original).
[WinEventLog:DFS-Replication]
rename = wineventlog
[WinEventLog:Directory-Service]
rename = wineventlog
[WinEventLog:File-Replication-Service]
rename = wineventlog
[WinEventLog:Key-Management-Service]
rename = wineventlog
|
|
|
|
|
|
###### Rename stanzas for TA-DNS WinEventLog sourcetypes ######
## DNS Server event-log channel formerly handled by TA-DNS; mapped onto wineventlog at search time
[WinEventLog:DNS-Server]
rename = wineventlog
|
|
|
|
|
|
## The two stanzas below are kept for backward compatibility with events indexed before Splunk Add-on for Microsoft Windows 5.0.0.
## They are meant to be identical to [WinEventLog] and [XmlWinEventLog] respectively.
## These will be deprecated in future.
[wineventlog]
## CategoryString/action/result from the signature lookup keyed on signature_id
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## dvc = the machine that logged the event (ComputerName); dvc_nt_host = the Splunk host field
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
## severity keyed on Type only; the WMI stanzas also try EventCode first (LOOKUP-0severity_for_windows) — confirm the omission is intended
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( e.g. EventCode=4625 + Sub_Status=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets (classic-format field names with underscores)
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_for_windows = Process AS process
FIELDALIAS-process_name_for_windows = Process_Name AS process_name
FIELDALIAS-user_id_for_windows = User_ID AS user_id
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
## Backward-compatibility stanza for XML-rendered events indexed before 5.0.0 (see the note above [wineventlog]).
[xmlwineventlog]
## automatic KV is off: the XML is taken apart by the REPORT transforms below instead
KV_MODE = none
## first the top-level blocks (System, EventData, UserData, DebugData, RenderingInfo), then the key/value pairs inside them
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
## Normalise XML element names to the classic-format names so the shared knowledge objects
## (signature lookups keyed on signature_id/Sub_Status, RecordNumber aliases) apply to XML events too.
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## in the XML format the logging machine is the Computer element
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
## severity keyed on Type only; the WMI stanzas also try EventCode first — confirm the omission is intended
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( e.g. EventCode=4625 + Sub_Status=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets (XML element names have no underscores)
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
FIELDALIAS-process_name_for_windows = ProcessName AS process_name
FIELDALIAS-user_id_for_windows = UserID AS user_id
EVAL-vendor_product = "Microsoft Windows"
|
|
|
|
## Scripted input for collecting local IP config.
## The extractions assume netsh-style "Configuration for interface ..." output — confirm against the script.
[Script:NetworkConfiguration]
SHOULD_LINEMERGE = false
## one event per interface block
LINE_BREAKER = ([\r\n]+)(Configuration for interface )
KV_MODE = none
## TRUNCATE = 0 removes the per-event size limit entirely. Fine for a bounded netsh dump, but a runaway
## or tampered script output would then be indexed whole — keep the output bounded at the source.
TRUNCATE = 0
## interface name between the quotes; the field is named "if"
EXTRACT-netshaddressif=Configuration for interface \"(?<if>[^\"]+)
EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?<dhcp>(Yes|No))
## IPv4 only: [\d\.]+ will not match an IPv6 address
EXTRACT-netshaddressip=IP Address\:\s+(?<ip>[\d\.]+)
EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?<cidr>[^\s]+)
## the "(mask x.x.x.x)" suffix of the Subnet Prefix line
EXTRACT-netshaddressmask=mask (?<mask>[^\)]+)
## IPv4 only, as for ip above
EXTRACT-netshaddressgw=Gateway\:\s+(?<gw>[\d\.]+)
EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?<metric>\d+)
|
|
|
|
|
|
###### Extractions moved from TA-AD ######
## Output of the add-on's Active Directory health/site/replication/netlogon scripted inputs.
## NOTE(review): CHECK_FOR_HEADER is, I believe, deprecated in current props.conf.spec; it is harmless
## here but can be dropped when these stanzas are next revised.
[MSAD:NT6:Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:SiteInfo]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## site topology fields (adjacent sites, sites, site links, subnets); transforms live in transforms.conf
REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
[MSAD:NT6:Replication]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:Netlogon]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## netlogon.log: a new event starts at a "MM/DD HH:MM:SS [" timestamp (lookahead keeps it in the event)
LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
## NO_CLIENT_SITE lines: a client (host, IPv4 or IPv6 address) whose subnet is not mapped to an AD site.
## Worth watching — unmapped subnets are often unknown or newly connected networks.
EXTRACT-subnetaffinity = \s(?<src_domain>[^:]+): (?<msad_affinity>NO_CLIENT_SITE): (?<src_host>[^\s]+) (?<src_ip>[0-9A-Fa-f:\.]+)
## Older format of the same data. NOTE(review): this stanza names the domain src_nt_domain while the
## NT6 stanza above uses src_domain, and only matches IPv4 — confirm whether both still need to coexist.
[MSAD:SubnetAffinity]
EXTRACT-subnetaffinity = (?<src_nt_domain>\w+): NO_CLIENT_SITE: (?<src_host>\w+) (?<src_ip>[0-9\.]+)
|
|
|
|
|
|
###### Extractions moved from TA-DNS ######
## Output of the add-on's DNS zone-information and DNS health scripted inputs.
[MSAD:NT6:DNS-Zone-Information]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:DNS-Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## no per-event size limit: a large forwarder/listener list is kept whole. Acceptable for script output
## of known shape; keep the script's output bounded at the source.
TRUNCATE = 0
## split the server-address, listen-address, forwarder and log-IP-filter lists into multivalue fields
REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV
|
|
|
|
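## Windows DNS Server debug log (dns.log), extractions moved from TA-DNS.
[MSAD:NT6:DNS]
KV_MODE = none
## One event per log line, each starting with a locale-formatted timestamp. The "." between the date
## parts is unescaped, so any separator ("/", ".", "-") is accepted; that looks deliberate, since the
## separator depends on the server's locale — confirm before tightening it.
LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
# Load balancing on UF: the universal forwarder breaks events itself using the same pattern
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Parse a PACKET line: thread id, packet id, transport, direction, remote address (src_ip, IPv4 or
## IPv6), transaction id (xid), Q/R marker (operation), opcode, the [flags] block, optional QTYPE/QCLASS
## and the question name in length-prefixed form ("(3)www(7)example(3)com(0)"). The first label length
## is consumed by an optional group so questionname starts at the first label. That group was written
## "(:?...)" — a capturing group allowing a stray ":" — and is fixed here to the intended "(?:...)".
EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(?:\(\d+\))?(?<questionname>[^\n]*)\(0\)
## Body of the ANSWER or UPDATE section. Only matches when an AUTHORITY or ADDITIONAL section follows;
## a message whose answer section is the last one yields no ANSWER_OR_UPDATE_SECTION.
EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
## query: the label-length markers "(n)" replaced by ".". Splunk applies EVAL after FIELDALIAS, so this
## dotted form is what ends up in query; the alias below is kept for compatibility.
EVAL-query = replace(questionname,"(?:\(\d+\))",".")
FIELDALIAS-record_type = questiontype AS record_type
FIELDALIAS-query = questionname AS query
## src is the remote peer; dest is the DNS server that wrote the log (the Splunk host)
FIELDALIAS-src = src_ip AS src
FIELDALIAS-dest = host AS dest
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
## "R" in the operation column marks a response; anything else is a query
EVAL-message_type = if(operation=="R","Response", "Query")
## vendor-style signature, e.g. "RQ_NOERROR_A" (response) or "Q_NOERROR_A" (query)
EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
## strip "(n)" label lengths and "[...]" tokens from every answer value (mvmap needs Splunk 8.0 or later)
EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
EVAL-vendor_product = "Microsoft Windows"
REPORT-Multi_answer = Answer_multi_value
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
## vendor_dns_action presumably comes from KV_for_microsoftdns_action above — verify in transforms.conf
LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class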
|