|
|
## windows system sub-sourcetyping
|
|
|
[source::WinEventLog:System]
|
|
|
TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog
|
|
|
|
|
|
###### All Windows Event Log ######
|
|
|
|
|
|
## Apply the following properties to all Windows events
|
|
|
[source::(WinEventLog|XmlWinEventLog|WMI:WinEventLog)...]
|
|
|
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString
|
|
|
FIELDALIAS-dvc_for_windows = host as dvc_nt_host,host as dvc
|
|
|
FIELDALIAS-event_id_for_windows = RecordNumber as event_id
|
|
|
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
|
|
|
|
|
|
## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
|
|
|
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature as name
|
|
|
|
|
|
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
|
|
|
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature as name
|
|
|
|
|
|
FIELDALIAS-signature_id_for_windows = EventCode as signature_id
|
|
|
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID as user_group_id
|
|
|
|
|
|
###### Add Windows Event Code Description Lookup Using LogName, EventCode ######
|
|
|
LOOKUP-EventCodeDescription_for_windows = windows_event_descriptions LogName,EventCode OUTPUTNEW EventCodeDescription
|
|
|
|
|
|
###### Add an Alias for TaskCategory and CategoryString from the Windows Events #####
|
|
|
#FIELDALIAS-CategoryString_for_windows = CategoryString as TaskCategory
|
|
|
|
|
|
###### Add Host value for Standard Windows Performance Counter Information ######
|
|
|
[source::(Perfmon|WMI:Perfmon)...]
|
|
|
FIELDALIAS-Host_for_windows_perfmon = host as Host
|
|
|
|
|
|
###### Windows Application Event Log ######
|
|
|
[source::WinEventLog:Application]
|
|
|
FIELDALIAS-dest_for_wineventlog_application = ComputerName as dest
|
|
|
FIELDALIAS-msgid = Message_ID AS message_id
|
|
|
|
|
|
###### Windows System Event Log ######
|
|
|
|
|
|
## All Windows System
|
|
|
[source::*:System]
|
|
|
REPORT-bestmatch_for_windows_system = ComputerName_as_dest,ComputerName_as_src
|
|
|
REPORT-package_for_windows_system_update = package_title_for_windows_system_update,package_for_windowsupdatelog
|
|
|
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
|
|
|
REPORT-user_for_windows_system = user_for_windows_system_ias
|
|
|
|
|
|
EVAL-vendor = "Microsoft"
|
|
|
EVAL-product = "Windows"
|
|
|
|
|
|
## IAS (Currently WinEventLog Support Only)
|
|
|
[source::WinEventLog:System:IAS]
|
|
|
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
|
|
|
|
|
|
EVAL-app = "ias"
|
|
|
|
|
|
###### WindowsUpdateLog ######
|
|
|
[source::*WindowsUpdateLog]
|
|
|
sourcetype = WindowsUpdateLog
|
|
|
|
|
|
[source::*WindowsUpdate.Log]
|
|
|
sourcetype = WindowsUpdateLog
|
|
|
|
|
|
[WindowsUpdateLog]
|
|
|
FIELDALIAS-dest_for_windowsupdatelog = host as dest
|
|
|
REPORT-0package_message_for_windowsupdatelog = package_message_for_windowsupdatelog
|
|
|
REPORT-1package_title_for_windowsupdatelog = package_title_for_windowsupdatelog,package_title_for_windowsupdatelog_restartrequired,package_title_for_windowsupdatelog_package_message
|
|
|
REPORT-package_for_windowsupdatelog = package_for_windowsupdatelog
|
|
|
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
|
|
|
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
|
|
|
|
|
|
###### WindowsFirewallLog ######
|
|
|
[Windows_FW]
|
|
|
pulldown_type = true
|
|
|
MAX_TIMESTAMP_LOOKAHEAD = 32
|
|
|
SHOULD_LINEMERGE = False
|
|
|
REPORT-Windows_FW = Transform_Windows_FW
|
|
|
|
|
|
[source::Splunk_Data_Collect]
|
|
|
EXTRACT-remote_data_host = host\=\"(?<host>[^\"]+)
|
|
|
|
|
|
[source::WinEventLog:Security]
|
|
|
EXTRACT-4625-fields = (?ms)EventCode=4625.*?Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<dst_user>.*?)\n.*?Account Domain:\s*(?<dst_nt_domain>.*?)\n.*?Logon ID:\s*(?<session_id>.*?)\n.*?\nLogon Type:.*?\n.*?Account For Which Logon Failed.*?\n.*?Security ID:(?<user_sid>.*?)\n.*?Account Name:(?<user>.*?)\n.*?Account Domain:(?<src_nt_domain>.*?)\n
|
|
|
EXTRACT-4624-srcip = (?ms)EventCode=4624\n.*?Source Network Address:\s+?(?<src_ip>[^\n]+)
|
|
|
EXTRACT-4624-user = (?ms)New Logon:\n*?.*?Security ID:\s*?(?<dest_nt_domain>[^\\]+)\\(?<src_host>.*?)\n.*?Account Name:(?<user>.*?)\s*\n.*?Account Domain:\s+(?<dst_nt_domain>[^\n]+).*?Logon ID:\s+(?<session_id>[^\n]+)
|
|
|
EXTRACT-group_changes = (?ms)EventCode=(4727|4730|4731|4734|4735|4737|4744|4745|4748|4749|4750|4753|4754|4755|4758|4759|4760|4763|4764).*Message=A (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled))\s(?<MSADGroupType>.*)\sgroup\swas\s(?<msad_action>[^\.]+).*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\s*\n.*Account Name:.*Group:.*Security ID:\s*(?<member_id>.*)\s*\n.*Group Name:.*Group Domain:(?<dest_nt_domain>[^(\r|\n)]+).*Attributes:
|
|
|
EXTRACT-group_change_4764 = (?ms)EventCode=(4764)(\n|\r).*Message\=A group’s type was (?<msad_action>[^\.]+)
|
|
|
EXTRACT-groupmembership_changes = (?ms)EventCode=(4728|4729|4732|4733|4746|4747|4751|4752|4756|4757|4761|4762).*Message=A member was (?<msad_action>.*) (to|from) a (?<MSADGroupClass>.*)\-(?<MSADGroupClassID>(enabled|disabled)) (?<MSADGroupType>.*) group.*Subject:.*Security ID:\s*(?<src_nt_domain>.*)\\(?<src_user>.*)\n.*Account Name:.*Account Domain:.*Member:.*Security ID:\s*.*\\(?<member>.*)\n.*Account Name:.*Group:.*
|
|
|
EXTRACT-dest_nt_domain_for_4756 = (?msi)EventCode=4756.*(?:Account Domain.*Account Domain|Account Domain(?!(Account Domain)))\:\s+(?<dest_nt_domain>[a-zA-Z0-9._[\S\-\S]+)$
|
|
|
EXTRACT-group_changes_event_4756 = (?ms)EventCode\=4756\s*\n.*Member\:.*CN\=(?<member_id>[^\,]+),CN.*Group\:.*Account\sName\:\s+(?<user_group>[^(\n|\r|\s)]+).*Account\sDomain\:\s+(?<member_nt_domain>[^(\n|\r|\s)]+).*
|
|
|
EXTRACT-group_change_groupname = (?ms)EventCode=(4756)(\n|\r).*Group:(\n|\r).*Security ID:(?<Group_Domain>.*)\\(?<Group_Name>[^(\n|\r)]+)(\r|\n).*Account Name:
|
|
|
EXTRACT-4662-fields = (?ms)EventCode=4662\s*\n.*Message=.*?\n.*?Subject\s*:.*?Account Name:\s*(?<src_user>.*?)\s*\n.*?Account Domain:\s*(?<src_nt_domain>.*?)\s*\n.*?Logon ID:\s*(?<session_id>.*?)\s*\n
|
|
|
EXTRACT-ObjectNameGuid = (?ms)EventCode=4662\s*\n.*Message=.*?Object\s*:.*?Object\sName:\s*(CN=|%)*{*(?<Object_Name_Guid>[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})}*.*
|
|
|
LOOKUP-msadgroupclass = GroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
|
|
|
EXTRACT-gpo_changes = (?ms)Object Type\:\s+groupPolicyContainer(\n|\r).*Object\sName\:\s+CN(=|=\")(?<Object_Name_Guid>\{.*\})
|
|
|
EXTRACT-msad_changes_oldevents = (?ms)EventCode=(624|628)(\n|\r).*Message\=(?<MSADChanges>[^\:]+)
|
|
|
EXTRACT-msad_action_oldevents = (?ms)EventCode=(624|628|642)(\n|\r).*Message\=User\sAccount\s(?<msad_action>[^\:]+)
|
|
|
EXTRACT-unlocked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^\.]+)\.(\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Target\sAccount\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+)
|
|
|
EXTRACT-locked_accounts = (?msi)Message\=A\suser\saccount\swas\s(?<msad_action>[^(\.|\s)]+)(\.|\s+|\n+|\r+).*Subject\:(\s+|\n+|\r+).*Account\sName\:\s+(?<src_user>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*Logon\sID\:\s+(?<session_id>[^(\s+|\n+|\r+)]+)(\s+|\n+|\r+).*(Account\sThat\sWas\sLocked\sOut|Target\sAccount)\:(\s+|\n+|\r+).*?Account Name\:\s+(?<user>[^(\s+|\n+|\r+)]+)
|
|
|
EXTRACT-group_changes_srcuser = (?ms)Account Name\:\s+(?<src_user>[^\n\r\s]+)[\r\n\s].*Account\sDomain\:\s+(?<src_nt_domain>[^\n\r\s]+)[\r\n\s].*Logon\sID\:\s+(?<session_id>[^\n\r\s]+)(\r|\n|\s).*Group\:
|
|
|
EXTRACT-PSN=Process Name:.*Microsoft\.Exchange\.(?<ProtocolServiceName>[^\.]+)\.exe
|
|
|
|
|
|
|
