admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '51f28ad3da'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_SA_CIM/default/transforms.conf

376 lines
10 KiB
Raw Blame History

###### Access Protection Transforms ######
[cim_access_action_lookup]
filename = cim_access_actions.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
###### Common Action Model Transforms ######
[force_index_cim_modactions]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = cim_modactions
[force_sourcetype_cim_modactions]
SOURCE_KEY = MetaData:Source
DEST_KEY = MetaData:Sourcetype
REGEX = ^.*[\\/](.+)_mod(?:alert|workflow).log$
FORMAT = sourcetype::modular_alerts:$1
[orig_action_name_for_stash_cam]
REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_action_name=\"([^"]+)
FORMAT = $0 orig_action_name::$1
DEST_KEY = _meta
[orig_sid_for_stash_cam]
REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_sid=\"([^"]+)
FORMAT = $0 orig_sid::$1
DEST_KEY = _meta
[orig_rid_for_stash_cam]
REGEX = \*{3}Common\sAction\sModel\*{3}.*orig_rid=\"([^"]+)
FORMAT = $0 orig_rid::$1
DEST_KEY = _meta
[sourcetype_for_stash_cam]
REGEX = \*{3}Common\sAction\sModel\*{3}.*sourcetype=\"([^"]+)
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype
[sinkhole_cam_header]
REGEX = (?s)^\*{3}Common\sAction\sModel\*{3}[^\n]+\n(.*)
FORMAT = $1
DEST_KEY = _raw
## Do not truncate _raw to 4096!
LOOKAHEAD = -1
[cam_action_mode_lookup]
filename = cam_action_modes.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cam_action_status_lookup]
filename = cam_action_statuses.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cam_category_lookup]
filename = cam_categories.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cam_task_lookup]
filename = cam_tasks.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cam_subject_lookup]
filename = cam_subjects.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cam_worker_lookup]
filename = cam_workers.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
###### Data Loss Prevention Transforms ######
[cim_dlp_action_lookup]
filename = cim_dlp_actions.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_dlp_object_category_lookup]
filename = cim_dlp_object_categories.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_dlp_type_lookup]
filename = cim_dlp_types.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
###### Endpoint Protection Transforms ######
[cim_malware_action_lookup]
filename = cim_malware_actions.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_update_status_lookup]
filename = cim_update_statii.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
## Endpoint Change Analysis
[cim_endpoint_action_lookup]
filename = cim_endpoint_actions.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_endpoint_object_category_lookup]
filename = cim_endpoint_object_categories.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_endpoint_severity_lookup]
filename = cim_endpoint_severities.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_endpoint_status_lookup]
filename = cim_endpoint_statuses.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_endpoint_user_type_lookup]
filename = cim_endpoint_user_types.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
###### Network Protection ######
[cim_traffic_action_lookup]
filename = cim_traffic_actions.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_transport_protocol_lookup]
filename = cim_transport_protocols.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
## Cloud
[cim_cloud_domain_lookup]
filename = cim_cloud_domains.csv
match_type = WILDCARD(domain)
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
## DNS
[cim_dns_reply_code_lookup]
filename = cim_dns_reply_codes2.csv
min_matches = 1
default_match = unknown
case_sensitive_match = false
reverse_lookup_honor_case_sensitive_match = false
## Email
[cim_email_protocol_lookup]
filename = cim_email_protocols.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_corporate_email_domain_lookup]
filename = cim_corporate_email_domains.csv
match_type = WILDCARD(domain)
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
[cim_src_user_domain]
SOURCE_KEY = src_user
REGEX = .*@(.+)
FORMAT = src_user_domain::$1
[cim_email_domain]
SOURCE_KEY = email
REGEX = .*@(.+)
FORMAT = email_domain::$1
[cim_recipient_domain]
SOURCE_KEY = recipient
REGEX = .*@(.+)
FORMAT = recipient_domain::$1
## IDS
[cim_ids_severity_lookup]
filename = cim_ids_severities.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_ids_type_lookup]
filename = cim_ids_types.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
## Proxy
[cim_http_method_lookup]
filename = cim_http_methods.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
[cim_http_status_lookup]
filename = cim_http_statuses.csv
min_matches = 1
default_match = unknown
match_type = WILDCARD(status)
reverse_lookup_honor_case_sensitive_match = false
[cim_http_tld_lookup]
filename = cim_http_tld.csv
case_sensitive_match = false
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
## SSL
## issuer - https://www.ietf.org/rfc/rfc2253.txt
[cim_ssl_issuer_common_name]
SOURCE_KEY = ssl_issuer
REGEX = CN\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_common_name::$1
[cim_ssl_issuer_country]
SOURCE_KEY = ssl_issuer
REGEX = C\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_country::$1
[cim_ssl_issuer_email]
SOURCE_KEY = ssl_issuer
REGEX = (?:E|emailAddress)\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_email::$1
[cim_ssl_issuer_locality]
SOURCE_KEY = ssl_issuer
REGEX = L\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_locality::$1
[cim_ssl_issuer_organization]
SOURCE_KEY = ssl_issuer
REGEX = O\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_organization::$1
[cim_ssl_issuer_state]
REGEX = ST\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_state::$1
[cim_ssl_issuer_street]
SOURCE_KEY = ssl_issuer
REGEX = STREET\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_street::$1
[cim_ssl_issuer_unit]
SOURCE_KEY = ssl_issuer
REGEX = OU\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_issuer_unit::$1
## subject - https://www.ietf.org/rfc/rfc2253.txt
[cim_ssl_subject_common_name]
SOURCE_KEY = ssl_subject
REGEX = CN\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_common_name::$1
[cim_ssl_subject_country]
SOURCE_KEY = ssl_subject
REGEX = C\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_country::$1
[cim_ssl_subject_email]
SOURCE_KEY = ssl_subject
REGEX = (?:E|emailAddress)\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_email::$1
[cim_ssl_subject_locality]
SOURCE_KEY = ssl_subject
REGEX = L\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_locality::$1
[cim_ssl_subject_organization]
SOURCE_KEY = ssl_subject
REGEX = O\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_organization::$1
[cim_ssl_subject_state]
SOURCE_KEY = ssl_subject
REGEX = ST\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_state::$1
[cim_ssl_subject_street]
SOURCE_KEY = ssl_subject
REGEX = STREET\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_street::$1
[cim_ssl_subject_unit]
SOURCE_KEY = ssl_subject
REGEX = OU\s*=(.*?)(?=[,;/]\s*(?:[A-Z]+|emailAddress)\s*=|$)
FORMAT = ssl_subject_unit::$1
## Vendor Product Tracker
[cim_vendor_product_tracker]
filename = cim_vendor_product_tracker.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
## Vuln
[cim_vuln_severity_lookup]
filename = cim_vuln_severities.csv
reverse_lookup_honor_case_sensitive_match = false
## max_matches=1 unneeded
## Web
[cim_corporate_web_domain_lookup]
filename = cim_corporate_web_domains.csv
match_type = WILDCARD(domain)
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
###### Splunk Internal Transforms ######
## search activity
## This transform has been deprecated
[datamodel_for_audittrail]
REGEX = (?:_ACCELERATE_|id=)DM_[^_]+_(.*?)(?:_ACCELERATE|\s)
FORMAT = datamodel::$1
## This transform has been deprecated
[savedsearch_name_for_audittrail]
REGEX = savedsearch_name=\"([^\"]+)
FORMAT = savedsearch_name::$1
## This transform has been deprecated
[user_for_audittrail]
REGEX = user\=([^,]+)
FORMAT = user::$1
## audittrail
[search_for_audittrail]
REGEX = (?s)\,\s*search=\'(.*?)\',\s*autojoin
FORMAT = search::$1
[splunk_action_lookup]
filename = splunk_actions.csv
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
[splunk_object_category_lookup]
filename = splunk_object_category.csv
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
[splunk_src_lookup]
filename = splunk_src.csv
max_matches = 1
reverse_lookup_honor_case_sensitive_match = false
# The next transform also sets status to "success" by default for
# fschange inputs (i.e., we assume "isdir=(0|1)" means a successful
# filesystem change.
[vendor_object_category-vendor_status-for_splunk_endpoint_change]
REGEX = isdir=(\d)
FORMAT = vendor_object_category::$1
[vendor_object-vendor_object_path-for_splunk_endpoint_change]
REGEX = path="(\S+)/(\S+)"
FORMAT = vendor_object_path::$1 vendor_object::$2
## splunkd
[signature_for_sendmodalert]
REGEX = sendmodalert.*(Alert\saction\sscript\scompleted|Invoking\smodular\salert\saction)
FORMAT = signature::$1
## splunk_web_access
[app-view_for_splunk_web_access]
REGEX = GET (?:/[^/]+){1,2}/app/([^/ ?]+)/([^/ ?]+)
FORMAT = app::$1 view::$2
Reference in new issue View Git Blame Copy Permalink