
# Copyright (C) 2020 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#
###### Active Directory ######
# Scripted (external) lookup: Splunk executes user_account_control_property.py under
# python3, passing userAccountControl and receiving the decoded userAccountPropertyFlag.
# NOTE(review): the script is presumably resolved from this app's bin/ directory and
# runs under the Splunk service account with search-time input, so treat changes to
# it as code changes to the TA, not as configuration.
[user_account_control_property]
external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag
external_type = python
fields_list = userAccountControl,userAccountPropertyFlag
python.version = python3
###### DHCP ######
# Index-time: any line that does not start with a numeric record id followed by a
# comma (the DHCP log banner/header lines) is routed to nullQueue and never indexed.
[dhcp_discard_headers]
REGEX = ^(?:[^\d]+|\d+[^\d,])
DEST_KEY = queue
FORMAT = nullQueue
# Positional split on ','. DELIMS does no quoting, so a value that itself contains
# a comma (nt_host is client-supplied — presumably the DHCP client's host name option)
# shifts every following column; consumers should not assume `mac` is always a MAC.
[auto_kv_for_microsoft_dhcp]
DELIMS = ","
FIELDS = msdhcp_id,date,time,description,ip,nt_host,mac
[msdhcp_signature_lookup]
filename = msdhcp_signatures.csv
## IAS (Currently WinEventLog Support Only)
# Index-time: rewrites source for System-log events whose SourceName is IAS so the
# IAS-specific extractions below can be keyed on source.
[force_source_system_ias_for_wineventlog]
DEST_KEY = MetaData:Source
REGEX = SourceName\=IAS
FORMAT = source::WinEventLog:System:IAS
###### All Windows Event Log ######
## Lookups
[windows_severity_lookup]
filename = windows_severities.csv
case_sensitive_match = false
[windows_signature_lookup]
filename = windows_signatures.csv
[windows_signature_lookup2]
filename = windows_signatures_substatus.csv
[windows_eventtype_lookup]
filename = windows_eventtypes.csv
## REPORT
# Splits Image_File_Name at the last '\' or '/': file_path keeps the trailing
# separator, file_name is whatever follows it (the whole value when there is none).
[file_path-file_name_for_windows]
SOURCE_KEY = Image_File_Name
REGEX = ^(.*[\\/]+)*(.*)$
FORMAT = file_path::$1 file_name::$2
####### Windows Security Event Log ######
## Lookups
[windows_action_lookup]
filename = windows_actions.csv
[windows_app_lookup]
filename = windows_apps.csv
[windows_audit_changes_lookup]
filename = windows_audit_changes.csv
[windows_privilege_lookup]
filename = windows_privileges.csv
[MSADGroupType]
filename=msad_group_type.csv
max_matches=1
[xmlsecurity_eventcode_action_lookup]
filename = xmlsecurity_eventcode_action.csv
[xmlsecurity_eventcode_action_lookup_multiinput]
filename = xmlsecurity_eventcode_action_multiinput.csv
case_sensitive_match = false
[xmlsecurity_eventcode_errorcode_action_lookup]
filename = xmlsecurity_eventcode_errorcode_action.csv
case_sensitive_match = false
## REPORT
# Single-value form: text after "Privileges:"/"Assigned:" up to the next "<label>:".
# NOTE(review): only (?s) is set. The `^` inside the trailing group can then match
# at offset 0 of Message only, which the leading part has already consumed, so
# unless Splunk compiles REPORT regexes in multiline mode this stanza never matches
# and the _mv_ stanza below is what populates vendor_privilege. (?ms) looks
# intended — confirm against sample data before changing.
[vendor_privilege_sv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:)
FORMAT = vendor_privilege::$1
# Multi-value form: everything after the label to the end of Message.
[vendor_privilege_mv_for_windows_security]
SOURCE_KEY = Message
REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*)
FORMAT = vendor_privilege::$1
# One privilege_id per line of vendor_privilege.
[privilege_id_for_windows_security]
SOURCE_KEY = vendor_privilege
REGEX = ^([^\r\n]+)
FORMAT = privilege_id::$1
MV_ADD = True
# First run of digits after any leading non-digits in Token_Elevation_Type.
[Token_Elevation_Type_id_for_windows_security]
SOURCE_KEY = Token_Elevation_Type
REGEX = ^[^\d]+(\d+)
FORMAT = Token_Elevation_Type_id::$1
## Aliases
# When Logon_ID carries two lines, the second one becomes session_id; otherwise the
# whole value does.
[Logon_ID_as_session_id]
SOURCE_KEY = Logon_ID
REGEX = (?:(?:[^\n]+)\n)?(.*)
FORMAT = session_id::"$1"
[Client_Logon_ID_as_session_id]
SOURCE_KEY = Client_Logon_ID
REGEX = (.+)
FORMAT = session_id::"$1"
[Caller_Logon_ID_as_session_id]
SOURCE_KEY = Caller_Logon_ID
REGEX = (.+)
FORMAT = session_id::"$1"
# Host aliases: strip leading backslashes and drop the placeholder value "-".
# NOTE(review): the pattern is unanchored, so a value that merely starts with '-'
# is not dropped — it is kept with its first character removed. The src_nt_domain
# stanzas below use the explicit (?!^-$) guard instead; consider aligning.
[Target_Server_Name_as_dest]
SOURCE_KEY = Target_Server_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"
[ComputerName_as_dest]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest::"$1"
# XML events: <Computer> is both dest and src; no SOURCE_KEY, so this runs on _raw.
[Computer_as_dest]
REGEX = <Computer>([^<]+)<\/Computer>
FORMAT = dest::$1
[Computer_as_src]
REGEX = <Computer>([^<]+)<\/Computer>
FORMAT = src::$1
[Target_Server_Name_as_dest_nt_host]
SOURCE_KEY = Target_Server_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest_nt_host::"$1"
[ComputerName_as_dest_nt_host]
SOURCE_KEY = ComputerName
REGEX = (?:[\\]+)?([^-].*)
FORMAT = dest_nt_host::"$1"
# Domain aliases: last line of a two-line value, else the whole value.
[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
REGEX = (?:(?:[^\n]+)\n)?(.+)
FORMAT = dest_nt_domain::"$1"
# DOMAIN\name style values: everything before the last backslash is the domain.
[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
REGEX = (.+)
FORMAT = dest_nt_domain::"$1"
[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = (.+)[\\]
FORMAT = dest_nt_domain::"$1"
# src aliases: leading backslashes stripped, placeholder "-" dropped (unanchored —
# see the note on the dest aliases above).
[Workstation_Name_as_src]
SOURCE_KEY = Workstation_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
[Caller_Machine_Name_as_src]
SOURCE_KEY = Caller_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
[Client_Machine_Name_as_src]
SOURCE_KEY = Client_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
[Source_Network_Address_as_src]
SOURCE_KEY = Source_Network_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
[Client_Address_as_src]
SOURCE_KEY = Client_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
[Source_Workstation_as_src]
SOURCE_KEY = Source_Workstation
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src::"$1"
# src_ip is copied verbatim from the address field; nothing validates that the
# value is an IP literal, so "::1", "-"-prefixed or host-name values pass through.
[Source_Network_Address_as_src_ip]
SOURCE_KEY = Source_Network_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_ip::"$1"
[Client_Address_as_src_ip]
SOURCE_KEY = Client_Address
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_ip::"$1"
# src_nt_domain aliases: (?!^-$) rejects a value that is exactly "-" and nothing else.
[Caller_Domain_as_src_nt_domain]
SOURCE_KEY = Caller_Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"
[Client_Domain_as_src_nt_domain]
SOURCE_KEY = Client_Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"
# Requires a trailing newline, i.e. only fires when Account_Domain holds two values
# (subject then target); the first one is the source domain.
[Account_Domain_as_src_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = (?!^-$)([^\n]+)\n
FORMAT = src_nt_domain::"$1"
[Domain_as_src_nt_domain]
SOURCE_KEY = Domain
REGEX = (?!^-$)(.+)
FORMAT = src_nt_domain::"$1"
[Security_ID_as_src_nt_domain]
SOURCE_KEY = Security_ID
REGEX = (?!^-$)(.+)[\\]
FORMAT = src_nt_domain::"$1"
[Workstation_Name_as_src_nt_host]
SOURCE_KEY = Workstation_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"
[Caller_Machine_Name_as_src_nt_host]
SOURCE_KEY = Caller_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"
[Client_Machine_Name_as_src_nt_host]
SOURCE_KEY = Client_Machine_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"
[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"
[Source_Workstation_as_src_nt_host]
SOURCE_KEY = Source_Workstation
REGEX = (?:[\\]+)?([^-].*)
FORMAT = src_nt_host::"$1"
# src_user aliases.
[Caller_User_Name_as_src_user]
SOURCE_KEY = Caller_User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"
[Client_User_Name_as_src_user]
SOURCE_KEY = Client_User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"
# Two-line Account_Name only: first line (the subject) is src_user; the companion
# [Account_Name_as_user] stanza takes the last line as user.
[Account_Name_as_src_user]
SOURCE_KEY = Account_Name
REGEX = (?!^-$)([^\n]+)\n
FORMAT = src_user::"$1"
[User_Name_as_src_user]
SOURCE_KEY = User_Name
REGEX = (?!^-$)(.+)
FORMAT = src_user::"$1"
# user aliases: copied verbatim (no "-" guard here, unlike src_user).
[Target_User_Name_as_user]
SOURCE_KEY = Target_User_Name
REGEX = (.+)
FORMAT = user::"$1"
[Primary_User_Name_as_user]
SOURCE_KEY = Primary_User_Name
REGEX = (.+)
FORMAT = user::"$1"
[Target_Account_Name_as_user]
SOURCE_KEY = Target_Account_Name
REGEX = (.+)
FORMAT = user::"$1"
[New_Account_Name_as_user]
SOURCE_KEY = New_Account_Name
REGEX = (.+)
FORMAT = user::"$1"
[User_Name_as_user]
SOURCE_KEY = User_Name
REGEX = (.+)
FORMAT = user::"$1"
# Last line of a two-line Account_Name (the target), else the whole value.
[Account_Name_as_user]
SOURCE_KEY = Account_Name
REGEX = (?:(?:[^\n]*)\n)?([^\n]*)
FORMAT = user::"$1"
# DOMAIN\name values lose the domain prefix here. Consumers keying on `user` alone
# therefore cannot distinguish same-named accounts from different domains; pair it
# with the *_nt_domain fields when that matters.
[User_as_user]
SOURCE_KEY = User
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"
# Event Code 4776 (and possibly others)
# See also: [Logon_account_as_user]
[Logon_Account_as_user]
SOURCE_KEY = Logon_Account
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"
# Event Code 680 (and possibly others)
# See also: [Logon_Account_as_user]
[Logon_account_as_user]
SOURCE_KEY = Logon_account
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"
[Security_ID_as_user]
SOURCE_KEY = Security_ID
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = user::"$1"
# Group-membership fields: member_id without its domain prefix, member_nt_domain
# as the prefix including the trailing backslash.
[Member_ID_as_member_id]
SOURCE_KEY = Member_ID
REGEX = (?:[^\\]+\\)?(.+)
FORMAT = member_id::"$1"
[Security_ID_as_member_id]
SOURCE_KEY = Security_ID
REGEX = (.+)
FORMAT = member_id::"$1"
[Member_Name_as_member_dn]
SOURCE_KEY = Member_Name
REGEX = (.+)
FORMAT = member_dn::"$1"
[Account_Name_as_member_dn]
SOURCE_KEY = Account_Name
REGEX = (.+)
FORMAT = member_dn::"$1"
[Member_ID_as_member_nt_domain]
SOURCE_KEY = Member_ID
REGEX = ([^\\]+\\)?(?:.+)
FORMAT = member_nt_domain::"$1"
[Security_ID_as_member_nt_domain]
SOURCE_KEY = Security_ID
REGEX = ([^\\]+\\)?(?:.+)
FORMAT = member_nt_domain::"$1"
# Active Directory change semantics (group type, account and attribute changes).
[msad_action_from_Group_Type_Change]
SOURCE_KEY = Group_Type_Change
REGEX = Security (Enabled|Disabled) (\w+) Group (Changed) to Security (Enabled|Disabled) (\w+) Group[:\.]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3" MSADNewGroupClassID::"$4" MSADNewGroupType::"$5"
[msad_action_from_Change_Type]
SOURCE_KEY = Change_Type
REGEX = Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group Changed to Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group[.:]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" MSADNewGroupClassID::"$3" MSADNewGroupType::"$4"
[msad_action_from_Description1]
SOURCE_KEY = Description
REGEX = Security (Enabled|Disabled) (\w+) Group (.*?)[:\.]
FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3"
[msad_action_from_Description2]
SOURCE_KEY = Description
REGEX = Computer Account (.*?)[:\.]
FORMAT = msad_action::"$1"
[msad_action_from_Description3]
SOURCE_KEY = Description
REGEX = User Account (.*?)[:\.]
FORMAT = msad_action::"$1"
# _raw variants: the leading `.*` under (?s) is greedy, so each of these takes the
# LAST occurrence of its phrase in the event, not the first.
[msad_action_from_raw1]
SOURCE_KEY = _raw
REGEX = (?ms).*A computer account was (.*?)[:\.]
FORMAT = msad_action::"$1"
[msad_action_from_raw2]
SOURCE_KEY = _raw
REGEX = (?ms).*A user account was (.*?)[:\.]
FORMAT = msad_action::"$1"
[msad_action_from_raw3]
SOURCE_KEY = _raw
REGEX = (?ms).*An attempt was made to (.*?)[:\.]
FORMAT = msad_action::"$1"
# NOTE(review): here $1 is the EventCode alternation (4781|4912); the Message text
# is in a non-capturing group. msad_action therefore receives "4781"/"4912" rather
# than a verb phrase like the stanzas above. If a downstream lookup keys on the
# code this is fine; if a phrase was intended, the capture groups are swapped —
# confirm before changing.
[msad_action_from_raw4]
SOURCE_KEY = _raw
REGEX = (?ms)EventCode=(4781|4912)\s*\n.*Message=(?:.*?)[:\.]
FORMAT = msad_action::"$1"
# Attribute-change blocks, most specific first; raw3/raw4 run to end of event when
# there is no "Additional Information:" section.
[msad_attribute_changes_from_raw1]
SOURCE_KEY = _raw
REGEX = (?ms).*Changed Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
FORMAT = MSADChangedAttributes::"$1"
[msad_attribute_changes_from_raw2]
SOURCE_KEY = _raw
REGEX = (?ms).*Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
FORMAT = MSADChangedAttributes::"$1"
[msad_attribute_changes_from_raw3]
SOURCE_KEY = _raw
REGEX = (?ms).*Changed Attributes:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"
[msad_attribute_changes_from_raw4]
SOURCE_KEY = _raw
REGEX = (?ms)EventCode=(?:624|645|4720|4741).*Attributes:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"
[msad_attribute_changes_from_raw5]
SOURCE_KEY = _raw
REGEX = (?ms).*Category Settings:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"
[msad_attribute_changes_from_raw6]
SOURCE_KEY = _raw
REGEX = (?ms).*Policy Change Details:\s*\n(.*)
FORMAT = MSADChangedAttributes::"$1"
###### Windows System Event Log ######
# W32Time messages normalised into `signature` (three known phrasings).
[signature_for_windows_system_timesync]
SOURCE_KEY = Message
REGEX = ((?:The\s+time\s+provider\s+\w+\s+is\s+configured\s+to\s+acquire\s+time\s+from\s+one\s+or\s+more\s+time\s+sources\,\s+however\s+none\s+of\s+the\s+sources\s+are\s+currently\s+accessible)|(?:The\s+time\s+service\s+is\s+now\s+synchronizing\s+the\s+system\s+time\s+with\s+the\s+time\s+source)|(?:Time\s+Provider\s+\w+\:\s+An\s+error\s+occurred\s+during\s+DNS\s+lookup\s+of\s+the\s+manually\s+configured\s+peer))
FORMAT = signature::$1
[signature_message_for_windows_system_update]
REGEX = Installation Ready: The following updates are downloaded and ready for installation.*?:\s+((?:.*[\r\n])*)
FORMAT = signature_message::$1
[signature_for_windows_system_update]
REGEX = Windows successfully installed the following update:\s+(.*)
FORMAT = signature::"$1"
# One signature per "- <update>" line of signature_message.
[signature_for_windows_system_update2]
SOURCE_KEY = signature_message
REGEX = -\s+([^\r\n]+)
FORMAT = signature::$1
MV_ADD = True
# IAS: user name between an optional DOMAIN\ or DOMAIN/ prefix and the first '.'.
[user_for_windows_system_ias]
REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
FORMAT = user::"$1"
## IAS (Currently WinEventLog Support Only)
# Generic "name = value" lines inside Message become fields named after the log
# content. NOTE(review): the names are taken from the event body, so a Message line
# such as `user = x` or `action = y` creates a field that collides with the CIM
# fields defined elsewhere in this file; which extraction wins on collision is not
# visible here — confirm before relying on `user`/`src` for IAS events.
[auto_kv_for_windows_system_ias]
SOURCE_KEY = Message
REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*)
FORMAT = $1::$2
MV_ADD = TRUE
###### Update ######
[windows_update_status_lookup]
filename = windows_update_statii.csv
# WindowsUpdate.log "Content Install" lines: vendor_status is the installer's own
# wording, signature the update title; signature_id is the KB number when present.
[signature_message_for_windowsupdatelog]
REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
FORMAT = signature_message::"$1" vendor_status::"$2"
[signature_for_windowsupdatelog]
REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
FORMAT = vendor_status::"$1" signature::"$2"
[signature_for_windowsupdatelog_restartrequired]
REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
FORMAT = vendor_status::"$1" signature::"$2"
# One signature per "- Title (KBnnn)[, 64-Bit Edition]" item of signature_message.
[signature_for_windowsupdatelog_signature_message]
SOURCE_KEY = signature_message
REGEX = \-\s+([^)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
FORMAT = signature::"$1"
MV_ADD = True
[signature_id_for_windowsupdatelog]
SOURCE_KEY = signature
REGEX = (KB\d+)
FORMAT = signature_id::$1
MV_ADD = True
# Columns 3-5 of the log line (after date and time).
[pid-tid-component_for_windowsupdatelog]
REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
FORMAT = pid::$1 tid::$2 component::$3
###### Endpoint Changes ######
## Endpoint Changes: lookups
# A vendor status with no row in status.csv is reported as `failure` (default_match
# with min_matches = 1), so an unmapped-but-successful change shows up as a failed
# one; keep status.csv complete when new event_status values appear.
[endpoint_change_status_lookup]
filename = status.csv
default_match = failure
min_matches = 1
max_matches = 1
[endpoint_change_object_category_lookup]
filename = object_category.csv
[endpoint_change_vendor_action_lookup]
filename = vendor_actions.csv
[endpoint_change_user_type_lookup]
filename = user_types.csv
## Endpoint Changes: fs_notification legacy lookups
[fs_notification_change_type_lookup]
filename = fs_notification_change_type.csv
## Endpoint Changes: fs_notification transforms
# Quoted path split at its last separator into object_path and object.
[object_object_path_for_fs_notification]
REGEX = path[=:]\s*\"([^\"]+)(?:\\|\/)([^\"]+)
FORMAT = object_path::$1 object::$2
[vendor_object_category_for_fs_notification]
REGEX = isdir=(\d)
FORMAT = vendor_object_category::$1
## WinRegistry
## Registry Extractions
# Keys: registry_path is the full key_path, registry_key_name its last component.
# Values: the last component is the value name, the one before it the key name.
# Both require key_path on the line right after registry_type.
[registry_key_for_WinRegistry]
REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
FORMAT = registry_path::$1 registry_key_name::$2
[registry_key-registry_value_for_WinRegistry]
REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(.*?))\\([^"]+)
FORMAT = registry_path::$1 registry_key_name::$2 registry_value_name::$3
[registry_value_data_for_WinRegistry]
REGEX = data="([^"]+)"
FORMAT = registry_value_data::$1
## Endpoint Change Extractions
[object_as_registry_key_for_WinRegistry]
REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
FORMAT = object_path::$1 object::$2
[object_as_registry_value_for_WinRegistry]
REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(?:.*?))\\([^"]+)
FORMAT = object_path::$1 object::$2
# event_status="(<code>)<text>": numeric code and message text.
[vendor_status_msg_for_WinRegistry]
REGEX = event_status="\(([0-9-]+)\)([^\"]+)"
FORMAT = vendor_status::$1 msg::$2
# Note: user_path is not a CIM field, so we exclude it so as to avoid potential overlap.
# The commented "FORMAT" is for reference only.
# NOTE(review): for WinRegistry events `user` is the BASENAME OF process_image
# (e.g. the executable that touched the key), not an account name. Detections
# that join on `user` across sourcetypes should not treat this value as a principal.
[user_for_WinRegistry]
REGEX = process_image=\"(?:[^\"]+)\\([^\"]+)\"
FORMAT = user::$1
##FORMAT = user_path::$1 user::$2
###### Splunk WMI ######
# Index-time metadata overrides for WMI input. host is taken from the event body
# (ComputerName=, then wmi_hostname= when present), so the indexed host reflects
# the queried machine rather than the collecting forwarder; the value is only as
# trustworthy as the WMI output itself.
[wmi-host]
REGEX = (?m)ComputerName=(.+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
[wmi-override-host]
REGEX = (?m)wmi_hostname=(.+)
DEST_KEY = MetaData:Host
FORMAT = host::$1
# source/sourcetype become WMI:<wmi_type>; WinEventLog:<channel> types drop the WMI: prefix.
[wmi-source]
REGEX = (?m)wmi_type=([^\r\n]+)
DEST_KEY = MetaData:Source
FORMAT = source::WMI:$1
[wmi-sourcetype]
REGEX = (?m)wmi_type=([^\r\n]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::WMI:$1
[wmi-wineventlog-source]
REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
DEST_KEY = MetaData:Source
FORMAT = source::$1$2
[wmi-wineventlog-sourcetype]
REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::$1$2
## Installed Apps
# One REPORT per property of an installed-application record, each anchored at line
# start (^Key=) so that a key that is a suffix of another one ("Version" vs
# "DisplayVersion") cannot cross-match. UninstallString, ModifyPath, InstallSource
# and the URL/HelpLink fields are installer-supplied commands, paths and links —
# useful for hunting, but not validated here.
[AuthorizedCDFPrefix_for_win_installed_apps]
REGEX = ^AuthorizedCDFPrefix=([^\r\n]+)
FORMAT = AuthorizedCDFPrefix::$1
[Comments_for_win_installed_apps]
REGEX = ^Comments=([^\r\n]+)
FORMAT = Comments::$1
[Contact_for_win_installed_apps]
REGEX = ^Contact=([^\r\n]+)
FORMAT = Contact::$1
[DisplayVersion_for_win_installed_apps]
REGEX = ^DisplayVersion=([^\r\n]+)
FORMAT = DisplayVersion::$1
[HelpLink_for_win_installed_apps]
REGEX = ^HelpLink=([^\r\n]+)
FORMAT = HelpLink::$1
[HelpTelephone_for_win_installed_apps]
REGEX = ^HelpTelephone=([^\r\n]+)
FORMAT = HelpTelephone::$1
[InstallDate_for_win_installed_apps]
REGEX = ^InstallDate=([^\r\n]+)
FORMAT = InstallDate::$1
[InstallLocation_for_win_installed_apps]
REGEX = ^InstallLocation=([^\r\n]+)
FORMAT = InstallLocation::$1
[InstallSource_for_win_installed_apps]
REGEX = ^InstallSource=([^\r\n]+)
FORMAT = InstallSource::$1
[ModifyPath_for_win_installed_apps]
REGEX = ^ModifyPath=([^\r\n]+)
FORMAT = ModifyPath::$1
[NoModify_for_win_installed_apps]
REGEX = ^NoModify=([^\r\n]+)
FORMAT = NoModify::$1
[NoRepair_for_win_installed_apps]
REGEX = ^NoRepair=([^\r\n]+)
FORMAT = NoRepair::$1
[Publisher_for_win_installed_apps]
REGEX = ^Publisher=([^\r\n]+)
FORMAT = Publisher::$1
[Readme_for_win_installed_apps]
REGEX = ^Readme=([^\r\n]+)
FORMAT = Readme::$1
[Size_for_win_installed_apps]
REGEX = ^Size=([^\r\n]+)
FORMAT = Size::$1
[EstimatedSize_for_win_installed_apps]
REGEX = ^EstimatedSize=([^\r\n]+)
FORMAT = EstimatedSize::$1
[UninstallString_for_win_installed_apps]
REGEX = ^UninstallString=([^\r\n]+)
FORMAT = UninstallString::$1
[URLInfoAbout_for_win_installed_apps]
REGEX = ^URLInfoAbout=([^\r\n]+)
FORMAT = URLInfoAbout::$1
[URLUpdateInfo_for_win_installed_apps]
REGEX = ^URLUpdateInfo=([^\r\n]+)
FORMAT = URLUpdateInfo::$1
[VersionMajor_for_win_installed_apps]
REGEX = ^VersionMajor=([^\r\n]+)
FORMAT = VersionMajor::$1
[VersionMinor_for_win_installed_apps]
REGEX = ^VersionMinor=([^\r\n]+)
FORMAT = VersionMinor::$1
[WindowsInstaller_for_win_installed_apps]
REGEX = ^WindowsInstaller=([^\r\n]+)
FORMAT = WindowsInstaller::$1
[Version_for_win_installed_apps]
REGEX = ^Version=([^\r\n]+)
FORMAT = Version::$1
# NOTE(review): the only stanza in this group without the ^ anchor, so it also
# matches any key whose name ends in "Language=". If that is unintended, add the
# anchor to match its siblings — confirm against sample data first.
[Language_for_win_installed_apps]
REGEX = Language=([^\r\n]+)
FORMAT = Language::$1
[DisplayName_for_win_installed_apps]
REGEX = ^DisplayName=([^\r\n]+)
FORMAT = DisplayName::$1
## Installed Updates
[Description_for_installedupdates]
REGEX = ^Description=([^\r\n]+)
FORMAT = Description::$1
## Listening Ports
# IPv4 literals only (dotted quad inside "dest_ip=[...]"). A socket bound to an
# IPv6 address gets no dest_ip from this stanza — TODO confirm that is acceptable.
[dest_ip_for_listeningports]
REGEX = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = dest_ip::$1
# Generic key=value pairs separated by spaces.
[kv_for_listeningports]
DELIMS = " ", "="
## Time Configuration
# `w32tm`-style "Key: value" lines, one REPORT per key, each anchored at line start.
# Values are kept verbatim (units and trailing text included).
[Current_time_for_win_timesync]
REGEX = ^Current\s*time:([^\r\n]+)
FORMAT = Current_time::$1
[EventLogFlags_for_win_timesync_configuration]
REGEX = ^EventLogFlags:([^\r\n]+)
FORMAT = EventLogFlags::$1
[AnnounceFlags_for_win_timesync_configuration]
REGEX = ^AnnounceFlags:([^\r\n]+)
FORMAT = AnnounceFlags::$1
[TimeJumpAuditOffset_for_win_timesync_configuration]
REGEX = ^TimeJumpAuditOffset:([^\r\n]+)
FORMAT = TimeJumpAuditOffset::$1
[MinPollInterval_for_win_timesync_configuration]
REGEX = ^MinPollInterval:([^\r\n]+)
FORMAT = MinPollInterval::$1
[MaxPollInterval_for_win_timesync_configuration]
REGEX = ^MaxPollInterval:([^\r\n]+)
FORMAT = MaxPollInterval::$1
[MaxNegPhaseCorrection_for_win_timesync_configuration]
REGEX = ^MaxNegPhaseCorrection:([^\r\n]+)
FORMAT = MaxNegPhaseCorrection::$1
[MaxPosPhaseCorrection_for_win_timesync_configuration]
REGEX = ^MaxPosPhaseCorrection:([^\r\n]+)
FORMAT = MaxPosPhaseCorrection::$1
[MaxAllowedPhaseOffset_for_win_timesync_configuration]
REGEX = ^MaxAllowedPhaseOffset:([^\r\n]+)
FORMAT = MaxAllowedPhaseOffset::$1
[FrequencyCorrectRate_for_win_timesync_configuration]
REGEX = ^FrequencyCorrectRate:([^\r\n]+)
FORMAT = FrequencyCorrectRate::$1
[PollAdjustFactor_for_win_timesync_configuration]
REGEX = ^PollAdjustFactor:([^\r\n]+)
FORMAT = PollAdjustFactor::$1
[LargePhaseOffset_for_win_timesync_configuration]
REGEX = ^LargePhaseOffset:([^\r\n]+)
FORMAT = LargePhaseOffset::$1
[SpikeWatchPeriod_for_win_timesync_configuration]
REGEX = ^SpikeWatchPeriod:([^\r\n]+)
FORMAT = SpikeWatchPeriod::$1
[LocalClockDispersion_for_win_timesync_configuration]
REGEX = ^LocalClockDispersion:([^\r\n]+)
FORMAT = LocalClockDispersion::$1
[HoldPeriod_for_win_timesync_configuration]
REGEX = ^HoldPeriod:([^\r\n]+)
FORMAT = HoldPeriod::$1
[PhaseCorrectRate_for_win_timesync_configuration]
REGEX = ^PhaseCorrectRate:([^\r\n]+)
FORMAT = PhaseCorrectRate::$1
[UpdateInterval_for_win_timesync_configuration]
REGEX = ^UpdateInterval:([^\r\n]+)
FORMAT = UpdateInterval::$1
# FileLogName is a path the time service writes to; worth watching for changes.
[FileLogName_for_win_timesync_configuration]
REGEX = ^FileLogName:([^\r\n]+)
FORMAT = FileLogName::$1
[FileLogEntries_for_win_timesync_configuration]
REGEX = ^FileLogEntries:([^\r\n]+)
FORMAT = FileLogEntries::$1
[FileLogSize_for_win_timesync_configuration]
REGEX = ^FileLogSize:([^\r\n]+)
FORMAT = FileLogSize::$1
[FileLogFlags_for_win_timesync_configuration]
REGEX = ^FileLogFlags:([^\r\n]+)
FORMAT = FileLogFlags::$1
[Time_zone_for_win_timesync]
REGEX = ^Time\s*zone:([^\r\n]+)
FORMAT = Time_zone::$1
## Time Synchronization
# Maps Last_Sync_Error text to an action; wildcard match, first row wins.
[windows_timesync_action_lookup]
filename = windows_timesync_actions.csv
match_type = WILDCARD(Last_Sync_Error)
max_matches = 1
# Time-service status lines ("Key: value"), one REPORT per key.
[Leap_Indicator_for_win_timesync_status]
REGEX = ^Leap\s*Indicator:([^\r\n]+)
FORMAT = Leap_Indicator::$1
[Stratum_for_win_timesync_status]
REGEX = ^Stratum:([^\r\n]+)
FORMAT = Stratum::$1
[Precision_for_win_timesync_status]
REGEX = ^Precision:([^\r\n]+)
FORMAT = Precision::$1
[Root_Delay_for_win_timesync_status]
REGEX = ^Root\s*Delay:([^\r\n]+)
FORMAT = Root_Delay::$1
[Root_Dispersion_for_win_timesync_status]
REGEX = ^Root\s*Dispersion:([^\r\n]+)
FORMAT = Root_Dispersion::$1
[ReferenceId_for_win_timesync_status]
REGEX = ^ReferenceId:([^\r\n]+)
FORMAT = ReferenceId::$1
[Last_Successful_Sync_Time_for_win_timesync_status]
REGEX = ^Last\s*Successful\s*Sync\s*Time:([^\r\n]+)
FORMAT = Last_Successful_Sync_Time::$1
# The peer the clock is synchronised from — an unexpected value here is a
# time-source hijack indicator, not just a health issue.
[Source_for_win_timesync_status]
REGEX = ^Source:([^\r\n]+)
FORMAT = Source::$1
[Poll_Interval_for_win_timesync_status]
REGEX = ^Poll\s*Interval:([^\r\n]+)
FORMAT = Poll_Interval::$1
[Phase_Offset_for_win_timesync_status]
REGEX = ^Phase\s*Offset:([^\r\n]+)
FORMAT = Phase_Offset::$1
[ClockRate_for_win_timesync_status]
REGEX = ^ClockRate:([^\r\n]+)
FORMAT = ClockRate::$1
[State_Machine_for_win_timesync_status]
REGEX = ^State\s*Machine:([^\r\n]+)
FORMAT = State_Machine::$1
[Time_Source_Flags_for_win_timesync_status]
REGEX = ^Time\s*Source\s*Flags:([^\r\n]+)
FORMAT = Time_Source_Flags::$1
[Server_Role_for_win_timesync_status]
REGEX = ^Server\s*Role:([^\r\n]+)
FORMAT = Server_Role::$1
[Last_Sync_Error_for_win_timesync_status]
REGEX = ^Last\s*Sync\s*Error:([^\r\n]+)
FORMAT = Last_Sync_Error::$1
[Time_since_Last_Good_Sync_Time_for_win_timesync_status]
REGEX = ^Time\s*since\s*Last\s*Good\s*Sync\s*Time:([^\r\n]+)
FORMAT = Time_since_Last_Good_Sync_Time::$1
## Version
[wmi_version_range_lookup]
filename = wmi_version_range.csv
[wmi_user_account_status_lookup]
filename = wmi_user_account_status.csv
[Caption_for_wmi_version]
REGEX = ^Caption=([^\r\n]+)
FORMAT = Caption::$1
## Setting generic sourcetype and unique source
# Index-time: source becomes WinEventLog:<LogName> (classic) or
# XmlWinEventLog:<Channel> (XML); sourcetype is cut at its first ':' so all channels
# share one generic sourcetype.
[ta-windows-fix-classic-source]
DEST_KEY = MetaData:Source
REGEX = (?m)^LogName=(.+?)\s*$
FORMAT = source::WinEventLog:$1
[ta-windows-fix-xml-source]
DEST_KEY = MetaData:Source
REGEX = <Channel>(.+?)<\/Channel>.*
FORMAT = source::XmlWinEventLog:$1
[ta-windows-fix-sourcetype]
SOURCE_KEY = MetaData:Sourcetype
DEST_KEY = MetaData:Sourcetype
REGEX = sourcetype::([^:]*)
FORMAT = sourcetype::$1
## Overriding host to identify system from which events are generated
# Index-time: host is REPLACED by the ComputerName/<Computer> found in the event
# body, cut at the first '.'. That is what attributes forwarded/collected events to
# the originating machine instead of the collector, but it also means host is only
# as trustworthy as the event body — an event carrying a different ComputerName is
# indexed under that name — and machines sharing a short name in different domains
# collapse into one host value.
[WinEventHostOverride]
DEST_KEY = MetaData:Host
REGEX = (?m)^ComputerName=([^.]+)
FORMAT = host::$1
[WinEventXmlHostOverride]
DEST_KEY = MetaData:Host
REGEX = <Computer>([^.<]+).*?<\/Computer>
FORMAT = host::$1
###### Generic XML eventlog extraction ######
# Extract the XML into blocks
# Each block is the inner text of the corresponding top-level element; the
# generic key/value stanzas below then run on those blocks, not on _raw.
[system_xml_block]
REGEX = (?ms)<System(?:\s+[^>]+)?>(.*?)<\/System>
FORMAT = System_Props_Xml::$1
[eventdata_xml_block]
REGEX = (?ms)<EventData(?:\s+[^>]+)?>(.*?)<\/EventData>
FORMAT = EventData_Xml::$1
MV_ADD = 1
[userdata_xml_block]
REGEX = (?ms)<UserData(?:\s+[^>]+)?>(.*?)<\/UserData>
FORMAT = UserData_Xml::$1
[debugdata_xml_block]
REGEX = (?ms)<DebugData(?:\s+[^>]+)?>(.*?)<\/DebugData>
FORMAT = DebugData_Xml::$1
[renderinginfo_xml_block]
REGEX = (?ms)<RenderingInfo(?:\s+[^>]+)?>(.*?)<\/RenderingInfo>
FORMAT = RenderingInfo_Xml::$1
# NOTE(review): the four generic stanzas below build the FIELD NAME from the XML
# itself (FORMAT = $1::$2). Element/attribute/Data names therefore land as
# search-time fields verbatim, and a provider whose <Data Name='user'> or
# <Data Name='src'> would populate those CIM fields directly. Which extraction
# wins on a name collision is not visible from this file — confirm before
# relying on such fields for channels with third-party providers.
[system_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = System_Props_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1
[system_props_xml_attributes]
# Extracts values from following fields:
# Provider: Name, Guid
# TimeCreated: SystemTime, RawTime
# Correlation: ActivityID, RelativeActivityID
# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
# Security: UserID
# The captured value keeps its surrounding quotes (the quote characters are inside
# group 2).
SOURCE_KEY = System_Props_Xml
REGEX = (?ms)([^\s=]+)\s*=\s*(\'[^<\']*\'|"[^<"]*")
FORMAT = $1::$2
MV_ADD = 1
[eventdata_xml_data]
# Extracts from <Data Name='name'>value</Data> as name:value. Skips ComplexData tags
# The optional closing-tag group back-references group 1 (the Name attribute), not
# the element name, so it only ever matches when Name equals the tag name; harmless,
# since the value capture already stops at the next '<'.
SOURCE_KEY = EventData_Xml
REGEX = <(?:\w+)\sName='([^>]*)'\/?>([^<]*)(?:<\/\1>)?
FORMAT = $1::$2
MV_ADD = 1
[rendering_info_xml_data]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = RenderingInfo_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1
[updatelist_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<updatelist(?:\s+[^>]+)?>(.*?)<\/updatelist>
FORMAT = signature_message::$1
[updatetitle_from_user_data]
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<updatetitle(?:\s+[^>]+)?>(.*?)<\/updatetitle>
FORMAT = signature::$1
# XML-to-classic field aliases so the Security-log aliases above apply to both formats.
[EventID_as_EventCode]
SOURCE_KEY = EventID
REGEX = (.+)
FORMAT = EventCode::$1
[EventID2_as_EventCode]
REGEX = <EventID.*?>(.+?)<\/EventID>.*
FORMAT = EventCode::$1
[EventRecordID_as_RecordNumber]
SOURCE_KEY = EventRecordID
REGEX = (.+)
FORMAT = RecordNumber::$1
[PrivilegeList_as_vendor_privilege]
SOURCE_KEY = PrivilegeList
REGEX = (.+)
FORMAT = vendor_privilege::$1
[IpPort_as_Source_Port]
SOURCE_KEY = IpPort
REGEX = (.+)
FORMAT = Source_Port::$1
[TokenElevationType_as_Token_Elevation_Type]
SOURCE_KEY = TokenElevationType
REGEX = (.+)
FORMAT = Token_Elevation_Type::$1
[TargetServerName_as_Target_Server_Name]
SOURCE_KEY = TargetServerName
REGEX = (.+)
FORMAT = Target_Server_Name::$1
[LogonType_as_Logon_Type]
SOURCE_KEY = LogonType
REGEX = (.+)
FORMAT = Logon_Type::$1
[SubjectLogonId_as_Logon_ID]
SOURCE_KEY = SubjectLogonId
REGEX = (.+)
FORMAT = Logon_ID::$1
[SubjectDomainName_as_Caller_Domain]
SOURCE_KEY = SubjectDomainName
REGEX = (.+)
FORMAT = Caller_Domain::$1
[TargetDomainName_as_Target_Domain]
SOURCE_KEY = TargetDomainName
REGEX = (.+)
FORMAT = Target_Domain::$1
[SubjectUserName_as_Caller_User_Name]
SOURCE_KEY = SubjectUserName
REGEX = (.+)
FORMAT = Caller_User_Name::$1
[TargetUserName_as_Target_User_Name]
SOURCE_KEY = TargetUserName
REGEX = (.+)
FORMAT = Target_User_Name::$1
[SubStatus_as_Sub_Status]
SOURCE_KEY = SubStatus
REGEX = (.+)
FORMAT = Sub_Status::$1
# Three different XML fields feed Source_Workstation (and through it src/src_nt_host);
# IpAddress is the last one listed, so an IP can end up in a *_nt_host field.
[Workstation_as_Source_Workstation]
SOURCE_KEY = Workstation
REGEX = (.+)
FORMAT = Source_Workstation::$1
[WorkstationName_as_Source_Workstation]
SOURCE_KEY = WorkstationName
REGEX = (.+)
FORMAT = Source_Workstation::$1
[IpAddress_as_Source_Workstation]
SOURCE_KEY = IpAddress
REGEX = (.+)
FORMAT = Source_Workstation::$1
#Tag Expansion Regexs - ADDON10972
# Named-group extractions for WMI performance/service/account output. The "."
# in these patterns does not cross line breaks (no (?s)), only the \s* gaps do,
# so each property is expected on its own line in the order given.
[field_extract_wmi_localprocesses_anomalous]
REGEX = IDProcess=(?<windows_id_process>\d+)\s*Name=(?<windows_app>\S+)\s*PercentProcessorTime=(?<windows_cpu_load_percent>\d+)\s*PrivateBytes=(?<mem_used>\d+)
[field_extract_wmi_freediskspace_anomalous]
REGEX = FreeMegabytes=(?<windows_free_megabytes>\d+)\s*Name=(?<windows_name>\S+)\s*PercentFreeSpace=(?<windows_storage_free_percent>\d*)
[field_extract_wmi_memory_anomalous]
REGEX = AvailableBytes=(?<windows_available_bytes>\d+)\s*CommittedBytes=(?<windows_committed_bytes>\d+)\s*(?:PagesInputPersec=\d+(?:\.\d+)?\s*PagesOutputPersec=\d+(?:\.\d+)?)?\s*PagesPersec=(?<windows_pages_per_sec>\d+(?:\.\d+)?)\s*PercentCommittedBytesInUse=(?<windows_percent_committed>\d+(?:\.\d+)?)\s*PoolNonpagedBytes=(?<windows_pool_nonpaged_bytes>\d+)\s*PoolPagedBytes=(?<windows_pool_paged_bytes>\d+)
[field_extract_wmi_service_state_anomalous]
REGEX = Caption=(?<windows_caption>.+)\s*Description=(?<windows_description>.+)\s*Name=(?<windows_name>.+)\s*PathName=(?<windows_path_name>.*)\s*StartMode=(?<windows_start_mode>\S*)\s*StartName=(?<windows_start_name>.*)\s*State=(?<windows_state>\S*)\s*Status=(?<windows_status>\S+)
[field_extract_wmi_uptime_anomalous]
REGEX = SystemUpTime=(?<windows_uptime>\d+)
[field_extract_wmi_cputime_anomalous]
REGEX = PercentProcessorTime=(?<windows_percent_processor_time>\d+)\s*PercentUserTime=(?<windows_percent_user_time>\d+)
# NOTE(review): "Domain=.*Name=" and "Name=.*PathName=" require the skipped
# property and the next one on the SAME line (no (?s)); if the WMI output puts each
# property on its own line these two stanzas cannot match — confirm with sample data.
[field_extract_wmi_useraccounts_caption_description_name]
REGEX = Caption=(?<Caption>.+)\s*Description=(?<Description>.+)\s*Domain=.*Name=(?<Name>.+)\s*SID=
[field_extract_wmi_service_caption_description_pathname]
REGEX = Caption=(?<Caption>.+)\s*Description=(?<Description>.+)\s*Name=.*PathName=(?<PathName>.+)\sStartMode=
[field_extract_wmi_localphysicaldisk_name]
REGEX = Name=(?<Name>.+)\s*PercentDiskReadTime
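# Service binary path from the WMI PathName property.
# A quoted PathName ("C:\Program Files\x\y.exe" -arg) is taken verbatim between the
# quotes. An unquoted one keeps the original greedy capture — up to the LAST
# backslash-delimited token before the next '=' — which is what makes unquoted
# paths containing spaces come out whole.
# Fix: previously the greedy capture was applied to quoted values too, so an
# argument that itself holds a backslash path (e.g. `-D "C:\data"`) was folded into
# service_path and the dependent service_exec became that argument's basename
# instead of the service binary.
# (?| is a PCRE branch-reset group: every alternative populates capture group 1.
[field_extract_wmi_service_path]
REGEX = PathName=(?|\"([^\"]+)\"|\'([^\']+)\'|[\"\']?([^=]*[\\][^\s:"'><|\/\\]+))
FORMAT = service_path::$1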
# Basename of service_path (text after the last '\' or '/'); only as accurate as
# service_path itself.
[field_extract_wmi_service_exec]
SOURCE_KEY = service_path
REGEX = (?:.*[\\\/](.*))
FORMAT = service_exec::$1
## WinHostMon
# WinHostMon records are Key="value" lines; these take the quoted value verbatim.
[System_Type_for_WinHostMon_computer]
REGEX = ^System\sType="([^\r\n]+)"
FORMAT = System_Type::$1
[Processor_Id_for_WinHostMon_processor]
REGEX = ^Processor\sId="([^\r\n]+)"
FORMAT = Processor_Id::$1
# Raw service Path, including any arguments.
[Path_for_WinHostMon_service]
REGEX = ^Path="([^\r\n]+)"
FORMAT = Path::$1
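# Service binary path from the WinHostMon Path field.
# A quoted path ("C:\Program Files\x\y.exe" -arg) is taken verbatim between the
# quotes. An unquoted one keeps the original greedy capture — up to the LAST
# backslash-delimited token before the next '=' — which is what makes unquoted
# paths containing spaces come out whole.
# Fix: previously the greedy capture was applied to quoted values too, so an
# argument that itself holds a backslash path (e.g. `-D "C:\data"`) was folded into
# service_path and the dependent service_exec became that argument's basename
# instead of the service binary.
# (?| is a PCRE branch-reset group: every alternative populates capture group 1.
[service_exec_for_WinHostMon_service_path]
REGEX = Path=(?|\"([^\"]+)\"|\'([^\']+)\'|[\"\']?([^=]*[\\][^\s:"'><|\/\\]+))
FORMAT = service_path::$1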
# Basename of service_path (text after the last '\' or '/'); only as accurate as
# service_path itself.
[service_exec_for_WinHostMon_service_exec]
SOURCE_KEY = service_path
REGEX = (?:.*[\\\/](.*))
FORMAT = service_exec::$1
##Metric store transforms
# Index-time (WRITE_META) extractions that turn perfmon/WMI events into metric
# data points: _value is the measurement, the rest are dimensions. Values are
# taken with or without surrounding quotes; trailing whitespace/quotes are excluded.
[value_for_perfmon_metrics_store]
REGEX = Value=\"?([^\"\r\n]*[^\"\s])
FORMAT = _value::$1
WRITE_META = true
# Superseded by the stanza below, which additionally refuses to end the metric
# name on an '_' (trailing underscore dropped). Kept for reference only.
##[metric_name_for_perfmon_metrics_store]
##REGEX = counter=\"?([^\"\r\n]*[^\"\s])
##FORMAT = metric_name::$1
##WRITE_META = true
[metric_name_for_perfmon_metrics_store]
REGEX = counter=\"?([^\"\r\n]*[^\"_\s])
FORMAT = metric_name::$1
WRITE_META = true
[object_for_perfmon_metrics_store]
REGEX = object=\"?([^\"\r\n]*[^\"\s])
FORMAT = object::$1
WRITE_META = true
[instance_for_perfmon_metrics_store]
REGEX = instance=\"?([^\"\r\n]*[^\"\s])
FORMAT = instance::$1
WRITE_META = true
[collection_for_perfmon_metrics_store]
REGEX = collection=\"?([^\"\r\n]*[^\"\s])
FORMAT = collection::$1
WRITE_META = true
# WMI uptime as a metric: the wmi_type token becomes the metric name.
[value_for_wmi_uptime_metrics_store]
REGEX = SystemUpTime=([^\s]+)
FORMAT = _value::$1
WRITE_META = true
[metric_name_for_wmi_uptime_metrics_store]
REGEX = wmi_type=([^\s]+)
FORMAT = metric_name::$1
WRITE_META = true
###### Transforms moved from TA-AD ######
# Index-time: Netlogon lines mentioning NO_CLIENT_SITE are re-sourcetyped so that
# clients with no AD site mapping can be reported on separately.
[MSAD-Netlogon-Subnetaffinity]
DEST_KEY=MetaData:Sourcetype
REGEX=.*NO_CLIENT_SITE:.*
FORMAT=sourcetype::MSAD:SubnetAffinity
# Site topology records: every quoted occurrence becomes one multivalue entry.
[MSAD-SiteInfo-AdjacentSites]
REGEX=AdjacentSite="([^"]+)
FORMAT=AdjacentSite::$1
MV_ADD=True
[MSAD-SiteInfo-SiteLinks]
REGEX=SiteLink="([^"]+)
FORMAT=SiteLink::$1
MV_ADD=True
[MSAD-SiteInfo-Sites]
REGEX=Site="([^"]+)
FORMAT=Site::$1
MV_ADD=True
[MSAD-SiteInfo-Subnets]
REGEX=Subnet="([^"]+)
FORMAT=Subnet::$1
MV_ADD=True
###### Transforms moved from TA-DNS ######
# DNS server health records: optionally quoted values, one multivalue entry per
# occurrence. An unquoted value runs to the next '"', so it may swallow following text.
[DNSHealth_ServerAddress_MV]
REGEX = ServerAddress=\"?(?<ServerAddress>[^"]*)\"?
MV_ADD = true
[DNSHealth_ListenAddress_MV]
REGEX = ListenAddress=\"?(?<ListenAddress>[^"]*)\"?
MV_ADD = true
[DNSHealth_Forwarder_MV]
REGEX = Forwarder=\"?(?<Forwarder>[^"]*)\"?
MV_ADD = true
[DNSHealth_LogIPFilterList_MV]
REGEX = LogIPFilterList=\"?(?<LogIPFilterList>[^"]*)\"?
MV_ADD = true
# DNS debug-log line: first "port <n>" (up to five digits, no range check).
[KV_for_port]
REGEX = (?:port)\s*(\d{1,5})
FORMAT = dest_port::$1
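# Client address from the DNS debug-log "Snd"/"Rcv" column.
# Fix: the separators are now literal dots. The previous pattern used unescaped '.',
# which matches any character, so a malformed token (10x0x0x5, or a longer digit run)
# was also accepted as src.
# IPv4 only: an IPv6 client address yields no src — TODO confirm acceptable.
[KV_for_RecvdIP]
REGEX = (?:Snd|Rcv)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
FORMAT = src::$1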
# Queried name in the debug log's label-length form, e.g. (3)www(7)example(3)com(0),
# taken verbatim (not converted to dotted form).
[KV_for_Domain]
REGEX = (\(\d\)*[\w+\(\d\)]{1,})
FORMAT = src_domain::$1
# Response code from the "[<id> <flags> <rcode>]" bracket group.
# NOTE(review): inside a character class '|' is a literal, so [D|DR]+ means "one
# or more of D, |, R" — it works on the expected flag letters but is not an
# alternation; [DR]+ says what is meant.
[KV_for_microsoftdns_action]
REGEX = \[\d{1,4}\s*[A-Z]*\s*[D|DR]+\s([^.]+)\]\s(?:\w*)
FORMAT = vendor_dns_action::$1
[KV_for_Record_type]
REGEX = QTYPE\s+(\w+)\s+
FORMAT = record_type::$1
[KV_for_Record_Class]
REGEX = QCLASS\s+(\w+)\s+
FORMAT = record_class_number::$1
[dns_action_lookup]
filename = dns_action_lookup.csv
[dns_vendor_lookup]
filename = dns_vendor_lookup.csv
[dns_recordclass_lookup]
filename = dns_recordclass_lookup.csv