Deploiement_Server/deployment-apps/Splunk_Security_Essentials/default/transforms.conf

[data_inventory_products_lookup]
external_type = kvstore
collection = data_inventory_products
fields_list = _key, created_time, updated_time, productId, productName, vendorName, eventtypeId, status, basesearch, stage, metadata_json, cim_detail, eventsize, cim_compliant_fields, daily_event_volume, daily_host_volume, desired_sampling_ratio, termsearch, coverage_level, jsonStatus
# description = This kvstore collection contains the list of all of the products configured for data availability. You will see an entry for each product (e.g., "Palo Alto Networks") with associated metadata (e.g., daily_event_volume, cim_compliance_fields, etc), the location of the data (basesearch for full SPL, termsearch that will work in a | tstats where clause), and most importantly the data source categories (aka DSCs) that this product is mapped to. Important note for those digging in here: the mapped DSCs are stored in a field called eventtypeIds -- we renamed this in the UI because while DSCs are thematically similar to eventtypes in Splunk, they're functionally different and we didn't want to confuse the matter. Unfortunately, it was too complicated to change the underlying field.

[data_inventory_eventtypes_lookup]
external_type = kvstore
collection = data_inventory_eventtypes
fields_list = _key, name, datasource, created_time, updated_time, eventtypeId, status, basesearch, search_result, search_status, coverage_level
# description = Pair to data_inventory_products, this kvstore collection stores the status for each data source category (DSC). Most fields aren't used anymore, it's primarily there for a simplified Yes/No status indicator. Important note for those digging in here: the DSC is stored in a field called eventtypeId -- we renamed this in the UI because while DSCs are thematically similar to eventtypes in Splunk, they're functionally different and we didn't want to confuse the matter. Unfortunately, it was too complicated to change the underlying field.

[data_source_check_outputs_lookup]
external_type = kvstore
collection = data_source_check_outputs
fields_list = _key, _time, elementId, elementName, status
# description = This lookup is paired with data_source_check_lookup, and stores the summaried "per example" status. Prior to the Data Availability framework, this lookup was used to add a filter on the main Security Content page, but it is no longer actively used (though the code does keep it up to date and it cannot be removed -- it consumes almost no space)

[data_source_check_lookup]
external_type = kvstore
collection = data_source_check
fields_list = _key, _time, showcaseId, showcaseName, searchId, searchName, status
# description = Used only the data source check dashboard, this kvstore collection persists the most recent result of the data source check results. Running the app check every time you load that dashboard can take a long time (like 10 min!) which feels obnoxious when the data probably doesn't change much. Admittedly, this feature was built to make it less arduous to develop the Auto Dashboarding feature, but it's useful for everyone! This lookup is paired with data_source_check_outputs_lookup which contains the summarized data_source_check_outputs_lookup, which is no longer actively used.

[bookmark_lookup]
external_type = kvstore
collection = bookmark
fields_list = _key, _time, showcase_name, status, user, notes
# description = One of the most important SSE lookups, bookmark_lookup is a kvstore collection that stores the bookmark status (including whether content is marked as implemented!) and bookmark notes. The Correlation Search Introspection feature dumps into this lookup. 

[bookmark_names]
collection = bookmark_names
external_type = kvstore
fields_list = description,name,referenceName,_key
# This collection allows you to add your own custom bookmark names on top of the standard ones. You can also rename the exiting labels.

[external_content_lookup]
external_type = kvstore
collection = external_content
fields_list = _key, first_checked, last_checked, last_updated, channel, build
# description = SSE has an extensible collection of external content sources that can be updated. This includes automatically grabbing the latest data from ESCU (or UBA) and grabbing the latest available MITRE ATT&CK and Pre-ATT&CK. Partners also have the option to add create content channels.

[bookmark_custom_lookup]
external_type = kvstore
collection = bookmark_custom
fields_list = _key, _time, showcase_name, status, user, datasource, description, journey
# description = This lookup is deprecated. It enabled a limited custom content capability prior to SSE 2.5. Today, it's there so that when users ugrade we can grab and update to the latest verison.

[custom_content_lookup]
external_type = kvstore
collection = custom_content
fields_list = _key, _time, showcaseId, channel, local_json, json, user
# description = In SSE, we have the ability to create custom content. That content is stored in the custom_content_lookup. For simplicity, we store all the real detail in the json field, and we will (upon page load) grab all of that content and insert into the ShowcaseInfo (via the showcaseId) that is the backbone of the app. Notably, there is a json and a local_json field -- it was the intent to leave open the ability to provide overrides for content (either Splunk OOTB content or partner-provided content) by adding a local_json. That capability has yet to be implemented though, so that field just sits there as a quiet reminder of things that could have been. 

[deleted_custom_content_lookup]
external_type = kvstore
collection = deleted_custom_content
fields_list = _key, _time, showcaseId, channel, local_json, json, user
# description = In the Custom Content dashboard, you can delete content but then recover it via the recycling bin. This lookup is that recycling bin. 

[local_search_mappings_lookup]
external_type = kvstore
collection = local_search_mappings
fields_list = _key, _time, showcaseId, search_title, user
# description = For users who go through the correlation search introspection process, the app retains a connection of enabled correlation searches to MITRE details. This lookup stores a key element of that, making the association of a saved search name (search_title) to the internal showcaseId.

[sse_app_config_lookup]
external_type = kvstore
collection = sse_app_config
fields_list = _key, _time, user, param, value
# description = A barely-used location for general system configuration parameters. As of this doc writing, it is only used to store a demo-mode flag, but no reason it couldn't include other details that we don't want to make public by default.

[sse_json_doc_storage_lookup]
external_type = kvstore
collection = sse_json_doc_storage
fields_list = _key, _time, version, description, json, compression
# description = SSE has an extensible collection of external content sources that can be updated. While most of that content will go into custom_content_lookup, sometimes there are just updated documents. At the time of this doc creation, it is only MITRE ATT&CK and MITRE Pre-ATT&CK that get stored here, but it could be used for any other sources. When the user's browser grabs the latest MITRE ATT&CK JSON from the MITRE GitHub, it will add it to this kvstore collection. Why a kvstore collection rather than just a custom search command that updates the file on the filesystem? SHC compatibility.

[sse_content_exported_lookup]
external_type = kvstore
collection = sse_content_exported
fields_list = _key, search_title, mitre_id, mitre_display, mitre_description, mitre_technique_combined, mitre_technique, mitre_tactic_combined, mitre_tactic, mitre_tactic_display, mitre_sub_technique_combined, mitre_sub_technique, killchain, showcaseId, showcaseName, category, mitre_technique_description, mitre_tactic_description, mitre_sub_technique_description,analytic_story

[SSE-data-inventory-config]
filename=SSE-data-inventory-config.csv
# description = This lookup contains custom configurations you can apply to the data inventory configuration. If you would like to add in data source owner, or SLA, or something like that, you can add it to this lookup.

[SSE-data-availability-products-categorization]
filename=SSE-data-availability-products-categorization.csv
# description = On the back end of the data availability functionality, we track whether a particular product is high volume (aka, we should do high volume monitoring on it) or not. This lookup enables that. Important: Today, this differentiation isn't supported out of the box, because everything is run by the lag. But there was a desire to filter for high volume products and track those for event volume as well.

[SSE-data_availability_latency_status]
filename=SSE-data_availability_latency_status.csv
# description = This lookup is updated every time the search generates the data availability MLTK model, and stores status on when it was last updated, how mnay products were there, etc. It is used by a variety of health checks on the Data Availability dashboard. 

[sse_bookmark_backup]
filename=sse_bookmark_backup.csv
# description = All configuration snapshosts are stored in this CSV file (see? How easy it is to back up everything!)

[SSE-default-data-inventory-products]
filename=SSE-default-data-inventory-products.csv
# description = When we start the data availability functionality, we look for typical source / sourcetypes in your data. Those typical source / sourcetypes come from this CSV file. 

[datamodels]
filename=datamodels.csv
# description = This lookup contains a list of all datamodels in CIM and in ES and the associate tags that populate them. 

[SSE-STRT-macros-to-data_source_categories]
filename=SSE-STRT-macros-to-data_source_categories.csv
# description = This lookup contains a list of all macros identified in the Macros endpoint from the STRT Content API matched up against data_source_categories. It is automatically maintaned by the app. 

[lightweight_cim_regex_reference_only]
filename=lightweight_cim_regex_reference_only.csv
# description = This CSV probably (definitely) should be added into sseidenrichment search command instead if for no other reason than localization, but it's already here so /shrug. When we package SSE, we will automatically update this CSV with the contents from appserver/static/components/localization/data_inventory.json.

### Use Case Content:

[credential_patterns]
filename=credential_patterns.csv

[suspicious_container_image_names]
batch_index_query = 0
case_sensitive_match = 0
filename = suspicious_container_image_names.csv
match_type = WILDCARD(image)
max_matches = 1

[image_from_new_respository_detected_baseline]
batch_index_query = 0
case_sensitive_match = 1
filename = image_from_new_respository_detected_baseline.csv

[peer_group_for_git_use_case]
filename=peer_group_for_git_use_case.csv

[windows_system_event_id_20001_usb_inserts]
filename=windows_system_event_id_20001_usb_inserts.csv

[tools]
filename=tools.csv

[anonymized_DC_4776_logs]
filename=anonymized_DC_4776_logs.csv

[Sampled_AnonymizedLogonActivity]
filename=Sampled_AnonymizedLogonActivity.csv

[uniflow_printer_log_sample]
filename=uniflow_printer_log_sample.csv

[sysmon_process_launch_logs]
filename=sysmon_process_launch_logs.csv

[Local_User_Account_Creation]
filename=Local_User_Account_Creation.csv

[windows_interactive_logins]
filename=windows_interactive_logins.csv

[STE_Win4688]
filename=STE_Win4688.csv

[anonymized_git_history]
filename=anonymized_git_history.csv

[od_splunklive_fw_data]
filename=od_splunklive_fw_data.csv

[ping_firewall_data_anon]
filename=ping_firewall_data_anon.csv

[healthcare_cerner_patient_records]
filename=healthcare_cerner_patient_records.csv

[STE_Sysmon_commandline]
filename=STE_Sysmon_commandline.csv

[dns_data_anon]
filename=dns_data_anon.csv

[internet_traffic]
filename=internet_traffic.csv

[process_launch_logs]
filename=process_launch_logs.csv

[phone_usage]
filename=phone_usage.csv

[anon_interactive_logons]
filename=anon_interactive_logons.csv

[Example_Legacy_Pass_The_Hash]
filename=Example_Legacy_Pass_The_Hash.csv

[logins]
filename=logins.csv

[event_id_4648_runas]
filename=event_id_4648_runas.csv

[Local_Short_Lived_Account]
filename=Local_Short_Lived_Account.csv

[combined_anon_service_launch_logs]
filename=combined_anon_service_launch_logs.csv

[combined_anon_process_launch_logs]
filename=combined_anon_process_launch_logs.csv

[suspect_file_examples]
filename=suspect_file_examples.csv

[generic_sysmon_process_launch_logs]
filename=generic_sysmon_process_launch_logs.csv

[generic_sysmon_service_launch_logs]
filename=generic_sysmon_service_launch_logs.csv

[synthetic_sysmon_process_launch_logs]
filename=synthetic_sysmon_process_launch_logs.csv

[Anonymized_Email_Logs]
filename=Anonymized_Email_Logs.csv

[SampleCacheGroup]
filename=sample_cache_group.csv

[Sysmon_Timestamp_Adjustment_STE]
filename=Sysmon_Timestamp_Adjustment_STE.csv

[SFDC_Sample_Data_Anon]
filename=SFDC_Sample_Data_Anon.csv

[SFDC_User_Lookup]
filename=SFDC_User_Lookup.csv

[anonymized_box_logs]
filename=anonymized_box_logs.csv

[SampleDataList]
filename=SampleDataList.csv

[gdpr_system_category]
filename=gdpr_system_category.csv

[gdpr_aws_category]
filename=gdpr_aws_category.csv

[gdpr_user_category]
filename=gdpr_user_category.csv

[gdpr_splunk_index_category]
filename=gdpr_splunk_index_category.csv

[splunk_index_provisioning]
filename=splunk_index_provisioning.csv

[user_account_status]
filename=user_account_status.csv

[AnonymizedBruteForce]
filename=AnonymizedBruteForce.csv

[isWindowsSystemFile_lookup]
filename = system32_executables.csv
min_matches=1
default_match=false
match_type = WILDCARD(filename)

[ransomware_extensions_lookup]
filename = ransomware_extensions.csv
min_matches=1
default_match=false

[ransomware_notes_lookup]
filename = ransomware_notes.csv
min_matches=1
default_match=false
match_type = WILDCARD(ransomware_notes)

[UC_autorun_reg_keys]
filename = UC_autorun_reg_keys.csv

[UC_fake_win_process]
filename = UC_fake_win_process.csv

[UC_malicious_cmdline]
filename = UC_malicious_cmdline.csv

[UC_ransomware_extentions]
filename = UC_ransomware_extentions.csv

[UC_ransomware_notes]
filename = UC_ransomware_notes.csv
min_matches=1
default_match=false
match_type = WILDCARD(ransomware_notes)

[UC_ransomware_vulnerabilities]
filename = UC_ransomware_vulnerabilities.csv

[UC_unsuccessful_backups]
filename = UC_backups.csv

[UC_successful_backups]
filename = UC_backups.csv

[UC_successful_windows_updates]
filename = UC_windows_updates.csv

[UC_unsuccessful_windows_updates]
filename = UC_windows_updates.csv

[UC_tor_traffic]
filename = UC_tor_traffic.csv

[UC_smb_traffic_allowed]
filename = UC_smb_traffic_allowed.csv

[UC_smb_spike_detection]
filename = UC_smb_spike_detection.csv

[UC_fsutil]
filename = UC_fsutil.csv

[UC_wevtutil]
filename = UC_wevtutil.csv

[UC_wmi]
filename = UC_wmi.csv

[UC_windows_event_log]
filename = UC_windows_event_log.csv

[UC_anonymized_confluence_logs]
filename = UC_anonymized_confluence_logs.csv

[sse_project_codenames]
filename = sse_project_codenames.csv

[PrivilegedRiskScores]
filename = PrivilegedRiskScores.csv

[UC_generic_risk_events]
filename = UC_generic_risk_events.csv

[UC_raw_data_for_privilege_calculations]
filename = UC_raw_data_for_privilege_calculations.csv

[anonymized_windows_security_events_with_tags]
filename = anonymized_windows_security_events_with_tags.csv

[account_status_tracker]
filename = account_status_tracker.csv

[sse_host_to_country]
filename = sse_host_to_country.csv

[UC_file_copied_to_usb]
filename = UC_file_copied_to_usb.csv

[dynamic_dns_lookup]
filename = dynamic_dns_lookup.csv

[sse_sample_asset_list]
filename = sse_sample_asset_list.csv
match_type = CIDR(ip)
max_matches = 1

[UC_dlp_alerts]
filename = UC_dlp_alerts.csv

[bots-webproxy-data]
filename = bots-webproxy-data.csv

[anon_system_logon_with_failure_codes]
filename = anon_system_logon_with_failure_codes.csv

[UC_SFDC_GDPR_Contact_Accesses]
filename = UC_SFDC_GDPR_Contact_Accesses.csv

[UC_active_directory_search]
filename = UC_active_directory_search.csv

[firewall_traffic]
filename = firewall_traffic.csv

[anonymized_sep_logs]
filename = anonymized_sep_logs.csv

[aws-cloudtrail-data-anon]
filename = aws-cloudtrail-data-anon.csv

[tstats_online_hosts]
filename = tstats_online_hosts.csv

[anonymized_sep_virus_logs]
filename = anonymized_sep_virus_logs.csv

[anon_wmi_service_logs]
filename = anon_wmi_service_logs.csv

[UC_aws_public_buckets]
filename = UC_aws_public_buckets.csv

[high_risk_network_apps]
filename = high_risk_network_apps.csv

[ransomware_content_browser_csv]
filename=ransomware_content_browser.csv

[cert_nz]
filename=cert_nz.csv

# adding for future release
[mitre_color_scheme]
filename = mitre_color_scheme.csv



### Johan Analytics Advisor Content

[kill_chain_phases]
batch_index_query = 0
case_sensitive_match = 1
filename = kill_chain_phases.csv
# description = This lookup contains the Kill Chain phases and the order they appear in

[mitre_threat_groups]
batch_index_query = 0
case_sensitive_match = 1
filename = mitre_threat_groups.csv
max_matches = 100
# description = This lookup contains a list view of the current MITRE ATT&CK Framework Threat Groups. It is automatically maintained by the app.

[mitre_enterprise_list]
batch_index_query = 0
case_sensitive_match = 1
filename = mitre_enterprise_list.csv
max_matches = 100
# description = This contains the list version of the entire MITRE ATT&CK Enterprise Matrix. It's used for enrichment in SSE. It's also available for ad-hoc lookups if you want to enrich events with ATT&CK data. It is automatically maintained by the app.

[mitre_data_sources]
batch_index_query = 0
case_sensitive_match = 1
filename = mitre_data_sources.csv
max_matches = 100
# description = This contains the data source objects from MITRE ATT&CK. It's used for enrichment in SSE. It's also available for ad-hoc lookups if you want to enrich events with ATT&CK data. It is automatically maintained by the app.

[mitre_detections]
batch_index_query = 0
case_sensitive_match = 1
filename = mitre_detections.csv
max_matches = 100
# description = This contains the detections objects from MITRE ATT&CK. It's used for enrichment in SSE. It's also available for ad-hoc lookups if you want to enrich events with ATT&CK data. It is automatically maintained by the app.

[mitre_technique_lists]
batch_index_query = 0
case_sensitive_match = 1
filename = mitre_technique_lists.csv
max_matches = 100
# description = This contains lists of MITRE ATT&CK Techniques that can be used on the Analytics Advisor to prefilter the matrix. 

[sse_industries]
batch_index_query = 0
case_sensitive_match = 0
filename = SSE_industries.csv
match_type = WILDCARD(IndustryAlias)
max_matches = 100
# description = This contains a standardized list Industries with associated pseudonyms and keywords. 

[use_cases]
filename = use_cases.csv
# description = This lookup contains the high level use cases for Splunk security.

[mitre_environment_count]
filename = mitre_environment_count.csv
# description = This lookup contains the count of content associated with each Mitre ATT&CK Technique. It is automatically maintained by the app.

[AppDependencies]
batch_index_query = 0
case_sensitive_match = 1
filename = AppDependencies.csv
# description = This lookup contains links to the app dependencies for the Analytics Advisor.

[ColorScheme]
batch_index_query = 0
case_sensitive_match = 1
filename = ColorScheme.csv
# description = This lookup contains the colours used in the Analytics Advisor. You can change the colour scheme to something else by modifying this lookup.

[AppSettings]
batch_index_query = 0
case_sensitive_match = 1
filename = AppSettings.csv
# description = This lookup contains the names associated with the three states for the content in Analytics Advisor. If you change these the dashboards might not function properly.

### Ransomware content browser

# description = Contains a repository of Splunk content linked to Ransomware
[ransomware_content_browser_descriptions]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_descriptions.csv
# description = This lookup contains descriptions for the different stages and phases

[ransomware_content_browser_conf]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_conf.csv
# description = This lookup contains .conf content mapped to Stages and Phases

[ransomware_content_browser_blogs]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_blogs.csv
# description = This lookup contains Splunk blogs content mapped to Stages and Phases

[ransomware_content_browser_playbooks]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_playbooks.csv
# description = This lookup contains Splunk blogs content mapped to Stages and Phases

[ransomware_content_browser_apps]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_apps.csv
# description = This lookup contains Splunk blogs content mapped to Stages and Phases

[ransomware_content_browser_cert_nz]
batch_index_query = 0
case_sensitive_match = 1
filename = ransomware_content_browser_cert_nz.csv
# description = This lookup contains the links between the different Stages and Phases

[ransomware_content_browser]
external_type = kvstore
collection = ransomware_content_browser
fields_list = _key, timestamp, phase, title, description, type, location, id, email
# description = This lookup contains content captured from the form


[mitre_custom_threat_groups]
external_type = kvstore
collection = mitre_custom_threat_groups
fields_list = _key, mitre_threat_groups, mitre_threat_group_value

[mitre_custom_technique_lists]
external_type = kvstore
collection = mitre_custom_technique_lists
fields_list = _key, List, Techniques, Reference