admingit
/
Deployement_Server_VOLD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0cc1444654'
${ noResults }
Deployement_Server_VOLD/deployment-apps/Splunk_TA_sysmon-for-linux/default/props.conf

96 lines
4.5 KiB
Raw Blame History

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
##
##
[sysmon:linux]
TIME_PREFIX = <Data Name="UtcTime">
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%
TZ = UTC
REPORT-sysmon = sysmon-eventid,sysmon-keywords,sysmon-computer,sysmon-data,sysmon-filename
FIELDALIAS-dvc = Computer AS dvc
EVAL-file_hash = case( EventID IN ("23") AND NOT Hashes IN ("-"), Hashes )
EVAL-process_hash = case( EventID IN ("1") AND NOT Hashes IN ("-"), Hashes )
EVAL-action = case( EventID IN ("1", "3", "9"), "allowed", \
EventID="5", "blocked", \
(EventID = "11" AND UtcTime==CreationUtcTime), "created", \
EventID IN ("23"), "deleted", \
(EventID = "11" AND UtcTime!=CreationUtcTime), "modified" )
EVAL-dest = case( EventID IN ("1","4","5","9","11","16","23"), Computer, \
EventID="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
EventID="3", DestinationIp )
# ID 1 only
EVAL-parent_process = case( EventID="1", ParentCommandLine)
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
EVAL-original_file_name = case( EventID="1", replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
# ID 3 only (DNS query)
FIELDALIAS-dest_port = DestinationPort AS dest_port
FIELDALIAS-SourcePort = SourcePort AS src_port
FIELDALIAS-Protocol = Protocol AS transport
EVAL-dest_host = case( EventID="3" AND DestinationHostname != '-', DestinationHostname)
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
FIELDALIAS-src_ip = SourceIp AS src_ip
EVAL-src_host = case( EventID="3" AND NOT SourceHostname IN ("-"), SourceHostname )
EVAL-app = case( EventID="3", Image )
EVAL-creation_time = case( EventID=="3",UtcTime )
EVAL-direction = case( EventID="3" AND Initiated=="true","outbound", EventID="3", "inbound" )
EVAL-protocol = case( EventID="3", "IP" )
EVAL-protocol_version = case( EventID="3" AND DestinationIsIpv6="true", "ipv6", EventID="3", "ipv4" )
EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != '-', RuleName)
EVAL-state = case(EventID=="3", "established")
EVAL-transport_dest_port = mvzip(transport,dest_port,"/")
EVAL-vendor_product = "Sysmon For Linux"
EVAL-src = case( EventID IN ("3"), SourceIp, \
isnotnull(SourceHostname), SourceHostname, \
isnotnull(SourceIp), SourceIp )
# ID 4, 16 only
# Endpoint:Services
EVAL-description = case( EventID="4", "Sysmon state changed", \
EventID="16", "Sysmon configuration changed")
EVAL-service = case( EventID IN ("4","16"), "Linux-Sysmon" )
EVAL-service_name = case( EventID IN ("4","16"), "Linux-Sysmon" )
EVAL-user = case( EventID IN ("3"), User, UserId="0","root")
FIELDALIAS-UserId = UserId AS user_id
EVAL-os = case( EventID IN ("1","5","9"),"Linux" )
EVAL-parent_process_path = case( EventID="1", ParentImage )
EVAL-parent_process_exec = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_name = case( EventID="1", replace(ParentImage,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-parent_process_id = case( EventID="1", ParentProcessId )
EVAL-parent_process_guid = case( EventID="1", ParentProcessGuid )
EVAL-process = case( EventID IN ("1"), CommandLine, EventID IN ("5"), Image )
EVAL-process_path = case( EventID IN ("1","5","9","11","23"), Image )
EVAL-process_exec = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_name = case( EventID IN ("1","3","5","9","11","23"), replace(Image,"(.*\/)(?=.*(\.\w*)$|(\w+)$)","") )
EVAL-process_guid = case( EventID IN ("1","3","5","9","11","23"), ProcessGuid )
EVAL-process_id = case( EventID IN ("4","16"), ProcessID, \
EventID IN ("1","3","5","9","11","23"), ProcessId )
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
EVAL-status = case( (EventID=14 AND Keywords="0x8000000000000000"),"success", \
EventID="16","started", \
EventID="4",lower(State) )
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
EVAL-file_modify_time = case( EventID IN ("23"),UtcTime )
EVAL-file_path = case ( EventID IN ("11", "23"), replace(TargetFilename,"(:[\w\. ]+)",""), EventID IN ("16"), Configuration )
EVAL-file_name = case ( EventID IN ("11","23"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
EVAL-object_category = case( EventID IN ("11","23"), "file" )
#Fields for ChangeAnalysis DM
LOOKUP-sysmon-eventid-lookup = sysmon-eventid-lookup EventID OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-signature_id = EventID AS signature_id
Reference in new issue View Git Blame Copy Permalink