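# Search-time knowledge for the StealthINTERCEPT sourcetype (STEALTHbits
# StealthINTERCEPT AD / file activity events). Maps the vendor field names
# onto CIM-style fields (action, change_type, object, user, src, dest, status)
# so generic change-monitoring detections can run over these events.
# The [STEALTHbits] stanza in this file carries an identical copy of these
# settings; a fix applied here should be mirrored there.
[StealthINTERCEPT]
# CIM action, derived from the event_id extracted below. case() returns the
# first matching branch, so the specific patterns must stay above the
# "%_ock%" catch-all. "_" is the single-character LIKE wildcard and is used
# to accept either letter case of the verb's first letter (Changed/changed,
# Added/added, ...).
# NOTE(review): "%_ock%" matches any event_id containing "lock" preceded by
# one arbitrary character (Unlock, Block, Clock ...), not only lockouts.
# "Account Unlocked" is caught by the earlier branch; other unintended
# matches cannot be ruled out from this file - confirm against the real
# event catalogue before a detection relies on action="lockout".
EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout")
# AD events have an event_id starting with "Active Directory"; anything else
# mentioning "File" is treated as filesystem activity. Other events get no
# change_type (case() yields null when nothing matches).
EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem")
# dvc: the StealthINTERCEPT server reporting the event, by name first, then
# by address.
EVAL-dvc = coalesce(Server,ServerAddress)
# dest: the host the change was applied to, falling back to the reporting
# server when the event carries no target host.
EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, ServerAddress)
# src: the client the change originated from (name, then address).
EVAL-src = coalesce(ClientHost, ClientAddress)
# Outcome of the change. lower() makes the comparison tolerant of
# "true"/"TRUE" as well as the "True"/"False" literals the original only
# accepted; any other value (or a missing field) leaves status null from
# this eval.
# NOTE(review): the FIELDALIAS below also maps result AS status. Field
# aliases are applied before EVALs at search time, so when SuccessfulChange
# is present this eval wins; which value survives when it is absent should
# be verified on real data rather than assumed.
EVAL-status = case(lower(SuccessfulChange) == "true", "success", lower(SuccessfulChange) == "false", "failure")
EVAL-vendor_product = "STEALTHbits StealthINTERCEPT"
# event_id is the text between the product name and the next " - " in the
# raw event, e.g. "Active Directory Object Modified". The original pattern
# wrote the product names inside [...], which is a character class (any ONE
# of those letters), not an alternation; it matched by accident on the
# single letter before " - " and would equally match unrelated text. The
# non-capturing group below is the intended alternation.
# NOTE(review): this assumes every raw event really carries one of the two
# product names before the first " - "; if a third prefix exists it must be
# added to the group or event_id (and therefore action/change_type) is lost.
EXTRACT-event_id = (?:STEALTHbits Activity Monitor|StealthINTERCEPT) - (?P<event_id>[^\-]+)\s\-
# Vendor-to-CIM aliases. Perpetrator is the account that performed the
# change (CIM "user"); DistinguishedName/ObjectClass/AttributeName describe
# what was changed. Despite the "Authentication" label these are Change
# data model field names; the label is only an identifier for the alias set.
FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName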
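# Search-time knowledge for the STEALTHbits sourcetype. This stanza is an
# identical copy of [StealthINTERCEPT] above (same vendor fields, same CIM
# mapping); keep the two in sync when either is changed.
[STEALTHbits]
# CIM action, derived from the event_id extracted below. case() returns the
# first matching branch, so the specific patterns must stay above the
# "%_ock%" catch-all. "_" is the single-character LIKE wildcard and is used
# to accept either letter case of the verb's first letter (Changed/changed,
# Added/added, ...).
# NOTE(review): "%_ock%" matches any event_id containing "lock" preceded by
# one arbitrary character (Unlock, Block, Clock ...), not only lockouts.
# "Account Unlocked" is caught by the earlier branch; other unintended
# matches cannot be ruled out from this file - confirm against the real
# event catalogue before a detection relies on action="lockout".
EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout")
# AD events have an event_id starting with "Active Directory"; anything else
# mentioning "File" is treated as filesystem activity. Other events get no
# change_type (case() yields null when nothing matches).
EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem")
# dvc: the StealthINTERCEPT server reporting the event, by name first, then
# by address.
EVAL-dvc = coalesce(Server,ServerAddress)
# dest: the host the change was applied to, falling back to the reporting
# server when the event carries no target host.
EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, ServerAddress)
# src: the client the change originated from (name, then address).
EVAL-src = coalesce(ClientHost, ClientAddress)
# Outcome of the change. lower() makes the comparison tolerant of
# "true"/"TRUE" as well as the "True"/"False" literals the original only
# accepted; any other value (or a missing field) leaves status null from
# this eval.
# NOTE(review): the FIELDALIAS below also maps result AS status. Field
# aliases are applied before EVALs at search time, so when SuccessfulChange
# is present this eval wins; which value survives when it is absent should
# be verified on real data rather than assumed.
EVAL-status = case(lower(SuccessfulChange) == "true", "success", lower(SuccessfulChange) == "false", "failure")
EVAL-vendor_product = "STEALTHbits StealthINTERCEPT"
# event_id is the text between the product name and the next " - " in the
# raw event, e.g. "Active Directory Object Modified". The original pattern
# wrote the product names inside [...], which is a character class (any ONE
# of those letters), not an alternation; it matched by accident on the
# single letter before " - " and would equally match unrelated text. The
# non-capturing group below is the intended alternation.
# NOTE(review): this assumes every raw event really carries one of the two
# product names before the first " - "; if a third prefix exists it must be
# added to the group or event_id (and therefore action/change_type) is lost.
EXTRACT-event_id = (?:STEALTHbits Activity Monitor|StealthINTERCEPT) - (?P<event_id>[^\-]+)\s\-
# Vendor-to-CIM aliases. Perpetrator is the account that performed the
# change (CIM "user"); DistinguishedName/ObjectClass/AttributeName describe
# what was changed. Despite the "Authentication" label these are Change
# data model field names; the label is only an identifier for the alias set.
FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName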