admingit
/
Splunk_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Splunk_deploy/deployment-apps/Splunk_TA_linux_sysmon/default/props.conf

190 lines
10 KiB
Raw Permalink Blame History

[syslog]
TRANSFORMS-sysmonlinux = sysmonforlinux_sourcetype, sysmonforlinux_source
[sysmon_linux]
TIME_PREFIX = <Data Name="UtcTime">
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N%
TZ = UTC
REPORT-sysmon = sysmon-eventid,sysmon-version,sysmon-level,sysmon-task,sysmon-opcode,sysmon-keywords,sysmon-created,sysmon-record, \
sysmon-correlation,sysmon-channel,sysmon-computer,sysmon-sid,sysmon-registryvaluedata,sysmon-registryvaluetype,sysmon-data,sysmon-md5,sysmon-sha1,sysmon-sha256,sysmon-imphash, \
sysmon-filename,sysmon-dns-answer-data,sysmon-user,sysmon-user-and-src_host-from-clientinfo
#sysmon-hashes,sysmon-filename,sysmon-registry,sysmon-dns-record-data,sysmon-dns-ip-data,sysmon-user,sysmon-dns-record-data,
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,lx_eventdata_xml_data,rendering_info_xml_data
EVAL-file_hash = case( EventCode IN ("15"), Hash, \
EventCode IN ("23","26"), Hashes )
EVAL-process_hash = case( EventCode IN ("1","6","7","24"), Hashes )
EVAL-object_path = case( EventCode="20", Destination, \
EventCode="21", Consumer, \
EventCode IN ("12", "13"), TargetObject, \
EventCode="14", NewName )
EVAL-object = case( EventCode = "20", replace(replace(Destination,"(.*\\\)",""),"\"",""), \
EventCode="21", replace(replace(Consumer,"(\\\\\"\")",""),".+(\\\\\")","" ) )
EVAL-action = case( EventCode IN ("1", "3", "6", "8", "9", "10", "15", "17", "18", "24", "25"), "allowed", \
EventCode="5", "blocked", \
(EventCode = "11" AND UtcTime==CreationUtcTime) OR (EventCode = "12" AND EventType="CreateKey") OR (EventCode = "19") OR (EventCode IN ("20","21") AND Operation="Created"), "created", \
(EventCode = "12" AND EventType="DeleteKey") OR (EventCode IN ("20","21") AND Operation="Deleted") OR EventCode IN ("23", "26"), "deleted", \
EventCode IN ("2", "13","14") OR (EventCode = "11" AND UtcTime!=CreationUtcTime), "modified", \
EventCode="7", "success" )
EVAL-dest = case( EventCode IN ("1","2","4","5","6","7","8","9","10","11","12","13","14","15","16","17","18","19","20","21","23","24","25","26","255"), Computer, \
EventCode="3" AND isnotnull(DestinationHostname) AND DestinationHostname != "-", DestinationHostname, \
EventCode="3", DestinationIp )
# ID 1 only
FIELDALIAS-parent_process = ParentCommandLine AS parent_process
FIELDALIAS-process_current_directory = CurrentDirectory AS process_current_directory
EVAL-original_file_name = case( EventCode="1",OriginalFileName )
# ID 3 only (DNS query)
FIELDALIAS-dest_port = DestinationPort AS dest_port
FIELDALIAS-SourcePort = SourcePort AS src_port
FIELDALIAS-Protocol = Protocol AS transport
EVAL-dest_host = case( EventCode="3" AND DestinationHostname != '-', DestinationHostname)
FIELDALIAS-dest_ip = DestinationIp AS dest_ip
FIELDALIAS-dvc_ip = SourceIp AS dvc_ip
FIELDALIAS-src_ip = SourceIp AS src_ip
EVAL-src_host = case( EventCode="3", SourceHostname, EventCode="24", SrcHost )
EVAL-app = case( EventCode="3", Image )
EVAL-creation_time = case( EventCode=="3",UtcTime )
EVAL-direction = case( EventCode="3" AND Initiated=="true","outbound", EventCode="3", "inbound" )
EVAL-protocol = case( EventCode="3", "ip" )
EVAL-protocol_version = case( EventCode="3" AND DestinationIsIpv6="true", "ipv6", EventCode="3", "ipv4" )
EVAL-rule = case( EventID="3" AND isnotnull(RuleName) AND RuleName != '-', RuleName)
EVAL-state = case(EventCode=="3", "established")
EVAL-transport_dest_port = mvzip(transport,dest_port,"/")
# ID 6 only
EVAL-service_signature_exists = case( EventCode="6",Signed )
EVAL-service_signature_verified = case( EventCode="6" AND SignatureStatus="Valid", "true", EventCode="6", "false" )
# ID 7 only
EVAL-service_dll_signature_exists = case( EventCode="7",Signed )
EVAL-service_dll_signature_verified = case( EventCode="7" AND SignatureStatus="Valid", "true", EventCode="7", "false" )
# ID 8 only
FIELDALIAS-src_function = StartFunction AS src_function
FIELDALIAS-src_address = StartAddress AS src_address
FIELDALIAS-src_module = StartModule AS src_module
# ID 10 only
FIELDALIAS-granted_access = GrantedAccess AS granted_access
# ID 15 only
FIELDALIAS-http_referrer = ReferrerUrl AS http_referrer
FIELDALIAS-url = HostUrl AS url
EVAL-http_referrer_domain = case( EventCode="15", replace(ReferrerUrl, "(^\w+:|^)\/\/(.*)\/$" ,"\2"))
EVAL-url_domain = case (EventCode="15",replace(HostUrl, "(^\w+:|^)\/\/([\w.]*).*$" ,"\2"))
EVAL-uri_path = case (EventCode="15", replace(HostUrl, "(.*/)" ,""))
EVAL-url_length = len(url)
# ID 21 only
FIELDALIAS-object_attrs = Filter AS object_attrs
# ID 22 only
FIELDALIAS-QueryName = QueryName AS query
FIELDALIAS-QueryStatus = QueryStatus AS reply_code_id
EVAL-answer_count = mvcount(answer)
EVAL-query_count = mvcount(query)
LOOKUP-record_type = sysmon-record_type-lookup record_type OUTPUT record_type_name AS record_type
EVAL-vendor_product = "Linux Sysmon"
EVAL-src = case( EventCode IN ("19","20","21","22"), Computer, \
isnotnull(SourceHostname), SourceHostname, \
isnotnull(SourceIp), SourceIp )
# ID 4, 16, 255 only
# Endpoint:Services
EVAL-description = case( EventCode="255","Error occured within Sysmon", \
EventCode="4", "Sysmon state changed", \
EventCode="16", "Sysmon configuration changed")
EVAL-service = case( EventCode IN ("4","16","255"), "Sysmon" )
EVAL-service_name = case( EventCode IN ("4","16","255"), "Sysmon" )
# ID 12, 13, 14 only
# Endpoint:Registry
FIELDALIAS-registry_path = TargetObject AS registry_path
EVAL-registry_key_name = case( EventCode IN ("12","14"),TargetObject, \
EventCode="13", replace(TargetObject,"\\\(\w+)$","") )
EVAL-registry_hive = case( EventCode IN ("12","13","14") AND like(TargetObject, "HKLM\System\%"), "HKEY_LOCAL_MACHINE\\\\System", \
EventCode IN ("12","13","14") AND like(TargetObject, "HKU\%"), "HKEY_CURRENT_USER" )
EVAL-registry_value_data = case( EventCode="14" AND EventType="RenameValue",RegistryValueData, \
EventCode="13", RegistryValueData )
EVAL-registry_value_name = case( EventCode="14" AND EventType="RenameValue",replace(TargetObject,"(.*)\\\(\w+)$","\2"), \
EventCode ="13", replace(TargetObject,"(.*)\\\(\w+)$","\2") )
EVAL-registry_value_type=case( EventCode="14" AND EventType="RenameValue","REG_"+RegistryValueType, \
EventCode ="13", "REG_"+RegistryValueType)
# ID 17 & 18 only
FIELDALIAS-pipe_name = PipeName AS pipe_name
# ID 19, 20, 21
# Change:Endpoint_Changes
EVAL-change_type = case( EventCode IN ("19","20","21"), "filesystem" )
EVAL-user_name = case( EventCode IN ("19","20","21"), user )
EVAL-os = case( EventCode IN ("1","5","6","7","8","9","10","15","17","18","24","25"),"Linux" )
EVAL-parent_process_path = case( EventCode="1", ParentImage, \
EventCode="7", Image, \
EventCode IN ("8","10"), SourceImage )
EVAL-parent_process_exec = case( EventCode="1", replace(ParentImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode="7", replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("8","10"), replace(SourceImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-parent_process_name = case( EventCode="1", replace(ParentImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode="7", replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("8","10"), replace(SourceImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-parent_process_id = case( EventCode="1", ParentProcessId, \
EventCode="7", ProcessId, \
EventCode IN ("8","10"), SourceProcessId )
EVAL-parent_process_guid = case( EventCode="1", ParentProcessGuid, \
EventCode="7", ProcessGuid, \
EventCode="8", SourceProcessGuid, \
EventCode="10", SourceProcessGUID )
EVAL-process = case( EventCode="1",CommandLine, \
EventCode="5",Image )
EVAL-process_path = case( EventCode IN ("1","2","5","9","11","12","13","14","15","17","18","23","24","25","26"), Image, \
EventCode IN ("6","7"), ImageLoaded, \
EventCode IN ("8","10"), TargetImage )
EVAL-process_exec = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","26"), replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("7"), replace(ImageLoaded,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("8","10"), replace(TargetImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-process_name = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","26"), replace(Image,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("7"), replace(ImageLoaded,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)",""), \
EventCode IN ("8","10"), replace(TargetImage,"(.*/)(?=.*(\.[^/]*)$|([^/]+)$)","") )
EVAL-process_guid = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","22","23","24","25","26"), ProcessGuid, \
EventCode="8", TargetProcessGuid, \
EventCode="10", TargetProcessGUID )
EVAL-process_id = case( EventCode IN ("1","2","3","5","9","11","12","13","14","15","17","18","23","24","25","26"), ProcessId, \
EventCode IN ("8","10"), TargetProcessId, \
EventCode IN ("16","255"), replace(ProcessID, "'", "") )
FIELDALIAS-process_integrity_level = IntegrityLevel AS process_integrity_level
EVAL-dvc = case( EventCode IN ("3", "10","13","19","20","21","24", "26", "255") , Computer )
EVAL-status = case( EventCode="255","critical", \
EventCode IN ("12","13","19","20","21") OR (EventCode=14 AND Keywords="0x8000000000000000"),"success", \
EventCode="16","started", \
EventCode="4",lower(State) )
EVAL-result = case( EventCode="25",Type, \
EventCode="255",Description, \
EventCode IN ("19","21"),lower(Operation) )
FIELDALIAS-file_create_time = CreationUtcTime AS file_create_time
EVAL-file_modify_time = case( EventCode IN ("2","23","26"),UtcTime )
EVAL-file_access_time = case( EventCode="26",UtcTime )
EVAL-file_path = case (EventCode IN ("2","11","15", "23","26"), replace(TargetFilename,"(:[\w\. ]+)","") )
EVAL-file_name = case ( EventCode IN ("11","15","23","2","26"), replace(replace(TargetFilename,"(.*/)",""),"(:[\w\. ]+)","") )
EVAL-object_category = case( EventCode IN ("2","11","23","26"), "file", \
EventCode IN ("12","13","14"), "registry", \
EventCode IN ("19","20","21"), "wmi" )
#Fields for ChangeAnalysis DM
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
FIELDALIAS-eventid = EventCode AS EventID
FIELDALIAS-signature_id = EventCode AS signature_id
FIELDALIAS-user = User as user
Reference in new issue View Git Blame Copy Permalink