admingit
/
Splunk_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Splunk_deploy/deployment-apps/Splunk_TA_windows/default/props.conf

1936 lines
114 KiB
Raw Permalink Blame History

##
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
## DO NOT EDIT THIS FILE!
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
## into ../local and edit there.
##
###########################
## Active Directory
###########################
[ActiveDirectory]
LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag
###########################
## DHCP
###########################
[DhcpSrvLog]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
EVENT_BREAKER_ENABLE = true
TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT_1microsoft_dhcp_dest_dns = microsoft_dhcp_dest_dns
LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
FIELDALIAS-win-sign-id = msdhcp_id AS signature_id
FIELDALIAS-dhcp-user = msdhcp_user AS user
EVAL-vendor = "Microsoft"
EVAL-product = "DHCP"
EVAL-vendor_product = "Microsoft DHCP"
EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12,}$"), replace(raw_mac, "^.*(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$", "\1:\2:\3:\4:\5:\6"), 1==1, replace(raw_mac, "-|\.|\s", ":")))
EVAL-dest = coalesce(if(nt_host!="BAD_ADDRESS", nt_host, null()), ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))))
EVAL-quarantine_info = case(qresult == 0, "NoQuarantine", qresult == 1, "Quarantine", qresult == 2, "Drop Packet", qresult == 3, "Probation", qresult == 6, "No Quarantine Information", true(), qresult)
EVAL-action = case(msdhcp_id IN (13,15,12,16,18), "blocked", msdhcp_id IN (10,11), "added")
EVAL-dest_nt_host = case(nt_host!="BAD_ADDRESS", nt_host)
EVAL-reason = case(nt_host=="BAD_ADDRESS", nt_host)
###########################
## Splunk Windows Event Log
###########################
## Host override for WinEventLog events collected using WEF
[host::WinEventLogForwardHost]
TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride
TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride
## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog
## format source using sourcetype value, so we know whether its XML or not
## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype
## the mod input sets and new sources will be accommodated as well
[(?::){0}WinEventLog:*]
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype
[(?::){0}XmlWinEventLog:*]
TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype
## Fields common to all WinEventLogs
[WinEventLog]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_for_windows = Process AS process
EVAL-process_name = if(EventCode==4688, New_Process_Name, Process_Name)
FIELDALIAS-parent_process_for_windows = Creator_Process_Name AS parent_process
FIELDALIAS-user_id_for_windows = User_ID AS user_id
EVAL-vendor_product = "Microsoft Windows"
[XmlWinEventLog]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
EVAL-process_name = if(EventCode==4688, NewProcessName, ProcessName)
FIELDALIAS-parent_process_for_windows = ParentProcessName AS parent_process
FIELDALIAS-user_id_for_windows = UserID AS user_id
EVAL-vendor_product = "Microsoft Windows"
##Below fields extractions have been moved from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] and [source::*:System]
## windows system sub-sourcetyping
[source::WinEventLog:System]
TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
REPORT-1service_name_eventcode_7036 = service_name_eventcode_7036
REPORT-1service_name_eventcode_7040 = service_name_eventcode_7040
EVAL-status = case(EventCode=="7036" AND status=="running","started",EventCode=="7036" AND status=="stopped","stopped",EventCode=="104","success")
LOOKUP-0start_mode_for_eventcode_7040_service_windows = windows_start_mode_lookup StartType AS start_type2 OUTPUTNEW start_mode
LOOKUP-1start_mode_for_eventcode_7045_service_windows = windows_start_mode_lookup StartType AS Service_Start_Type OUTPUTNEW start_mode
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_for_windows = signature_id AS package
FIELDALIAS-package_title_for_windows = signature AS package_title
## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility
# Extractions to add fields used by generic system extraction
REPORT-signature_message_from_xml = updatelist_from_user_data
REPORT-signature_from_xml = updatetitle_from_user_data
FIELDALIAS-updateTitle_as_signature = updateTitle AS signature
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
EVAL-user = case(EventCode IN (7040,7045),case(user!="-",user),1==1,user)
EVAL-user_name = if(EventCode==104, User, user_name)
EVAL-result = if(EventCode==104, "log file was cleared", result)
EVAL-object_category = if(EventCode==104, "audit log", object_category)
EVAL-action = if(EventCode==104, "cleared", action)
EVAL-change_type = case(EventCode==104, "audit", 1==1, change_type)
EVAL-app = if(SourceName="IAS","ias",null())
EXTRACT-object_for_windows_system = (?ms)EventCode=104(?:\n|\r).*(?:Message=The\s(?<object>.+)\sfile)
##### Explanation for SEDCMD Extractions #####
## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
##### SEDCMD Extractions #####
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
## Apply the following properties to all WinEventLog events
## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
[source::(WMI:WinEventLog|WinEventLog)...]
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
REPORT-MESSAGE =
###########################
## Windows XML Event Log
###########################
##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
[source::XmlWinEventLog:System]
# Extractions to add fields used by generic system extraction
REPORT-signature_message_from_xml = updatelist_from_user_data
REPORT-signature_from_xml = updatetitle_from_user_data
FIELDALIAS-updateTitle_as_signature = updateTitle AS signature
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
EVAL-body = coalesce('signature_message','Message')
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_title_for_windows = signature AS package_title
FIELDALIAS-package_for_windows = signature_id AS package
REPORT-service_name = ServiceName_as_service_name
EVAL-status = case(EventCode=="7036" AND param2=="running","started",EventCode=="7036" AND param2=="stopped","stopped", EventCode==104, "success")
LOOKUP-0start_mode_for_eventcode_7045_service_windows_xml = windows_start_mode_lookup StartType OUTPUTNEW start_mode
LOOKUP-1start_mode_for_eventcode_7040_service_windows_xml = windows_start_mode_lookup StartType AS param3 OUTPUTNEW start_mode
EVAL-action = case(EventCode==104, "cleared")
EVAL-object_category = case(EventCode==104, "audit log")
EVAL-result = case(EventCode==104, "log file was cleared")
EVAL-change_type = case(EventCode==104, "audit", 1==1, change_type)
REPORT-channel_from_user_data = channel_from_user_data
EVAL-object = case(EventCode==104, user_data_channel + " log")
EXTRACT-user_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user>.*?)<\/SubjectUserName>
EXTRACT-user_name_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user_name>.*?)<\/SubjectUserName>
##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
[source::XmlWinEventLog:Security]
REPORT-logfilecleared_block_extract = logfilecleared_xml_block
REPORT-logfilecleareddata_for_xml = LogFileClearedData_from_user_data
## privilege
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
# Extractions to add fields used by generic security extraction
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-CategoryString_for_windows_xml_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
LOOKUP-object_for_windows3_security = xmlsecurity_change_audit_and_account_management_lookup EventCode OUTPUTNEW object_attrs,result
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(TargetUserName,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
REPORT-member_user_name = special_user_from_member_name
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
##Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
EXTRACT-1IpAddress_for_windows_security_from_xml =\<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
EXTRACT-new_process_for_windows_security_from_xml = <Data Name='NewProcessName'>(?<new_process>[^<]+)<\/Data>
EXTRACT-parent_process_for_windows_security_from_xml = <Data Name='ParentProcessName'>(?<parent_process>[^<]+)<\/Data>
EXTRACT-new_process_id_for_windows_security_from_xml = <Data Name='NewProcessId'>(?<new_process_id>[^<]+)<\/Data>
EXTRACT-process_id_for_windows_security_from_xml = <Data Name='ProcessId'>(?<process_id>[^<]+)<\/Data>
EXTRACT-process_command_line_for_xml = <Data Name='CommandLine'>(?<Process_Command_Line>[^<]+)<\/Data>
EVAL-authentication_method = case(EventCode IN (4624, 4625), AuthenticationPackageName, 1==1, authentication_method)
## XML Security-CIM Mappings
REPORT-parent_process_name_windows_xml = extract_parent_process_name_for_windows_xml
REPORT-new_process_name_windows_xml = extract_new_process_name_for_windows_xml
REPORT-target_process_name_windows_xml = extract_target_process_name_for_windows_xml
REPORT-caller_user_name_from_user_data_xml = SubjectUserName_from_user_data
REPORT-file_name_and_path = object_file_name_and_path_from_ObjectName_for_xml,file_name_and_path_from_FileName_for_xml,file_name_and_path_from_KeyFilePath_for_xml
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
EVAL-object_attrs = if(EventCode IN (4720,4738), null(),if(EventCode=4717, AccessGranted, (if(EventCode==4718, AccessRemoved, (if(isnotnull(SamAccountName), SamAccountName, if(EventCode IN (4732), TargetUserName, if(EventCode IN (4698,4700,4701), TaskContent, if(EventCode==4702, TaskContentNew, if(EventCode==4719, "Category="+CategoryId+",Subcategory="+SubcategoryId+",Subcategory GUID="+SubcategoryGuid+",Changes="+AuditPolicyChanges,object_attrs))))))))))
EVAL-registry_path = if(EventCode==4657,ObjectName,registry_path)
EVAL-registry_value_name = if(EventCode==4657,ObjectValueName,registry_value_name)
EVAL-registry_value_type = if(EventCode==4657,NewValueType,registry_value_type)
EVAL-src = case(EventCode==4778, ClientAddress, EventCode == 4624, IpAddress, EventCode==4625, WorkstationName, 1=1, src)
EVAL-file_name = coalesce(file_name,if(ObjectType=="File",object_file_name,null()),ShareName)
EVAL-file_path = coalesce(file_path,if(ObjectType=="File",object_file_path,null()),ShareLocalPath)
EVAL-src_port = if(EventCode=5158 OR EventCode=5156, SourcePort, src_port)
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(NewProcessName,"\s"), "\"" + NewProcessName + "\"", NewProcessName)) + " " + process_command_line_arguments), NewProcessName) , EventCode==4696, TargetProcessName, 1==1, coalesce(process, Process, ProcessName))
EVAL-process_path = case(EventCode==4688, new_process, EventCode==4696, TargetProcessName, 1==1, coalesce(process, Process, ProcessName))
EVAL-process_id = case(EventCode==4688, new_process_id, EventCode==4696, TargetProcessId, 1==1, process_id)
EVAL-service = if(isnotnull(service),service, Service)
EVAL-parent_process = case(EventCode==4696,ProcessName,1==1,parent_process)
EVAL-parent_process_id = case(EventCode==4688 OR EventCode==4696,ProcessId)
EVAL-parent_process_name = case(EventCode==4696,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),1==1,parent_process_name)
EVAL-parent_process_path = case(EventCode==4688,parent_process,EventCode==4696,ProcessName)
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"))
EVAL-process_name = case(EventCode=4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),1==1,ProcessName)
EVAL-user = case(EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode==4674 OR EventCode==4689 OR EventCode==4673 OR EventCode==4697 OR EventCode==1102 OR EventCode==4719 OR EventCode==4698 OR EventCode==4700 OR EventCode==4701 OR EventCode==4702, case(SubjectUserName!="-",SubjectUserName),EventCode==4696,case(user!="-",user),EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728, 4729, 4732), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), 1==1, user)
EVAL-user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767,4800,4801), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (1102,4719,4698,4700,4701,4702), SubjectUserName, EventCode==4732, if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), 1==1, user_name)
EVAL-src_user = case(EventCode IN (4624,4625,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767,4781), case(SubjectUserName!="-",SubjectUserName), EventCode IN (4634,4800,4801), TargetUserName, 1==1,src_user)
EVAL-src_user_name = case(EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781), SubjectUserName, EventCode IN (4634,4800,4801), TargetUserName, 1==1,src_user_name)
EVAL-src_nt_domain = case(EventCode IN (4634,4800,4801), TargetDomainName, 1==1, src_nt_domain)
EVAL-object = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767), TargetUserName, EventCode==4781, NewTargetUserName, EventCode==4732, if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"), -1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (4800,4801), Computer, EventCode IN (4698,4700,4701,4702),TaskName, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", 1==1, object)
EVAL-object_id = case(EventCode IN (4704, 4705, 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4781), TargetSid, EventCode IN (4634,4703), TargetUserSid, EventCode=4732, MemberSid, 1==1, object_id)
EVAL-action = case(EventCode=="4688" AND Keywords=="0x8020000000000000","allowed")
## Assigning Group_Name based on EventCodes as not all EventCodes have GroupName same as TargetUserName and GroupDomain same as TargetDomainName
EVAL-Group_Name=case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name)
EVAL-Group_Domain=case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain)
EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
LOOKUP-start_mode_for_windows_xml = windows_endpoint_service_service_type_lookup Service_Start_Type AS ServiceStartType OUTPUTNEW start_mode
LOOKUP-service_name = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service, service_name
LOOKUP-transport_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status
##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*]
[source::XmlWinEventLog:Application]
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest
###### All Windows Event Log ######
###### Windows Application Event Log ######
## All Windows Application
##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
[source::WinEventLog:Application]
EVAL-dest = coalesce('ComputerName','Computer')
## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
##Below fields extractions have been moved from [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
[source::WinEventLog:Security]
LOOKUP-CategoryString_for_windows_legacy_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## action, status
## Security-CIM Mappings
LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,New_Security_ID_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Special_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
REPORT-subject_fields = subject_fields_extraction
REPORT-target_fields = target_fields_extraction
REPORT-new_account_fields = new_account_fields_extraction
REPORT-member_fields = member_fields_extraction
REPORT-account_locked_out_fields = account_locked_out_fields_extraction
REPORT-task_fields = task_fields_extraction
REPORT-new_task_fields = new_task_fields_extraction
EVAL-user = case(EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (4689,4696,4673,4674,4697),case(user!="-",user), EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode IN (4728,4729,4732), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%"), null(), user)), 1==1,user)
EVAL-user_name = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (1102,4634,4698,4700,4701,4702,4719,4800,4801), Subject_Account_Name, EventCode==104, User, EventCode IN (4732), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%"), null(), user)), 1==1,user_name)
EVAL-src_user = case(EventCode IN (4634,4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781,4800,4801), Subject_Account_Name, 1==1,src_user)
EVAL-src_user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801), Subject_Account_Name, 1==1,src_user_name)
EVAL-object = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (4800,4801), ComputerName, EventCode==4634, Subject_Account_Name, EventCode IN (4698,4700,4701,4702), Task_Name, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode IN (4732), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%"), null(), user)), 1==1,object)
EVAL-object_id = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781), Target_Security_ID, EventCode==4720, New_Account_Security_ID, EventCode==4732, Member_Security_ID, EventCode==4740, Account_Locked_Out_Security_ID, EventCode==4634, Subject_Security_ID, 1==1, object_id)
EVAL-authentication_method = case(EventCode IN (4624,4625), Authentication_Package, 1==1, authentication_method)
EVAL-src_nt_domain = case(EventCode IN (4634,4720,4732,4740,4800,4801), Subject_Account_Domain, 1==1, src_nt_domain)
EXTRACT-dest_port_for_windows_security = (?s)Network Information:.*?Destination Port:\s+(?<dest_port>\S+).*?(?:(?:\r*\n){2})
EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?<object_attrs>[^$]+)$
EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?<process>\S+).*?(?:(?:\r*\n){2})
EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?<Group_Domain>.*)\\(?<Group_Name>[^(?:\n|\r)]+)
## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility
## privilege
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
# Extractions to add fields used by generic security extraction
REPORT-Source_Port_from_xml = IpPort_as_Source_Port
REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, 1==1, "-")
# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
EVAL-action = case(EventCode=="4688" AND Keywords=="Audit Success","allowed",EventCode=="4688" AND Keywords=="Audit Failure","blocked")
REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest
EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
EXTRACT-1IpAddress_for_windows_security_from_xml =\<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
EXTRACT-process_id_for_windows_security_from_xml = <Execution ProcessID='(?<process_id>\d+)'
##### Explanation for SEDCMD Extractions #####
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing
## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing
## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
## For XmlWinEventLog:Security
#SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
#SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
## Security-CIM Mappings
REPORT-parent_process_name = extract_parent_process_name
REPORT-new_process_name = extract_new_process_name
REPORT-target_process_name = extract_target_process_name
REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
REPORT-file_name_and_path = object_name_and_path_from_object_name,file_name_and_path_from_file_name,file_name_and_path_from_file_path
EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(New_Process_Name,"\s"), "\"" + New_Process_Name + "\"", New_Process_Name)) + " " + process_command_line_arguments), New_Process_Name), EventCode==4696, Target_Process_Name , 1==1, coalesce(Process, process, Process_Name))
EVAL-registry_path = if(EventCode==4657 OR EventCode==4670,Object_Name,registry_path)
EVAL-registry_value_name = if(EventCode==4657, Object_Value_Name, registry_value_name)
EVAL-registry_value_type = if(EventCode==4657, New_Value_Type, registry_value_type)
EVAL-object_attrs = if(EventCode==4717 OR EventCode==4718,Access_Right,if(isnotnull(Group_Name),Group_Name,if(EventCode IN (4698,4700,4701),TaskContent,if(EventCode==4702,TaskNewContent,if(EventCode==4719, "Category="+Category+",Subcategory="+Subcategory+",Subcategory GUID="+Subcategory_GUID+",Changes="+Changes,object_attrs)))))
EVAL-file_name = if(Object_Type=="File" AND isnotnull(object_file_name),object_file_name,if(isnotnull(Share_Name),Share_Name,file_name))
EVAL-file_path = if(Object_Type=="File" AND isnotnull(object_file_path),object_file_path,if(isnotnull(Share_Path),Share_Path,file_path))
EVAL-parent_process = case(EventCode==4696,Process_Name,1==1,parent_process)
EVAL-parent_process_id = case(EventCode==4688,Creator_Process_ID,EventCode==4696,Process_ID)
EVAL-parent_process_name = case(EventCode==4696,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),1==1,parent_process_name)
EVAL-process_path = case(EventCode==4688,New_Process_Name,EventCode==4696,Target_Process_Name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,Process_Name)
EVAL-parent_process_path = case(EventCode==4688,Creator_Process_Name,EventCode==4696,Process_Name)
EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"))
EVAL-process_name = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),1==1,Process_Name)
EVAL-process_id = case(EventCode==4696,Target_Process_ID, EventCode==4689 OR EventCode==4673, Process_ID, 1==1, process_id)
EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
LOOKUP-service_name_for_endpoint_service = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service,service_name
LOOKUP-service_type_for_endpoint_service = windows_endpoint_service_service_type_lookup Service_Start_Type OUTPUTNEW start_mode
LOOKUP-transpot_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
LOOKUP-wineventlog-change-object-fields = windows_wineventlog_change_object_fields_lookup EventCode OUTPUTNEW change_type,object_attrs,object_category,result
## IAS (Currently WinEventLog Support Only)
[source::WinEventLog:System:IAS]
REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
EVAL-app = "ias"
[source::WinEventLog:ForwardedEvents]
##### Explanation for SEDCMD Extractions #####
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
## clean_rendering_info_block: This will eliminate the entire extra <RenderingInfo> block from all the events that indexes when using WEF before indexing
##### SEDCMD Extractions #####
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
#SEDCMD-cleansrcportxml=s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
#SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
###### WindowsUpdateLog ######
[source::...WindowsUpdate.Log]
sourcetype = WindowsUpdateLog
[WindowsUpdateLog]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
FIELDALIAS-dest_for_windowsupdatelog = host AS dest
REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_for_windows = signature_id AS package
FIELDALIAS-package_title_for_windows = signature AS package_title
[WinRegistry]
## Registry Extractions
## registry_path, registry_key_name, registry_value_name
REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
REPORT-registry_value_data = registry_value_data_for_WinRegistry
FIELDALIAS-registry_value_type = data_type AS registry_value_type
## Endpoint Change Extractions
## Required fields: action,dest,object,object_category,object_path,status,user
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
FIELDALIAS-dest_for_WinRegistry = host AS dest
REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status
REPORT-user_for_WinRegistry = user_for_WinRegistry
LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type
FIELDALIAS-src_for_WinRegistry = host AS src
## Field Mapping for Endpoint Data Model
## For Registry Dataset
FIELDALIAS-process_id_for_WinRegistry = pid AS process_id
EVAL-vendor_product = "Microsoft Windows"
#####################
## Splunk Perfmon/WMI
#####################
## Apply the following properties to all WMI events
[source::WMI...]
## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
REPORT-MESSAGE =
[wmi]
LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
TRANSFORMS-FIELDS =
###### ComputerSystem ######
[WMI:ComputerSystem]
FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
[Perfmon:Processor]
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:Processor]
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:Network_Interface]
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
EVAL-packets = if(counter=="Packets/sec",Value,null())
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:Network_Interface]
FIELDALIAS-bytes = Bytes_Total/sec as bytes
FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
FIELDALIAS-packets = Packets/sec as packets
FIELDALIAS-packets_in = Packets_Received/sec as packets_in
FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
FIELDALIAS-thruput = Bytes_Total/sec as thruput
FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:DFS_Replicated_Folders]
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[Perfmon:NTDS]
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[Perfmon:DNS]
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[Perfmon:CPU]
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:CPU]
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:System]
EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
EVAL-system_threads_count = if(counter=="Threads",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:System]
FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count
FIELDALIAS-system_threads_count = Threads as system_threads_count
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:ProcessorInformation]
SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/
EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-vendor_product = "Microsoft Windows"
[PerfmonMk:ProcessorInformation]
EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-vendor_product = "Microsoft Windows"
[WMI:CPUTime]
REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
FIELDALIAS-cpu_instance = Name AS cpu_instance
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Disk ######
[Perfmon:LogicalDisk]
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:LogicalDisk]
EVAL-mount = if(instance=="_Total", null(), instance)
# Keeping this field in ms
EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
FIELDALIAS-storage_free = Free_Megabytes as storage_free
EVAL-storage=((100*Free_Megabytes)/storage_free_percent)
EVAL-storage_used=(((100-storage_free_percent)*Free_Megabytes)/storage_free_percent)
EVAL-storage_used_percent=(100-storage_free_percent)
[Perfmon:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[WMI:FreeDiskSpace]
REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
[WMI:LogicalDisk]
FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
[WMI:LocalPhysicalDisk]
REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-src_for_wmi = host AS src
###### Network ######
[WMI:LocalNetwork]
FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Process ######
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
EVAL-vendor_product = "Microsoft Windows"
[PerfmonMk:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Field Mapping for Endpoint Data Model
## For Processes Dataset
FIELDALIAS-process_id_for_perfmon = ID_Process AS process_id
EVAL-mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
EVAL-vendor_product = "Microsoft Windows"
###### Installed Apps ######
[Script:InstalledApps]
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
KV_MODE = none
REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps
###### Installed Updates ######
[WMI:InstalledUpdates]
REPORT-00Description_for_installedupdates = Description_for_installedupdates
FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Listening Ports ######
[Script:ListeningPorts]
SHOULD_LINEMERGE = false
KV_MODE = None
REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
REPORT-1kv_for_listeningports = kv_for_listeningports
FIELDALIAS-dest_for_listeningports = dest_ip AS dest
FIELDALIAS-process_id_for_listeningports = pid AS process_id
## Field Mapping for Endpoint Data Model
## For Ports Dataset
EVAL-transport_dest_port = transport."/".dest_port
EVAL-vendor_product = "Microsoft Windows"
###### Local Processes ######
[WMI:LocalProcesses]
REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
FIELDALIAS-process_for_wmi_localprocesses = windows_app AS Name, windows_app AS app, windows_app AS process
FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
## Field Mapping for Endpoint Data Model
## For Processes Dataset
EVAL-vendor_product = "Microsoft Windows"
###### Memory ######
## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory
## Total memory available in WMI:ComputerSystem
[Perfmon:Memory]
EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:Memory]
FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
FIELDALIAS-mem_free = Available_MBytes as mem_free
FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[Perfmon:Network]
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
EVAL-packets = if(counter=="Packets/sec",Value,null())
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"
[PerfmonMk:Network]
FIELDALIAS-bytes = Bytes_Total/sec as bytes
FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
FIELDALIAS-packets = Packets/sec as packets
FIELDALIAS-packets_in = Packets_Received/sec as packets_in
FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
FIELDALIAS-thruput = Bytes_Total/sec as thruput
FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
[WMI:Memory]
REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in
FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out
FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops
EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Service ######
[WMI:Service]
REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname
FIELDALIAS-file_path_for_wmi_service = service_path AS file_path
FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
FIELDALIAS-status_for_wmi_service = State AS status
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
## Field Mapping for Endpoint Data Model
## For Services Dataset
REPORT-report_field_extract_wmi_service_path_and_exec_name = field_extract_wmi_service_path, field_extract_wmi_service_exec
FIELDALIAS-description_for_wmi = Description AS description
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
FIELDALIAS-service_name_for_wmi = Name AS service, Name AS service_name
EVAL-vendor_product = "Microsoft Windows"
###### Time Configuration ######
[Script:TimesyncConfiguration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync
REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration
REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration
REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration
REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration
REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration
REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration
REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration
REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration
REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration
REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration
REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration
REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration
REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration
REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration
REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration
REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration
REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration
REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync
###### Time Synchronization ######
[Script:TimesyncStatus]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync
REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status
REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status
REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status
REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status
REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status
REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status
REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status
REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status
REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status
REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status
REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status
REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status
REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status
REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync
LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
EVAL-last_sync_time = coalesce(strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S %p"),strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S"),strptime(Last_Successful_Sync_Time, "%d-%m-%Y %H:%M:%S"))
FIELDALIAS-dest = host as dest
EVAL-resource_type = "system"
###### Uptime ######
[WMI:Uptime]
REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous
FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store
TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store
EVAL-metric_type = "gauge"
###### User Accounts ######
[WMI:UserAccounts]
REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name
FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
FIELDALIAS-status_for_wmi_useraccounts = Status AS status
FIELDALIAS-user_for_wmi_useraccounts = Name AS user
FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled
FIELDALIAS-description_for_wmi_user_account_status = Description AS description
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Version ######
[WMI:Version]
REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())
FIELDALIAS-description = Caption as description
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
###### Scheduled Jobs ######
[WMI:ScheduledJobs]
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-src_for_wmi = host AS src
###### Host Inventory ######
[WinHostMon]
EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null())
EVAL-os = if(Type=="OperatingSystem", OS, null())
EVAL-family = if(Type=="Processor", Architecture, null())
EVAL-version = if(Type=="OperatingSystem", Version, null())
EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
EVAL-mount = if (Type=="Disk", Name, null())
EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null())
EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null())
EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null())
EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null())
EVAL-description = if(Type=="Processor", Name, null())
EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null())
EVAL-cpu_architecture = if(Type=="Processor", Architecture, null())
REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer
REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor
REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service
FIELDALIAS-dest_for_winhostmon = host as dest
EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?<process>[^"}}\{\{]+)"
EXTRACT-service_for_winhostmon = DisplayName="(?<service>[^"}}\{\{]+)"
EVAL-start_mode = lower(StartMode)
## Field Mapping for Endpoint Data Model
## For Services Dataset
REPORT-service_exec_for_WinHostMon_service_path_and_exec_name = service_exec_for_WinHostMon_service_path, service_exec_for_WinHostMon_service_exec
FIELDALIAS-process_id_for_winhostmon = ProcessId AS process_id
EXTRACT-service_name_for_winhostmon = DisplayName="(?<service_name>[^"}}\{\{]+)"
####WMI:WinEventLog####
##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:System]
[WMI:WinEventLog:System]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-pid_for_wmi = IDProcess AS pid
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
# Legacy field aliases to support ES 2.0.2, Winfra
FIELDALIAS-package_for_windows = signature_id AS package
FIELDALIAS-package_title_for_windows = signature AS package_title
## Field Mapping for Endpoint Data Model
## For Filesystem Dataset
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
EVAL-vendor_product = "Microsoft Windows"
##### Explanation for SEDCMD Extractions #####
## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
##### SEDCMD Extractions #####
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security]
[WMI:WinEventLog:Security]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?<Group_Name>.*)(?:\n|\r).*Account Domain:\s*(?<Group_Domain>[^(?:\n|\r)]+)
## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
## action, status
## Override action to allow audit log changes to correspond to Change Analysis data model
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
## Set the following fields based on order of operations
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
## Field Mapping for Endpoint Data Model
## For Ports, Services and Processes Datasets
FIELDALIAS-dest_port_for_windows_security = Port AS dest_port
FIELDALIAS-service_id_for_windows_security = Service_ID AS service_id
FIELDALIAS-service_for_windows_security = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_name_for_windows_security = Process_Name AS process_name
FIELDALIAS-user_id_for_windows_security = User_ID AS user_id
EVAL-process_id = coalesce('IDProcess','Process_ID')
EVAL-vendor_product = "Microsoft Windows"
##### Explanation for SEDCMD Extractions #####
## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing
## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing
## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...]
[WMI:WinEventLog:Application]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-dest_for_wmi = ComputerName AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
## Field Mapping for Endpoint Data Model
## For Filesystem Dataset
FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
FIELDALIAS-user_for_wmi = User AS user
EVAL-vendor_product = "Microsoft Windows"
###### Backward Compatibility ######
## Perfmon Disk Space
# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:FreeDiskSpace]
FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Perfmon CPUTime
# "Perfmon:CPUTime" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less 4.8.0.
[Perfmon:CPUTime]
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Perfmon LocalNetwork
# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:LocalNetwork]
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## To provide backward compatibility for WinEventLog and XmlWinEventLog data
## These will be deprecated in future
[WinEventLog:Security]
rename = wineventlog
[WinEventLog:Application]
rename = wineventlog
[WinEventLog:System]
rename = wineventlog
[WinEventLog:System:IAS]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = wineventlog
[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = wineventlog
[WinEventLog:Setup]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-LSA/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = wineventlog
[WinEventLog:Windows PowerShell]
rename = wineventlog
[WinEventLog:Microsoft-Windows-PrintService/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-WinRM/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = wineventlog
[WinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = wineventlog
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog
[XmlWinEventLog:Security]
rename = xmlwineventlog
[XmlWinEventLog:Application]
rename = xmlwineventlog
[XmlWinEventLog:System]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DNS-Client/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Setup]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CAPI2/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-LSA/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-NetworkProfile/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Windows PowerShell]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-PrintService/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-WinRM/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-SMBClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
rename = xmlwineventlog
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog
###### Rename stanzas for TA-AD WinEventLog sourcetypes ######
[WinEventLog:DFS-Replication]
rename = wineventlog
[WinEventLog:Directory-Service]
rename = wineventlog
[WinEventLog:File-Replication-Service]
rename = wineventlog
[WinEventLog:Key-Management-Service]
rename = wineventlog
###### Rename stanzas for TA-DNS WinEventLog sourcetypes ######
[WinEventLog:DNS-Server]
rename = wineventlog
## Below two stanzas have been kept for backward compatibility for already indexed events before Splunk Addon For Microsoft Windows 5.0.0.
## Stanzas are exactly similar to [WinEventLog] and [XmlWinEventLog] respectively.
## These will be deprecated in future
[wineventlog]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_id_for_windows = Service_ID AS service_id
FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
FIELDALIAS-process_for_windows = Process AS process
FIELDALIAS-process_name_for_windows = Process_Name AS process_name
FIELDALIAS-user_id_for_windows = User_ID AS user_id
EVAL-vendor_product = "Microsoft Windows"
[xmlwineventlog]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Field Mapping for Endpoint Data Model
## For Services, Processes and Filesystem Datasets
FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
FIELDALIAS-process_name_for_windows = ProcessName AS process_name
FIELDALIAS-user_id_for_windows = UserID AS user_id
EVAL-vendor_product = "Microsoft Windows"
## Scripted input for collecting local ip config
[Script:NetworkConfiguration]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(Configuration for interface )
KV_MODE = none
TRUNCATE = 0
EXTRACT-netshaddressif=Configuration for interface \"(?<if>[^\"]+)
EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?<dhcp>(Yes|No))
EXTRACT-netshaddressip=IP Address\:\s+(?<ip>[\d\.]+)
EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?<cidr>[^\s]+)
EXTRACT-netshaddressmask=mask (?<mask>[^\)]+)
EXTRACT-netshaddressgw=Gateway\:\s+(?<gw>[\d\.]+)
EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?<metric>\d+)
###### Extractions moved from TA-AD ######
[MSAD:NT6:Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:SiteInfo]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
[MSAD:NT6:Replication]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:Netlogon]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
EXTRACT-subnetaffinity = \s(?<src_domain>[^:]+): (?<msad_affinity>NO_CLIENT_SITE): (?<src_host>[^\s]+) (?<src_ip>[0-9A-Fa-f:\.]+)
[MSAD:SubnetAffinity]
EXTRACT-subnetaffinity = (?<src_nt_domain>\w+): NO_CLIENT_SITE: (?<src_host>\w+) (?<src_ip>[0-9\.]+)
###### Extractions moved from TA-DNS ######
[MSAD:NT6:DNS-Zone-Information]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:DNS-Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TRUNCATE = 0
REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV
[MSAD:NT6:DNS]
KV_MODE = none
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
EXTRACT-threadid = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)
EXTRACT-protocol = (?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+
EXTRACT-opcode = (?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]
EXTRACT-question1 = \] (?<questiontype>\w+)\s+(?<questionname>.*)
EXTRACT-question2 = \] (?<questionname>[^\s]*)$
FIELDALIAS-query = questionname AS query
FIELDALIAS-reply_code = response AS reply_code
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class
LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action
LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class
Reference in new issue View Git Blame Copy Permalink