Initial commit

2017-12-11 08:49:25 -08:00
commit 1577341ce9
157 changed files with 5271 additions and 0 deletions
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -0,0 +1,402 @@
+[default]
+evt_resolve_ad_obj = 1
+evt_dc_name = ldaps.ad.ha.palantir
+evt_dns_name = ldaps.ad.ha.palantir
+evt_ad_cache_disabled = 0
+evt_ad_cache_max_entries = 40000
+evt_ad_cache_exp_neg = 10
+evt_sid_cache_disabled = 0
+evt_sid_cache_max_entries = 40000
+evt_sid_cache_exp_neg = 1000
+batch_size = 500
+
+[WinEventLog://ForwardedEvents]
+sourcetype = WinEventLog:ForwardedEvents
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Powershell]
+sourcetype = WinEventLog:Powershell
+source = WinEventLog:Powershell
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-WMI]
+sourcetype = WinEventLog:WMI
+source = WinEventLog:WMI
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-EMET]
+sourcetype = WinEventLog:Security
+source = WinEventLog:EMET
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Authentication]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Authentication
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Services]
+sourcetype = WinEventLog:System
+source = WinEventLog:Services
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Process-Execution]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Process-Execution
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC-Code-Integrity]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Code-Integrity
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Registry]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Registry
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Applocker]
+sourcetype = WinEventLog:Applocker
+source = WinEventLog:Applocker
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Task-Scheduler]
+sourcetype = WinEventLog:Task-Scheduler
+source = WinEventLog:Task-Scheduler
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Application-Crashes]
+sourcetype = WinEventLog:Application
+source = WinEventLog:Application-Crashes
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Windows-Defender]
+sourcetype = WinEventLog:Windows-Defender
+source = WinEventLog:Windows-Defender
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-Group-Policy-Errors]
+sourcetype = WinEventLog:System
+source = WinEventLog:Group-Policy-Errors
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Drivers]
+sourcetype = WinEventLog:System
+source = WinEventLog:Drivers
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Account-Management]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Account-Management
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Windows-Diagnostics]
+sourcetype = WinEventLog:System
+source = WinEventLog:Windows-Diagnostics
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Smart-Card]
+sourcetype = WinEventLog:Smart-Card
+source = WinEventLog:Smart-Card
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-USB]
+sourcetype = WinEventLog:USB
+source = WinEventLog:USB
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Print]
+sourcetype = WinEventLog:Print
+source = WinEventLog:Print
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC3-Firewall]
+sourcetype = WinEventLog:Firewall
+source = WinEventLog:Firewall
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Wireless]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Wireless
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Shares]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Shares
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Bits-Client]
+sourcetype = WinEventLog:Bits-Client
+source = WinEventLog:Bits-Client
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Windows-Updates]
+sourcetype = WinEventLog:System
+source = WinEventLog:Windows-Updates
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-Hotpatching-Errors]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Hotpatching-Errors
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-DNS]
+sourcetype = WinEventLog:DNS
+source = WinEventLog:DNS
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC4-System-Time-Change]
+sourcetype = WinEventLog:Security
+source = WinEventLog:System-Time-Change
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Operating-System]
+sourcetype = WinEventLog:System
+source = WinEventLog:Operating-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Certificate-Authority]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Certificate-Authority
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Crypto-API]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Crypto-API
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC2-File-System]
+sourcetype = WinEventLog:Security
+source = WinEventLog:File-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-MSI-Packages]
+sourcetype = WinEventLog:Security
+source = WinEventLog:MSI-Packages
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Log-Deletion-Security]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Log-Deletion-Security
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Log-Deletion-System]
+sourcetype = WinEventLog:System
+source = WinEventLog:Log-Deletion-System
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC5-Autoruns]
+sourcetype = WinEventLog:Autoruns
+source = WinEventLog:Autoruns
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Sysmon]
+sourcetype = WinEventLog:Sysmon
+source = WinEventLog:Sysmon
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Software-Restriction-Policies]
+sourcetype = WinEventLog:Software-Restriction-Policies
+source = WinEventLog:Software-Restriction-Policies
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Microsoft-Office]
+sourcetype = WinEventLog:Microsoft-Office
+source = WinEventLog:Microsoft-Office
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Exploit-Guard]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Exploit-Guard
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Duo-Security]
+sourcetype = WinEventLog:Duo-Security
+source = WinEventLog:Duo-Security
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-Device-Guard]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Device-Guard
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[WinEventLog://WEC6-ADFS]
+sourcetype = WinEventLog:ADFS
+source = WinEventLog:ADFS
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
+[monitor://c:\pslogs]
+index = powershell
+sourcetype = powershell_transcript
+recursive = true