Fix ThreatHunting dashboard

https://github.com/clong/DetectionLab/issues/625
This commit is contained in:
Chris Long
2021-03-23 17:08:40 -07:00
committed by GitHub
parent 819ded6d85
commit 7778de6190


@@ -73,3 +73,17 @@ iseval = 0
[indextime] [indextime]
definition = _index_earliest=-15m@m AND _index_latest=now definition = _index_earliest=-15m@m AND _index_latest=now
iseval = 0 iseval = 0
[threathunting_assets_dns]
definition = | inputlookup threathunting_asset_priority.csv \
| rename host_fqdn as dns\
| fields dns priority
iseval = 0
[process_granted_access_description]
definition = eval process_granted_access_description=case(process_granted_access = "0x1fffff", "PROCESS_ALL_ACCESS",process_granted_access = "0x40", "PROCESS_DUP_HANDLE",process_granted_access = "0x40", "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)",process_granted_access = "0xc0", "PROCESS_DUP_HANDLE (0x40) + PROCESS_CREATE_PROCESS (0x80)",process_granted_access = "0x1010", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_VM_READ (0x0010)", process_granted_access = "0x1410", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010)",process_granted_access = "0x1001", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_TERMINATE (0x0001)")
iseval = 0
[threathunting_index]
definition = index=threathunting
iseval = 0
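Review bot: The `case()` in the new `[process_granted_access_description]` macro lists the condition `process_granted_access = "0x40"` twice, and since Splunk's `case()` returns the value of the first condition that evaluates true, the second branch ("PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)") can never be reached. The label on that second branch describes the mask 0x40 | 0x10 = 0x50, so the intended line is almost certainly `process_granted_access = "0x50", "PROCESS_DUP_HANDLE (0x40) + PROCESS_VM_READ (0x0010)"`; as written, a 0x50 ProcessAccess event gets no description at all, which matters because this field is what the hunting dashboards label suspicious handle requests with. The match is a plain string comparison, so it presumably assumes the field is already normalised to lowercase hex — worth confirming against the Sysmon event extraction, or wrapping the field in `lower()`. Consider also a trailing `true(), "Unknown (".process_granted_access.")"` branch so unlisted masks are visible rather than null. The macros.conf file continues above this hunk (the `[indextime]` stanza is only partly shown).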