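# macros.conf -- search macros for the threat-hunting searches that use the
# threathunting_* lookups.
# Read by Splunk's conf parser: comments are full lines starting with '#' in
# column 0 (anything after a value is part of the value) and there are no
# inline comments. Every macro here is static (iseval = 0), so its
# definition is pasted verbatim into the calling search.
#
# Security notes for maintainers:
#  * The *_whitelist macros suppress events that match a row of the named
#    CSV on every listed field (the subsearch turns each row into one
#    OR'd term and the whole list is wrapped in NOT). Treat a change to
#    those CSVs like a change to a detection: a row that is broader than
#    intended silently hides events. A row only takes effect if the
#    calling search has already produced every listed field (for example
#    mitre_technique_id) before the macro runs; otherwise the event is
#    simply not excluded.
#  * Keep each field list in sync with the CSV header: a field named here
#    that is missing from the CSV is dropped from the match, which widens
#    what the row suppresses.
#  * The NOT [...] subsearches are subject to the subsearch result/time
#    limits in limits.conf; a whitelist that outgrows them is applied only
#    partially (more alerts, not fewer) without failing the search.

# --- Data source scoping -----------------------------------------------

[sysmon]
definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0

[windows-app]
definition = index=wineventlog source="WinEventLog:Application"
iseval = 0

# Either the dedicated powershell index or the two PowerShell channels in
# the Windows event log index.
[powershell]
definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
iseval = 0

[windows-security]
definition = index=wineventlog source="WinEventLog:Security"
iseval = 0

[pan_threat]
definition = index=pan_logs sourcetype="pan:threat"
iseval = 0

# System and Security channels together. The parentheses make the intended
# grouping explicit; Splunk evaluates OR before the implicit AND, so the
# expansion is unchanged.
[windows]
definition = index=wineventlog (source="WinEventLog:System" OR source="WinEventLog:Security")
iseval = 0

[windows-system]
definition = index=wineventlog source="WinEventLog:System"
iseval = 0

# WINDOMAIN looks like a placeholder for the environment's domain name;
# searches that expand `domain` / `no-domain` will not match anything useful
# until it is replaced. NOTE(review): confirm the expected value format
# (NetBIOS vs. DNS name) against the searches that use these macros.
[domain]
definition = WINDOMAIN
iseval = 0

[no-domain]
definition = "WINDOMAIN\\*"
iseval = 0

# --- Suppression (whitelist) lookups ------------------------------------
# Each macro is used after a pipe and drops events that match any row of
# its CSV on all of the listed fields (see the notes at the top).

[process_create_whitelist]
definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
iseval = 0

[network_whitelist]
definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip dst_port src_ip process_path]
iseval = 0

[process_access_whitelist]
definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
iseval = 0

# NOTE(review): the fields are driver_* attributes, so this macro appears to
# be aimed at driver-load rather than generic image-load events; confirm
# against the search that expands it and the CSV header.
[image_load_whitelist]
definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
iseval = 0

[file_access_whitelist]
definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
iseval = 0

[registry_whitelist]
definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
iseval = 0

[pipe_created_whitelist]
definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
iseval = 0

# NOTE(review): the field list is identical to pipe_created_whitelist and
# pipe_name looks out of place for WMI events; confirm it matches the
# header of threathunting_wmi_whitelist.csv. If the CSV has no pipe_name
# column the row matches on the remaining three fields only.
[wmi_whitelist]
definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
iseval = 0

# NOTE(review): keys on process_name where the other macros use
# process_path; confirm this is deliberate and matches the CSV header.
[remote_thread_whitelist]
definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
iseval = 0

# --- Scheduling / enrichment helpers -------------------------------------

# Index-time window for scheduled searches, so events that arrive late for
# their event time are still seen. The schedule must fire at least every
# 15 minutes; a run that is skipped or delayed past the window leaves a
# gap that nothing revisits.
[indextime]
definition = _index_earliest=-15m@m AND _index_latest=now
iseval = 0

# Asset priority lookup with host_fqdn renamed to dns, for searches that
# key on that field name.
[threathunting_assets_dns]
definition = | inputlookup threathunting_asset_priority.csv | rename host_fqdn as dns | fields dns priority
iseval = 0

# Labels the common process access masks found in process_granted_access.
# case() returns the first matching branch, so each mask must appear once:
# 0x50 (PROCESS_DUP_HANDLE + PROCESS_VM_READ) was previously keyed as a
# second 0x40 branch and could never match. The value is lower-cased
# before comparison because eval's = is case-sensitive and the case of
# the hex digits is not guaranteed upstream. Masks not listed leave the
# description field null.
[process_granted_access_description]
definition = eval process_granted_access_description=case(lower(process_granted_access) = "0x1fffff", "PROCESS_ALL_ACCESS", lower(process_granted_access) = "0x40", "PROCESS_DUP_HANDLE", lower(process_granted_access) = "0x50", "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)", lower(process_granted_access) = "0xc0", "PROCESS_DUP_HANDLE (0x40) + PROCESS_CREATE_PROCESS (0x80)", lower(process_granted_access) = "0x1010", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_VM_READ (0x0010)", lower(process_granted_access) = "0x1410", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010)", lower(process_granted_access) = "0x1001", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_TERMINATE (0x0001)")
iseval = 0

# Index referenced as index=threathunting; presumably the app's own
# results/summary index -- confirm with the searches that write to it.
[threathunting_index]
definition = index=threathunting
iseval = 0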