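# Splunk Universal Forwarder inputs.conf for a Windows Event Collector (WEC).
# Each WinEventLog://WEC*-... stanza reads one custom WEF subscription channel
# and pins a sourcetype/source so downstream field extraction and CIM tagging
# do not depend on the channel name.
#
# Splunk .conf parsers only honour comments that start in column 0; there are
# no trailing comments, and every key is written as "key = value".
#
# Settings shared by every WinEventLog stanza:
#   disabled = 0            input is active.
#   start_from = oldest     together with current_only = 0 the forwarder
#   current_only = 0        backfills the whole channel on first start
#                           (useful for forensics, but expect an initial burst).
#   checkpointInterval = 5  checkpoint every 5 s, so a forwarder restart
#                           re-reads at most a few seconds of events.
#
# NOTE(review): several channels that presumably do not carry Security-log
# events (e.g. EMET, Exploit-Guard, Device-Guard, MSI-Packages, Crypto-API,
# Certificate-Authority) are tagged sourcetype WinEventLog:Security. Confirm
# that the props for that sourcetype handle them, otherwise field extraction
# and CIM tags for those events may be wrong.
#
# Blacklists only drop events at this forwarder; they are an audit gap, not a
# volume control on the collector. Keep them minimal and path-anchored.

# Default WEF channel (no custom source override).
[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Powershell]
sourcetype = WinEventLog:Powershell
source = WinEventLog:Powershell
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-WMI]
sourcetype = WinEventLog:WMI
source = WinEventLog:WMI
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-EMET]
sourcetype = WinEventLog:Security
source = WinEventLog:EMET
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Authentication]
sourcetype = WinEventLog:Security
source = WinEventLog:Authentication
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Services]
sourcetype = WinEventLog:System
source = WinEventLog:Services
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Process-creation auditing. The two blacklists drop osquery's and the
# forwarder's own process creations to cut volume.
# They are anchored to the "New Process Name:" field on purpose: the earlier
# pattern "(?:Process Name:).+<path>" matched any "Process Name:" label
# followed by the path on the same line, which also matched the
# "Creator Process Name:" field and therefore silently dropped every process
# *spawned by* osqueryd or by a forwarder binary. A blacklist keyed on a path
# is only as trustworthy as the ACL on that directory - anything that can
# write there can hide from this channel.
[WinEventLog://WEC-Process-Execution]
sourcetype = WinEventLog:Security
source = WinEventLog:Process-Execution
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist = Message="New Process Name:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe"
blacklist1 = Message="New Process Name:\s+C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

[WinEventLog://WEC-Code-Integrity]
sourcetype = WinEventLog:Security
source = WinEventLog:Code-Integrity
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Registry]
sourcetype = WinEventLog:Security
source = WinEventLog:Registry
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Applocker]
sourcetype = WinEventLog:Applocker
source = WinEventLog:Applocker
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Object/handle access auditing. The earlier blacklist matched the bare file
# name "osqueryd.exe" anywhere after "Process Name:", so any binary renamed
# osqueryd.exe, in any directory, had its object-access events suppressed.
# Match the full installed path instead (same path as used in the
# WEC-Process-Execution blacklist - adjust if osquery lives elsewhere).
[WinEventLog://WEC2-Object-Manipulation]
sourcetype = WinEventLog:Security
source = WinEventLog:Object-Handle
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist = Message="Process Name:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe"

[WinEventLog://WEC2-Task-Scheduler]
sourcetype = WinEventLog:Task-Scheduler
source = WinEventLog:Task-Scheduler
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Application-Crashes]
sourcetype = WinEventLog:Application
source = WinEventLog:Application-Crashes
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Windows-Defender]
sourcetype = WinEventLog:Windows-Defender
source = WinEventLog:Windows-Defender
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Group-Policy-Errors]
sourcetype = WinEventLog:System
source = WinEventLog:Group-Policy-Errors
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Drivers]
sourcetype = WinEventLog:System
source = WinEventLog:Drivers
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Account-Management]
sourcetype = WinEventLog:Security
source = WinEventLog:Account-Management
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Windows-Diagnostics]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Diagnostics
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Smart-Card]
sourcetype = WinEventLog:Smart-Card
source = WinEventLog:Smart-Card
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-USB]
sourcetype = WinEventLog:USB
source = WinEventLog:USB
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Print]
sourcetype = WinEventLog:Print
source = WinEventLog:Print
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Firewall]
sourcetype = WinEventLog:Firewall
source = WinEventLog:Firewall
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Wireless]
sourcetype = WinEventLog:Security
source = WinEventLog:Wireless
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Shares]
sourcetype = WinEventLog:Security
source = WinEventLog:Shares
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Bits-Client]
sourcetype = WinEventLog:Bits-Client
source = WinEventLog:Bits-Client
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Windows-Updates]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Updates
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Hotpatching-Errors]
sourcetype = WinEventLog:Security
source = WinEventLog:Hotpatching-Errors
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-DNS]
sourcetype = WinEventLog:DNS
source = WinEventLog:DNS
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-System-Time-Change]
sourcetype = WinEventLog:Security
source = WinEventLog:System-Time-Change
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Operating-System]
sourcetype = WinEventLog:System
source = WinEventLog:Operating-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Certificate-Authority]
sourcetype = WinEventLog:Security
source = WinEventLog:Certificate-Authority
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Crypto-API]
sourcetype = WinEventLog:Security
source = WinEventLog:Crypto-API
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Kept in its original position (between the WEC5 stanzas) so the stanza
# order is unchanged; the WEC2 prefix is the channel's actual name.
[WinEventLog://WEC2-File-System]
sourcetype = WinEventLog:Security
source = WinEventLog:File-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-MSI-Packages]
sourcetype = WinEventLog:Security
source = WinEventLog:MSI-Packages
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Log-clearing events are a high-value tamper signal; keep these two
# channels free of any blacklist.
[WinEventLog://WEC5-Log-Deletion-Security]
sourcetype = WinEventLog:Security
source = WinEventLog:Log-Deletion-Security
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Log-Deletion-System]
sourcetype = WinEventLog:System
source = WinEventLog:Log-Deletion-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Autoruns]
sourcetype = WinEventLog:Autoruns
source = WinEventLog:Autoruns
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Sysmon goes to its own index. The sourcetype is the XmlWinEventLog: form,
# which names XML-rendered events; renderXml = true makes the input actually
# emit XML. Without it the events arrive as classic text under an XML
# sourcetype and XML-based field extractions for Sysmon fail.
[WinEventLog://WEC6-Sysmon]
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
source = WinEventLog:Sysmon
index = sysmon
renderXml = true
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Software-Restriction-Policies]
sourcetype = WinEventLog:Software-Restriction-Policies
source = WinEventLog:Software-Restriction-Policies
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Microsoft-Office]
sourcetype = WinEventLog:Microsoft-Office
source = WinEventLog:Microsoft-Office
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Exploit-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Exploit-Guard
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Duo-Security]
sourcetype = WinEventLog:Duo-Security
source = WinEventLog:Duo-Security
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Device-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Device-Guard
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-ADFS]
sourcetype = WinEventLog:ADFS
source = WinEventLog:ADFS
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC7-Active-Directory]
sourcetype = WinEventLog:Security
source = WinEventLog:Active-Directory
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC7-Terminal-Services]
sourcetype = WinEventLog:Security
source = WinEventLog:Terminal-Services
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC7-Privilege-Use]
sourcetype = WinEventLog:Security
source = WinEventLog:Privilege-Use
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# PowerShell transcription files written under c:\pslogs (all subfolders).
# Transcripts capture full command input and output, which can include
# credentials or tokens typed at the prompt - restrict search access to the
# "powershell" index accordingly, and make sure c:\pslogs itself is
# write-only for ordinary users so transcripts cannot be edited or removed.
[monitor://c:\pslogs]
index = powershell
sourcetype = powershell_transcript
recursive = true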