# Copyright (C) 2019 Splunk Inc. All Rights Reserved. # DO NOT EDIT THIS FILE! # Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. # To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default # into ../local and edit there. # ########################### ## Active Directory ########################### [ActiveDirectory] LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag ########################### ## DHCP ########################### [DhcpSrvLog] SHOULD_LINEMERGE = false EVENT_BREAKER_ENABLE = true TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host EVAL-vendor = "Microsoft" EVAL-product = "Windows" EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":"))) EVAL-dest = coalesce(nt_host, ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "^(\w{2})", "\1:"), ":"), 1==1, replace(raw_mac, "-|\.|\s", ":")))) ########################### ## Splunk Windows Event Log ########################### ## Host override for WinEventLog events collected using WEF [host::WinEventLogForwardHost] TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride ## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog ## format source using sourcetype value, so we know whether its XML or not ## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype ## the mod input sets and new sources will be accommodated as well [(?::){0}WinEventLog:*] 
TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype [(?::){0}XmlWinEventLog:*] TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype ## Fields common to all WinEventLogs [WinEventLog] LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result FIELDALIAS-category_for_windows = TaskCategory as category FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc FIELDALIAS-event_id_for_windows = RecordNumber AS event_id LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity FIELDALIAS-severity_id_for_windows = EventType AS severity_id FIELDALIAS-id_for_windows = RecordNumber AS id REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows ## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id [XmlWinEventLog] KV_MODE = none REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result FIELDALIAS-category_for_windows = TaskCategory as category FIELDALIAS-dvc_for_windows = host AS 
dvc_nt_host,Computer AS dvc FIELDALIAS-event_id_for_windows = RecordNumber AS event_id LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity FIELDALIAS-severity_id_for_windows = EventType AS severity_id FIELDALIAS-id_for_windows = RecordNumber AS id REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows ## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject ## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id ##Below fields extractions have been moved from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
and [source::*:System] ## windows system sub-sourcetyping [source::WinEventLog:System] TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog REPORT-bestmatch_for_windows_system = ComputerName_as_dest REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body EVAL-vendor = "Microsoft" EVAL-product = "Windows" # Legacy field aliases to support ES 2.0.2, Winfra FIELDALIAS-package_for_windows = signature_id AS package FIELDALIAS-package_title_for_windows = signature AS package_title ## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility # Extractions to add fields used by generic system extraction REPORT-signature_message_from_xml = updatelist_from_user_data REPORT-signature_from_xml = updatetitle_from_user_data FIELDALIAS-updateTitle_as_signature = updateTitle AS signature FIELDALIAS-Status_as_Error_Code = Status AS Error_Code EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) # LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status # LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status REPORT-bestmatch_for_windows_system_xml = Computer_as_dest ## 
Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias EVAL-app = if(SourceName="IAS","ias",null()) ##### Explanation for SEDCMD Extractions ##### ## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing ##### SEDCMD Extractions ##### #SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g ## Apply the following properties to all WinEventLog events ## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf [source::(WMI:WinEventLog|WinEventLog)...] ## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv REPORT-MESSAGE = ########################### ## Windows XML Event Log ########################### ##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
[source::XmlWinEventLog:System] # Extractions to add fields used by generic system extraction REPORT-signature_message_from_xml = updatelist_from_user_data REPORT-signature_from_xml = updatetitle_from_user_data FIELDALIAS-updateTitle_as_signature = updateTitle AS signature FIELDALIAS-Status_as_Error_Code = Status AS Error_Code EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) # LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status # LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status REPORT-bestmatch_for_windows_system_xml = Computer_as_dest REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user EVAL-body = coalesce('signature_message','Message') EVAL-vendor = "Microsoft" EVAL-product = "Windows" # Legacy field aliases to support ES 2.0.2, Winfra FIELDALIAS-package_title_for_windows = signature AS package_title FIELDALIAS-package_for_windows = signature_id AS package ##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
[source::XmlWinEventLog:Security] ## privilege REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege # Extractions to add fields used by generic security extraction REPORT-Source_Port_from_xml = IpPort_as_Source_Port REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation FIELDALIAS-Status_as_Error_Code = Status AS Error_Code FIELDALIAS-Target_User_Name_as_Group_Name = TargetUserName AS Group_Name FIELDALIAS-Target_Domain_as_Group_Domain = TargetDomainName AS Group_Domain EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) # LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status # LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status ## action, status ## Override action to allow audit log changes to correspond to Change Analysis data model LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status LOOKUP-action_for_windows2_security = 
windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status ## auditing FIELDALIAS-object_for_windows_security = sourcetype AS object ## privilege REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-body_for_windows_security = Message AS body FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") ## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app ## Set the following fields based on order of operations REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest REPORT-dest_nt_domain_for_windows_security = 
Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain REPORT-msad_actions_for_windows_security = 
msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity ##Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\> EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-process_id_for_windows_security_from_xml = \S+).*?(?:(?:\r*\n){2}) EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?[^$]+)$ EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?\S+).*?(?:(?:\r*\n){2}) EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?.*)\\(?[^(?:\n|\r)]+) ## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility ## privilege 
REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege # Extractions to add fields used by generic security extraction REPORT-Source_Port_from_xml = IpPort_as_Source_Port REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation FIELDALIAS-Status_as_Error_Code = Status AS Error_Code EVAL-Error_Code = if(isnull(Error_Code), "-", Error_Code) # LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status # LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\> EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data> EXTRACT-process_id_for_windows_security_from_xml = 0<\/Data> to <\/Data> in XmlWinEventLog:Security ## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in 
XmlWinEventLog:Security ##### SEDCMD Extractions ##### #SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g #SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g #SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ #SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ #SEDCMD-remove_ffff = s/::ffff://g #SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g #SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g #SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g ## For XmlWinEventLog:Security #SEDCMD-cleanxmlsrcport = s/0<\/Data>/<\/Data>/ #SEDCMD-cleanxmlsrcip = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/ ## IAS (Currently WinEventLog Support Only) [source::WinEventLog:System:IAS] REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias EVAL-app = "ias" [source::WinEventLog:ForwardedEvents] ##### Explanation for SEDCMD Extractions ##### ## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues ## cleanxmlsrcport: This will replace all values like 0<\/Data> to <\/Data> in XmlWinEventLog:Security ## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security ## clean_rendering_info_block: This will eliminate the entire extra block from all the events that indexes when using WEF before indexing ##### SEDCMD Extractions ##### #SEDCMD-remove_ffff = s/::ffff://g #SEDCMD-cleansrcipxml = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/ #SEDCMD-cleansrcportxml=s/0<\/Data>/<\/Data>/ #SEDCMD-clean_rendering_info_block = s/(?s)(.*)<\/RenderingInfo>// ###### WindowsUpdateLog ###### [source::...WindowsUpdate.Log] 
sourcetype = WindowsUpdateLog [WindowsUpdateLog] SHOULD_LINEMERGE = false EVENT_BREAKER_ENABLE = true FIELDALIAS-dest_for_windowsupdatelog = host AS dest REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status EVAL-vendor = "Microsoft" EVAL-product = "Windows" FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id # Legacy field aliases to support ES 2.0.2, Winfra FIELDALIAS-package_for_windows = signature_id AS package FIELDALIAS-package_title_for_windows = signature AS package_title ##################### ## Endpoint Changes ##################### ## fs_notification endpoint changes ## Required fields: action,dest,object,object_category,object_path,status,user ## Optional fields: object_id,object_attrs,user_type,msg,data,severity [fs_notification] REPORT-object_object_path_for_fs_notification = object_object_path_for_fs_notification REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification FIELDALIAS-vendor_action_for_fs_notification = action AS vendor_action FIELDALIAS-dest_for_fs_notification = host AS dest FIELDALIAS-user_for_fs_notification = uid AS user FIELDALIAS-object_attrs_for_fs_notification = chgs AS object_attrs # Field aliases for conformance to Change_Analysis::Filesystem_Changes object FIELDALIAS-file_acl_for_fs_notification = mode AS file_acl FIELDALIAS-file_hash_for_fs_notification = hash AS file_hash EVAL-file_modify_time = strptime(modtime, "%a %b %d %H:%M:%S %Y") FIELDALIAS-file_name_for_fs_notification = object AS file_name 
FIELDALIAS-file_path_for_fs_notification = object_path AS file_path FIELDALIAS-file_size_for_fs_notification = size AS file_size # Legacy change_type lookup to support ES 2.0.2 LOOKUP-change_type_for_fs_notification = fs_notification_change_type_lookup sourcetype OUTPUTNEW change_type LOOKUP-action_for_fs_notification = endpoint_change_vendor_action_lookup vendor_action OUTPUT action LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object AS vendor_object_category OUTPUT object_category # Any fs_notification event indicates a successful change; vendor_status in the lookup is overloaded to accommodate this. LOOKUP-object_status_for_fs_notification = endpoint_change_status_lookup vendor_status AS sourcetype OUTPUTNEW status [WinRegistry] ## Registry Extractions ## registry_path, registry_key_name, registry_value_name REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry REPORT-registry_value_data = registry_value_data_for_WinRegistry FIELDALIAS-registry_value_type = data_type AS registry_value_type ## Endpoint Change Extractions ## Required fields: action,dest,object,object_category,object_path,status,user ## Optional fields: object_id,object_attrs,user_type,msg,data,severity FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action FIELDALIAS-dest_for_WinRegistry = host AS dest REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status REPORT-user_for_WinRegistry = user_for_WinRegistry LOOKUP-user_type_for_WinRegistry = 
endpoint_change_user_type_lookup sourcetype OUTPUT user_type ##################### ## Splunk Perfmon/WMI ##################### ## Apply the following properties to all WMI events [source::WMI...] ## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv REPORT-MESSAGE = [wmi] LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+) ## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence ## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog" TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype TRANSFORMS-FIELDS = ###### ComputerSystem ###### [WMI:ComputerSystem] FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem FIELDALIAS-dest_for_wmi = host AS dest FIELDALIAS-pid_for_wmi = IDProcess AS pid FIELDALIAS-src_for_wmi = host AS src [Perfmon:Processor] EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-cpu_instance = instance AS cpu_instance EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:Processor] 
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null()) FIELDALIAS-cpu_instance = instance AS cpu_instance FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:Network_Interface] EVAL-bytes = if(counter=="Bytes Total/sec",Value,null()) EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null()) EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null()) EVAL-packets = if(counter=="Packets/sec",Value,null()) EVAL-packets_in = if(counter=="Packets Received/sec",Value,null()) EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null()) EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [PerfmonMk:Network_Interface] FIELDALIAS-bytes = Bytes_Total/sec as bytes FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out FIELDALIAS-packets = Packets/sec as packets FIELDALIAS-packets_in = Packets_Received/sec as packets_in FIELDALIAS-packets_out = Packets_Sent/sec as packets_out FIELDALIAS-thruput = Bytes_Total/sec as thruput FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max 
FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src [Perfmon:DFS_Replicated_Folders] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:NTDS] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:DNS] TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store EVAL-metric_type = "gauge" [Perfmon:CPU] EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-cpu_instance = instance AS cpu_instance EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) ## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) FIELDALIAS-dest_for_perfmon = host AS dest FIELDALIAS-src_for_perfmon = host AS src 
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

## Multikv (PerfmonMk) form of the Processor object: every counter is already
## a column, so the source field names contain literal % and / characters.
## Splunk .conf files do no %-interpolation; in EVAL the 'single-quoted'
## names are field references, not strings.
[PerfmonMk:CPU]
FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
FIELDALIAS-cpu_instance = instance AS cpu_instance
FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
## Duplicate of cpu_load_percent, kept to work around tag expansion issue ADDON-10972
FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

[Perfmon:System]
EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
EVAL-system_threads_count = if(counter=="Threads",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:System]
FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count
FIELDALIAS-system_threads_count = Threads as system_threads_count
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## Processor Information instance names contain a comma; the index-time SEDCMD
## transliterates it to an underscore (sed y///) so the instance is one token.
## Only the _Total instance is mapped to cpu_load_mhz / cpu_load_percent.
[Perfmon:ProcessorInformation]
SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/
EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:ProcessorInformation]
EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## WMI equivalent of the Processor object; field names follow the WMI
## property names (PercentProcessorTime, PercentUserTime, Name).
[WMI:CPUTime]
REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
FIELDALIAS-cpu_instance = Name AS cpu_instance
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Disk ######

[Perfmon:LogicalDisk]
## _Total is not a mount point, so it is suppressed
EVAL-mount = if(instance=="_Total", null(), instance)
## latency is converted from the counter's seconds to milliseconds
EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
## NOTE(review): read_latency and write_latency are left in seconds while
## latency above is scaled to ms -- confirm the unit mismatch is intended.
EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:LogicalDisk]
## _Total is not a mount point, so it is suppressed
EVAL-mount = if(instance=="_Total", null(), instance)
## latency is converted from seconds to milliseconds; the other latencies are
## plain aliases and keep the counter's native unit
EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## PhysicalDisk carries no counter-specific fields, only dest/src and the
## metrics-store transforms.
[Perfmon:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:PhysicalDisk]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## Free disk space via WMI. storage_* are derived from FreeMegabytes (MB) and
## PercentFreeSpace; the 1048576 factor converts MB to bytes.
[WMI:FreeDiskSpace]
REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
## NOTE(review): the null guard tests FreeMBytes but the arithmetic uses
## FreeMegabytes (as storage_free does). Unless an extraction produces a
## FreeMBytes field, storage is always null. The formulas for storage and
## storage_used also do not look like total/used capacity derived from free
## space and percent free -- verify against real data before relying on them.
EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

## WMI LogicalDisk: straight renames of the WMI property names
[WMI:LogicalDisk]
FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

[WMI:LocalPhysicalDisk]
REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-src_for_wmi = host AS src

###### Network ######

[WMI:LocalNetwork]
FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Process ######

## Per-process counters. The pseudo-instances _Total and Idle are excluded so
## they do not show up as processes.
[Perfmon:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:Process]
EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

###### Installed Apps ######

## Scripted input listing installed software. One record per line, each
## beginning with a YYYY-MM-DD HH:MM:SS.mmm timestamp (LINE_BREAKER);
## TRUNCATE = 0 lifts the line length limit and KV_MODE = none turns off
## automatic key=value extraction in favour of one REPORT per field.
## NOTE(review): in LINE_BREAKER the "." before \d{3} is unescaped and so
## matches any character -- harmless for well-formed output, but worth
## confirming against the script's actual timestamp format.
[Script:InstalledApps]
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
KV_MODE = none
REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps
REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps
REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps
REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps
REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps
REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps
REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps
REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps
REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps
REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps
REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps
REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps
REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps
REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps
REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps
REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps
REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps
REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps
REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps
REPORT-VersionMinor_for_win_installed_apps = VersionMinor_for_win_installed_apps
REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps
REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps
REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps
REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps

###### Installed Updates ######

## Hotfix inventory. signature is "Description (HotFixID)" when both exist,
## otherwise whichever one is present; status comes from a lookup keyed on
## sourcetype. The 00 prefix on the Description REPORT pins it ahead of the
## other extractions (presumably ASCII name order -- verify).
[WMI:InstalledUpdates]
REPORT-00Description_for_installedupdates = Description_for_installedupdates
FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Listening Ports ######

## Scripted input (netstat-style). Automatic KV extraction is off; dest_ip is
## extracted first (REPORT prefix 0), then the remaining key/value pairs.
[Script:ListeningPorts]
SHOULD_LINEMERGE = false
KV_MODE = None
REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
REPORT-1kv_for_listeningports = kv_for_listeningports
FIELDALIAS-dest_for_listeningports = dest_ip AS dest
FIELDALIAS-process_id_for_listeningports = pid AS process_id

###### Local Processes ######

## NOTE(review): the alias class is named mem_used_* but the alias produces
## UsedBytes, not mem_used -- confirm which field name consumers expect.
[WMI:LocalProcesses]
REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
FIELDALIAS-process_for_wmi_localprocesses = Name AS app,Name AS process
FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Memory ######
## Used memory is not available from the Perfmon Memory object or from
## WMI Win32_PerfFormattedData_PerfOS_Memory; total memory is available in
## WMI:ComputerSystem.

## mem_free is normalized to MB: "Available MBytes" is taken as-is, "Available
## Bytes" is divided by 1048576.
[Perfmon:Memory]
EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
## Duplicate of mem_free, kept to work around tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

## Multikv form of the Memory object. swap_percent is computed from the two
## aliased pool counters; it is null when their sum is unavailable.
[PerfmonMk:Memory]
FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
FIELDALIAS-mem_free = Available_MBytes as mem_free
FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
## Duplicate of mem_free, kept to work around tag expansion issue ADDON-10972
FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## Network Interface object. bytes and thruput are both taken from
## "Bytes Total/sec"; thruput_max from "Current Bandwidth".
[Perfmon:Network]
EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
EVAL-packets = if(counter=="Packets/sec",Value,null())
EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
EVAL-metric_type = "gauge"

[PerfmonMk:Network]
FIELDALIAS-bytes = Bytes_Total/sec as bytes
FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
FIELDALIAS-packets = Packets/sec as packets
FIELDALIAS-packets_in = Packets_Received/sec as packets_in
FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
FIELDALIAS-thruput = Bytes_Total/sec as thruput
FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src

## WMI Memory. mem_free prefers AvailableMBytes and falls back to
## windows_available_bytes / 1048576 (the latter presumably produced by the
## anomalous-field REPORT above it -- verify in transforms.conf).
[WMI:Memory]
REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in
FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out
FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops
EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
## Duplicate of mem_free, kept to work around tag expansion issue ADDON-10972
EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Service ######

## Win32_Service inventory: PathName becomes file_path, Name is exposed as
## both app and service, StartMode/State become start_mode/status.
[WMI:Service]
REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname
FIELDALIAS-file_path_for_wmi_service = PathName AS file_path
FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
FIELDALIAS-status_for_wmi_service = State AS status
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Time Configuration ######

## Scripted time-service configuration dump. Each record starts at a
## "Current time:" line. DATETIME_CONFIG = CURRENT stamps events with the time
## Splunk received them rather than any time in the text, so _time reflects
## collection time, not the values printed inside the event.
[Script:TimesyncConfiguration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync
REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration
REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration
REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration
REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration
REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration
REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration
REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration
REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration
REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration
REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration
REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration
REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration
REPORT-UpdateInterval_for_win_timesync_configuration = UpdateInterval_for_win_timesync_configuration
REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration
REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration
REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration
REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration
REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync

###### Time Synchronization ######

## Scripted time-service status dump; same framing and timestamp policy as
## [Script:TimesyncConfiguration] above.
[Script:TimesyncStatus]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)Current time:
KV_MODE = None
REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync
REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status
REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status
REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status
REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status
REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status
REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status
REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status
REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status
REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status
REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status
REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status
REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status
REPORT-Last_Sync_Error_for_win_timesync_status = Last_Sync_Error_for_win_timesync_status
REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync
## action is derived from Last_Sync_Error via lookup
LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
## NOTE(review): the strptime format is the US-style "MM/DD/YYYY hh:mm:ss AM/PM";
## hosts whose script output uses a different date locale will yield a null
## last_sync_time rather than an error -- confirm the collector's locale.
EVAL-last_sync_time = strptime(Last_Successful_Sync_Time, "%m/%d/%Y %I:%M:%S %p")

###### Uptime ######

## Uptime is also routed to the metrics store, but with its own pair of
## transforms rather than the five-transform perfmon set.
[WMI:Uptime]
REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous
FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src
TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store
TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store
EVAL-metric_type = "gauge"

###### User Accounts ######

## Win32_UserAccount inventory: Domain/Name/SID become dest_nt_domain/user/
## user_id; the enabled flag is looked up from the aliased status field, so the
## FIELDALIAS producing status must exist for the LOOKUP to match.
[WMI:UserAccounts]
REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name
FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
FIELDALIAS-status_for_wmi_useraccounts = Status AS status
FIELDALIAS-user_for_wmi_useraccounts = Name AS user
FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled
FIELDALIAS-description_for_wmi_user_account_status = Description AS description
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Version ######

## OS version via WMI. os is "Caption Version" when both are present; Caption
## is also exposed as os_name/family/description and Version as
## kernel_release/os_release/version.
[WMI:Version]
REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())
FIELDALIAS-description = Caption as description
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
FIELDALIAS-src_for_wmi = host AS src

###### Scheduled Jobs ######

[WMI:ScheduledJobs]
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-src_for_wmi = host AS src

###### Host Inventory ######

## WinHostMon emits several record kinds in one sourcetype, distinguished by
## the Type field (OperatingSystem, Processor, Disk, Service, Process). Every
## EVAL is gated on Type so a field is only populated for the record kind that
## carries its inputs. Memory figures are converted from KB to MB (/1024).
[WinHostMon]
EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null())
EVAL-os = if(Type=="OperatingSystem", OS, null())
EVAL-family = if(Type=="Processor", Architecture, null())
EVAL-version = if(Type=="OperatingSystem", Version, null())
EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
## Disk records: sizes in KB converted to MB; percentages relative to TotalSpaceKB
## (no explicit null/zero guard here, unlike the memory EVALs above)
EVAL-mount = if (Type=="Disk", Name, null())
EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null())
EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null())
EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null())
EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null())
EVAL-description = if(Type=="Processor", Name, null())
EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null())
EVAL-cpu_architecture = if(Type=="Processor", Architecture, null())
REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer
REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor
REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service
FIELDALIAS-dest_for_winhostmon = host as dest
## NOTE(review): both EXTRACT regexes below contain "(?[" which is not valid
## regex syntax; the named-capture name between "(?<" and ">" appears to have
## been lost (likely an angle-bracket stripping artifact of how this copy was
## produced). Restore the group names from the packaged default before use.
EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?[^"}}\{\{]+)"
EXTRACT-service_for_winhostmon = DisplayName="(?[^"}}\{\{]+)"
EVAL-start_mode = lower(StartMode)

####WMI:WinEventLog####
## The extractions below were moved here from
## [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],
## [source::WMI...] and [source::*:System].

## System log via WMI. severity is tried from EventCode first (LOOKUP-0...),
## then from Type (LOOKUP-1...); OUTPUTNEW means the second lookup only fills
## severity when the first produced nothing.
[WMI:WinEventLog:System]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default EventCode -> signature mapping, e.g. EventCode=4625 with no
## SubStatus = "An account failed to log on". signature is also copied to
## name and subject.
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## FIELDALIAS is destructive, so signature_id is re-derived: keep the existing
## value for Windows Update Client events, otherwise use EventCode.
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-pid_for_wmi = IDProcess AS pid
REPORT-bestmatch_for_windows_system = ComputerName_as_dest
## Windows Update / time-sync messages in the System log: signature,
## signature_id and status are extracted and looked up separately.
REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
## Legacy field aliases kept for ES 2.0.2 and Winfra
FIELDALIAS-package_for_windows = signature_id AS package
FIELDALIAS-package_title_for_windows = signature AS package_title

##### Explanation for SEDCMD Extractions #####
## clean_info_text_from_winsystem_events_this_event: deletes the explanatory
## text at the end of the event, from "This event is generated..." onward,
## before indexing. Shipped disabled; SEDCMD rewrites _raw at index time and
## the removed text cannot be recovered at search time.
##### SEDCMD Extractions #####
#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

## The extractions below were moved here from
## [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],
## [source::WMI...] and [source::*:Security].

## Security log via WMI. Same severity/CategoryString handling as the System
## stanza, plus the logon, account-management and privilege normalization.
[WMI:WinEventLog:Security]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Group name/domain for EventCode 4756 (member added to a security-enabled
## universal group), taken from the Group: block of the message.
## NOTE(review): both "(?" groups are missing their capture names ("(?[" and
## "(?." are not valid syntax) -- likely lost when this copy was produced;
## restore them from the packaged default.
EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?.*)(?:\n|\r).*Account Domain:\s*(?[^(?:\n|\r)]+)
## First try the EventCode + Sub_Status mapping (e.g. EventCode=4625 with
## SubStatus=0xC0000064 = "User name does not exist") ...
LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
## ... then fall back to the EventCode-only mapping (e.g. EventCode=4625 with
## no SubStatus = "An account failed to log on").
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## FIELDALIAS is destructive, so signature_id is re-derived: keep the existing
## value for Windows Update Client events, otherwise use EventCode.
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
FIELDALIAS-dest_for_wmi = host AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid

## action, status
## Audit-change events get action/change_type/object_category from the audit
## changes lookup so they line up with the Change Analysis data model; other
## events take action (and status) from Type, or from Keywords (the lookup's
## Type column is matched against the event's Keywords field).
LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category
LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status

## auditing
FIELDALIAS-object_for_windows_security = sourcetype AS object

## privilege
REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
EVAL-vendor = "Microsoft"
EVAL-product = "Windows"
FIELDALIAS-body_for_windows_security = Message AS body
FIELDALIAS-Status_as_ta_windows_status = Status AS ta_windows_status
## ta_windows_action classifies the NTSTATUS in Status (compared upper-cased):
##   0xC000006F  logon outside permitted hours        -> denied
##   0xC0000070  workstation restriction              -> denied
##   0xC000015B  requested logon type not granted     -> denied
##   0xC0000234  account locked out                   -> denied
##   0xC0000064  user name does not exist             -> unknown
##   0xC0000133  clock skew with the DC too large     -> error
##   0xC0000225  object not found                     -> error
##   anything else                                    -> failure
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")

## app is set to "win:remote" or "win:local" by successive lookups on
## EventCode, Source_Network_Address, Target_Server_Name, Logon_Type and
## source; OUTPUTNEW keeps the first value that matches.
LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app

## Each normalized field below is built from a comma-separated list of
## transforms; the list order is the order of precedence between the
## candidate source fields.
REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") ##### Explanation for SEDCMD Extractions ##### ## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:" ## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:" ## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:" ## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:" ## 
remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which addresses most of the IPv6 log event issues
## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the information text at the end of the event starting from "Certificate information is..." before indexing
## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the information text at the end of the event starting from "Token Elevation Type indicates..." before indexing
## clean_info_text_from_winsecurity_events_this_event: This will delete all the information text at the end of the event starting from "This event is generated..." before indexing
##### SEDCMD Extractions #####
#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
#SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
#SEDCMD-remove_ffff = s/::ffff://g
#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
##Below field extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...]
## Search-time knowledge for Application log events collected over WMI.
## Lookups (windows_signature_lookup, windows_severity_lookup) and the REPORT
## transform are expected to be defined in transforms.conf / the add-on's lookup
## definitions; they are not part of this file.
[WMI:WinEventLog:Application]
## CategoryString, action and result are derived from signature_id via lookup;
## security content that keys on action/result depends on this mapping.
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## dvc comes from the event's ComputerName, dvc_nt_host from the Splunk host field.
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
## Two severity lookups: first keyed on EventCode, then on Type (OUTPUTNEW keeps
## whichever populates severity first).
LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## For WMI-collected Application events dest is the logging computer itself.
FIELDALIAS-dest_for_wmi = ComputerName AS dest
FIELDALIAS-pid_for_wmi = IDProcess AS pid
###### Backward Compatibility ######
## Perfmon Disk Space
# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:FreeDiskSpace]
## Perfmon instance name (the volume) is exposed as mount.
FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
## "Free Megabytes" counter -> storage_free in bytes (Value * 1024 * 1024).
EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
## "% Free Space" counter -> used percent is the complement of free percent.
EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())
## Perfmon data has no remote party: the collecting host is both dest and src.
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Perfmon CPUTime
# "Perfmon:CPUTime" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:CPUTime]
## Each EVAL is populated only for the matching counter name; all others yield null().
EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
## Perfmon data has no remote party: the collecting host is both dest and src.
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Perfmon LocalNetwork
# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf.
# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
[Perfmon:LocalNetwork]
## Throughput counters: "Bytes Total/sec" -> thruput, "Current Bandwidth" -> thruput_max.
EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
## Perfmon data has no remote party: the collecting host is both dest and src.
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
## Below two stanzas have been kept for backward compatibility for already indexed events before Splunk Addon For Microsoft Windows 5.0.0.
## Stanzas are exactly similar to [WinEventLog] and [XmlWinEventLog] respectively.
## These will be deprecated in future
## NOTE: sourcetype stanza names are matched case-sensitively, which is why the
## lower-case variants below are separate stanzas. Any change made to the
## canonical stanzas should be mirrored here, otherwise the action/result/signature
## fields that security content keys on will differ for older indexed events.
[wineventlog]
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
[xmlwineventlog]
## Automatic key/value extraction is off; all fields come from the XML REPORT transforms below.
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
## XML element names are mapped onto the classic-format field names (RecordNumber, EventCode, Sub_Status)
## so the lookups and aliases that follow work for both formats.
REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
FIELDALIAS-category_for_windows = TaskCategory as category
## XML events carry Computer rather than ComputerName.
FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
FIELDALIAS-severity_id_for_windows = EventType AS severity_id
FIELDALIAS-id_for_windows = RecordNumber AS id
REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
## Scripted input for collecting local ip config
[Script:NetworkConfiguration]
## One event per interface: break before each "Configuration for interface " line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(Configuration for interface )
KV_MODE = none
## TRUNCATE = 0 removes the per-event length limit. Acceptable for netsh output,
## but keep in mind that an unbounded input lets a single oversized event consume
## parsing/indexing resources.
TRUNCATE = 0
## NOTE(review): the EXTRACT-* patterns below are missing the names of their capture
## groups in this copy of the file ("(?[...])" where Splunk requires "(?<field>[...])").
## Splunk EXTRACT patterns need named groups, so as written these extract nothing;
## restore the names from the shipped add-on before relying on them.
## Style: these keys use "key=value" while the rest of the file uses "key = value".
EXTRACT-netshaddressif=Configuration for interface \"(?[^\"]+)
EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?(Yes|No))
EXTRACT-netshaddressip=IP Address\:\s+(?[\d\.]+)
EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?[^\s]+)
EXTRACT-netshaddressmask=mask (?[^\)]+)
EXTRACT-netshaddressgw=Gateway\:\s+(?[\d\.]+)
EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?\d+)
###### Extractions moved from TA-AD ######
## The MSAD:NT6:* stanzas disable line merging and header detection so each
## script output line is indexed as-is.
[MSAD:NT6:Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:SiteInfo]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Site / site-link / subnet field extractions (transforms.conf).
REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
[MSAD:NT6:Replication]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:Netlogon]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## Netlogon.log lines start with "MM/DD HH:MM:SS ["; break on that timestamp (lookahead keeps it in the event).
LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
## NOTE(review): capture-group names are missing here as well ("(?[^:]+)" etc.); see the
## note on [Script:NetworkConfiguration]. Matches NO_CLIENT_SITE lines, which record
## clients authenticating from subnets not mapped to an AD site.
EXTRACT-subnetaffinity = \s(?[^:]+): (?NO_CLIENT_SITE): (?[^\s]+) (?[0-9A-Fa-f:\.]+)
[MSAD:SubnetAffinity]
## NOTE(review): capture-group names missing; see [Script:NetworkConfiguration].
EXTRACT-subnetaffinity = (?\w+): NO_CLIENT_SITE: (?\w+) (?[0-9\.]+)
###### Extractions moved from TA-DNS ######
[MSAD:NT6:DNS-Zone-Information]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
[MSAD:NT6:DNS-Health]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## No per-event length limit (see the TRUNCATE note on [Script:NetworkConfiguration]).
TRUNCATE = 0
## Multivalue splitting of the server/listen/forwarder/filter address lists (transforms.conf).
REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV
## Windows DNS debug-log packet lines (thread id, PACKET marker, UDP/TCP, opcode, question).
## This stanza may continue past the end of this excerpt.
[MSAD:NT6:DNS]
KV_MODE = none
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
## NOTE(review): capture-group names are missing in all EXTRACT-* patterns below; the
## field names used by the FIELDALIAS lines (questionname, response, packetid, protocol,
## opcode) indicate which names are expected, but they must be confirmed against the
## shipped add-on rather than guessed.
EXTRACT-threadid = (?[0-9A-Fa-f]+)\s+(?PACKET)
EXTRACT-protocol = (?[0-9A-Fa-f]*) (?UDP|TCP) (?\w+) (?[0-9A-Fa-f\.\:]+)\s+
EXTRACT-opcode = (?[ R]) (?.) \[(?[0-9A-Fa-f]+) (?....) (?[^\]]+)\]
EXTRACT-question1 = \] (?\w+)\s+(?.*)
EXTRACT-question2 = \] (?[^\s]*)$
## CIM-style aliases for the Network Resolution (DNS) data model.
FIELDALIAS-query = questionname AS query
FIELDALIAS-reply_code = response AS reply_code
FIELDALIAS-transaction_id = packetid AS transaction_id
FIELDALIAS-transport = protocol AS transport
FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
## NOTE(review): this key is spelled "REPORT_..." (underscore) rather than "REPORT-..."
## (hyphen) like every other REPORT setting in the file. Splunk recognises the
## REPORT-<class> form, so these KV_for_* transforms most likely never run — confirm
## and correct in local/.
REPORT_KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_RecvdIP,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class
## Normalise vendor action / vendor identity / record class via lookups.
LOOKUP-dns_action_lookup = dns_action_lookup vendor_dns_action OUTPUT action
LOOKUP-dns_vendor_lookup = dns_vendor_lookup sourcetype OUTPUT vendor,product,app
LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class