428 lines
9.1 KiB
Plaintext
Executable File
428 lines
9.1 KiB
Plaintext
Executable File
[WinEventLog://ForwardedEvents]
|
|
sourcetype = WinEventLog:ForwardedEvents
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-Powershell]
|
|
sourcetype = WinEventLog:Powershell
|
|
source = WinEventLog:Powershell
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-WMI]
|
|
sourcetype = WinEventLog:WMI
|
|
source = WinEventLog:WMI
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-EMET]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:EMET
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-Authentication]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Authentication
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-Services]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Services
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-Process-Execution]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Process-Execution
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC-Code-Integrity]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Code-Integrity
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Registry]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Registry
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Applocker]
|
|
sourcetype = WinEventLog:Applocker
|
|
source = WinEventLog:Applocker
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Task-Scheduler]
|
|
sourcetype = WinEventLog:Task-Scheduler
|
|
source = WinEventLog:Task-Scheduler
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Application-Crashes]
|
|
sourcetype = WinEventLog:Application
|
|
source = WinEventLog:Application-Crashes
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Windows-Defender]
|
|
sourcetype = WinEventLog:Windows-Defender
|
|
source = WinEventLog:Windows-Defender
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Group-Policy-Errors]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Group-Policy-Errors
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-Drivers]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Drivers
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-Account-Management]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Account-Management
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
|
|
|
|
[WinEventLog://WEC3-Windows-Diagnostics]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Windows-Diagnostics
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-Smart-Card]
|
|
sourcetype = WinEventLog:Smart-Card
|
|
source = WinEventLog:Smart-Card
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-USB]
|
|
sourcetype = WinEventLog:USB
|
|
source = WinEventLog:USB
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-Print]
|
|
sourcetype = WinEventLog:Print
|
|
source = WinEventLog:Print
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC3-Firewall]
|
|
sourcetype = WinEventLog:Firewall
|
|
source = WinEventLog:Firewall
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-Wireless]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Wireless
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-Shares]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Shares
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-Bits-Client]
|
|
sourcetype = WinEventLog:Bits-Client
|
|
source = WinEventLog:Bits-Client
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-Windows-Updates]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Windows-Updates
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-Hotpatching-Errors]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Hotpatching-Errors
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-DNS]
|
|
sourcetype = WinEventLog:DNS
|
|
source = WinEventLog:DNS
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC4-System-Time-Change]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:System-Time-Change
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Operating-System]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Operating-System
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Certificate-Authority]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Certificate-Authority
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Crypto-API]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Crypto-API
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-File-System]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:File-System
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-MSI-Packages]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:MSI-Packages
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Log-Deletion-Security]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Log-Deletion-Security
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Log-Deletion-System]
|
|
sourcetype = WinEventLog:System
|
|
source = WinEventLog:Log-Deletion-System
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC5-Autoruns]
|
|
sourcetype = WinEventLog:Autoruns
|
|
source = WinEventLog:Autoruns
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Sysmon]
|
|
sourcetype = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
|
|
source = WinEventLog:Sysmon
|
|
index=sysmon
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Software-Restriction-Policies]
|
|
sourcetype = WinEventLog:Software-Restriction-Policies
|
|
source = WinEventLog:Software-Restriction-Policies
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Microsoft-Office]
|
|
sourcetype = WinEventLog:Microsoft-Office
|
|
source = WinEventLog:Microsoft-Office
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Exploit-Guard]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Exploit-Guard
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Duo-Security]
|
|
sourcetype = WinEventLog:Duo-Security
|
|
source = WinEventLog:Duo-Security
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-Device-Guard]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Device-Guard
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC6-ADFS]
|
|
sourcetype = WinEventLog:ADFS
|
|
source = WinEventLog:ADFS
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC7-Active-Directory]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Active-Directory
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC7-Terminal-Services]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Terminal-Services
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC7-Privilege-Use]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Privilege-Use
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[WinEventLog://WEC2-Object-Manipulation]
|
|
sourcetype = WinEventLog:Security
|
|
source = WinEventLog:Object-Handle
|
|
index=wineventlog
|
|
disabled = 0
|
|
start_from = oldest
|
|
current_only = 0
|
|
checkpointInterval = 5
|
|
|
|
[monitor://c:\pslogs]
|
|
index = powershell
|
|
sourcetype = powershell_transcript
|
|
recursive = true
|