trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
34889a8bb6565839035fcd0403e980ab1ff4bd9b
DetectionLab/Vagrant/resources/splunk_forwarder/wef_inputs.conf
Chris Long 84c29f6739 Fix sysmon sourcetype, update ThreatHunting app
2020-08-04 21:58:18 -07:00

428 lines
9.1 KiB
Plaintext
Executable File
Raw Blame History

[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-Powershell]
sourcetype = WinEventLog:Powershell
source = WinEventLog:Powershell
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-WMI]
sourcetype = WinEventLog:WMI
source = WinEventLog:WMI
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-EMET]
sourcetype = WinEventLog:Security
source = WinEventLog:EMET
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-Authentication]
sourcetype = WinEventLog:Security
source = WinEventLog:Authentication
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-Services]
sourcetype = WinEventLog:System
source = WinEventLog:Services
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-Process-Execution]
sourcetype = WinEventLog:Security
source = WinEventLog:Process-Execution
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC-Code-Integrity]
sourcetype = WinEventLog:Security
source = WinEventLog:Code-Integrity
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Registry]
sourcetype = WinEventLog:Security
source = WinEventLog:Registry
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Applocker]
sourcetype = WinEventLog:Applocker
source = WinEventLog:Applocker
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Task-Scheduler]
sourcetype = WinEventLog:Task-Scheduler
source = WinEventLog:Task-Scheduler
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Application-Crashes]
sourcetype = WinEventLog:Application
source = WinEventLog:Application-Crashes
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Windows-Defender]
sourcetype = WinEventLog:Windows-Defender
source = WinEventLog:Windows-Defender
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Group-Policy-Errors]
sourcetype = WinEventLog:System
source = WinEventLog:Group-Policy-Errors
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-Drivers]
sourcetype = WinEventLog:System
source = WinEventLog:Drivers
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-Account-Management]
sourcetype = WinEventLog:Security
source = WinEventLog:Account-Management
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
[WinEventLog://WEC3-Windows-Diagnostics]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Diagnostics
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-Smart-Card]
sourcetype = WinEventLog:Smart-Card
source = WinEventLog:Smart-Card
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-USB]
sourcetype = WinEventLog:USB
source = WinEventLog:USB
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-Print]
sourcetype = WinEventLog:Print
source = WinEventLog:Print
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC3-Firewall]
sourcetype = WinEventLog:Firewall
source = WinEventLog:Firewall
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-Wireless]
sourcetype = WinEventLog:Security
source = WinEventLog:Wireless
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-Shares]
sourcetype = WinEventLog:Security
source = WinEventLog:Shares
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-Bits-Client]
sourcetype = WinEventLog:Bits-Client
source = WinEventLog:Bits-Client
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-Windows-Updates]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Updates
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-Hotpatching-Errors]
sourcetype = WinEventLog:Security
source = WinEventLog:Hotpatching-Errors
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-DNS]
sourcetype = WinEventLog:DNS
source = WinEventLog:DNS
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC4-System-Time-Change]
sourcetype = WinEventLog:Security
source = WinEventLog:System-Time-Change
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Operating-System]
sourcetype = WinEventLog:System
source = WinEventLog:Operating-System
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Certificate-Authority]
sourcetype = WinEventLog:Security
source = WinEventLog:Certificate-Authority
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Crypto-API]
sourcetype = WinEventLog:Security
source = WinEventLog:Crypto-API
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-File-System]
sourcetype = WinEventLog:Security
source = WinEventLog:File-System
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-MSI-Packages]
sourcetype = WinEventLog:Security
source = WinEventLog:MSI-Packages
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Log-Deletion-Security]
sourcetype = WinEventLog:Security
source = WinEventLog:Log-Deletion-Security
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Log-Deletion-System]
sourcetype = WinEventLog:System
source = WinEventLog:Log-Deletion-System
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC5-Autoruns]
sourcetype = WinEventLog:Autoruns
source = WinEventLog:Autoruns
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Sysmon]
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
source = WinEventLog:Sysmon
index=sysmon
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Software-Restriction-Policies]
sourcetype = WinEventLog:Software-Restriction-Policies
source = WinEventLog:Software-Restriction-Policies
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Microsoft-Office]
sourcetype = WinEventLog:Microsoft-Office
source = WinEventLog:Microsoft-Office
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Exploit-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Exploit-Guard
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Duo-Security]
sourcetype = WinEventLog:Duo-Security
source = WinEventLog:Duo-Security
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Device-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Device-Guard
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-ADFS]
sourcetype = WinEventLog:ADFS
source = WinEventLog:ADFS
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC7-Active-Directory]
sourcetype = WinEventLog:Security
source = WinEventLog:Active-Directory
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC7-Terminal-Services]
sourcetype = WinEventLog:Security
source = WinEventLog:Terminal-Services
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC7-Privilege-Use]
sourcetype = WinEventLog:Security
source = WinEventLog:Privilege-Use
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[WinEventLog://WEC2-Object-Manipulation]
sourcetype = WinEventLog:Security
source = WinEventLog:Object-Handle
index=wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
[monitor://c:\pslogs]
index = powershell
sourcetype = powershell_transcript
recursive = true
Reference in New Issue View Git Blame Copy Permalink