DetectionLab/Vagrant/resources/splunk_server/macros.conf


# macros.conf -- Splunk search macros for the DetectionLab Splunk server
# (DetectionLab/Vagrant/resources/splunk_server/macros.conf).
# Every stanza below is a plain substitution macro (iseval = 0): the
# "definition" text is spliced verbatim into any search that invokes
# `stanza_name`, so a change here alters every detection that uses it.
# Splunk .conf syntax: full-line comments start with # in column 0, and a
# trailing backslash continues the value on the next line.
# Sysmon events, forwarded as XML into the sysmon index.
[sysmon]
definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
# Windows Application event log, from the wineventlog index.
[windows-app]
definition = index=wineventlog source="WinEventLog:Application"
iseval = 0
# PowerShell telemetry: either the dedicated powershell index, or the
# classic "Windows PowerShell" and Microsoft-Windows-PowerShell/Operational
# channels in wineventlog. SPL binds OR tighter than the implicit AND, so
# the parenthesised clause reads index=wineventlog AND (source=... OR source=...).
[powershell]
definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
iseval = 0
# Windows Security event log only (logon, audit and policy events).
[windows-security]
definition = index=wineventlog source="WinEventLog:Security"
iseval = 0
# Palo Alto Networks threat logs (sourcetype pan:threat) in the pan_logs index.
[pan_threat]
definition = index=pan_logs sourcetype="pan:threat"
iseval = 0
# Bare domain name substituted into searches that filter on account names.
# NOTE(review): presumably the NetBIOS name of the DetectionLab lab domain;
# if the lab is built with a different domain this value (and [no-domain])
# must be updated together -- confirm against the provisioning scripts.
[domain]
definition = WINDOMAIN
iseval = 0
# Windows System and Security event logs together. SPL binds OR tighter
# than the implicit AND, so this is index=wineventlog AND (System OR Security).
[windows]
definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
iseval = 0
# Windows System event log only.
[windows-system]
definition = index=wineventlog source="WinEventLog:System"
iseval = 0
# Quoted wildcard term for domain-qualified account names (DOMAIN\anything).
# NOTE(review): the doubled backslash is presumably the SPL string escape for
# one literal backslash, giving WINDOMAIN\* after expansion -- confirm by
# inspecting the expanded search. Despite the name, the macro itself carries
# no NOT; the caller is presumably expected to negate it.
[no-domain]
definition = "WINDOMAIN\\*"
iseval = 0
# Suppression filter for process-creation detections: drops any event whose
# listed fields all equal one row of threathunting_process_create_whitelist.csv.
# Used after a pipe (| `process_create_whitelist`), since it expands to a
# search command. The CSV is therefore a detection-suppression surface: every
# row silently blinds the detections that use this macro, so changes to it
# deserve the same review as a change to the detection itself.
# NOTE(review): the "fields" list must match the CSV header exactly (Splunk
# field names are case-sensitive); a column missing from the CSV makes the
# generated NOT clause key on fewer fields and suppress more broadly. The
# subsearch is also subject to Splunk's subsearch result limits
# (limits.conf subsearch_maxout) if the CSV grows large -- verify.
[process_create_whitelist]
definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
iseval = 0
# Suppression filter for network-connection detections, keyed on the rows of
# threathunting_network_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist). Rows in the CSV silently suppress matching
# events, so the CSV should be change-controlled like detection content.
# NOTE(review): the "fields" list must match the CSV header exactly; a
# missing column broadens the suppression -- verify.
[network_whitelist]
definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip dst_port src_ip process_path]
iseval = 0
# Suppression filter for process-access detections, keyed on
# threathunting_process_access_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist). process_granted_access is compared as the
# literal mask string, so CSV entries must use the same hex formatting as
# the events.
# NOTE(review): the "fields" list must match the CSV header exactly; a
# missing column broadens the suppression -- verify.
[process_access_whitelist]
definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
iseval = 0
# Suppression filter for image/driver-load detections, keyed on
# threathunting_image_load_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist).
# NOTE(review): driver_signatureStatus is mixed-case while every other field
# is snake_case; Splunk field names are case-sensitive, so it must be spelled
# identically in the CSV header and in the event fields -- verify both.
[image_load_whitelist]
definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
iseval = 0
# Suppression filter for file-access detections, keyed on
# threathunting_file_access_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist). Rows silently suppress matching events.
# NOTE(review): the "fields" list must match the CSV header exactly -- verify.
[file_access_whitelist]
definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
iseval = 0
# Suppression filter for registry detections, keyed on
# threathunting_registry_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist). Rows silently suppress matching events.
# NOTE(review): the "fields" list must match the CSV header exactly -- verify.
[registry_whitelist]
definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
iseval = 0
# Suppression filter for named-pipe detections, keyed on
# threathunting_pipe_created_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist). Rows silently suppress matching events.
# NOTE(review): the "fields" list must match the CSV header exactly -- verify.
[pipe_created_whitelist]
definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
iseval = 0
# Suppression filter for WMI detections, keyed on
# threathunting_wmi_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist).
# NOTE(review): the field list is identical to pipe_created_whitelist
# (process_path pipe_name), which looks like a copy-paste left-over -- WMI
# events would not normally carry pipe_name. If the CSV has no pipe_name
# column, the generated NOT clause keys on fewer fields and suppresses more
# broadly than intended; confirm the CSV header and adjust the list to match.
[wmi_whitelist]
definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
iseval = 0
# Suppression filter for remote-thread (thread injection) detections, keyed
# on threathunting_remote_thread_whitelist.csv (same NOT-subsearch pattern as
# process_create_whitelist).
# NOTE(review): this list uses process_name where the sibling macros use
# process_path; confirm that is deliberate and that the CSV header and the
# event field agree, since a mismatch broadens the suppression.
[remote_thread_whitelist]
definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
iseval = 0
# Index-time window: events indexed in the last 15 minutes (earliest snapped
# to the minute) regardless of their own event timestamp, so late-arriving
# events are still picked up by a scheduled search.
# NOTE(review): assumes the searches that use it run at least every 15
# minutes; a longer schedule or a skipped run leaves a gap of events that
# are never evaluated -- confirm against savedsearches.conf.
[indextime]
definition = _index_earliest=-15m@m AND _index_latest=now
iseval = 0
# Asset-priority lookup keyed by DNS name: loads threathunting_asset_priority.csv
# and renames host_fqdn to dns so it can be joined on a dns field. The
# trailing backslashes are .conf line continuations; the second one has no
# space before it, so the joined text reads "...as dns| fields...", which is
# still valid SPL.
[threathunting_assets_dns]
definition = | inputlookup threathunting_asset_priority.csv \
| rename host_fqdn as dns\
| fields dns priority
iseval = 0
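# Map a process-access GrantedAccess mask (presumably from Sysmon
# ProcessAccess events) to readable Win32 PROCESS_* right names.
# The comparison is an exact string match on the hex text as logged, so the
# literals must match the event's formatting (lower-case hex, no zero
# padding -- TODO confirm against live events). Masks with no branch leave
# process_granted_access_description null; callers must not rely on it
# being present.
# Fix: the "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)" branch was
# keyed on "0x40" a second time; case() returns the first true branch, so it
# was unreachable and the 0x50 mask got no description.
# PROCESS_DUP_HANDLE (0x40) | PROCESS_VM_READ (0x0010) = 0x50.
[process_granted_access_description]
definition = eval process_granted_access_description=case(process_granted_access = "0x1fffff", "PROCESS_ALL_ACCESS",process_granted_access = "0x40", "PROCESS_DUP_HANDLE",process_granted_access = "0x50", "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)",process_granted_access = "0xc0", "PROCESS_DUP_HANDLE (0x40) + PROCESS_CREATE_PROCESS (0x80)",process_granted_access = "0x1010", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_VM_READ (0x0010)", process_granted_access = "0x1410", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010)",process_granted_access = "0x1001", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_TERMINATE (0x0001)")
iseval = 0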
# Index that holds the threat-hunting app's own summary/output events.
[threathunting_index]
definition = index=threathunting
iseval = 0