29 lines
727 B
Plaintext
29 lines
727 B
Plaintext
[source::WinEventLog:*]
|
|
TRANSFORMS-host = wef_computername_as_host
|
|
TRANSFORMS-removedescription1 = removeEventDesc1
|
|
TRANSFORMS-removedescription2 = removeEventDesc2
|
|
TRANSFORMS-null = autoruns_wineventlog_null
|
|
|
|
[powershell_transcript]
|
|
TRANSFORMS-powershell_rename_host = powershell_rename_host
|
|
SHOULD_LINEMERGE = false
|
|
LINE_BREAKER = ([\r\n]+)THISDOESNTEXIST
|
|
DATETIME_CONFIG =
|
|
NO_BINARY_CHECK = true
|
|
TIME_FORMAT = %Y%m%d%H%M%S
|
|
TIME_PREFIX = Start time:\s
|
|
category = Custom
|
|
pulldown_type = true
|
|
TRUNCATE = 0
|
|
|
|
[osquery:json]
|
|
TRANSFORMS-osquery_host = osquery_hostidentifier_as_host
|
|
TIME_PREFIX = \"unixTime\"\:
|
|
MAX_TIMESTAMP_LOOKAHEAD = 500
|
|
TIME_FORMAT = %s
|
|
TRUNCATE = 0
|
|
|
|
[osquery:status]
|
|
TRANSFORMS-null = osquery_status_filter
|
|
|