# Splunk transforms.conf stanzas: three host-attribution rewrites (DEST_KEY =
# MetaData:Host) followed by nullQueue filters (DEST_KEY = queue). None of
# these run on their own; each must be referenced from a TRANSFORMS-* setting
# in props.conf (not shown here).

# Set the host field from the PowerShell transcript file name, which carries
# the originating computer name after the "PowerShell_transcript." prefix.
[powershell_rename_host]
DEST_KEY = MetaData:Host
# Match against the event's source (the transcript path) rather than _raw.
SOURCE_KEY = MetaData:Source
# Group 1 = text between "PowerShell_transcript." and the next dot. A host name
# that itself contains a dot (FQDN) would be cut at the first dot.
REGEX = PowerShell_transcript\.([^\.]+)\.
FORMAT = host::$1

# Set host from a "ComputerName=<value>" line in forwarded Windows events.
# No SOURCE_KEY is given, so the regex is applied to _raw.
[wef_computername_as_host]
DEST_KEY = MetaData:Host
# (?m) lets "ComputerName=" be matched at the start of any line, not just the
# first; the first match is used. (.+) runs to end of line, so on CRLF-rendered
# text the captured host would keep a trailing \r -- (\S+) would be tighter.
# NOTE(review): host attribution here comes from event content. If text that
# precedes the ComputerName field can be influenced by the logged activity,
# the host value could be misattributed; confirm the field always appears
# before any free-form message text in the consumed event format.
REGEX = (?m)ComputerName=(.+)
FORMAT = host::$1

# Set host from the "hostIdentifier":"<value>" pair in osquery JSON result
# lines (no SOURCE_KEY, so matched against _raw).
[osquery_hostidentifier_as_host]
DEST_KEY = MetaData:Host
# Escaped quotes and colon match the literal JSON text; group 1 stops at the
# closing quote. Only compact JSON matches: no whitespace is allowed around the
# colon, so pretty-printed output would leave host unset.
# NOTE(review): assumes the value contains no JSON-escaped quote (\") -- the
# [^\"]+ class would stop early on one. Unlikely for a host name; confirm.
REGEX = hostIdentifier\"\:\"([^\"]+)\"
FORMAT = host::$1

# Route events containing "Error casting" (any single whitespace character
# between the words) to nullQueue. Dropped events are never indexed and cannot
# be recovered later, so keep this filter narrow.
[setnull]
# Unanchored: any event handed to this transform whose _raw contains the
# phrase anywhere is discarded, regardless of source or sourcetype.
REGEX = Error\scasting
DEST_KEY = queue
FORMAT = nullQueue

# Drop Windows event log entries whose "Process Name" is the osqueryd binary,
# to suppress the agent's own process noise. Because the match is on the file
# path alone, anything logged under that exact path is hidden -- including
# activity from a replaced or tampered binary at that location.
[osqueryd_wineventlog_null]
# Doubled backslashes are regex escapes for the literal path
# C:\Program Files\osquery\osqueryd\osqueryd.exe.
# NOTE(review): the leading " and the trailing "" are part of the regex value
# as written, so the event text must literally contain those quote characters
# for this filter to fire; confirm they are intended and not stray quoting.
# NOTE(review): "Process\sName:" is unanchored and would also match a
# "Creator Process Name:" field if the event carries one, which would drop
# events for child processes spawned by osqueryd as well -- confirm intended.
# The "." in ".exe" is unescaped (matches any character); "\." is precise.
REGEX = "Process\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe""
DEST_KEY = queue
FORMAT = nullQueue

# Drop Windows event log entries produced by the AutorunsToWinEventLog script's
# own execution (matched on its "Script Name = <path>" line). As with any
# path-based suppression, events from a modified script at the same path are
# hidden too.
[autoruns_wineventlog_null]
# Matches the literal text
# Script Name = C:\Program Files\AutorunsToWinEventLog\AutorunsToWinEventLog.ps1
# (\s = one whitespace character; \: and \\ are escapes for ":" and "\").
# NOTE(review): the surrounding double quotes are part of the regex value as
# written, so the event text must literally contain them -- confirm they are
# intended. The "." in ".ps1" is unescaped (matches any character); "\." is
# precise.
REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
DEST_KEY = queue
FORMAT = nullQueue