76 lines
2.7 KiB
Plaintext
76 lines
2.7 KiB
Plaintext
[sysmon]
|
|
definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
|
|
iseval = 0
|
|
|
|
[windows-app]
|
|
definition = index=wineventlog source="WinEventLog:Application"
|
|
iseval = 0
|
|
|
|
[powershell]
|
|
definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
|
|
iseval = 0
|
|
|
|
[windows-security]
|
|
definition = index=wineventlog source="WinEventLog:Security"
|
|
iseval = 0
|
|
|
|
[pan_threat]
|
|
definition = index=pan_logs sourcetype="pan:threat"
|
|
iseval = 0
|
|
|
|
[domain]
|
|
definition = WINDOMAIN
|
|
iseval = 0
|
|
|
|
[windows]
|
|
definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
|
|
iseval = 0
|
|
|
|
[windows-system]
|
|
definition = index=wineventlog source="WinEventLog:System"
|
|
iseval = 0
|
|
|
|
[no-domain]
|
|
definition = "WINDOMAIN\\*"
|
|
iseval = 0
|
|
|
|
[process_create_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
|
|
iseval = 0
|
|
|
|
[network_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip dst_port src_ip process_path]
|
|
iseval = 0
|
|
|
|
[process_access_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
|
|
iseval = 0
|
|
|
|
[image_load_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
|
|
iseval = 0
|
|
|
|
[file_access_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
|
|
iseval = 0
|
|
|
|
[registry_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
|
|
iseval = 0
|
|
|
|
[pipe_created_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
|
|
iseval = 0
|
|
|
|
[wmi_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
|
|
iseval = 0
|
|
|
|
[remote_thread_whitelist]
|
|
definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
|
|
iseval = 0
|
|
|
|
[indextime]
|
|
definition = _index_earliest=-15m@m AND _index_latest=now
|
|
iseval = 0
|