Updated TAs
patel-bhavin authored and github-actions[bot] committed Oct 30, 2024
1 parent b88670c commit 1899784
Showing 62 changed files with 153 additions and 152 deletions.
2 changes: 1 addition & 1 deletion data_sources/github.yml
Expand Up @@ -9,7 +9,7 @@ sourcetype: aws:firehose:json
supported_TA:
- name: Splunk Add-on for Github
url: https://splunkbase.splunk.com/app/6254
version: 3.0.0
version: 3.1.0
fields:
- _time
- action
32 changes: 16 additions & 16 deletions data_sources/powershell_script_block_logging_4104.yml
Expand Up @@ -9,7 +9,7 @@ sourcetype: xmlwineventlog
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
Expand Down Expand Up @@ -65,21 +65,21 @@ fields:
- user_id
- vendor_product
field_mappings:
- data_model: cim
data_set: Endpoint.Processes
mapping:
Computer: Processes.dest
Path: Processes.process_path
ScriptBlockId: Processes.process_id
ScriptBlockText: Processes.process
UserID: Processes.user_id
- data_model: ocsf
mapping:
Computer: device.hostname
Path: process.file.path
ScriptBlockId: process.uid
ScriptBlockText: process.cmd_line
UserID: actor.user.uid
- data_model: cim
data_set: Endpoint.Processes
mapping:
Computer: Processes.dest
Path: Processes.process_path
ScriptBlockId: Processes.process_id
ScriptBlockText: Processes.process
UserID: Processes.user_id
- data_model: ocsf
mapping:
Computer: device.hostname
Path: process.file.path
ScriptBlockId: process.uid
ScriptBlockText: process.cmd_line
UserID: actor.user.uid
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>4104</EventID><Version>1</Version><Level>5</Level><Task>2</Task><Opcode>15</Opcode><Keywords>0x0</Keywords><TimeCreated
SystemTime='2022-05-02T12:39:41.710158900Z'/><EventRecordID>112748</EventRecordID><Correlation
2 changes: 1 addition & 1 deletion data_sources/windows_active_directory_admon.yml
Expand Up @@ -9,7 +9,7 @@ sourcetype: ActiveDirectory
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Guid
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_application_2282.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_application_3000.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_capi2_70.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_capi2_81.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_defender_1121.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_defender_1122.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_defender_1129.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ComputerName
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_defender_5007.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_printservice_316.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ComputerName
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_printservice_808.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ComputerName
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_1100.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Channel
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_1102.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Caller_User_Name
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4624.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4625.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4627.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4648.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4662.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- AccessList
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4663.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- AccessList
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4672.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
69 changes: 35 additions & 34 deletions data_sources/windows_event_log_security_4688.yml
Expand Up @@ -7,11 +7,12 @@ description: Data source object for Windows Event Log Security 4688
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
configuration: Enabling Windows event log process command line logging via group policy object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
configuration: Enabling Windows event log process command line logging via group policy
object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- Caller_Domain
- Caller_User_Name
Expand Down Expand Up @@ -90,39 +91,39 @@ fields:
- vendor
- vendor_product
field_mappings:
- data_model: cim
data_set: Endpoint.Processes
mapping:
NewProcessId: Processes.process_id
NewProcessName: Processes.process_path
NewProcessName|endswith: Processes.process_name
Process_Command_Line: Processes.process
SubjectUserSid: Processes.user
ProcessId: Processes.parent_process_id
ParentProcessName: Processes.parent_process_path
ParentProcessName|endswith: Processes.parent_process_name
Computer: Processes.dest
- data_model: ocsf
mapping:
NewProcessId: process.pid
NewProcessName: process.file.path
NewProcessName|endswith: process.file.name
Process_Command_Line: process.cmd_line
SubjectUserSid: actor.user.name
ProcessId: actor.process.pid
ParentProcessName: actor.process.file.path
ParentProcessName|endswith: actor.process.file.name
Computer: device.hostname
- data_model: cim
data_set: Endpoint.Processes
mapping:
NewProcessId: Processes.process_id
NewProcessName: Processes.process_path
NewProcessName|endswith: Processes.process_name
Process_Command_Line: Processes.process
SubjectUserSid: Processes.user
ProcessId: Processes.parent_process_id
ParentProcessName: Processes.parent_process_path
ParentProcessName|endswith: Processes.parent_process_name
Computer: Processes.dest
- data_model: ocsf
mapping:
NewProcessId: process.pid
NewProcessName: process.file.path
NewProcessName|endswith: process.file.name
Process_Command_Line: process.cmd_line
SubjectUserSid: actor.user.name
ProcessId: actor.process.pid
ParentProcessName: actor.process.file.path
ParentProcessName|endswith: actor.process.file.name
Computer: device.hostname
convert_to_log_source:
- data_source: Sysmon EventID 1
mapping:
NewProcessId: ProcessId #New_Process_ID in Hex
NewProcessName: Image
Process_Command_Line: CommandLine
SubjectUserSid: User
ProcessId: ParentProcessId
ParentProcessName: ParentImage
Computer: Computer
- data_source: Sysmon EventID 1
mapping:
NewProcessId: ProcessId
NewProcessName: Image
Process_Command_Line: CommandLine
SubjectUserSid: User
ProcessId: ParentProcessId
ParentProcessName: ParentImage
Computer: Computer
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated
SystemTime='2024-04-23T08:48:30.449376800Z'/><EventRecordID>432820</EventRecordID><Correlation/><Execution
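Review bot: The inline comment `#New_Process_ID in Hex` on the `NewProcessId: ProcessId` line under `convert_to_log_source` is present in only one of the two copies of that block; if the second copy is the new side, as the indentation-only rewrite by the formatting bot and the 35/34 addition/deletion count suggest, the re-format silently dropped the only place in the file that records that the 4688 NewProcessId value is hexadecimal, which a consumer converting this source to Sysmon EventID 1 needs to know before comparing process ids. A YAML dump cannot carry comments, so that caveat should live in a real field rather than a comment, for example by extending the free-text `configuration:` or `description:` value already present at the top of the file with a sentence such as "NewProcessId and ProcessId in 4688 are hexadecimal and must be converted before correlating with Sysmon EventID 1". The same check applies to the identically re-indented `field_mappings` block in this file and in data_sources/powershell_script_block_logging_4104.yml, though no comment is visible there to lose. The `example_log` value continues past the end of the hunk.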
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4698.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Account_Domain
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4699.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Account_Domain
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4703.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Caller_Domain
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4719.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- ActivityID
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4720.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Account_Domain
2 changes: 1 addition & 1 deletion data_sources/windows_event_log_security_4724.yml
Expand Up @@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
version: 8.9.0
version: 9.0.0
fields:
- _time
- Caller_Domain