SigmaHQ/tools/config/splunk-windows-all.yml

logsources:
  windows:
    product: windows
    index: windows
  windows-application:
    product: windows
    service: application
    conditions:
      sourcetype: 'WinEventLog:Application'
  windows-security:
    product: windows
    service: security
    conditions:
      sourcetype: 'WinEventLog:Security'
  windows-security:
    product: windows
    service: system
    conditions:
      sourcetype: 'WinEventLog:System'
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
  windows-powershell:
    product: windows
    service: taskscheduler
    conditions:
      source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
Splunk Windows Configuration Example 2017-03-17 09:00:56 +00:00			`logsources:`
Windows index in Splunk example configuration 2017-03-17 22:30:11 +00:00			`windows:`
			`product: windows`
			`index: windows`
Splunk Windows Configuration Example 2017-03-17 09:00:56 +00:00			`windows-application:`
			`product: windows`
			`service: application`
			`conditions:`
			`sourcetype: 'WinEventLog:Application'`
			`windows-security:`
			`product: windows`
			`service: security`
			`conditions:`
			`sourcetype: 'WinEventLog:Security'`
			`windows-security:`
			`product: windows`
			`service: system`
			`conditions:`
			`sourcetype: 'WinEventLog:System'`
			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational'`
			`windows-powershell:`
			`product: windows`
			`service: powershell`
			`conditions:`
			`source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational'`
			`windows-powershell:`
			`product: windows`
			`service: taskscheduler`
			`conditions:`
			`source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'`