fix: missing "WinEventLog:" in splunk-windows.yml
This commit is contained in:
parent
e97bdf36f9
commit
03e2b9d376
@ -33,7 +33,7 @@ logsources:
|
||||
product: windows
|
||||
service: powershell-classic
|
||||
conditions:
|
||||
source: 'Windows PowerShell'
|
||||
source: 'WinEventLog:Windows PowerShell'
|
||||
windows-taskscheduler:
|
||||
product: windows
|
||||
service: taskscheduler
|
||||
@ -49,55 +49,55 @@ logsources:
|
||||
service: dns-server
|
||||
category: dns
|
||||
conditions:
|
||||
source: 'DNS Server'
|
||||
source: 'WinEventLog:DNS Server'
|
||||
windows-dns-server-audit:
|
||||
product: windows
|
||||
service: dns-server-audit
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-DNS-Server/Audit'
|
||||
source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit'
|
||||
windows-driver-framework:
|
||||
product: windows
|
||||
service: driver-framework
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
|
||||
source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational'
|
||||
windows-ntlm:
|
||||
product: windows
|
||||
service: ntlm
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-NTLM/Operational'
|
||||
source: 'WinEventLog:Microsoft-Windows-NTLM/Operational'
|
||||
windows-dhcp:
|
||||
product: windows
|
||||
service: dhcp
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-DHCP-Server/Operational'
|
||||
source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational'
|
||||
windows-applocker:
|
||||
product: windows
|
||||
service: applocker
|
||||
conditions:
|
||||
source:
|
||||
- 'Microsoft-Windows-AppLocker/MSI and Script'
|
||||
- 'Microsoft-Windows-AppLocker/EXE and DLL'
|
||||
- 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
||||
- 'Microsoft-Windows-AppLocker/Packaged app-Execution'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'
|
||||
- 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'
|
||||
windows-msexchange-management:
|
||||
product: windows
|
||||
service: msexchange-management
|
||||
conditions:
|
||||
source: 'MSExchange Management'
|
||||
source: 'WinEventLog:MSExchange Management'
|
||||
windows-printservice-admin:
|
||||
product: windows
|
||||
service: printservice-admin
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-PrintService/Admin'
|
||||
source: 'WinEventLog:Microsoft-Windows-PrintService/Admin'
|
||||
windows-printservice-operational:
|
||||
product: windows
|
||||
service: printservice-operational
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-PrintService/Operational'
|
||||
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
|
||||
windows-smbclient-security:
|
||||
product: windows
|
||||
service: smbclient-security
|
||||
conditions:
|
||||
source: 'Microsoft-Windows-SmbClient/Security'
|
||||
source: 'WinEventLog:Microsoft-Windows-SmbClient/Security'
|
||||
fieldmappings:
|
||||
EventID: EventCode
|
||||
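Review bot: The new `source` values hard-code the `WinEventLog:` prefix, which only matches events the forwarder ingested in classic rendering; channels collected with `renderXml = true` arrive as `source=XmlWinEventLog:<channel>`, so rules generated from these logsources (this hunk and the powershell-classic entry in the first hunk) would silently match nothing on such deployments. If the backend is meant to cover both ingestion modes, list both names the way windows-applocker already lists several sources, e.g. for windows-ntlm `source:` / `- 'WinEventLog:Microsoft-Windows-NTLM/Operational'` / `- 'XmlWinEventLog:Microsoft-Windows-NTLM/Operational'`; otherwise a comment at the top of the mapping such as `# source names assume classic rendering (renderXml=false); XML-rendered channels use the XmlWinEventLog: prefix` would record the assumption. The enclosing `logsources` mapping starts before the hunk (file line 33), and whether XML-rendered ingestion is in scope for this config is inferred rather than visible here.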
|