Added eventlog source DNS Server to configs

Florian Roth 2017-05-08 13:09:17 +02:00
parent c7cc2a00d3
commit f66085b198
3 changed files with 16 additions and 1 deletions


@ -17,3 +17,8 @@ logsources:
service: sysmon service: sysmon
conditions: conditions:
EventLog: Microsoft-Windows-Sysmon EventLog: Microsoft-Windows-Sysmon
windows-dns-server:
product: windows
service: dns-server
conditions:
EventLog: 'DNS Server'


@ -9,6 +9,11 @@ logsources:
service: system service: system
conditions: conditions:
event_source: 'Microsoft-Windows-Security-Auditing' event_source: 'Microsoft-Windows-Security-Auditing'
windows-dns-server:
product: windows
service: dns-server
conditions:
event_source: 'DNS Server'
fieldmappings: fieldmappings:
EventID: event_id EventID: event_id
FailureCode: result_code FailureCode: result_code
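Review bot: The added `windows-dns-server` entry sets `event_source: 'DNS Server'`, which reads as an event log (channel) name, while the neighbouring entry in this hunk puts a provider-style value, `'Microsoft-Windows-Security-Auditing'`, in the same field. If `event_source` in the target system carries the provider that writes the event rather than the log name, this condition would match nothing, and every dns-server rule converted with this config would return no hits without any error. Please confirm against real DNS Server events which value the field holds, and record it in a comment above the entry, for example `# event_source value verified against sample DNS Server events`. The enclosing `logsources` mapping starts outside the hunk.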


@ -28,11 +28,16 @@ logsources:
product: windows product: windows
service: powershell-classic service: powershell-classic
conditions: conditions:
source: 'Windows PowerShell' source: 'Windows PowerShell'
windows-powershell: windows-powershell:
product: windows product: windows
service: taskscheduler service: taskscheduler
conditions: conditions:
source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
windows-dns-server:
product: windows
service: dns-server
conditions:
source: 'DNS Server'
fieldmappings: fieldmappings:
EventID: EventCode EventID: EventCode
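Review bot: `source: 'DNS Server'` in the added `windows-dns-server` entry has no `WinEventLog:` prefix, while the taskscheduler entry directly above it uses `source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'` (the powershell-classic entry, `'Windows PowerShell'`, also lacks the prefix). If the backend indexes Windows event logs under the prefixed form, the line should read `source: 'WinEventLog:DNS Server'`; otherwise searches generated for dns-server rules would match no events and the gap would go unnoticed. Separately, the context line `windows-powershell:` labels the block whose service is `taskscheduler`. If another `windows-powershell` key exists earlier in the file (not visible in this hunk), most YAML parsers keep only the last duplicate and one of the two mappings is lost, so renaming it to something like `windows-taskscheduler` is worth a follow-up.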