├── LICENSE
├── README.md
├── default
│   ├── app.conf
│   ├── data
│   │   └── ui
│   │       ├── nav
│   │       │   └── default.xml
│   │       └── views
│   │           ├── README
│   │           ├── file_creation_overview.xml
│   │           ├── investigator.xml
│   │           ├── network_connections.xml
│   │           ├── network_overview.xml
│   │           ├── overview.xml
│   │           ├── process_finder.xml
│   │           ├── process_overview.xml
│   │           ├── process_timeline.xml
│   │           ├── process_watch.xml
│   │           ├── registry_overview.xml
│   │           ├── suspicious_indicators.xml
│   │           └── sysmon_overview.xml
│   ├── macros.conf
│   └── savedsearches.conf
├── metadata
│   └── default.meta
└── static
    ├── appIcon.png
    ├── appIconAlt.png
    ├── appIconAlt_2x.png
    └── appIcon_2x.png
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 Michael Haag
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Sysmon Splunk app
2 |
3 | This is a combined Splunk App effort between @jarrettp and @m_haggis.
4 |
5 | ### Joint Contributor Credits
6 |
7 | * Gibin John (beahunt3r)
8 | * Vineet Bhatia (threathunting)
9 |
10 | #### What is in the App:
11 |
12 | ##### Dashboards:
13 | - Sysmon Overview - Shows basic overview and usage for Sysmon events.
14 | - Investigator - Allows searching events for specific hosts and users.
15 | - Network Overview
16 | - File Creation Overview
17 | - Process Overview
18 | - Suspicious Indicators - Collection of some known IOC
19 | - Registry Overview
20 | - Network Connections
21 | - Process Finder - Helps find unique hash values based on percentage
22 | - Process Timeline - Uses LogonGuid to map timeline of processes. Allows clicking for drilldown.
23 |
24 | ##### Reports:
25 | - Over 40 reports
26 |
27 | ##### Alerts:
28 | - 19 Pre-built alerts
29 |
30 | # Setup
31 |
32 | Deploy [Sysmon-TA](https://splunkbase.splunk.com/app/1914/)
33 |
34 | Download and deploy this app to your Splunk Search Head.
35 |
36 | A macro is used by all saved searches; modify it for your environment so that the proper Sysmon sourcetype/index is searched.
37 |
38 | Macros: Settings --> Advanced Search --> Search Macros. Edit the `sysmon` macro to match your environment.
39 |
40 | Default: `sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"`
41 |
42 | That's it.
43 |
44 |
45 | # Install Sysmon
46 |
47 | ### Install ###
48 |
49 | Run with administrator rights
50 | ~~~~
51 | sysmon.exe -accepteula -i sysmonconfig-export.xml
52 | ~~~~
53 |
54 | ### Update existing configuration ###
55 |
56 | Run with administrator rights
57 | ~~~~
58 | sysmon.exe -c sysmonconfig-export.xml
59 | ~~~~
60 | Upon installation, Sysmon will begin logging events to the operational event log "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx".
61 |
62 | ## Sysmon configuration ##
63 |
64 | Sysmon resources and example configuration files may be found [here](https://github.com/MHaggis/sysmon-dfir)
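The saved searches in `default/savedsearches.conf` express their detection logic as SPL over the fields the Sysmon TA extracts from the XML events behind the default sourcetype. As an added example that is not part of this app, the following Python script replays five of those searches (Windows Credential Editor, mimikatz, vssadmin delete, wmic process call create, wmic /node) over constructed Event ID 1 records, so the matching rules can be checked offline. The sample XML records, the `make_event` helper, the `splunk_wildcard` approximation and the derivation of `process` as the basename of `Image` are assumptions of this example, not the TA's documented behaviour; the credential-editor regex is written with `[a-z0-9]` in every hex group.

```python
"""Replay of several sysmon-splunk-app saved searches over constructed Sysmon
records. Added example for this page; it is not code from the app itself."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace of Windows event XML, the shape behind the app's default sourcetype
# XmlWinEventLog:Microsoft-Windows-Sysmon/Operational.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real telemetry). Event ID 1 = process creation.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{command_line}</Data>
    <Data Name="ParentImage">{parent_image}</Data>
  </EventData>
</Event>"""


def make_event(image, command_line, parent_image, computer="WS01.example.local"):
    """Build one constructed XmlWinEventLog record (hypothetical helper)."""
    return EVENT_TEMPLATE.format(image=image, command_line=command_line,
                                 parent_image=parent_image, computer=computer)


SAMPLE_EVENTS = {
    "benign_notepad": make_event(
        r"C:\Windows\System32\notepad.exe",
        r"notepad.exe C:\Users\alice\notes.txt",
        r"C:\Windows\explorer.exe"),
    "shadow_copy_deletion": make_event(
        r"C:\Windows\System32\vssadmin.exe",
        "vssadmin.exe Delete Shadows /All /Quiet",
        r"C:\Windows\System32\cmd.exe"),
    "mimikatz_modules": make_event(
        r"C:\Users\Public\mimikatz.exe",
        'mimikatz.exe "sekurlsa::logonpasswords" exit',
        r"C:\Windows\System32\cmd.exe"),
    "wce_service": make_event(
        r"C:\Windows\System32\c6a8f2b1-3e4d-5f6a-7b8c-9d0e1f2a3b4c.exe",
        r"C:\Windows\System32\c6a8f2b1-3e4d-5f6a-7b8c-9d0e1f2a3b4c.exe-S",
        r"C:\Windows\System32\services.exe"),
    "remote_wmic": make_event(
        r"C:\Windows\System32\wbem\WMIC.exe",
        'wmic /node:SRV02 process call create "notepad.exe"',
        r"C:\Windows\System32\cmd.exe"),
}


def splunk_wildcard(pattern, value):
    """Approximate a Splunk field match such as CommandLine="*Delete *": each '*'
    matches any run of characters and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def parse_sysmon_event(xml_text):
    """Flatten one event record into a dict. Deriving `process`/`parent_process`
    as the basename of Image/ParentImage is an assumption about how the TA
    exposes the field the saved searches compare with (e.g. process=vssadmin.exe)."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventCode": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    fields["process"] = PureWindowsPath(fields.get("Image", "")).name
    fields["parent_process"] = PureWindowsPath(fields.get("ParentImage", "")).name
    return fields


# Regex of the "Windows Credential Editor" saved search (SPL's "\\\\" is one
# literal backslash), with the [a-z0-9] class spelled out in every group.
WCE_RE = re.compile(r"\\[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\.exe-S$")
# Wildcards of the "mimikatz" saved search.
MIMIKATZ_MODULES = ("*privileges::debug*", "*sekurlsa::*", "*kerberos::*",
                    "*crypto::*", "*lsadump::*", "*process::*")


def detect(fields):
    """Return the sorted names of the saved searches this record would satisfy."""
    hits = []
    cl = fields.get("CommandLine", "")
    proc = fields["process"].lower()  # Splunk field equality is case-insensitive
    if fields["parent_process"].lower() == "services.exe" and WCE_RE.search(cl):
        hits.append("wce_service_child")
    if any(splunk_wildcard(p, cl) for p in MIMIKATZ_MODULES):
        hits.append("mimikatz_modules")
    if (fields["EventCode"] == "1" and proc == "vssadmin.exe"
            and all(splunk_wildcard(p, cl) for p in ("*vssadmin*", "*Delete *", "*Shadows*"))):
        hits.append("vssadmin_delete_shadows")
    if proc == "wmic.exe" and splunk_wildcard("*process call create*", cl):
        hits.append("wmic_process_call_create")
    if proc == "wmic.exe" and splunk_wildcard("*/NODE:*", cl):
        hits.append("wmic_node")
    return sorted(hits)


def scan(events):
    """Map each sample name to the saved searches it triggers."""
    return {name: detect(parse_sysmon_event(xml)) for name, xml in events.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS).items():
        print(f"{name:22s} -> {hits or 'no match'}")
```

Run it directly to see which sample trips which rule. The `splunk_wildcard` helper is the part worth studying when porting these searches elsewhere: a Splunk field comparison with `*` is anchored to the whole field value and case-insensitive, while the `| regex` command is case-sensitive unless the pattern says otherwise, which is why the credential-editor rule uses a compiled regex and the others use wildcard matching.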
65 |
--------------------------------------------------------------------------------
/default/app.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Splunk app configuration file
3 | #
4 |
5 | [install]
6 | is_configured = 0
7 |
8 | [ui]
9 | is_visible = 1
10 | label = Sysmon App for Splunk
11 |
12 | [launcher]
13 | author = MHaggis,kidcrash22
14 | description =
15 | version = 1.0
16 |
17 | [package]
18 | id = sysmon-splunk-app
19 |
--------------------------------------------------------------------------------
/default/data/ui/nav/default.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/default/data/ui/views/README:
--------------------------------------------------------------------------------
1 | Add all the views that your app needs in this directory
2 |
--------------------------------------------------------------------------------
/default/data/ui/views/file_creation_overview.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/investigator.xml:
--------------------------------------------------------------------------------
1 |
102 |
--------------------------------------------------------------------------------
/default/data/ui/views/network_connections.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/network_overview.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/overview.xml:
--------------------------------------------------------------------------------
1 |
2 | Overview
3 | High level overview of your Sysmon environment.
4 |
5 |
6 | Computer Count
7 |
8 |
9 | `sysmon` | stats dc(Computer)
10 | -24h@h
11 | now
12 | 1
13 |
14 | value
15 | none
16 | none
17 | 0
18 | ["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]
19 | [0,30,70,100]
20 | 1
21 | 1
22 | standard
23 | absolute
24 | after
25 | 0
26 | 1
27 |
28 |
29 |
30 |
31 | Sysmon-Top EventDescription
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 | Critical Process
40 |
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/default/data/ui/views/process_finder.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/process_overview.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/process_timeline.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/data/ui/views/process_watch.xml:
--------------------------------------------------------------------------------
1 |
54 |
--------------------------------------------------------------------------------
/default/data/ui/views/registry_overview.xml:
--------------------------------------------------------------------------------
1 |
87 |
--------------------------------------------------------------------------------
/default/data/ui/views/suspicious_indicators.xml:
--------------------------------------------------------------------------------
1 |
99 |
--------------------------------------------------------------------------------
/default/data/ui/views/sysmon_overview.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/default/macros.conf:
--------------------------------------------------------------------------------
1 |
2 | [sysmon]
3 | definition = sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
4 | iseval = 0
5 |
--------------------------------------------------------------------------------
/default/savedsearches.conf:
--------------------------------------------------------------------------------
1 |
2 | [Powershell - EventDescription]
3 | action.email.useNSSubject = 1
4 | alert.track = 0
5 | dispatch.earliest_time = -24h@h
6 | dispatch.latest_time = now
7 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
8 | display.general.type = statistics
9 | display.page.search.mode = verbose
10 | display.page.search.tab = statistics
11 | display.visualizations.charting.chart = bar
12 | display.visualizations.show = 0
13 | request.ui_dispatch_app = sysmon-splunk-app
14 | request.ui_dispatch_view = search
15 | search = `sysmon` process=powershell.exe | stats values(EventDescription) by process
16 |
17 | [Sysmon - Top EventDescription]
18 | action.email.useNSSubject = 1
19 | alert.track = 0
20 | dispatch.earliest_time = -24h@h
21 | dispatch.latest_time = now
22 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
23 | display.general.type = statistics
24 | display.page.search.mode = verbose
25 | display.page.search.tab = statistics
26 | display.visualizations.charting.chart = bar
27 | display.visualizations.show = 0
28 | request.ui_dispatch_app = sysmon-splunk-app
29 | request.ui_dispatch_view = search
30 | search = `sysmon` | top EventDescription
31 |
32 | [Sysmon - Parent to Child]
33 | action.email.useNSSubject = 1
34 | alert.track = 0
35 | dispatch.earliest_time = -24h@h
36 | dispatch.latest_time = now
37 | dispatchAs = user
38 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
39 | display.general.type = statistics
40 | display.page.search.mode = verbose
41 | display.page.search.tab = statistics
42 | display.visualizations.charting.chart = bar
43 | display.visualizations.show = 0
44 | request.ui_dispatch_app = sysmon-splunk-app
45 | request.ui_dispatch_view = search
46 | search = `sysmon` NOT splunk | stats values(ParentImage) by process
47 |
48 | [EventDescription - by process, Commandline]
49 | action.email.useNSSubject = 1
50 | alert.track = 0
51 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
52 | display.general.type = statistics
53 | display.page.search.mode = verbose
54 | display.page.search.tab = statistics
55 | display.visualizations.charting.chart = bar
56 | display.visualizations.show = 0
57 | request.ui_dispatch_app = sysmon-splunk-app
58 | request.ui_dispatch_view = search
59 | search = `sysmon` NOT splunk | stats values(EventDescription) by process,CommandLine
60 |
61 | [Powershell - All PoSh by Computer]
62 | action.email.useNSSubject = 1
63 | alert.track = 0
64 | dispatchAs = user
65 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
66 | display.general.type = statistics
67 | display.page.search.mode = verbose
68 | display.page.search.tab = statistics
69 | display.visualizations.charting.chart = bar
70 | display.visualizations.show = 0
71 | request.ui_dispatch_app = sysmon-splunk-app
72 | request.ui_dispatch_view = search
73 | search = `sysmon` process=powershell.exe | stats values(CommandLine) by Computer,process
74 |
75 | [net - All net usage]
76 | action.email.useNSSubject = 1
77 | alert.track = 0
78 | dispatch.earliest_time = -60m@m
79 | dispatch.latest_time = now
80 | dispatchAs = user
81 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
82 | display.general.type = statistics
83 | display.page.search.mode = verbose
84 | display.page.search.tab = statistics
85 | display.visualizations.charting.chart = bar
86 | display.visualizations.show = 0
87 | request.ui_dispatch_app = sysmon-splunk-app
88 | request.ui_dispatch_view = search
89 | search = `sysmon` process=net.exe | stats count by Computer,CommandLine
90 |
91 | [wmic.exe - all wmic execution]
92 | action.email.useNSSubject = 1
93 | alert.track = 0
94 | dispatch.earliest_time = -60m@m
95 | dispatch.latest_time = now
96 | dispatchAs = user
97 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
98 | display.general.type = statistics
99 | display.page.search.mode = verbose
100 | display.page.search.tab = statistics
101 | display.visualizations.charting.chart = bar
102 | display.visualizations.show = 0
103 | request.ui_dispatch_app = sysmon-splunk-app
104 | request.ui_dispatch_view = search
105 | search = `sysmon` process=wmic.exe | stats count by Computer,CommandLine
106 |
107 | [CommandLine - By computer, process]
108 | action.email.useNSSubject = 1
109 | alert.track = 0
110 | dispatchAs = user
111 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
112 | display.general.type = statistics
113 | display.page.search.mode = verbose
114 | display.page.search.tab = statistics
115 | display.visualizations.charting.chart = bar
116 | display.visualizations.show = 0
117 | request.ui_dispatch_app = sysmon-splunk-app
118 | request.ui_dispatch_view = search
119 | search = `sysmon` | stats values(CommandLine) by Computer,process
120 |
121 | [Net - Group, localgroup]
122 | action.email.useNSSubject = 1
123 | alert.track = 0
124 | dispatchAs = user
125 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
126 | display.general.type = statistics
127 | display.page.search.mode = verbose
128 | display.page.search.tab = statistics
129 | display.visualizations.charting.chart = bar
130 | display.visualizations.show = 0
131 | request.ui_dispatch_app = sysmon-splunk-app
132 | request.ui_dispatch_view = search
133 | search = `sysmon` process="net.exe" (CommandLine="*net group*" OR CommandLine="*net localgroup*") | stats count by Computer,CommandLine
134 |
135 | [Users by Computer]
136 | action.email.useNSSubject = 1
137 | alert.track = 0
138 | dispatchAs = user
139 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
140 | display.general.type = statistics
141 | display.page.search.mode = verbose
142 | display.page.search.tab = statistics
143 | display.visualizations.charting.chart = bar
144 | display.visualizations.show = 0
145 | request.ui_dispatch_app = sysmon-splunk-app
146 | request.ui_dispatch_view = search
147 | search = `sysmon` | stats values(user) by Computer
148 |
149 | [Commandline by user]
150 | action.email.useNSSubject = 1
151 | alert.track = 0
152 | dispatchAs = user
153 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
154 | display.general.type = statistics
155 | display.page.search.mode = verbose
156 | display.page.search.tab = statistics
157 | display.visualizations.charting.chart = bar
158 | display.visualizations.show = 0
159 | request.ui_dispatch_app = sysmon-splunk-app
160 | request.ui_dispatch_view = search
161 | search = `sysmon` | stats values(CommandLine) by user
162 |
163 | [Net - net view]
164 | action.email.useNSSubject = 1
165 | alert.track = 0
166 | dispatchAs = user
167 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
168 | display.general.type = statistics
169 | display.page.search.mode = verbose
170 | display.page.search.tab = statistics
171 | display.visualizations.charting.chart = bar
172 | display.visualizations.show = 0
173 | request.ui_dispatch_app = sysmon-splunk-app
174 | request.ui_dispatch_view = search
175 | search = `sysmon` process=net.exe (CommandLine="net view") | stats count by Computer,CommandLine
176 |
177 | [Windows Credential Editor]
178 | action.email.useNSSubject = 1
179 | alert.track = 0
180 | dispatch.earliest_time = -24h@h
181 | dispatch.latest_time = now
182 | dispatchAs = user
183 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
184 | display.page.search.mode = verbose
185 | display.visualizations.charting.chart = bar
186 | display.visualizations.show = 0
187 | request.ui_dispatch_app = sysmon-splunk-app
188 | request.ui_dispatch_view = search
189 | search = `sysmon` ParentImage="services.exe" | regex CommandLine="\\\\[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\.exe-S$"
190 |
191 | [mimikatz]
192 | action.email.useNSSubject = 1
193 | alert.track = 0
194 | dispatch.earliest_time = -24h@h
195 | dispatch.latest_time = now
196 | dispatchAs = user
197 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
198 | display.page.search.mode = verbose
199 | display.visualizations.charting.chart = bar
200 | display.visualizations.show = 0
201 | request.ui_dispatch_app = sysmon-splunk-app
202 | request.ui_dispatch_view = search
203 | search = `sysmon` CommandLine="*privileges::debug*" OR CommandLine="*sekurlsa::*" OR CommandLine="*kerberos::*" OR CommandLine="*crypto::*" OR CommandLine="*lsadump::*" OR CommandLine="*process::*"
204 |
205 | [gsecdump]
206 | action.email.useNSSubject = 1
207 | alert.track = 0
208 | dispatch.earliest_time = -24h@h
209 | dispatch.latest_time = now
210 | dispatchAs = user
211 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
212 | display.page.search.mode = verbose
213 | display.visualizations.charting.chart = bar
214 | display.visualizations.show = 0
215 | request.ui_dispatch_app = sysmon-splunk-app
216 | request.ui_dispatch_view = search
217 | search = `sysmon` process="g64-*" | regex process="\\\\g64-[a-z0-9]{3}\.exe$"
218 |
219 | [wmic - process call create]
220 | action.email.useNSSubject = 1
221 | alert.track = 0
222 | dispatch.earliest_time = -24h@h
223 | dispatch.latest_time = now
224 | dispatchAs = user
225 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
226 | display.page.search.mode = verbose
227 | display.visualizations.charting.chart = bar
228 | display.visualizations.show = 0
229 | request.ui_dispatch_app = sysmon-splunk-app
230 | request.ui_dispatch_view = search
231 | search = `sysmon` process="WMIC.exe" CommandLine="*process call create*"
232 |
233 | [wmiprvse - parent execution]
234 | action.email.useNSSubject = 1
235 | alert.track = 0
236 | dispatch.earliest_time = -24h@h
237 | dispatch.latest_time = now
238 | dispatchAs = user
239 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
240 | display.general.type = statistics
241 | display.page.search.mode = verbose
242 | display.page.search.tab = statistics
243 | display.visualizations.charting.chart = bar
244 | display.visualizations.show = 0
245 | request.ui_dispatch_app = sysmon-splunk-app
246 | request.ui_dispatch_view = search
247 | search = `sysmon` ParentImage="WmiPrvSE.exe" | stats count by Computer,CommandLine
248 |
249 | [wmic - /node]
250 | action.email.useNSSubject = 1
251 | alert.track = 0
252 | dispatch.earliest_time = -24h@h
253 | dispatch.latest_time = now
254 | dispatchAs = user
255 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
256 | display.page.search.mode = verbose
257 | display.visualizations.charting.chart = bar
258 | display.visualizations.show = 0
259 | request.ui_dispatch_app = sysmon-splunk-app
260 | request.ui_dispatch_view = search
261 | search = `sysmon` process="WMIC.exe" CommandLine="*/NODE:*"
262 |
263 | [vssadmin - delete]
264 | action.email.useNSSubject = 1
265 | alert.track = 0
266 | dispatchAs = user
267 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
268 | display.page.search.mode = verbose
269 | display.visualizations.charting.chart = bar
270 | display.visualizations.show = 0
271 | request.ui_dispatch_app = sysmon-splunk-app
272 | request.ui_dispatch_view = search
273 | search = `sysmon` EventCode=1 process=vssadmin.exe | search CommandLine="*vssadmin*" CommandLine="*Delete *" CommandLine="*Shadows*"
274 |
275 | [taskeng - parentproc all]
276 | action.email.useNSSubject = 1
277 | alert.track = 0
278 | dispatch.earliest_time = -24h@h
279 | dispatch.latest_time = now
280 | dispatchAs = user
281 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
282 | display.general.type = statistics
283 | display.page.search.mode = verbose
284 | display.page.search.tab = statistics
285 | display.visualizations.charting.chart = bar
286 | display.visualizations.show = 0
287 | request.ui_dispatch_app = sysmon-splunk-app
288 | request.ui_dispatch_view = search
289 | search = `sysmon` ParentImage="taskeng.exe" | stats count by Computer,CommandLine
290 |
291 | [schtasks - run]
292 | action.email.useNSSubject = 1
293 | alert.track = 0
294 | dispatch.earliest_time = -24h@h
295 | dispatch.latest_time = now
296 | dispatchAs = user
297 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
298 | display.page.search.mode = verbose
299 | display.visualizations.charting.chart = bar
300 | display.visualizations.show = 0
301 | request.ui_dispatch_app = sysmon-splunk-app
302 | request.ui_dispatch_view = search
303 | search = `sysmon` process="schtasks.exe" CommandLine="*/Run*" CommandLine="*/s *"
304 |
305 | [schtasks - delete]
306 | action.email.useNSSubject = 1
307 | alert.track = 0
308 | dispatch.earliest_time = -24h@h
309 | dispatch.latest_time = now
310 | dispatchAs = user
311 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
312 | display.page.search.mode = verbose
313 | display.visualizations.charting.chart = bar
314 | display.visualizations.show = 0
315 | request.ui_dispatch_app = sysmon-splunk-app
316 | request.ui_dispatch_view = search
317 | search = `sysmon` process="schtasks.exe" CommandLine="*/Delete*" CommandLine="*/s *"
318 |
319 | [schtasks - create]
320 | action.email.useNSSubject = 1
321 | alert.track = 0
322 | dispatch.earliest_time = -24h@h
323 | dispatch.latest_time = now
324 | dispatchAs = user
325 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
326 | display.page.search.mode = verbose
327 | display.visualizations.charting.chart = bar
328 | display.visualizations.show = 0
329 | request.ui_dispatch_app = sysmon-splunk-app
330 | request.ui_dispatch_view = search
331 | search = `sysmon` process="schtasks.exe" CommandLine="*/Create*" CommandLine="*/s *"
332 |
333 | [schtasks - change]
334 | action.email.useNSSubject = 1
335 | alert.track = 0
336 | dispatch.earliest_time = -24h@h
337 | dispatch.latest_time = now
338 | dispatchAs = user
339 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
340 | display.page.search.mode = verbose
341 | display.visualizations.charting.chart = bar
342 | display.visualizations.show = 0
343 | request.ui_dispatch_app = sysmon-splunk-app
344 | request.ui_dispatch_view = search
345 | search = `sysmon` process="schtasks.exe" CommandLine="*/Change*" CommandLine="*/s *"
346 |
347 | [schtasks - all]
348 | action.email.useNSSubject = 1
349 | alert.track = 0
350 | dispatch.earliest_time = -24h@h
351 | dispatch.latest_time = now
352 | dispatchAs = user
353 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
354 | display.general.type = statistics
355 | display.page.search.mode = verbose
356 | display.page.search.tab = statistics
357 | display.visualizations.charting.chart = bar
358 | display.visualizations.show = 0
359 | request.ui_dispatch_app = sysmon-splunk-app
360 | request.ui_dispatch_view = search
361 | search = `sysmon` process="schtasks.exe" | stats count by Computer,CommandLine
362 |
363 | [rundll32 - suspicious execution]
364 | action.email.useNSSubject = 1
365 | alert.track = 0
366 | dispatch.earliest_time = -24h@h
367 | dispatch.latest_time = now
368 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
369 | display.page.search.mode = verbose
370 | display.visualizations.charting.chart = bar
371 | display.visualizations.show = 0
372 | request.ui_dispatch_app = sysmon-splunk-app
373 | request.ui_dispatch_view = search
374 | search = `sysmon` EventCode=1 rundll32.exe \
375 | | search Image="rundll32.exe" (CommandLine="*AppData\\Local\\Temp*" CommandLine="*qwerty*") \
376 | OR (ParentImage="winword.exe" \
377 | OR ParentImage="excel.exe" OR ParentImage="cscript.exe" \
378 | OR ParentImage="wscript.exe" OR ParentImage="mshta.exe")
379 |
380 | [psexecsvc - all]
381 | action.email.useNSSubject = 1
382 | alert.track = 0
383 | dispatchAs = user
384 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
385 | display.general.type = statistics
386 | display.page.search.mode = verbose
387 | display.page.search.tab = statistics
388 | display.visualizations.charting.chart = bar
389 | display.visualizations.show = 0
390 | request.ui_dispatch_app = sysmon-splunk-app
391 | request.ui_dispatch_view = search
392 | search = `sysmon` ParentImage="PSEXESVC.EXE" | stats count by Image,Hashes
393 |
394 | [psexec - IMPHASH not psexec.exe]
395 | action.email.useNSSubject = 1
396 | alert.track = 0
397 | dispatch.earliest_time = -24h@h
398 | dispatch.latest_time = now
399 | dispatchAs = user
400 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
401 | display.page.search.mode = verbose
402 | display.visualizations.charting.chart = bar
403 | display.visualizations.show = 0
404 | request.ui_dispatch_app = sysmon-splunk-app
405 | request.ui_dispatch_view = search
406 | search = `sysmon` Hashes="*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*" NOT process="*PsExec.exe"
407 |
408 | [psexec - IMPHASH]
409 | action.email.useNSSubject = 1
410 | alert.track = 0
411 | dispatch.earliest_time = -24h@h
412 | dispatch.latest_time = now
413 | dispatchAs = user
414 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
415 | display.page.search.mode = verbose
416 | display.visualizations.charting.chart = bar
417 | display.visualizations.show = 0
418 | request.ui_dispatch_app = sysmon-splunk-app
419 | request.ui_dispatch_view = search
420 | search = `sysmon` Hashes="*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*"
421 |
422 | [powershell - invoke-command]
423 | action.email.useNSSubject = 1
424 | alert.track = 0
425 | dispatch.earliest_time = -24h@h
426 | dispatch.latest_time = now
427 | dispatchAs = user
428 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
429 | display.page.search.mode = verbose
430 | display.visualizations.charting.chart = bar
431 | display.visualizations.show = 0
432 | request.ui_dispatch_app = sysmon-splunk-app
433 | request.ui_dispatch_view = search
434 | search = `sysmon` process="*powershell.exe" CommandLine="*Invoke-Command*"
435 |
436 | [at execution]
437 | action.email.useNSSubject = 1
438 | alert.track = 0
439 | dispatch.earliest_time = -24h@h
440 | dispatch.latest_time = now
441 | dispatchAs = user
442 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
443 | display.general.type = statistics
444 | display.page.search.mode = verbose
445 | display.page.search.tab = statistics
446 | display.visualizations.charting.chart = bar
447 | display.visualizations.show = 0
448 | request.ui_dispatch_app = sysmon-splunk-app
449 | request.ui_dispatch_view = search
450 | search = `sysmon` ParentImage="at.exe" | stats count by Computer,CommandLine
451 |
452 | [wsmprovhost - powershell]
453 | action.email.useNSSubject = 1
454 | alert.track = 0
455 | dispatch.earliest_time = -24h@h
456 | dispatch.latest_time = now
457 | dispatchAs = user
458 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
459 | display.general.type = statistics
460 | display.page.search.mode = verbose
461 | display.page.search.tab = statistics
462 | display.visualizations.charting.chart = bar
463 | display.visualizations.show = 0
464 | request.ui_dispatch_app = sysmon-splunk-app
465 | request.ui_dispatch_view = search
466 | search = `sysmon` ParentImage="*wsmprovhost.exe" | stats count by Computer,CommandLine
467 |
468 | [msbuild - all]
469 | action.email.useNSSubject = 1
470 | alert.track = 0
471 | dispatch.earliest_time = -24h@h
472 | dispatch.latest_time = now
473 | dispatchAs = user
474 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
475 | display.general.type = statistics
476 | display.page.search.mode = verbose
477 | display.page.search.tab = statistics
478 | display.visualizations.charting.chart = bar
479 | display.visualizations.show = 0
480 | request.ui_dispatch_app = sysmon-splunk-app
481 | request.ui_dispatch_view = search
482 | search = `sysmon` process="msbuild.exe" | stats count by Computer,CommandLine
483 |
484 | [rundll32.exe - all]
485 | action.email.useNSSubject = 1
486 | alert.track = 0
487 | dispatch.earliest_time = -24h@h
488 | dispatch.latest_time = now
489 | dispatchAs = user
490 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
491 | display.general.type = statistics
492 | display.page.search.mode = verbose
493 | display.page.search.tab = statistics
494 | display.visualizations.charting.chart = bar
495 | display.visualizations.show = 0
496 | request.ui_dispatch_app = sysmon-splunk-app
497 | request.ui_dispatch_view = search
498 | search = `sysmon` process="rundll32.exe" | stats count by Computer,CommandLine
499 |
500 | [rundll32.exe - Control_RunDLL]
501 | action.email.useNSSubject = 1
502 | alert.track = 0
503 | dispatch.earliest_time = -24h@h
504 | dispatch.latest_time = now
505 | dispatchAs = user
506 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
507 | display.general.type = statistics
508 | display.page.search.mode = verbose
509 | display.page.search.tab = statistics
510 | display.visualizations.charting.chart = bar
511 | display.visualizations.show = 0
512 | request.ui_dispatch_app = sysmon-splunk-app
513 | request.ui_dispatch_view = search
514 | search = `sysmon` process="rundll32.exe" CommandLine="*,Control_RunDLL" | stats count by Computer,CommandLine
515 |
516 | [rundll32.exe - DllRegisterServer]
517 | action.email.useNSSubject = 1
518 | alert.track = 0
519 | dispatch.earliest_time = -24h@h
520 | dispatch.latest_time = now
521 | dispatchAs = user
522 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
523 | display.general.type = statistics
524 | display.page.search.mode = verbose
525 | display.page.search.tab = statistics
526 | display.visualizations.charting.chart = bar
527 | display.visualizations.show = 0
528 | request.ui_dispatch_app = sysmon-splunk-app
529 | request.ui_dispatch_view = search
530 | search = `sysmon` process="rundll32.exe" DllRegisterServer | stats count by Computer,CommandLine
531 |
532 | [rundll32.exe - \\roaming\\ execution]
533 | action.email.useNSSubject = 1
534 | alert.track = 0
535 | dispatch.earliest_time = -24h@h
536 | dispatch.latest_time = now
537 | dispatchAs = user
538 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
539 | display.general.type = statistics
540 | display.page.search.mode = verbose
541 | display.page.search.tab = statistics
542 | display.visualizations.charting.chart = bar
543 | display.visualizations.show = 0
544 | request.ui_dispatch_app = sysmon-splunk-app
545 | request.ui_dispatch_view = search
546 | search = `sysmon` process=rundll32.exe \\roaming\\ | stats count by Computer,CommandLine,ParentCommandLine
547 |
548 | [cscript - http]
549 | action.email.useNSSubject = 1
550 | alert.track = 0
551 | dispatch.earliest_time = -24h@h
552 | dispatch.latest_time = now
553 | dispatchAs = user
554 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
555 | display.general.type = statistics
556 | display.page.search.mode = verbose
557 | display.page.search.tab = statistics
558 | display.visualizations.charting.chart = bar
559 | display.visualizations.show = 0
560 | request.ui_dispatch_app = sysmon-splunk-app
561 | request.ui_dispatch_view = search
562 | search = `sysmon` process="cscript.exe" http | stats count by Computer,CommandLine
563 |
564 | [wscript - js execution]
565 | action.email.useNSSubject = 1
566 | alert.track = 0
567 | dispatch.earliest_time = -24h@h
568 | dispatch.latest_time = now
569 | dispatchAs = user
570 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
571 | display.general.type = statistics
572 | display.page.search.mode = verbose
573 | display.page.search.tab = statistics
574 | display.visualizations.charting.chart = bar
575 | display.visualizations.show = 0
576 | request.ui_dispatch_app = sysmon-splunk-app
577 | request.ui_dispatch_view = search
578 | search = `sysmon` process="wscript.exe" .js | stats count by Computer,CommandLine
579 |
580 | [wscript - vbs or vbe execution]
581 | action.email.useNSSubject = 1
582 | alert.track = 0
583 | dispatch.earliest_time = -24h@h
584 | dispatch.latest_time = now
585 | dispatchAs = user
586 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
587 | display.general.type = statistics
588 | display.page.search.mode = verbose
589 | display.page.search.tab = statistics
590 | display.visualizations.charting.chart = bar
591 | display.visualizations.show = 0
592 | request.ui_dispatch_app = sysmon-splunk-app
593 | request.ui_dispatch_view = search
594 | search = `sysmon` process="wscript.exe" CommandLine=*.vbs* OR CommandLine=*.vbe* | stats count by Computer,CommandLine
595 |
596 | [wscript - Suspicious rar/zip userprofile execution]
597 | action.email.useNSSubject = 1
598 | alert.track = 0
599 | dispatch.earliest_time = -24h@h
600 | dispatch.latest_time = now
601 | dispatchAs = user
602 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
603 | display.general.type = statistics
604 | display.page.search.mode = verbose
605 | display.page.search.tab = statistics
606 | display.visualizations.charting.chart = bar
607 | display.visualizations.show = 0
608 | request.ui_dispatch_app = sysmon-splunk-app
609 | request.ui_dispatch_view = search
610 | search = `sysmon` process="wscript.exe" \\Rar$ OR ".zip" \\appdata\\ | stats count by Computer,CommandLine
611 |
612 | [netsh - all]
613 | action.email.useNSSubject = 1
614 | alert.track = 0
615 | dispatch.earliest_time = -24h@h
616 | dispatch.latest_time = now
617 | dispatchAs = user
618 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
619 | display.general.type = statistics
620 | display.page.search.mode = verbose
621 | display.page.search.tab = statistics
622 | display.visualizations.charting.chart = bar
623 | display.visualizations.show = 0
624 | request.ui_dispatch_app = sysmon-splunk-app
625 | request.ui_dispatch_view = search
626 | search = `sysmon` process="netsh.exe" | stats values(CommandLine) by Computer
627 |
628 | [bitsadmin - all]
629 | action.email.useNSSubject = 1
630 | alert.track = 0
631 | dispatch.earliest_time = -24h@h
632 | dispatch.latest_time = now
633 | dispatchAs = user
634 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
635 | display.general.type = statistics
636 | display.page.search.mode = verbose
637 | display.page.search.tab = statistics
638 | display.visualizations.charting.chart = bar
639 | display.visualizations.show = 0
640 | request.ui_dispatch_app = sysmon-splunk-app
641 | request.ui_dispatch_view = search
642 | search = `sysmon` process="bitsadmin.exe" | stats values(CommandLine) by Computer
643 |
644 | [Net - IPC$ access]
645 | action.email.useNSSubject = 1
646 | alert.track = 0
647 | dispatch.earliest_time = -24h@h
648 | dispatch.latest_time = now
649 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
650 | display.general.type = statistics
651 | display.page.search.mode = verbose
652 | display.page.search.tab = statistics
653 | display.visualizations.charting.chart = bar
654 | display.visualizations.show = 0
655 | request.ui_dispatch_app = sysmon-splunk-app
656 | request.ui_dispatch_view = search
657 | search = `sysmon` process="net.exe" *ipc$* | stats values(CommandLine) by Computer
658 |
659 | [installutil - all]
660 | action.email.useNSSubject = 1
661 | alert.track = 0
662 | dispatch.earliest_time = -24h@h
663 | dispatch.latest_time = now
664 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
665 | display.general.type = statistics
666 | display.page.search.mode = verbose
667 | display.page.search.tab = statistics
668 | display.visualizations.charting.chart = bar
669 | display.visualizations.show = 0
670 | request.ui_dispatch_app = sysmon-splunk-app
671 | request.ui_dispatch_view = search
672 | search = `sysmon` process="installutil.exe" | stats values(CommandLine) by Computer
673 |
674 | [Powershell - EncodedCommand]
675 | action.email.useNSSubject = 1
676 | alert.track = 0
677 | dispatchAs = user
678 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
679 | display.general.type = statistics
680 | display.page.search.mode = verbose
681 | display.page.search.tab = statistics
682 | display.visualizations.charting.chart = bar
683 | display.visualizations.show = 0
684 | request.ui_dispatch_app = sysmon-splunk-app
685 | request.ui_dispatch_view = search
686 | search = `sysmon` process="powershell.exe" (CommandLine="*-encodedcommand*" OR CommandLine="*-enc*" OR CommandLine="* -e *" OR CommandLine="* -e" OR CommandLine="* -ec *" OR CommandLine="* -ec" OR CommandLine="* -en *" OR CommandLine="* -en") | stats count by CommandLine | sort -count
687 |
688 | [Critical Process]
689 | action.email.useNSSubject = 1
690 | alert.track = 0
691 | dispatch.earliest_time = -24h@h
692 | dispatch.latest_time = now
693 | dispatchAs = user
694 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
695 | display.general.type = statistics
696 | display.page.search.mode = verbose
697 | display.page.search.tab = statistics
698 | display.visualizations.charting.chart = bar
699 | display.visualizations.show = 0
700 | display.visualizations.type = singlevalue
701 | request.ui_dispatch_app = sysmon-splunk-app
702 | request.ui_dispatch_view = search
703 | search = `sysmon` process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="cmd.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="certutil.exe" | stats count by process
704 |
705 |
706 | [IOC - svchost.exe not run by services.exe]
707 | action.email.useNSSubject = 1
708 | alert.suppress = 0
709 | alert.track = 1
710 | counttype = number of events
711 | cron_schedule = */15 * * * *
712 | dispatch.earliest_time = -15m
713 | display.page.search.mode = verbose
714 | display.visualizations.charting.chart = pie
715 | display.visualizations.type = mapping
716 | enableSched = 1
717 | quantity = 0
718 | relation = greater than
719 | request.ui_dispatch_app = sysmon-splunk-app
720 | request.ui_dispatch_view = search
721 | search = `sysmon` EventCode="1" svchost.exe \
722 | | search Image="*\\svchost.exe" ParentImage!="*\\services.exe"
723 |
724 | [IOC - >5 Critical Process in 10m]
725 | action.email.useNSSubject = 1
726 | alert.suppress = 0
727 | alert.track = 1
728 | counttype = number of events
729 | cron_schedule = */10 * * * *
730 | dispatch.earliest_time = -10m
731 | display.general.type = statistics
732 | display.page.search.mode = verbose
733 | display.page.search.tab = statistics
734 | display.visualizations.charting.chart = pie
735 | display.visualizations.type = mapping
736 | enableSched = 1
737 | quantity = 0
738 | relation = greater than
739 | request.ui_dispatch_app = sysmon-splunk-app
740 | request.ui_dispatch_view = search
741 | search = `sysmon` EventCode="1" (process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="nbtstat.exe") ParentImage!="C:\\Program Files (x86)\\Microsoft Visual Studio Common7\\IDE\\devenv.exe" ParentImage!="C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Professional\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Node.x86\\ServiceHub.Host.Node.x86.exe" | bin span=10m _time | stats values(CommandLine), count by host _time | where count>5
742 |
743 | [IOC - Suspicious Driver Loaded from Temp]
744 | action.email.useNSSubject = 1
745 | alert.suppress = 0
746 | alert.track = 1
747 | counttype = number of events
748 | cron_schedule = */20 * * * *
749 | description = Driver loaded from /temp/ directory
750 | dispatch.earliest_time = -20m
751 | display.page.search.mode = verbose
752 | display.visualizations.charting.chart = pie
753 | enableSched = 1
754 | quantity = 0
755 | relation = greater than
756 | request.ui_dispatch_app = sysmon-splunk-app
757 | request.ui_dispatch_view = search
758 | search = `sysmon` EventCode=6 ImageLoaded="*\\Temp\\*"
759 |
760 | [IOC - Suspicious Exe Path]
761 | action.email.useNSSubject = 1
762 | alert.suppress = 0
763 | alert.track = 1
764 | counttype = number of events
765 | cron_schedule = */20 * * * *
766 | dispatch.earliest_time = -20m
767 | display.page.search.mode = verbose
768 | display.visualizations.charting.chart = pie
769 | enableSched = 1
770 | quantity = 0
771 | relation = greater than
772 | request.ui_dispatch_app = sysmon-splunk-app
773 | request.ui_dispatch_view = search
774 | search = `sysmon` EventCode="1" (Image="*\\$Recycle.bin\\*" OR Image="*\\Users\\All Users\\*" OR Image="*\\Users\\Default\\*" OR Image="C:\\Perflogs\\*" OR Image="*\\config\\systemprofile\\*" OR Image="*\\Windows\\Fonts\\*" OR Image="*\\Windows\\IME\\*" OR Image="*\\Windows\\addins\\*")
775 |
776 | [IOC - Eventviewer UAC Bypass]
777 | action.email.useNSSubject = 1
778 | alert.suppress = 0
779 | alert.track = 1
780 | counttype = number of events
781 | cron_schedule = */20 * * * *
782 | description = Detects UAC bypass method using Windows event viewer
783 | dispatch.earliest_time = -20m
784 | display.page.search.mode = verbose
785 | display.visualizations.charting.chart = pie
786 | enableSched = 1
787 | quantity = 0
788 | relation = greater than
789 | request.ui_dispatch_app = sysmon-splunk-app
790 | request.ui_dispatch_view = search
791 | search = `sysmon` EventCode=13 TargetObject="*\\Classes\\mscfile\\shell\\open\\command*"
792 |
793 | [IOC - UAC Bypass sdclt]
794 | action.email.useNSSubject = 1
795 | alert.suppress = 0
796 | alert.track = 1
797 | counttype = number of events
798 | cron_schedule = */20 * * * *
799 | description = Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
800 | dispatch.earliest_time = -20m
801 | display.page.search.mode = verbose
802 | display.visualizations.charting.chart = pie
803 | enableSched = 1
804 | quantity = 0
805 | relation = greater than
806 | request.ui_dispatch_app = sysmon-splunk-app
807 | request.ui_dispatch_view = search
808 | search = `sysmon` EventCode=13 TargetObject="*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand"
809 |
810 | [IOC - Powershell Suspicious Strings]
811 | action.email.useNSSubject = 1
812 | alert.suppress = 0
813 | alert.track = 1
814 | counttype = number of events
815 | cron_schedule = */20 * * * *
816 | dispatch.earliest_time = -20m
817 | display.general.type = statistics
818 | display.page.search.mode = verbose
819 | display.page.search.tab = statistics
820 | display.visualizations.charting.chart = pie
821 | display.visualizations.type = mapping
822 | enableSched = 1
823 | quantity = 0
824 | relation = greater than
825 | request.ui_dispatch_app = sysmon-splunk-app
826 | request.ui_dispatch_view = search
827 | search = `sysmon` EventCode=1 powershell.exe Invoke* OR IEX OR Download* \
828 | | table _time, host, ProcessID, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine
829 |
830 | [IOC - Abnormally long Powershell Command]
831 | action.email.useNSSubject = 1
832 | alert.suppress = 0
833 | alert.track = 1
834 | counttype = number of events
835 | cron_schedule = */20 * * * *
836 | dispatch.earliest_time = -20m
837 | display.page.search.mode = verbose
838 | display.visualizations.charting.chart = pie
839 | display.visualizations.type = mapping
840 | enableSched = 1
841 | quantity = 0
842 | relation = greater than
843 | request.ui_dispatch_app = sysmon-splunk-app
844 | request.ui_dispatch_view = search
845 | search = `sysmon` EventCode=1 process=powershell.exe | eval c_length=len(CommandLine) | where c_length>500
846 |
847 | [IOC - Commands run from Office Doc/Browser]
848 | action.email.useNSSubject = 1
849 | alert.suppress = 0
850 | alert.track = 1
851 | counttype = number of events
852 | cron_schedule = */15 * * * *
853 | dispatch.earliest_time = -15m
854 | display.general.type = statistics
855 | display.page.search.mode = verbose
856 | display.page.search.tab = statistics
857 | display.visualizations.charting.chart = pie
858 | display.visualizations.type = mapping
859 | enableSched = 1
860 | quantity = 0
861 | relation = greater than
862 | request.ui_dispatch_app = sysmon-splunk-app
863 | request.ui_dispatch_view = search
864 | search = `sysmon` EventCode=1 (ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\POWERPNT.EXE" OR ParentImage="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" OR ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" OR ParentImage="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" OR ParentImage="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") (Image="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" OR Image="C:\\Windows\\System32\\cmd.exe" OR Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" OR Image="C:\\Windows\\System32\\rundll32.exe" OR Image="C:\\Windows\\System32\\wscript.exe" OR Image="C:\\Windows\\System32\\cscript.exe") CurrentDirectory!="C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Browser\\WCChromeExtn\\" CurrentDirectory!="C:\\Users\\*\\AppData\\Local\\Blue Jeans\\App\\" CommandLine!="*ScreenConnect*" CommandLine!="C:\\windows\\system32\\rundll32.exe C:\\windows\\system32\\inetcpl.cpl,ClearMyTracksByProcess*" | table _time host ParentImage CommandLine
865 |
866 | [IOC - Suspicious binary launch location]
867 | action.email.useNSSubject = 1
868 | alert.suppress = 0
869 | alert.track = 1
870 | counttype = number of events
871 | cron_schedule = */15 * * * *
872 | dispatch.earliest_time = -15m
873 | display.page.search.mode = fast
874 | display.visualizations.charting.chart = pie
875 | display.visualizations.type = mapping
876 | enableSched = 1
877 | quantity = 0
878 | relation = greater than
879 | request.ui_dispatch_app = sysmon-splunk-app
880 | request.ui_dispatch_view = search
881 | search = `sysmon` EventCode="1" (Image="C:\\windows\\fonts\\*" OR Image="C:\\windows\\help\\*" OR Image="C:\\windows\\wbem\\*" OR Image="C:\\windows\\addins\\*" OR Image="C:\\windows\\debut\\*" OR Image="C:\\windows\\system32\\tasks*" OR Image="C:\\windows\\tasks\\*" OR Image="C:\\debug\\*")
882 |
883 | [IOC - Suspicious execution of rundll - User Profile/Browser]
884 | action.email.useNSSubject = 1
885 | alert.suppress = 0
886 | alert.track = 1
887 | counttype = number of events
888 | cron_schedule = */20 * * * *
889 | dispatch.earliest_time = -20m
890 | display.page.search.mode = verbose
891 | display.visualizations.charting.chart = pie
892 | display.visualizations.type = mapping
893 | enableSched = 1
894 | quantity = 0
895 | relation = greater than
896 | request.ui_dispatch_app = sysmon-splunk-app
897 | request.ui_dispatch_view = search
898 | search = `sysmon` EventCode=1 Image="C:\\Windows\\system32\\rundll32.exe" CommandLine=*C:\\Users\\* ParentCommandLine="*\\Internet Explorer\\iexplore.exe*"
899 |
900 | [IOC - Certutil Decode in Appdata]
901 | action.email.useNSSubject = 1
902 | alert.suppress = 0
903 | alert.track = 1
904 | counttype = number of events
905 | cron_schedule = */20 * * * *
906 | description = Detects a Microsoft certutil execution with the 'decode' sub command on files in the AppData folder, which is sometimes used to decode malicious code with the built-in certutil utility
907 | dispatch.earliest_time = -20m
908 | display.page.search.mode = verbose
909 | display.visualizations.charting.chart = pie
910 | enableSched = 1
911 | quantity = 0
912 | relation = greater than
913 | request.ui_dispatch_app = sysmon-splunk-app
914 | request.ui_dispatch_view = search
915 | search = `sysmon` EventCode=1 process="certutil.exe" CommandLine="* -decode *\\AppData\\*"
916 |
917 | [IOC - Download from bitsadmin]
918 | action.email.useNSSubject = 1
919 | alert.suppress = 0
920 | alert.track = 1
921 | counttype = number of events
922 | cron_schedule = */20 * * * *
923 | description = Detects usage of bitsadmin downloading a file
924 | dispatch.earliest_time = -20m
925 | display.page.search.mode = verbose
926 | display.visualizations.charting.chart = pie
927 | enableSched = 1
928 | quantity = 0
929 | relation = greater than
930 | request.ui_dispatch_app = sysmon-splunk-app
931 | request.ui_dispatch_view = search
932 | search = `sysmon` EventCode=1 process="bitsadmin.exe" CommandLine="*/transfer*"
933 |
934 | [IOC - MSHTA Spawning Windows Shell]
935 | action.email.useNSSubject = 1
936 | alert.suppress = 0
937 | alert.track = 1
938 | counttype = number of events
939 | cron_schedule = */20 * * * *
940 | description = Detects a Windows command line executable started from MSHTA
941 | dispatch.earliest_time = -20m
942 | display.page.search.mode = verbose
943 | display.visualizations.charting.chart = pie
944 | enableSched = 1
945 | quantity = 0
946 | relation = greater than
947 | request.ui_dispatch_app = sysmon-splunk-app
948 | request.ui_dispatch_view = search
949 | search = `sysmon` EventCode=1 ParentImage=*\\mshta.exe (process="cmd.exe" OR process="powershell.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="sh.exe" OR process="bash.exe")
950 |
951 | [IOC - Process Created by MMC]
952 | action.email.useNSSubject = 1
953 | alert.suppress = 0
954 | alert.track = 1
955 | counttype = number of events
956 | cron_schedule = */20 * * * *
957 | description = Processes started by MMC could be a sign of lateral movement using the MMC application COM object
958 | dispatch.earliest_time = -20m
959 | display.page.search.mode = verbose
960 | display.visualizations.charting.chart = pie
961 | enableSched = 1
962 | quantity = 0
963 | relation = greater than
964 | request.ui_dispatch_app = sysmon-splunk-app
965 | request.ui_dispatch_view = search
966 | search = `sysmon` EventCode=1 ParentImage=*\\mmc.exe process="cmd.exe" CommandLine!="*runcmd.cmd*"
967 |
968 | [IOC - Shellcode Injected from Office]
969 | action.email.useNSSubject = 1
970 | alert.suppress = 0
971 | alert.track = 1
972 | counttype = number of events
973 | cron_schedule = */20 * * * *
974 | dispatch.earliest_time = -20m
975 | display.page.search.mode = verbose
976 | display.visualizations.charting.chart = pie
977 | enableSched = 1
978 | quantity = 0
979 | relation = greater than
980 | request.ui_dispatch_app = sysmon-splunk-app
981 | request.ui_dispatch_view = search
982 | search = `sysmon` EventCode=10 TargetImage="*\\verclsid.exe" GrantedAccess="0x1FFFFF" (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\Microsoft Office\\*" AND CallTrace="*|UNKNOWN*"))
983 |
984 | [IOC - Suspicious Powershell Exe from Scripting]
985 | action.email.useNSSubject = 1
986 | alert.suppress = 0
987 | alert.track = 1
988 | counttype = number of events
989 | cron_schedule = */20 * * * *
990 | dispatch.earliest_time = -20m
991 | display.page.search.mode = verbose
992 | display.visualizations.charting.chart = pie
993 | enableSched = 1
994 | quantity = 0
995 | relation = greater than
996 | request.ui_dispatch_app = sysmon-splunk-app
997 | request.ui_dispatch_view = search
998 | search = `sysmon` EventCode=1 (ParentImage="*\\wscript.exe" OR ParentImage="*\\cscript.exe") process="powershell.exe"
999 |
1000 | [IOC - Suspicious Script Execution]
1001 | action.email.useNSSubject = 1
1002 | alert.suppress = 0
1003 | alert.track = 1
1004 | counttype = number of events
1005 | cron_schedule = */20 * * * *
1006 | description = Detects suspicious file execution by wscript and cscript
1007 | dispatch.earliest_time = -20m
1008 | display.page.search.mode = verbose
1009 | display.visualizations.charting.chart = pie
1010 | enableSched = 1
1011 | quantity = 0
1012 | relation = greater than
1013 | request.ui_dispatch_app = sysmon-splunk-app
1014 | request.ui_dispatch_view = search
1015 | search = `sysmon` EventCode=1 (process="wscript.exe" OR process="cscript.exe") (CommandLine="*.jse" OR CommandLine="*.vbe" OR CommandLine="*.js" OR CommandLine="*.vba")
1016 |
1017 | [IOC - Vssadmin Activity]
1018 | action.email.useNSSubject = 1
1019 | alert.suppress = 0
1020 | alert.track = 1
1021 | counttype = number of events
1022 | cron_schedule = */20 * * * *
1023 | description = Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
1024 | dispatch.earliest_time = -20m
1025 | display.page.search.mode = verbose
1026 | display.visualizations.charting.chart = pie
1027 | enableSched = 1
1028 | quantity = 0
1029 | relation = greater than
1030 | request.ui_dispatch_app = sysmon-splunk-app
1031 | request.ui_dispatch_view = search
1032 | search = `sysmon` EventCode=1 (CommandLine="*vssadmin* Delete Shadows*" OR CommandLine="*vssadmin* create shadow /for=C:*" OR CommandLine="*copy \\\\?\\GLOBALROOT\\Device\\*\\windows\\ntds\\ntds.dit*" OR CommandLine="*copy \\\\?\\GLOBALROOT\\Device\\*\\config\\SAM*" OR CommandLine="*vssadmin* delete shadows /for=C:*" OR CommandLine="*reg SAVE HKLM\\SYSTEM *")
1033 |
1034 | [IOC - MSHTA JavaScript Invoke]
1035 | action.email.useNSSubject = 1
1036 | action.securityanalytics_ar.param.verbose = 0
1037 | alert.suppress = 0
1038 | alert.track = 1
1039 | counttype = number of events
1040 | cron_schedule = */20 * * * *
1041 | dispatch.earliest_time = -20m
1042 | display.general.type = statistics
1043 | display.page.search.tab = statistics
1044 | display.visualizations.charting.chart = bar
1045 | enableSched = 1
1046 | quantity = 0
1047 | relation = greater than
1048 | request.ui_dispatch_app = sysmon-splunk-app
1049 | request.ui_dispatch_view = search
1050 | search = `sysmon` EventCode=1 process=mshta.exe CommandLine=*javascript:* | table Computer ParentImage ParentCommandLine process CommandLine user LogonGuid
1051 |
1052 | [IOC - Powershell Suspicious Strings 01]
1053 | action.email.useNSSubject = 1
1054 | action.securityanalytics_ar.param.verbose = 0
1055 | alert.suppress = 0
1056 | alert.track = 1
1057 | counttype = number of events
1058 | cron_schedule = */20 * * * *
1059 | dispatch.earliest_time = -20m
1060 | display.general.type = statistics
1061 | display.page.search.mode = verbose
1062 | display.page.search.tab = statistics
1063 | display.visualizations.charting.chart = pie
1064 | display.visualizations.type = mapping
1065 | enableSched = 1
1066 | quantity = 0
1067 | relation = greater than
1068 | request.ui_dispatch_app = sysmon-splunk-app
1069 | request.ui_dispatch_view = search
1070 | search = `sysmon` EventCode=1 process=powershell.exe (*-W*Hidden* OR *-nologo* OR *-nop* OR *IEX* OR *Out-MiniDump* OR *-enc* OR *-EncodedCommand* OR *DownloadString* OR *DownloadFile* OR *DownloadData* OR *ShellExecute* OR *Invoke-Mimikatz* OR *schtasks*create* OR *Webclient* OR *FromBase64String* OR *IO.StreamReader* OR *IO.MemoryStream* OR *IO.Compression.DeflateStream* ) NOT (*C:\\windows\\ccm\\*)\
1071 | | table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User
1072 |
1073 | [T1086 - Powershell Suspicious Strings]
1074 | action.email.useNSSubject = 1
1075 | action.securityanalytics_ar.param.verbose = 0
1076 | alert.suppress = 0
1077 | alert.track = 0
1078 | cron_schedule = */20 * * * *
1079 | dispatch.earliest_time = -20m
1080 | display.general.type = statistics
1081 | display.page.search.mode = verbose
1082 | display.page.search.tab = statistics
1083 | display.visualizations.charting.chart = pie
1084 | display.visualizations.show = 0
1085 | display.visualizations.type = mapping
1086 | quantity = 0
1087 | relation = greater than
1088 | request.ui_dispatch_app = sysmon-splunk-app
1089 | request.ui_dispatch_view = search
1090 | search = `sysmon` EventCode=1 process=powershell.exe (*-W*Hidden* OR *-nologo* OR *-nop* OR *IEX* OR *Out-MiniDump* OR *-enc* OR *-EncodedCommand* OR *DownloadString* OR *DownloadFile* OR *DownloadData* OR *ShellExecute* OR *Invoke-Mimikatz* OR *schtasks*create* OR *Webclient* OR *FromBase64String* OR *IO.StreamReader* OR *IO.MemoryStream* OR *IO.Compression.DeflateStream* ) NOT (*C:\\windows\\ccm\\*)\
1091 | | table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User
1092 |
1093 | [T1015_Accessibility_Backdoor]
1094 | action.email.useNSSubject = 1
1095 | action.securityanalytics_ar.param.verbose = 0
1096 | alert.track = 0
1097 | description = T1015_Accessibility_Backdoor
1098 | dispatch.earliest_time = -24h@h
1099 | dispatch.latest_time = now
1100 | dispatchAs = user
1101 | display.general.type = statistics
1102 | display.page.search.tab = statistics
1103 | display.visualizations.charting.chart = bar
1104 | display.visualizations.show = 0
1105 | request.ui_dispatch_app = sysmon-splunk-app
1106 | request.ui_dispatch_view = search
1107 | search = `sysmon` EventCode=1 (\
1108 | (ParentImage=*\\winlogon.exe \
1109 | ((process=Utilman.exe CommandLine=*/debug*) OR (process=sethc.exe (CommandLine="*sethc.exe 211*" OR CommandLine="*sethc.exe 101*")))) \
1110 | OR\
1111 | (ParentImage=*\\utilman.exe (CommandLine=*osk.exe* OR CommandLine=*magnify.exe* OR CommandLine=*narrator.exe* OR CommandLine=*DisplaySwitch.exe* OR CommandLine=*AtBroker.exe*))\
1112 | )\
1113 | | table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User
1114 |
1115 | [IOC - Disable Startup Repair]
1116 | action.email.useNSSubject = 1
1117 | action.securityanalytics_ar.param.verbose = 0
1118 | alert.suppress = 0
1119 | alert.track = 1
1120 | counttype = number of events
1121 | cron_schedule = */20 * * * *
1122 | dispatch.earliest_time = -20m
1123 | display.visualizations.charting.chart = bubble
1124 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1125 | display.visualizations.type = custom
1126 | enableSched = 1
1127 | quantity = 0
1128 | relation = greater than
1129 | request.ui_dispatch_app = sysmon-splunk-app
1130 | request.ui_dispatch_view = search
1131 | search = `sysmon` process=BCDEDIT.EXE (CommandLine=*/set*recoveryenable*no* OR CommandLine=*/set*bootstatuspolicy*ignoreallfailures*)
1132 |
1133 | [Runs From RECYCLEBIN]
1134 | action.email.useNSSubject = 1
1135 | action.securityanalytics_ar.param.verbose = 0
1136 | alert.track = 0
1137 | dispatch.earliest_time = -7d@h
1138 | dispatch.latest_time = now
1139 | dispatchAs = user
1140 | display.general.type = statistics
1141 | display.page.search.tab = statistics
1142 | display.visualizations.charting.chart = bubble
1143 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1144 | display.visualizations.show = 0
1145 | display.visualizations.type = custom
1146 | request.ui_dispatch_app = sysmon-splunk-app
1147 | request.ui_dispatch_view = search
1148 | search = `sysmon` EventCode=1 $RECYCLE.BIN OR \\RECYCLER\\ | stats values(host) as host values(CommandLine) values(user) count by ParentImage process
1149 |
1150 | [Runs from SYSVOL]
1151 | action.email.useNSSubject = 1
1152 | action.securityanalytics_ar.param.verbose = 0
1153 | alert.track = 0
1154 | dispatch.earliest_time = -24h@h
1155 | dispatch.latest_time = now
1156 | display.general.type = statistics
1157 | display.page.search.tab = statistics
1158 | display.visualizations.charting.chart = bubble
1159 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1160 | display.visualizations.show = 0
1161 | display.visualizations.type = custom
1162 | request.ui_dispatch_app = sysmon-splunk-app
1163 | request.ui_dispatch_view = search
1164 | search = `sysmon` EventCode=1 "*:\\System Volume Information\\*" | stats values(host) as host values(CommandLine) values(user) count by ParentImage Image
1165 |
1166 | [T1117 - REGSVR Proxy Execution]
1167 | action.email.useNSSubject = 1
1168 | action.securityanalytics_ar.param.verbose = 0
1169 | alert.severity = 4
1170 | alert.suppress = 0
1171 | alert.track = 1
1172 | counttype = number of events
1173 | cron_schedule = */20 * * * *
1174 | dispatch.earliest_time = -20m
1175 | display.general.type = statistics
1176 | display.page.search.tab = statistics
1177 | display.visualizations.charting.chart = bubble
1178 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1179 | display.visualizations.type = custom
1180 | enableSched = 1
1181 | quantity = 0
1182 | relation = greater than
1183 | request.ui_dispatch_app = sysmon-splunk-app
1184 | request.ui_dispatch_view = search
1185 | search = `sysmon` EventCode=1 process=REGSVR32.EXE CommandLine=*/i:*http://* | table _time host Image CommandLine ParentImage ParentCommandLine user
1186 |
1187 | [rundll32.exe - All Executions]
1188 | action.email.useNSSubject = 1
1189 | action.securityanalytics_ar.param.verbose = 0
1190 | alert.track = 0
1191 | description = T1085
1192 | dispatch.earliest_time = -24h@h
1193 | dispatch.latest_time = now
1194 | display.general.type = statistics
1195 | display.page.search.tab = statistics
1196 | display.visualizations.charting.chart = bubble
1197 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1198 | display.visualizations.show = 0
1199 | display.visualizations.type = custom
1200 | request.ui_dispatch_app = sysmon-splunk-app
1201 | request.ui_dispatch_view = search
1202 | search = `sysmon` process=rundll32.exe | stats values(ParentImage) values(process) count by CommandLine
1203 |
1204 | [T1085 - rundll32 with javascript arg]
1205 | action.email.useNSSubject = 1
1206 | action.securityanalytics_ar.param.verbose = 0
1207 | alert.suppress = 0
1208 | alert.track = 1
1209 | counttype = number of events
1210 | cron_schedule = */20 * * * *
1211 | dispatch.earliest_time = -20m
1212 | display.general.type = statistics
1213 | display.page.search.tab = statistics
1214 | display.visualizations.charting.chart = bubble
1215 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1216 | display.visualizations.type = custom
1217 | enableSched = 1
1218 | quantity = 0
1219 | relation = greater than
1220 | request.ui_dispatch_app = sysmon-splunk-app
1221 | request.ui_dispatch_view = search
1222 | search = `sysmon` EventCode=1 process=rundll32.exe CommandLine=*javascript:* | table _time host process ParentImage CommandLine ParentCommandLine
1223 |
1224 | [IOC - Suspicious msiexec execution]
1225 | action.email.useNSSubject = 1
1226 | action.securityanalytics_ar.param.verbose = 0
1227 | alert.suppress = 0
1228 | alert.track = 1
1229 | counttype = number of events
1230 | cron_schedule = */20 * * * *
1231 | dispatch.earliest_time = -20m
1232 | display.page.search.mode = verbose
1233 | display.visualizations.charting.chart = bar
1234 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
1235 | display.visualizations.type = singlevalue
1236 | enableSched = 1
1237 | quantity = 0
1238 | relation = greater than
1239 | request.ui_dispatch_app = sysmon-splunk-app
1240 | request.ui_dispatch_view = search
1241 | search = `sysmon` process=msiexec.exe CommandLine=*/i*http*
1242 |
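As an added example (not part of the sysmon-splunk-app repository), a small Python linter for the savedsearches.conf format above: it parses stanzas with Splunk's trailing-backslash line continuation and flags comparisons of Sysmon path fields (Image, ParentImage, TargetImage, SourceImage, ImageLoaded) against bare file names or relative fragments, which never match because Sysmon records those fields as full paths. The conf snippet inside is constructed for the demo; the app's `process` field is left alone because the app uses it as a bare file name.

```python
"""Lint Splunk savedsearches.conf stanzas for Sysmon path-field comparisons
that can never match.

Added example; not part of the sysmon-splunk-app repository. Sysmon records
Image, ParentImage, TargetImage, SourceImage and ImageLoaded as full paths,
so a saved search like ParentImage="wscript.exe" silently matches nothing.
The app's own `process` field is left alone because the app uses it as a
bare file name. SAMPLE_CONF is a constructed snippet in the conf's format.
"""
import re
from typing import Dict, List

PATH_FIELDS = ("Image", "ParentImage", "TargetImage", "SourceImage", "ImageLoaded")

# FIELD, optional "!", "=", then a double-quoted value or a bare token.
_CMP_RE = re.compile(
    r"\b(" + "|".join(PATH_FIELDS) + r')\s*(!?=)\s*(?:"([^"]*)"|([^\s()|]+))'
)
# A value anchored at a drive letter, e.g. C:\\Windows\\... (the conf text
# keeps the doubled backslashes that SPL needs for one literal backslash).
_ANCHORED_RE = re.compile(r"^[A-Za-z]:\\\\")

SAMPLE_CONF = r"""
# constructed sample in savedsearches.conf format
[IOC - svchost.exe not run by services.exe]
enableSched = 1
search = `sysmon` EventCode="1" svchost.exe\
| search (Image="svchost.exe") (ParentImage!="services.exe")

[IOC - MSHTA Spawning Windows Shell]
search = `sysmon` EventCode=1 ParentImage=*\\mshta.exe (process="cmd.exe" OR process="powershell.exe")

[IOC - Shellcode Injected from Office]
search = `sysmon` EventCode=10 TargetImage="verclsid.exe" (SourceImage="Microsoft Office\\*" AND CallTrace="*|UNKNOWN*")
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse stanzas into {stanza: {key: value}}.

    A trailing backslash continues the logical line, as Splunk does: the
    backslash is dropped and the next physical line is appended.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""  # logical line accumulated across continuations
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_search(spl: str) -> List[str]:
    """Return one warning per path-field comparison that cannot match."""
    warnings: List[str] = []
    for m in _CMP_RE.finditer(spl):
        field, op, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        shown = f'{field}{op}"{value}"'
        if _ANCHORED_RE.match(value) or value.startswith("*"):
            continue  # full path or leading wildcard: can match a Sysmon path
        if "*" not in value:
            warnings.append(f"{shown}: exact match, but Sysmon records {field} as a full path")
        else:
            warnings.append(f"{shown}: relative path fragment with no leading wildcard")
    return warnings


def lint_conf(text: str) -> Dict[str, List[str]]:
    """Lint every stanza's search; stanzas without a search get an empty list."""
    return {name: lint_search(keys.get("search", "")) for name, keys in parse_conf(text).items()}


if __name__ == "__main__":
    for stanza, findings in lint_conf(SAMPLE_CONF).items():
        print(f"[{stanza}]")
        for finding in findings or ["ok"]:
            print("  " + finding)
```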
--------------------------------------------------------------------------------
/metadata/default.meta:
--------------------------------------------------------------------------------
1 |
2 | # Application-level permissions
3 |
4 | []
5 | access = read : [ * ], write : [ admin, power ]
6 |
7 | ### EVENT TYPES
8 |
9 | [eventtypes]
10 | export = system
11 |
12 |
13 | ### PROPS
14 |
15 | [props]
16 | export = system
17 |
18 |
19 | ### TRANSFORMS
20 |
21 | [transforms]
22 | export = system
23 |
24 |
25 | ### LOOKUPS
26 |
27 | [lookups]
28 | export = system
29 |
30 |
31 | ### VIEWSTATES: even normal users should be able to create shared viewstates
32 |
33 | [viewstates]
34 | access = read : [ * ], write : [ * ]
35 | export = system
36 |
--------------------------------------------------------------------------------
/static/appIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIcon.png
--------------------------------------------------------------------------------
/static/appIconAlt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIconAlt.png
--------------------------------------------------------------------------------
/static/appIconAlt_2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIconAlt_2x.png
--------------------------------------------------------------------------------
/static/appIcon_2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIcon_2x.png
--------------------------------------------------------------------------------