
Commit 56c3088

committed
ntlm examples
1 parent 557870f commit 56c3088


4 files changed

+251
-1
lines changed

4 files changed

+251
-1
lines changed

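--- a/data_sources/ntlm_operational_8004.yml
+++ b/data_sources/ntlm_operational_8004.yml
@@ -12,5 +12,89 @@ supported_TA:
 url: https://splunkbase.splunk.com/app/742
 version: 9.0.1
 fields:
+- CategoryString
+- Channel
+- Computer
+- DomainName
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- RenderingInfo_Xml
+- SChannelName
+- SChannelType
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserID
+- UserName
+- Version
+- WorkstationName
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
 - _time
 example_log: |-
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Netlogon' Guid='{E5BA83F6-07D0-46B1-8BC7-7E669A1D31DC}'/><EventID>8004</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-01-18T05:04:59.727635000Z'/><EventRecordID>2728229667</EventRecordID><Correlation/><Execution ProcessID='812' ThreadID='3684'/><Channel>Microsoft-Windows-NTLM/Operational</Channel><Computer>attack_dc.attack_range.lan</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='SChannelName'>VICTIM_PC</Data><Data Name='UserName'>backup</Data><Data Name='DomainName'>NULL</Data><Data Name='WorkstationName'>WIN-SHKRDLDI338</Data><Data Name='SChannelType'>2</Data></EventData></Event>
+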
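Review bot: The 82-entry `fields:` list added here is the same list pasted into data_sources/ntlm_operational_8005.yml and ntlm_operational_8006.yml, yet the example event on new line 99 carries only SChannelName, UserName, DomainName, WorkstationName and SChannelType in its EventData; entries such as `SubStatus`, `Image_File_Name`, `parent_process` and `process_name` look like a generic Windows-event field export rather than values an 8004 event produces, so each should be confirmed against a real event before being documented as available. The rendered view drops indentation, so I cannot tell whether the XML line under `example_log: |-` is indented; if it sits at column 0 the block scalar is empty and the XML is parsed as a stray mapping entry instead of the sample. A short comment above the list such as `# fields observed in Microsoft-Windows-NTLM/Operational 8004 events; names not present in example_log are inherited from the TA's generic Windows extraction` would make the provenance clear.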

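--- a/data_sources/ntlm_operational_8005.yml
+++ b/data_sources/ntlm_operational_8005.yml
@@ -12,5 +12,88 @@ supported_TA:
 url: https://splunkbase.splunk.com/app/742
 version: 9.0.1
 fields:
+column
+- CategoryString
+- Channel
+- Computer
+- DomainName
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- RenderingInfo_Xml
+- SChannelName
+- SChannelType
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserID
+- UserName
+- Version
+- WorkstationName
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
 - _time
 example_log: |-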
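Review bot: New line 15 is a bare `column` token sitting between `fields:` and the first `- CategoryString`, which leaves `fields` as neither a scalar nor a sequence and will fail YAML parsing; the addition count (83 here versus 84 in the 8004 file, where the same list has no such line) indicates it is a real line rather than a rendering artifact, most likely a pasted table header. Delete that line; data_sources/ntlm_operational_8006.yml carries the identical line 15 and needs the same fix. The commit is titled "ntlm examples", but `example_log: |-` on new line 99 is left with no content in both this file and the 8006 one, so the field list cannot be checked against any real event; add a sample 8005 and 8006 event as was done for 8004, using lab values as that one does.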

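--- a/data_sources/ntlm_operational_8006.yml
+++ b/data_sources/ntlm_operational_8006.yml
@@ -12,5 +12,88 @@ supported_TA:
 url: https://splunkbase.splunk.com/app/742
 version: 9.0.1
 fields:
+column
+- CategoryString
+- Channel
+- Computer
+- DomainName
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- RenderingInfo_Xml
+- SChannelName
+- SChannelType
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserID
+- UserName
+- Version
+- WorkstationName
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
 - _time
 example_log: |-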

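--- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
+++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
@@ -12,7 +12,7 @@ description: The following analytic detects when a device is the target of numer
 a large number of EventID 4776 events in tandem, however these events will not indicate
 the attacker or target device
 data_source:
-- NTLM Operational 8004
+- NTLM Operational 8004
 - NTLM Operational 8005
 - NTLM Operational 8006
 search: '`ntlm_audit` EventCode IN (8004,8005,8006) DomainName=NULL UserName!=NULL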
