udpating asr fields

patel-bhavin · patel-bhavin · commit a11c9b82b349 · 2025-02-21T13:41:26.000-08:00
diff --git a/data_sources/windows_event_log_defender_1125.yml b/data_sources/windows_event_log_defender_1125.yml
@@ -14,3 +14,4 @@ supported_TA:
 fields:
 - _time
 example_log: |-
+ <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>1122</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-11-26T23:43:08.7101401Z'/><EventRecordID>3701</EventRecordID><Correlation ActivityID='{b68511a1-ec5f-4bc7-a9bb-2bd601338de2}'/><Execution ProcessID='3512' ThreadID='5936'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>researchvmhaa</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data><Data Name='Product Version'>4.18.23100.2009</Data><Data Name='Unused'></Data><Data Name='ID'>E6DB77E5-3DF2-4CF1-B95A-636979351E5B</Data><Data Name='Detection Time'>2023-11-26T23:43:08.709Z</Data><Data Name='User'>(unknown user)</Data><Data Name='Path'></Data><Data Name='Process Name'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='Security intelligence Version'>1.401.1247.0</Data><Data Name='Engine Version'>1.1.23100.2009</Data><Data Name='RuleType'>ENT\ConsR</Data><Data Name='Target Commandline'></Data><Data Name='Parent Commandline'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='Involved File'></Data><Data Name='Inhertiance Flags'>0x00000000</Data></EventData></Event>
diff --git a/data_sources/windows_event_log_defender_1126.yml b/data_sources/windows_event_log_defender_1126.yml
@@ -13,4 +13,89 @@ supported_TA:
   version: 9.0.1
 fields:
 - _time
+- ActivityID
+- CategoryString
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Image_File_Name
+- Inhertiance_Flags
+- Involved_File
+- Keywords
+- Level
+- Message
+- Name
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RenderingInfo_Xml
+- RuleType
+- Security_intelligence_Version
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- TaskCategory
+- ThreadID
+- Unused
+- User
+- UserID
+- Version
+- action
+- category
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timestamp
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _pre_msg
+- _raw
+- _serial
+- _si
+- _sourcetype
 example_log: |-
diff --git a/data_sources/windows_event_log_defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
@@ -58,4 +58,4 @@ fields:
 - timeendpos
 - timestartpos
 - vendor_product
-example_log: 11/17/2023 05:23:37 PM
+example_log: |- 
diff --git a/data_sources/windows_event_log_defender_1131.yml b/data_sources/windows_event_log_defender_1131.yml
@@ -12,5 +12,90 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/742
   version: 9.0.1
 fields:
+- ActivityID
+- CategoryString
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Image_File_Name
+- Inhertiance_Flags
+- Involved_File
+- Keywords
+- Level
+- Message
+- Name
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RenderingInfo_Xml
+- RuleType
+- Security_intelligence_Version
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- TaskCategory
+- ThreadID
+- Unused
+- User
+- UserID
+- Version
+- action
+- category
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timestamp
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _pre_msg
+- _raw
+- _serial
+- _si
+- _sourcetype
 - _time
 example_log: |-
diff --git a/data_sources/windows_event_log_defender_1132.yml b/data_sources/windows_event_log_defender_1132.yml
@@ -12,5 +12,90 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/742
   version: 9.0.1
 fields:
+- ActivityID
+- CategoryString
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Image_File_Name
+- Inhertiance_Flags
+- Involved_File
+- Keywords
+- Level
+- Message
+- Name
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RenderingInfo_Xml
+- RuleType
+- Security_intelligence_Version
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- TaskCategory
+- ThreadID
+- Unused
+- User
+- UserID
+- Version
+- action
+- category
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timestamp
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _pre_msg
+- _raw
+- _serial
+- _si
+- _sourcetype
 - _time
 example_log: |-
diff --git a/data_sources/windows_event_log_defender_1133.yml b/data_sources/windows_event_log_defender_1133.yml
@@ -12,5 +12,90 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/742
   version: 9.0.1
 fields:
+- ActivityID
+- CategoryString
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Image_File_Name
+- Inhertiance_Flags
+- Involved_File
+- Keywords
+- Level
+- Message
+- Name
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RenderingInfo_Xml
+- RuleType
+- Security_intelligence_Version
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- TaskCategory
+- ThreadID
+- Unused
+- User
+- UserID
+- Version
+- action
+- category
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timestamp
+- user_group_id
+- user_id
+- vendor_product
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _pre_msg
+- _raw
+- _serial
+- _si
+- _sourcetype
 - _time
 example_log: |-
diff --git a/data_sources/windows_event_log_defender_1134.yml b/data_sources/windows_event_log_defender_1134.yml
