
Commit a7c93cb

committed
updating print data
1 parent a11c9b8 commit a7c93cb

5 files changed

+178
-2
lines changed

data_sources/windows_event_log_security_4727.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,3 +14,4 @@ supported_TA:
1414
fields:
1515
- _time
1616
example_log: |-
17+
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4727</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-07-30T16:51:45.175123800Z'/><EventRecordID>183204880</EventRecordID><Correlation/><Execution ProcessID='672' ThreadID='3064'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>ESX Admins</Data><Data Name='TargetDomainName'>ATTACKRANGE</Data><Data Name='TargetSid'>ATTACKRANGE\ESX Admins</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0xe32f0</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>ESX Admins</Data><Data Name='SidHistory'>-</Data></EventData></Event>
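Review bot: in the new 4727 example_log, `TargetSid` holds `ATTACKRANGE\ESX Admins` and `SubjectUserSid` holds `ATTACKRANGE\Administrator`, i.e. domain\name strings rather than SIDs, whereas the 4730 and 4737 samples added in the same commit carry an S-1-5-21 style SID in `TargetSid`; a detection that keys on SID format would behave differently across the three sources, so confirm the value reflects the raw event or make it consistent with the other two. Also, this file gains only the example_log while the 4730 and 4737 files also gain the full `fields:` list; worth checking that the 4727 fields list already matches them.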

data_sources/windows_event_log_security_4730.yml

Lines changed: 87 additions & 0 deletions
@@ -12,5 +12,92 @@ supported_TA:
1212
url: https://splunkbase.splunk.com/app/742
1313
version: 9.0.1
1414
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- EventCode
19+
- EventData_Xml
20+
- EventID
21+
- EventRecordID
22+
- Guid
23+
- Image_File_Name
24+
- Keywords
25+
- Level
26+
- Name
27+
- Opcode
28+
- PrivilegeList
29+
- ProcessID
30+
- RecordNumber
31+
- RenderingInfo_Xml
32+
- SamAccountName
33+
- SidHistory
34+
- SourceName
35+
- SubStatus
36+
- SubjectDomainName
37+
- SubjectLogonId
38+
- SubjectUserName
39+
- SubjectUserSid
40+
- SystemTime
41+
- System_Props_Xml
42+
- TargetDomainName
43+
- TargetSid
44+
- TargetUserName
45+
- Task
46+
- TaskCategory
47+
- ThreadID
48+
- Version
49+
- action
50+
- category
51+
- date_hour
52+
- date_mday
53+
- date_minute
54+
- date_month
55+
- date_second
56+
- date_wday
57+
- date_year
58+
- date_zone
59+
- dvc
60+
- dvc_nt_host
61+
- event_id
62+
- eventtype
63+
- host
64+
- id
65+
- index
66+
- linecount
67+
- name
68+
- parent_process
69+
- process_name
70+
- punct
71+
- result
72+
- service
73+
- service_id
74+
- service_name
75+
- severity
76+
- severity_id
77+
- signature
78+
- signature_id
79+
- source
80+
- sourcetype
81+
- splunk_server
82+
- splunk_server_group
83+
- subject
84+
- tag
85+
- tag::action
86+
- tag::eventtype
87+
- timeendpos
88+
- timestartpos
89+
- user_group_id
90+
- user_id
91+
- vendor_product
92+
- _bkt
93+
- _cd
94+
- _eventtype_color
95+
- _indextime
96+
- _raw
97+
- _serial
98+
- _si
99+
- _sourcetype
100+
- _subsecond
15101
- _time
16102
example_log: |-
103+
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4730</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-07-30T16:51:39.613057200Z'/><EventRecordID>183203591</EventRecordID><Correlation/><Execution ProcessID='672' ThreadID='2420'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>ESX Admins</Data><Data Name='TargetDomainName'>ATTACKRANGE</Data><Data Name='TargetSid'>S-1-5-21-560616516-1175754387-3922768235-4211</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0xe32f0</Data><Data Name='PrivilegeList'>-</Data></EventData></Event>
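Review bot: the added `fields:` list includes `SamAccountName` and `SidHistory`, but the 4730 example_log has no Data elements with those names (its EventData ends at `PrivilegeList`), so the list and the sample event disagree; either drop the two fields or use a sample that carries them. The list also mixes Splunk search-time and internal fields (`_bkt`, `_cd`, `_serial`, `_si`, `punct`, `linecount`, `timeendpos`, `timestartpos`, `splunk_server`) with event fields; if `fields:` is meant to document what the data source provides for detection authoring, the internal ones are noise and should be trimmed.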

data_sources/windows_event_log_security_4737.yml

Lines changed: 88 additions & 0 deletions
@@ -12,5 +12,93 @@ supported_TA:
1212
url: https://splunkbase.splunk.com/app/742
1313
version: 9.0.1
1414
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- EventCode
19+
- EventData_Xml
20+
- EventID
21+
- EventRecordID
22+
- Guid
23+
- Image_File_Name
24+
- Keywords
25+
- Level
26+
- Name
27+
- Opcode
28+
- PrivilegeList
29+
- ProcessID
30+
- RecordNumber
31+
- RenderingInfo_Xml
32+
- SamAccountName
33+
- SidHistory
34+
- SourceName
35+
- SubStatus
36+
- SubjectDomainName
37+
- SubjectLogonId
38+
- SubjectUserName
39+
- SubjectUserSid
40+
- SystemTime
41+
- System_Props_Xml
42+
- TargetDomainName
43+
- TargetSid
44+
- TargetUserName
45+
- Task
46+
- TaskCategory
47+
- ThreadID
48+
- Version
49+
- action
50+
- category
51+
- date_hour
52+
- date_mday
53+
- date_minute
54+
- date_month
55+
- date_second
56+
- date_wday
57+
- date_year
58+
- date_zone
59+
- dvc
60+
- dvc_nt_host
61+
- event_id
62+
- eventtype
63+
- host
64+
- id
65+
- index
66+
- linecount
67+
- name
68+
- parent_process
69+
- process_name
70+
- punct
71+
- result
72+
- service
73+
- service_id
74+
- service_name
75+
- severity
76+
- severity_id
77+
- signature
78+
- signature_id
79+
- source
80+
- sourcetype
81+
- splunk_server
82+
- splunk_server_group
83+
- subject
84+
- tag
85+
- tag::action
86+
- tag::eventtype
87+
- timeendpos
88+
- timestartpos
89+
- user_group_id
90+
- user_id
91+
- vendor_product
92+
- _bkt
93+
- _cd
94+
- _eventtype_color
95+
- _indextime
96+
- _raw
97+
- _serial
98+
- _si
99+
- _sourcetype
100+
- _subsecond
15101
- _time
16102
example_log: |-
103+
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4737</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-07-30T16:50:34.812948700Z'/><EventRecordID>183186860</EventRecordID><Correlation/><Execution ProcessID='672' ThreadID='900'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>ESX Admins</Data><Data Name='TargetDomainName'>ATTACKRANGE</Data><Data Name='TargetSid'>S-1-5-21-560616516-1175754387-3922768235-4211</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0xe32f0</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='SidHistory'>-</Data></EventData></Event>
104+
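Review bot: the last added line is an empty line after the `example_log: |-` block, which the 4730 file in this commit does not have; with the `|-` strip indicator it changes nothing in the parsed value, but the two files should end the same way, so drop it. Otherwise the 4737 sample does match its fields list better than the 4730 one: it carries `SamAccountName` and `SidHistory` Data elements (both `-`).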

detections/endpoint/windows_defender_asr_audit_events.yml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
66
status: production
77
type: Anomaly
88
data_source:
9-
- Windows Event Log Defender 1122
9+
- Windows Event Log Defender 1122
1010
- Windows Event Log Defender 1125
1111
- Windows Event Log Defender 1126
1212
- Windows Event Log Defender 1132
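Review bot: the only change in this hunk, the `- Windows Event Log Defender 1122` entry, reads identically before and after, so it is a whitespace-only edit (indentation or trailing space); fine to land, but it is unrelated to the "updating print data" commit message, so either mention the formatting clean-up there or keep it in a separate commit so reviewers of the data-source change are not left diffing invisible characters.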

detections/endpoint/windows_esx_admins_group_creation_security_event.yml

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@ name: Windows ESX Admins Group Creation Security Event
22
id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
33
version: 4
44
date: '2024-11-13'
5-
author: Michael Haag, Splunk
5+
author: Michael Haag, Splunk
66
data_source:
77
- Windows Event Log Security 4727
88
- Windows Event Log Security 4730
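Review bot: the `author: Michael Haag, Splunk` line is replaced with visually identical text, so this is a whitespace-only change, while `version: 4` and `date: '2024-11-13'` stay as they are. If the repository bumps version and date on any change to a detection file, confirm that a formatting-only edit is exempt; if it is, the commit message should still say a whitespace clean-up is included.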
