Skip to content

Commit ae64f20

Browse files
patel-bhavinpatel-bhavin
authored
Merge pull request #3332 from splunk/haagsqldb
πŸŽͺ Haag's SQL Server Story Time: Tales of SQLCMD and Suspicious Queries πŸ“š
2 parents 3dbc72f + 6033082 commit ae64f20

14 files changed

+1037
-2
lines changed

β€Ždata_sources/windows_event_log_application_15457.ymlβ€Ž

Lines changed: 99 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,99 @@
1+
name: Windows Event Log Application 15457
2+
id: 4491537e-520c-46f7-9209-f56f852aa237
3+
version: 1
4+
date: '2025-03-04'
5+
author: Michael Haag, Splunk
6+
description: Data source object for Windows Event Log Application 15457
7+
source: XmlWinEventLog:Application
8+
sourcetype: XmlWinEventLog
9+
separator: EventCode
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- Error_Code
19+
- EventCode
20+
- EventData_Xml
21+
- EventID
22+
- EventRecordID
23+
- Guid
24+
- Image_File_Name
25+
- Keywords
26+
- Level
27+
- Name
28+
- Opcode
29+
- ProcessID
30+
- Qualifiers
31+
- RecordNumber
32+
- RenderingInfo_Xml
33+
- SourceName
34+
- SubStatus
35+
- SystemTime
36+
- System_Props_Xml
37+
- Task
38+
- TaskCategory
39+
- ThreadID
40+
- UserData_Xml
41+
- UserID
42+
- Version
43+
- _bkt
44+
- _cd
45+
- _eventtype_color
46+
- _indextime
47+
- _raw
48+
- _serial
49+
- _si
50+
- _sourcetype
51+
- _subsecond
52+
- _time
53+
- action
54+
- category
55+
- date_hour
56+
- date_mday
57+
- date_minute
58+
- date_month
59+
- date_second
60+
- date_wday
61+
- date_year
62+
- date_zone
63+
- dest
64+
- dvc
65+
- dvc_nt_host
66+
- event_id
67+
- eventtype
68+
- host
69+
- id
70+
- index
71+
- linecount
72+
- name
73+
- parent_process
74+
- process_name
75+
- punct
76+
- result
77+
- service
78+
- service_id
79+
- service_name
80+
- severity
81+
- severity_id
82+
- signature
83+
- signature_id
84+
- source
85+
- sourcetype
86+
- splunk_server
87+
- splunk_server_group
88+
- status
89+
- subject
90+
- tag
91+
- tag::action
92+
- tag::eventtype
93+
- timeendpos
94+
- timestartpos
95+
- user_group_id
96+
- user_id
97+
- vendor_product
98+
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>15457</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-04T19:46:19.5339693Z'/><EventRecordID>15827</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>show advanced options</Data><Data>1</Data><Data>0</Data><Binary>613C00000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
99+

β€Ždata_sources/windows_event_log_application_17135.ymlβ€Ž

Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
name: Windows Event Log Application 17135
2+
id: 4491537e-520c-46f7-9209-f56f852aa231
3+
version: 1
4+
date: '2025-02-26'
5+
author: Michael Haag, Splunk
6+
description: Data source object for Windows Event Log Application 17135
7+
source: XmlWinEventLog:Application
8+
sourcetype: XmlWinEventLog
9+
separator: EventCode
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- Error_Code
19+
- EventCode
20+
- EventData_Xml
21+
- EventID
22+
- EventRecordID
23+
- Image_File_Name
24+
- Keywords
25+
- Level
26+
- Name
27+
- Opcode
28+
- ProcessID
29+
- Qualifiers
30+
- RecordNumber
31+
- RenderingInfo_Xml
32+
- SourceName
33+
- SubStatus
34+
- SystemTime
35+
- System_Props_Xml
36+
- Task
37+
- TaskCategory
38+
- ThreadID
39+
- Version
40+
- _bkt
41+
- _cd
42+
- _eventtype_color
43+
- _indextime
44+
- _raw
45+
- _serial
46+
- _si
47+
- _sourcetype
48+
- _subsecond
49+
- _time
50+
- action
51+
- category
52+
- date_hour
53+
- date_mday
54+
- date_minute
55+
- date_month
56+
- date_second
57+
- date_wday
58+
- date_year
59+
- date_zone
60+
- dest
61+
- dvc
62+
- dvc_nt_host
63+
- event_id
64+
- eventtype
65+
- host
66+
- id
67+
- index
68+
- linecount
69+
- name
70+
- parent_process
71+
- process_name
72+
- punct
73+
- result
74+
- service
75+
- service_id
76+
- service_name
77+
- severity
78+
- severity_id
79+
- signature
80+
- signature_id
81+
- source
82+
- sourcetype
83+
- splunk_server
84+
- splunk_server_group
85+
- status
86+
- subject
87+
- tag
88+
- tag::action
89+
- tag::eventtype
90+
- timeendpos
91+
- timestartpos
92+
- user_group_id
93+
- user_id
94+
- vendor_product
95+
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>17135</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T16:38:42.6969829Z'/><EventRecordID>16509</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>sp_add_sysadmin</Data><Binary>EF4200000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
96+

β€Ždata_sources/windows_event_log_application_8128.ymlβ€Ž

Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
name: Windows Event Log Application 8128
2+
id: 4491537e-5e0c-46f7-9209-f56f852aa237
3+
version: 1
4+
date: '2025-02-26'
5+
author: Michael Haag, Splunk
6+
description: Data source object for Windows Event Log Application 8128
7+
source: XmlWinEventLog:Application
8+
sourcetype: XmlWinEventLog
9+
separator: EventCode
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Windows
12+
url: https://splunkbase.splunk.com/app/742
13+
version: 9.0.1
14+
fields:
15+
- CategoryString
16+
- Channel
17+
- Computer
18+
- Error_Code
19+
- EventCode
20+
- EventData_Xml
21+
- EventID
22+
- EventRecordID
23+
- EventSourceName
24+
- Guid
25+
- Image_File_Name
26+
- Keywords
27+
- Level
28+
- Name
29+
- Opcode
30+
- ProcessID
31+
- Qualifiers
32+
- RecordNumber
33+
- RenderingInfo_Xml
34+
- SourceName
35+
- SubStatus
36+
- SystemTime
37+
- System_Props_Xml
38+
- Task
39+
- TaskCategory
40+
- ThreadID
41+
- UserID
42+
- Version
43+
- _bkt
44+
- _cd
45+
- _eventtype_color
46+
- _indextime
47+
- _raw
48+
- _serial
49+
- _si
50+
- _sourcetype
51+
- _time
52+
- action
53+
- category
54+
- dest
55+
- dvc
56+
- dvc_nt_host
57+
- event_id
58+
- eventtype
59+
- host
60+
- id
61+
- index
62+
- linecount
63+
- name
64+
- parent_process
65+
- process_name
66+
- punct
67+
- result
68+
- service
69+
- service_id
70+
- service_name
71+
- severity
72+
- severity_id
73+
- signature
74+
- signature_id
75+
- source
76+
- sourcetype
77+
- splunk_server
78+
- splunk_server_group
79+
- status
80+
- subject
81+
- tag
82+
- tag::action
83+
- tag::eventtype
84+
- user_group_id
85+
- user_id
86+
- vendor_product
87+
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>8128</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-10T20:03:14.2006851Z'/><EventRecordID>16635</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>odsole70.dll</Data><Data>2022.160.1000</Data><Data>sp_OACreate</Data><Binary>C01F00000A00000009000000610072002D00770069006E002D0032000000050000006D007300640062000000</Binary></EventData></Event>
88+

0 commit comments

Comments
Β (0)