Initial release. Contains basic extractions for most Malware CIM
fields. Data from event logs will contain lots of magic values, still needing to be deciphered.
Parent: 5d2f145, commit: e0fbb82
Showing 14 changed files with 251 additions and 0 deletions.
@@ -1,2 +1,32 @@ | ||
# TA-microsoft-windefender | ||
Splunk TA for Windows Defender inputs and extractions. | ||
|
||
Original Author: Patrick O'Connell | ||
Version/Date: 1.0.0 / Sep 18, 2017 | ||
Sourcetype: iXmlWinEventLog:Microsoft-Windows-Windows Defender/Operational | ||
Has index-time ops: false | ||
|
||
# Update History | ||
1.0.0 Sep 18, 207 | ||
-------- | ||
Initial release | ||
|
||
# Using this TA | ||
Configuration: Install TA via GUI on all search heads, install | ||
via your preferred method (manual or Deployment Server) on | ||
forwarders running on Windows running Windows Defender. | ||
|
||
Ensure that you have at least version 6.2.0 universal forwarders. | ||
This is because of the Windows XML event log format. | ||
|
||
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/ | ||
|
||
For information on Windows Defender event codes, see below. | ||
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus | ||
|
||
|
||
# Support | ||
This is a community supported TA. As such, post to answers.splunk.com | ||
and reference it. Someone should be with you shortly. | ||
|
||
Pull requests via github are welcome! |
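Review bot: the Update History entry reads `1.0.0 Sep 18, 207` while the Version/Date line a few lines above says `1.0.0 / Sep 18, 2017`; the year should be corrected. The install sentence "on forwarders running on Windows running Windows Defender" also reads awkwardly; "on Windows forwarders that run Windows Defender" says the same thing more clearly.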
@@ -0,0 +1,39 @@ | ||
TA-Microsoft-WinDefender v1.0.0 | ||
---------------------------- | ||
|
||
Original Author: Patrick O'Connell | ||
Version/Date: 1.0.0 / Sep 18, 2017 | ||
Sourcetype: iXmlWinEventLog:Microsoft-Windows-Windows Defender/Operational | ||
Has index-time ops: false | ||
|
||
Update History | ||
---------------------------- | ||
|
||
1.0.0 Sep 18, 207 | ||
-------- | ||
Initial release | ||
|
||
Using this TA | ||
---------------------------- | ||
|
||
Configuration: Install TA via GUI on all search heads, install | ||
via your preferred method (manual or Deployment Server) on | ||
forwarders running on Windows running Windows Defender. | ||
|
||
Ensure that you have at least version 6.2.0 universal forwarders. | ||
This is because of the Windows XML event log format. | ||
|
||
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/ | ||
|
||
For information on Windows Defender event codes, see below. | ||
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus | ||
|
||
|
||
Support | ||
---------------------------- | ||
|
||
This is a community supported TA. As such, post to answers.splunk.com | ||
and reference it. Someone should be with you shortly. | ||
|
||
Pull requests via github are welcome! | ||
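Review bot: this file repeats the README.md content from the previous hunk almost verbatim, including the `Sep 18, 207` typo in the Update History. Two copies means every change has to be made twice and they will drift; keep one (or, if both are required, fix the year in both before merging).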
|
@@ -0,0 +1,16 @@ | ||
[launcher] | ||
description = Provides data inputs for handling Microsoft Windows Defender logs | ||
version = 1.0.0 | ||
|
||
[package] | ||
id = TA-microsoft-windefender | ||
check_for_updates = true | ||
|
||
[install] | ||
is_configured = false | ||
state = enabled | ||
install_source_checksum = 923246cc33ddb54884b03808373e08db2b0e9889 | ||
|
||
[ui] | ||
is_visible = false | ||
label = Microsoft Windows Defender Add-on |
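Review bot: `install_source_checksum` under `[install]` is a value Splunk writes when the app is installed, so the hard-coded `923246cc...` will not match the checksum of the package built from this repository; it is safer to leave that key out of the committed app.conf.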
@@ -0,0 +1,5 @@ | ||
[ms-windefender-attack] | ||
search = sourcetype="XmlWinEventLog:Microsoft-Windows-Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120" OR EventCode="1116") | ||
|
||
[ms-windefender-operation] | ||
search = sourcetype="XmlWinEventLog:Microsoft-Windows-Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*") |
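Review bot: both searches use `sourcetype="XmlWinEventLog:Microsoft-Windows-Defender/Operational"`, which does not match the `[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]` props stanza later in this commit or the README's Sourcetype line (`Microsoft-Windows-Windows Defender`), so neither eventtype will match any event and the `malware`/`attack`/`operations` tags never apply. While fixing that, note that `EventCode="1116"` appears twice in the `ms-windefender-attack` search.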
@@ -0,0 +1,3 @@ | ||
[WinEventLog://Microsoft-Windows-Windows Defender/Operational] | ||
disabled = false | ||
renderXml = 1 |
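Review bot: `disabled = false` turns this input on everywhere the TA is installed, including the search heads the README says to install it on, so those hosts will start collecting their own Defender channel. Ship the default input disabled and document enabling it on forwarders, or state the side effect in the README.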
@@ -0,0 +1,22 @@ | ||
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational] | ||
REPORT-windefender = windefender-eventid,windefender-version,windefender-level,windefender-task,windefender-opcode,windefender-keywords,windefender-created,windefender-record,windefender-correlation,windefender-channel,windefender-computer,windefender-sid,windefender-data | ||
EVAL-dvc = Computer | ||
EVAL-session_id = ProcessGuid | ||
EVAL-process_id = ProcessId | ||
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature | ||
FIELDALIAS-signature_id = EventCode AS signature_id | ||
|
||
EVAL-action = Action_Name | ||
EVAL-category = Category_Name | ||
EVAL-dest = Computer | ||
EVAL-file_hash = TODO | ||
REPORT-file_name = windefender-filename | ||
EVAL-file_path = Path | ||
EVAL-sender = TODO | ||
EVAL-signature = Threat_Name | ||
EVAL-src = Computer | ||
EVAL-user = if(isnotnull(Detection_User),Detection_User,User) | ||
EVAL-url = FWLink | ||
EVAL-vendor_product = "Microsoft Windows Defender" | ||
EVAL-product_version = Current_Engine_Version | ||
EVAL-signature_version = Current_Signature_Version |
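Review bot: `EVAL-file_hash = TODO` and `EVAL-sender = TODO` are placeholders; Splunk evaluates `TODO` as a reference to a field that never exists, so both lines silently produce nothing and should be removed until the source fields are known (the commit message says these values still need deciphering). Separately, `EVAL-signature = Threat_Name` and `LOOKUP-eventcode ... EventDescription AS signature` both target `signature`; because calculated fields run before lookups and `OUTPUTNEW` only fills empty fields, detection events keep `Threat_Name` and other events get the lookup description. That appears intentional, so a comment saying so would stop the next reader from treating it as a conflict.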
@@ -0,0 +1,7 @@ | ||
[eventtype=ms-windefender-attack] | ||
malware = enabled | ||
attack = enabled | ||
|
||
[eventtype=ms-windefender-operation] | ||
malware = enabled | ||
operations = enabled |
@@ -0,0 +1,60 @@ | ||
[windefender-eventid] | ||
REGEX = <EventID>(\d+)</EventID> | ||
FORMAT = EventCode::$1 | ||
|
||
[windefender-version] | ||
REGEX = <Version>(\d+)</Version> | ||
FORMAT = Version::$1 | ||
|
||
[windefender-level] | ||
REGEX = <Level>(\d+)</Level> | ||
FORMAT = Level::$1 | ||
|
||
[windefender-task] | ||
REGEX = <Task>(\d+)</Task> | ||
FORMAT = Task::$1 | ||
|
||
[windefender-opcode] | ||
REGEX = <Opcode>(\d+)</Opcode> | ||
FORMAT = Opcode::$1 | ||
|
||
[windefender-keywords] | ||
REGEX = <Keywords>(0x[0-9a-fA-F]+)</Keywords> | ||
FORMAT = Keywords::$1 | ||
|
||
[windefender-created] | ||
REGEX = <TimeCreated SystemTime='(.*?)'/> | ||
FORMAT = TimeCreated::$1 | ||
|
||
[windefender-record] | ||
REGEX = <EventRecordID>(\d+)</EventRecordID> | ||
FORMAT = RecordID::$1 | ||
|
||
[windefender-correlation] | ||
REGEX = <Correlation>(.*?)</Correlation> | ||
FORMAT = Correlation::$1 | ||
|
||
[windefender-channel] | ||
REGEX = <Channel>(.*?)</Channel> | ||
FORMAT = EventChannel::$1 | ||
|
||
[windefender-computer] | ||
REGEX = <Computer>(.*?)</Computer> | ||
FORMAT = Computer::$1 | ||
|
||
[windefender-sid] | ||
REGEX = <Security UserID='(S-[0-9a-fA-f-]+)'/> | ||
FORMAT = SecurityID::$1 | ||
|
||
[windefender-data] | ||
REGEX = <Data Name='(.*?)'>(.*?)</Data> | ||
FORMAT = $1::$2 | ||
|
||
[windefender-filename] | ||
SOURCE_KEY = Path | ||
REGEX = [^\\\](.*?)+$ | ||
|
||
[eventcode] | ||
default_match = Unknown | ||
filename = eventcode.csv | ||
min_matches = 1 |
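Review bot: `[windefender-filename]` has no `FORMAT` and its regex `[^\\\](.*?)+$` uses an unnamed group, so the extraction yields no field at all; the nested lazy `(.*?)+` also captures only its last, typically empty, iteration. To take the last path component from `Path`, something like `REGEX = ([^\\]+)$` with `FORMAT = file_name::$1` does the job. In `[windefender-sid]`, the class `[0-9a-fA-f-]` looks like a typo for `[0-9a-fA-F-]` (`A-f` spans the punctuation between `Z` and `a`); since SID components are decimal, `S-[0-9-]+` is sufficient.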
@@ -0,0 +1,4 @@ | ||
[WinEventLog://Microsoft-Windows-Windows Defender/Operational] | ||
index = windefender | ||
disabled = false | ||
renderXml = 1 |
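Review bot: this is a second `[WinEventLog://Microsoft-Windows-Windows Defender/Operational]` stanza in the same commit, identical to the earlier one except for `index = windefender`. If this is the local/ copy it should not be committed; if it is meant to be the shipped default, the `windefender` index has to exist on the indexers before events arrive, which the README does not mention.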
@@ -0,0 +1,43 @@ | ||
EventCode,EventDescription | ||
1000,"Scan started." | ||
1001,"Scan completed." | ||
1002,"Scan stopped (canceled)." | ||
1005,"Scan terminated due to error." | ||
1116,"Malware detection." | ||
1117,"Malware remediation." | ||
1119,"Remediation error (not found)." | ||
1120,"Windows Defender has deduced the hashes for a threat resource." | ||
1150,"If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state." | ||
2000,"The antimalware definitions updated successfully." | ||
2001,"The antimalware definition update failed." | ||
2002,"The antimalware engine updated successfully." | ||
2003,"The antimalware engine update failed." | ||
2004,"There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions." | ||
2005,"The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update." | ||
2006,"The platform update failed." | ||
2007,"The platform will soon be out of date. Download the latest platform to maintain up-to-date protection." | ||
2010,"The antimalware engine used the Dynamic Signature Service to get additional definitions." | ||
2011,"The Dynamic Signature Service deleted the out-of-date dynamic definitions." | ||
2012,"The antimalware engine encountered an error when trying to use the Dynamic Signature Service." | ||
2013,"The Dynamic Signature Service deleted all dynamic definitions." | ||
2020,"The antimalware engine downloaded a clean file." | ||
2021,"The antimalware engine failed to download a clean file." | ||
2030,"The antimalware engine was downloaded and is configured to run offline on the next system restart." | ||
2031,"The antimalware engine was unable to download and configure an offline scan." | ||
2040,"Antimalware support for this operating system version will soon end." | ||
2041,"Antimalware support for this operating system has ended. You must upgrade the operating system for continued support." | ||
2042,"The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware." | ||
3002,"Real-time protection encountered an error and failed." | ||
3007,"Real-time protection recovered from a failure. We recommend running a full system scan when you see this error." | ||
5000,"Real-time protection is enabled." | ||
5001,"Real-time protection is disabled." | ||
5004,"The real-time protection configuration changed." | ||
5007,"The antimalware platform configuration changed." | ||
5008,"The antimalware engine encountered an error and failed." | ||
5009,"Scanning for malware and other potentially unwanted software is enabled." | ||
5010,"Scanning for malware and other potentially unwanted software is disabled." | ||
5011,"Scanning for viruses is enabled." | ||
5012,"Scanning for viruses is disabled." | ||
5100,"The antimalware platform will expire soon." | ||
5101,"The antimalware platform is expired." | ||
|
@@ -0,0 +1,19 @@ | ||
[] | ||
access = read : [ * ], write : [ admin ] | ||
export = system | ||
owner = admin | ||
|
||
[lookups/eventcode.csv] | ||
access = read : [ * ], write : [ admin ] | ||
export = system | ||
owner = admin | ||
|
||
[transforms/eventcode] | ||
access = read : [ * ], write : [ admin ] | ||
export = system | ||
owner = admin | ||
|
||
[props/XmlWinEventLog%3AMicrosoft-Windows-Windows%20Defender%2FOperational/LOOKUP-eventcode] | ||
access = read : [ * ], write : [ admin ] | ||
export = system | ||
owner = admin |
@@ -0,0 +1,3 @@ | ||
[app/install/install_source_checksum] | ||
version = 1.0.0 | ||
modtime = 1505600174.422398000 |
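Review bot: `[app/install/install_source_checksum]` with `modtime = 1505600174.422398000` is runtime state that Splunk writes to the app's local metadata at install time, not configuration; it should be left out of the repository so it does not override values on the target instance.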