Initial release. Contains basic extractions for most Malware CIM

fields. Data from event logs will contain lots of magic values,
still needing to be decyphered.

README.md

@@ -1,2 +1,32 @@
 # TA-microsoft-windefender
 Splunk TA for Windows Defender inputs and extractions.
+
+Original Author: Patrick O'Connell
+       Version/Date: 1.0.0 / Sep 18, 2017
+       Sourcetype: iXmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
+       Has index-time ops: false
+
+# Update History
+       1.0.0 Sep 18, 207
+       --------
+       Initial release
+
+# Using this TA
+       Configuration: Install TA via GUI on all search heads, install
+       via your preferred method (manual or Deployment Server) on
+       forwarders running on Windows running Windows Defender.
+
+       Ensure that you have at least version 6.2.0 universal forwarders.
+       This is because of the Windows XML event log format.
+
+       http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
+
+       For information on Windows Defender event codes, see below.
+       https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+
+
+# Support
+       This is a community supported TA. As such, post to answers.splunk.com
+       and reference it. Someone should be with you shortly.
+
+       Pull requests via github are welcome!

README.txt

@@ -0,0 +1,39 @@
+TA-Microsoft-WinDefender v1.0.0
+----------------------------       
+
+       Original Author: Patrick O'Connell
+       Version/Date: 1.0.0 / Sep 18, 2017
+       Sourcetype: iXmlWinEventLog:Microsoft-Windows-Windows Defender/Operational
+       Has index-time ops: false
+
+Update History
+----------------------------
+
+       1.0.0 Sep 18, 207
+       --------
+       Initial release
+
+Using this TA
+----------------------------
+
+       Configuration: Install TA via GUI on all search heads, install
+       via your preferred method (manual or Deployment Server) on
+       forwarders running on Windows running Windows Defender.
+
+       Ensure that you have at least version 6.2.0 universal forwarders.
+       This is because of the Windows XML event log format.
+
+       http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
+
+       For information on Windows Defender event codes, see below.
+       https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+
+
+Support
+----------------------------
+
+       This is a community supported TA. As such, post to answers.splunk.com
+       and reference it. Someone should be with you shortly.
+
+       Pull requests via github are welcome!
+

default/app.conf

@@ -0,0 +1,16 @@
+[launcher]
+description = Provides data inputs for handling Microsoft Windows Defender logs
+version = 1.0.0
+
+[package]
+id = TA-microsoft-windefender
+check_for_updates = true
+
+[install]
+is_configured = false
+state = enabled
+install_source_checksum = 923246cc33ddb54884b03808373e08db2b0e9889
+
+[ui]
+is_visible = false
+label = Microsoft Windows Defender Add-on

default/eventtypes.conf

@@ -0,0 +1,5 @@
+[ms-windefender-attack]
+search = sourcetype="XmlWinEventLog:Microsoft-Windows-Defender/Operational" (EventCode="1116" OR EventCode="1117" OR EventCode="1119" OR EventCode="1120" OR EventCode="1116")
+
+[ms-windefender-operation]
+search = sourcetype="XmlWinEventLog:Microsoft-Windows-Defender/Operational" (EventCode="1000" OR EventCode="1001" OR EventCode="1002" OR EventCode="1005" OR EventCode="1150" OR EventCode="2*" OR EventCode="3*" OR EventCode="5*")

default/inputs.conf

@@ -0,0 +1,3 @@
+[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
+disabled = false
+renderXml = 1

default/props.conf

@@ -0,0 +1,22 @@
+[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
+REPORT-windefender = windefender-eventid,windefender-version,windefender-level,windefender-task,windefender-opcode,windefender-keywords,windefender-created,windefender-record,windefender-correlation,windefender-channel,windefender-computer,windefender-sid,windefender-data
+EVAL-dvc = Computer
+EVAL-session_id = ProcessGuid
+EVAL-process_id = ProcessId
+LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
+FIELDALIAS-signature_id = EventCode AS signature_id  
+
+EVAL-action = Action_Name
+EVAL-category = Category_Name
+EVAL-dest = Computer
+EVAL-file_hash = TODO
+REPORT-file_name = windefender-filename
+EVAL-file_path = Path
+EVAL-sender = TODO
+EVAL-signature = Threat_Name
+EVAL-src = Computer
+EVAL-user = if(isnotnull(Detection_User),Detection_User,User)
+EVAL-url = FWLink 
+EVAL-vendor_product = "Microsoft Windows Defender"
+EVAL-product_version = Current_Engine_Version
+EVAL-signature_version = Current_Signature_Version

default/tags.conf

@@ -0,0 +1,7 @@
+[eventtype=ms-windefender-attack]
+malware = enabled
+attack = enabled
+
+[eventtype=ms-windefender-operation]
+malware = enabled
+operations = enabled

default/transforms.conf

@@ -0,0 +1,60 @@
+[windefender-eventid]
+REGEX = <EventID>(\d+)</EventID>
+FORMAT = EventCode::$1
+
+[windefender-version]
+REGEX = <Version>(\d+)</Version>
+FORMAT = Version::$1
+
+[windefender-level]
+REGEX = <Level>(\d+)</Level>
+FORMAT = Level::$1
+
+[windefender-task]
+REGEX = <Task>(\d+)</Task>
+FORMAT = Task::$1
+
+[windefender-opcode]
+REGEX = <Opcode>(\d+)</Opcode>
+FORMAT = Opcode::$1
+
+[windefender-keywords]
+REGEX = <Keywords>(0x[0-9a-fA-F]+)</Keywords>
+FORMAT = Keywords::$1
+
+[windefender-created]
+REGEX = <TimeCreated SystemTime='(.*?)'/>
+FORMAT = TimeCreated::$1
+
+[windefender-record]
+REGEX = <EventRecordID>(\d+)</EventRecordID>
+FORMAT = RecordID::$1
+
+[windefender-correlation]
+REGEX = <Correlation>(.*?)</Correlation>
+FORMAT = Correlation::$1
+
+[windefender-channel]
+REGEX = <Channel>(.*?)</Channel>
+FORMAT = EventChannel::$1
+
+[windefender-computer]
+REGEX = <Computer>(.*?)</Computer>
+FORMAT = Computer::$1
+
+[windefender-sid]
+REGEX = <Security UserID='(S-[0-9a-fA-f-]+)'/>
+FORMAT = SecurityID::$1
+
+[windefender-data]
+REGEX = <Data Name='(.*?)'>(.*?)</Data>
+FORMAT = $1::$2
+
+[windefender-filename]
+SOURCE_KEY = Path
+REGEX = [^\\\](.*?)+$
+
+[eventcode]
+default_match = Unknown
+filename = eventcode.csv
+min_matches = 1 

local/inputs.conf

@@ -0,0 +1,4 @@
+[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
+index = windefender
+disabled = false
+renderXml = 1

lookups/eventcode.csv

@@ -0,0 +1,43 @@
+EventCode,EventDescription
+1000,"Scan started."
+1001,"Scan completed."
+1002,"Scan stopped (canceled)."
+1005,"Scan terminated due to error."
+1116,"Malware detection."
+1117,"Malware remediation."
+1119,"Remediation error (not found)."
+1120,"Windows Defender has deduced the hashes for a threat resource."
+1150,"If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state."
+2000,"The antimalware definitions updated successfully."
+2001,"The antimalware definition update failed."
+2002,"The antimalware engine updated successfully."
+2003,"The antimalware engine update failed."
+2004,"There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions."
+2005,"The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update."
+2006,"The platform update failed."
+2007,"The platform will soon be out of date. Download the latest platform to maintain up-to-date protection."
+2010,"The antimalware engine used the Dynamic Signature Service to get additional definitions."
+2011,"The Dynamic Signature Service deleted the out-of-date dynamic definitions."
+2012,"The antimalware engine encountered an error when trying to use the Dynamic Signature Service."
+2013,"The Dynamic Signature Service deleted all dynamic definitions."
+2020,"The antimalware engine downloaded a clean file."
+2021,"The antimalware engine failed to download a clean file."
+2030,"The antimalware engine was downloaded and is configured to run offline on the next system restart."
+2031,"The antimalware engine was unable to download and configure an offline scan."
+2040,"Antimalware support for this operating system version will soon end."
+2041,"Antimalware support for this operating system has ended. You must upgrade the operating system for continued support."
+2042,"The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware."
+3002,"Real-time protection encountered an error and failed."
+3007,"Real-time protection recovered from a failure. We recommend running a full system scan when you see this error."
+5000,"Real-time protection is enabled."
+5001,"Real-time protection is disabled."
+5004,"The real-time protection configuration changed."
+5007,"The antimalware platform configuration changed."
+5008,"The antimalware engine encountered an error and failed."
+5009,"Scanning for malware and other potentially unwanted software is enabled."
+5010,"Scanning for malware and other potentially unwanted software is disabled."
+5011,"Scanning for viruses is enabled."
+5012,"Scanning for viruses is disabled."
+5100,"The antimalware platform will expire soon."
+5101,"The antimalware platform is expired."
+

metadata/default.meta

@@ -0,0 +1,19 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system
+owner = admin
+
+[lookups/eventcode.csv]
+access = read : [ * ], write : [ admin ]
+export = system
+owner = admin
+
+[transforms/eventcode]
+access = read : [ * ], write : [ admin ]
+export = system
+owner = admin
+
+[props/XmlWinEventLog%3AMicrosoft-Windows-Windows%20Defender%2FOperational/LOOKUP-eventcode]
+access = read : [ * ], write : [ admin ]
+export = system
+owner = admin

metadata/local.meta

@@ -0,0 +1,3 @@
+[app/install/install_source_checksum]
+version = 1.0.0
+modtime = 1505600174.422398000