Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
37 lines (37 sloc) 2.11 KB
'!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!
'
'Version 1.0 of Basic Config (1/2014)
'Author tcw3bb@gmail.com
'This is a low volume config to capture malicious activity
'Newest Verion is avaiable at https://github.com/tcw3bb/ISC_Posts/
'
'
'Comments must start with an apostrophe and
'must be the only thing on that line.
'
'Do not combine comments and definitions on the same line!
'
'Format is as follows - EventSource:EventID
'Use * as a wildcard to ignore all ID's from a given source
'E.g. Security-Auditing:*
'
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix
'In Vista/2k8+ you may also specify custom XPath queries
'Format is the word 'XPath' followed by a ':', the event log to search,
'followed by a ':', and then the select expression
'E.g XPath:Application:<expression>
'
'Details can be found in the readme file at the following location:
'https://code.google.com/p/eventlog-to-syslog/downloads/list
'**********************:**************************
'XPath:Application:<Select Path="Application">*</Select>
'XPath:Security:<Select Path="Security">*</Select>
'XPath:Setup:<Select Path="Setup">*</Select>
'XPath:System:<Select Path="System">*</Select>
XPath:Application:<Select Path="Application">*[System[Provider[@Name='Application Error'] and (EventID=1000)]]</Select>
XPath:Application:<Select Path="Application">*[System[Provider[@Name='Application Hang'] and (EventID=1002)]]</Select>
XPath:Microsoft-Windows-AppLocker/EXE and DLL:<Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
XPath:Microsoft-Windows-AppLocker/MSI and Script:<Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
XPath:Application:<Select Path="Application">*[System[Provider[@Name='EMET'] and (EventID=1 or EventID=2)]]</Select>
XPath:Microsoft-Windows-Windows Defender/Operational:<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1005 or EventID=1006 or EventID=1010 or EventID=1012 or EventID=1014 or EventID=2001 or EventID=2003 or EventID=204 or EventID=3002 or EventID=5008)]]</Select>
XPath:Security:<Select Path="Security">*[System[(EventID=4740 or EventID=4732)]]</Select>
You can’t perform that action at this time.