olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.13k stars 177 forks

change "sourcetype" to "source" for Win Event Logs in the macros #12

Closed bmk666 closed 5 years ago

bmk666 commented 5 years ago

For me I have to change all the macros:

from `index=INDEX sourcetype="WinEventLog:Application"` to `index=INDEX source="WinEventLog:Application"`

because only Sysmon has its own sourcetype: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

All other Windows logs have sourcetype: `xmlwineventlog`

so I have to use `source=WinEventLog:System`, `source=WinEventLog:Application`, ....

BR, BMK

jamesarmitage commented 5 years ago

Note: this only applies if you are using the 5.x release of TA-Windows for Splunk. The 4.x release still uses sourcetype: https://docs.splunk.com/Documentation/WindowsAddOn/5.0.1/User/Upgrade#WinEventLog_extraction_changes

agiallombardo commented 5 years ago

@jamesarmitage - v4 does still use sourcetype, but source is both v4 & v5 compatible
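The change the thread converges on, written out as a `macros.conf` fragment. This is an added example, not the ThreatHunting app's own macro definitions; the stanza names and the `wineventlog` index are assumptions, and the `xmlwineventlog` sourcetype for non-Sysmon channels under TA-Windows 5.x is as reported above.

```ini
# Added example (not from the ThreatHunting app). Stanza names and the
# index name are assumptions chosen for illustration.

# Before: selecting on sourcetype. Works with TA-Windows 4.x, where each
# channel gets its own sourcetype. Under TA-Windows 5.x the non-Sysmon
# channels are reported as sourcetype=xmlwineventlog (see the thread), so
# this macro matches nothing.
[windows_application_v4_only]
definition = index=wineventlog sourcetype="WinEventLog:Application"
iseval = 0

# After: selecting on source. Both TA-Windows 4.x and 5.x put the channel
# name in the source field, so this one definition serves either release.
[windows_application]
definition = index=wineventlog source="WinEventLog:Application"
iseval = 0

[windows_system]
definition = index=wineventlog source="WinEventLog:System"
iseval = 0

# Sysmon keeps a dedicated sourcetype under both releases, so the Sysmon
# macro can stay keyed on sourcetype.
[sysmon]
definition = index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
```

Before editing macros, confirm how your own TA-Windows version populates the two fields with a quick inventory search such as `index=wineventlog | stats count by source, sourcetype`; if every non-Sysmon channel shows a single shared sourcetype while `source` still carries the channel name, the `source=` form is the one that will return events.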

olafhartong commented 5 years ago

this has been addressed in the macro