olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Still direct references to Windows index #50

Closed afxmac closed 4 years ago

afxmac commented 4 years ago

Hi, while trying to understand why the app delivers nothing for me and does not deliver anything into the threathunting index, I found a few spots where a windows index is directly referenced.

**1: `./default/savedsearches.conf:search =indextimeindex="windows" source="WinEventLog:Security" EventCode=4769 Ticket_Encryption_Type=0x17 Service_ID!=NONE_MAPPED Account_Name!="sa_*" Account_Name!="*$@INSECUREBANK.LOCAL"`**

**2: `./default/savedsearches.conf:search =indextimeindex=windows (EventCode=4771 OR EventCode=4768 OR EventCode=4769) Failure_Code=0x1F`**

3: `./default/macros.conf:definition = index=windows (source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational")`

4: `./default/macros.conf:definition = index=windows source="WinEventLog:Application"`

5: `./default/macros.conf:definition = index=windows (source="WinEventLog:Powershell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")`

6: `./default/macros.conf:definition = index=windows source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational"`

7: `./default/macros.conf:definition = index=windows source="WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/*"`

8: `./default/macros.conf:definition = index=windows source="WinEventLog:Security"`

10: `./default/macros.conf:definition = index=windows source="WinEventLog:System" OR source="WinEventLog:Security"`

11: `./default/macros.conf:definition = index=windows source="WinEventLog:System"`

**12: `./default/data/ui/views/computer_investigator.xml: <query>| tstats count WHERE index=windows AND (host=$host$) by _time host sourcetype span=15m | timechart span=15m sum(count) by sourcetype</query>`**

The stuff in default/macros is overwritten by the customization, but the remaining two seem to be a bit of a problem.

cheers afx
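A small lint for the class of problem reported above: it flags saved searches and dashboard queries that name an index directly instead of going through a macro, so they cannot be re-pointed by overriding `macros.conf`. This is an added example, not code from the ThreatHunting app or from the thread; the `.conf` and Simple XML samples are constructed.

```python
import configparser
import re
import xml.etree.ElementTree as ET

# Constructed sample of a savedsearches.conf: one search hardcodes the index,
# the other reaches the data through a macro (backticks), which is overridable.
SAVEDSEARCHES_CONF = """
[T1558.003 Kerberoasting]
search = index=windows source="WinEventLog:Security" EventCode=4769
[T1059.001 PowerShell script block]
search = `powershell` EventCode=4104
"""

# Constructed sample of a Simple XML dashboard with a hardcoded index in a tstats query.
DASHBOARD_XML = """<dashboard><row><panel><chart>
<query>| tstats count WHERE index=windows AND (host=$host$) by _time host sourcetype</query>
</chart></panel></row></dashboard>"""

# Matches index=foo or index="foo"; a macro reference like `sysmon` does not match.
HARDCODED_INDEX = re.compile(r'\bindex\s*=\s*"?(\w+)"?', re.IGNORECASE)


def conf_findings(conf_text):
    """Return (stanza, index) for every saved search whose SPL names an index directly."""
    # Splunk .conf files are INI-like; interpolation is off because SPL contains '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for stanza in cp.sections():
        spl = cp.get(stanza, "search", fallback="")
        for m in HARDCODED_INDEX.finditer(spl):
            findings.append((stanza, m.group(1)))
    return findings


def xml_findings(xml_text):
    """Return the index named in every <query> element of a Simple XML dashboard."""
    root = ET.fromstring(xml_text)
    return [m.group(1)
            for q in root.iter("query")
            for m in HARDCODED_INDEX.finditer(q.text or "")]


if __name__ == "__main__":
    for stanza, idx in conf_findings(SAVEDSEARCHES_CONF):
        print(f"savedsearches.conf [{stanza}] hardcodes index={idx}")
    for idx in xml_findings(DASHBOARD_XML):
        print(f"dashboard <query> hardcodes index={idx}")
```

Run it over an app's `default/savedsearches.conf` and `default/data/ui/views/*.xml` to list every search that will silently return nothing when the data lives in a differently named index.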

olafhartong commented 4 years ago

Thanks, I'll adjust those!