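---
# Sample indexer pattern definitions.
#
# Each top-level key names a pattern. A pattern's mapping holds:
#   - file selectors: name_rex / path_rex (regular expressions) and path_suffix
#   - host attribution: host_path (a field inside the event) or host_rex
#     (a capture group applied to the file path)
#   - timestamp extraction: timestamp_path (candidate fields) and
#     timestamp_format (strftime-style format of that field)
#   - normalize: VRL scripts; the host_path/timestamp_path values that follow a
#     "normalize" entry refer to the event AFTER those scripts have run
#
# Regular expressions are single-quoted so backslashes stay literal; a plain
# or double-quoted `\.` is parser-dependent. The meaning of sourcetype, artifact
# and the field-path syntax (`Event.System.Computer` vs `.host.name`) is defined
# by the consuming indexer — confirm there before changing them.

"windows:evtx:powershell":
  name_rex: 'Windows_PowerShell.*\.jsonl$'
  path_suffix: evtx
  host_path: "Event.System.Computer"  # Extract the host from the event
  timestamp_path:  # Extract the timestamp from the event (candidates, presumably tried in order — confirm)
    - "Event.System.TimeCreated.#attributes.SystemTime"
    - "Event.Timestamp"
  timestamp_format: "%Y-%m-%dT%H:%M:%S.%fZ"  # Raw EVTX time; carries fractional seconds (%f), unlike the normalized patterns below
  artifact: EVTX

evtx:
  name_rex: '\.jsonl$'
  path_suffix: evtx
  sourcetype: _json
  normalize:
    - normalize/windows/evtx.vrl
  host_path: ".host.name"  # Extract the host AFTER VRL normalization from the event
  timestamp_path:  # Extract the timestamp from the event AFTER VRL normalization
    - "timestamp"
  timestamp_format: "%Y-%m-%dT%H:%M:%SZ"  # Timestamp after VRL normalization

prefetch:
  name_rex: '\.jsonl$'
  path_rex: '.*prefetch'
  sourcetype: _json
  # Extract host from file path: the first `<host>--` segment of the file name.
  # Attribution therefore depends on the collection naming convention, not on
  # event content — a mis-named file mis-attributes every event in it.
  host_rex: '(^[\w-]+)--'
  normalize:
    - normalize/windows/prefetch.vrl
  timestamp_path:  # Extract the timestamp from the event AFTER VRL normalization
    - "timestamp"
  timestamp_format: "%Y-%m-%dT%H:%M:%SZ"  # Timestamp after VRL normalization

reg:
  name_rex: '--hives_hk'  # Quoted: a leading '-' is a YAML indicator
  host_rex: '([\w\.-]+)--'  # Extract host from file path (see note on prefetch.host_rex)
  sourcetype: _json
  normalize:
    - normalize/windows/hives.vrl
  timestamp_path:  # Extract the timestamp from the event AFTER VRL normalization
    - "timestamp"
  timestamp_format: "%Y-%m-%dT%H:%M:%SZ"  # Timestamp after VRL normalization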