indexer_patterns_sample.yml
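---
# Indexer pattern sample. Each top-level key names a pattern; the fields under
# it select which exported .jsonl files the pattern applies to and say where
# the host and the event timestamp are read from.
#
# Fields seen in this sample (exact matching semantics are decided by the
# consuming indexer -- confirm against its code before relying on them):
#   name_rex          regex applied to the file name
#   path_rex          regex applied to the file path (unanchored as written)
#   path_suffix       directory/suffix the file is expected under
#   sourcetype        sourcetype assigned to matching files (presumably Splunk)
#   host_path         dotted JSON path to the host inside each event
#   host_rex          regex applied to the file name; group 1 presumably yields
#                     the host
#   timestamp_path    one or more dotted JSON paths to the event timestamp,
#                     presumably tried in order
#   timestamp_format  strptime-style format of that timestamp value
#   artifact          free-form artifact label
#
# Indentation is significant: the per-pattern fields must be nested under the
# pattern key, otherwise every pattern collapses into one flat mapping and the
# repeated keys (name_rex, path_suffix, ...) silently take the last value.
# Regex values are single-quoted so backslashes are kept literally; the first
# key is quoted because it contains ':'.

"windows:evtx:powershell":
  name_rex: 'Windows_PowerShell.*\.jsonl$'
  path_suffix: evtx
  host_path: "Event.System.Computer"  # Extract the host from the event
  timestamp_path:  # Extract the timestamp from the event
    - "Event.System.TimeCreated.#attributes.SystemTime"
    - "Event.Timestamp"
  timestamp_format: "%Y-%m-%dT%H:%M:%S.%fZ"  # Specify the timestamp format
  artifact: EVTX

evtx:
  name_rex: '\.jsonl$'
  path_suffix: evtx
  sourcetype: _json
  host_path: "Event.System.Computer"
  timestamp_path:
    - "Event.System.TimeCreated.#attributes.SystemTime"
  timestamp_format: "%Y-%m-%dT%H:%M:%S.%fZ"

prefetch:
  name_rex: '\.jsonl$'
  path_rex: '.*prefetch'
  sourcetype: _json
  # Host comes from the file name here, not from the event body: the leading
  # run of word characters / dashes up to the first "--" separator.
  host_rex: '(^[\w-]+)--'
  timestamp_path:
    - LastRun
  timestamp_format: "%Y-%m-%d %H:%M:%S"  # no sub-second part or 'Z' for this source

reg:
  path_suffix: registry
  sourcetype: _json
  host_rex: '(^[\w-]+)--'
  # NOTE(review): no name_rex/timestamp_path here unlike the other patterns --
  # confirm whether the indexer falls back to defaults or treats them as absent.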