TA-Microsoft-Sysmon v3.2.1
----------------------------
Author: ahall (original). japger, dherrald, jbrodsky (update).
Version/Date: 3.2.1 04/20/2016
Sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Has index-time ops: false
Input Requirements: Sysmon 3.1 or later installed with Windows Universal Forwarder
Updates
----------------------------
0.3.1
-----
Lookup table added to support Sysmon 3.1
Additional CIM compliance added
Example config added
Revved to version 0.3.1 to match current Sysmon version
3.1.1
-----
Major modification of the version numbering to better align with SplunkBase.
Fixed typos in eventtypes.conf and props.conf
3.2.1
-----
Minor updates to align with Sysmon version 3.21. For details see:
https://github.com/splunk/TA-microsoft-sysmon/issues/1
https://github.com/splunk/TA-microsoft-sysmon/issues/2
https://github.com/splunk/TA-microsoft-sysmon/issues/3
Using this TA
----------------------------
Configuration: Install the TA via the GUI on all search heads, and install
it via your preferred method (manual or Deployment Server) on Windows
forwarders that have Sysmon 3.1 or greater installed.
Ensure that your universal forwarders are at least version 6.2.0, since
that is the first version that can render Windows event logs in XML
format, which this TA's sourcetype relies on:
http://blogs.splunk.com/2014/11/04/splunk-6-2-feature-overview-xml-event-logs/
For additional info on Sysmon see here:
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
Support
----------------------------
This is a community supported TA. As such, post to answers.splunk.com
and reference it. Someone should be with you shortly.
Example Config
----------------------------
Sysmon is capable of delivering a large number of events into your
Splunk instance. The following configuration, loaded onto each
system running Sysmon 3.1, will reduce the amount of data considerably.
Special thanks go to Jeff Walzer from the University of Pittsburgh for
helping to test this ([email protected]).
Place the configuration in a text file, then load it with
"sysmon -c (filename)" from an admin-level command prompt. You may get
some unusual errors; these are benign and can be ignored. Verify the
active filtering by running "sysmon -c" with no argument.
For additional filtering, remove the entire ImageLoad section.
**** CUT HERE ****
<Sysmon schemaversion="2.0">
  <HashAlgorithms>SHA1</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate default="include">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
    <ProcessTerminate default="include">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime default="include">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
    <ImageLoad default="include">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ImageLoad>
  </EventFiltering>
</Sysmon>
**** CUT HERE ****
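The README asks you to verify the loaded filtering with "sysmon -c", but it does not say how to spot rules that add nothing. The script below is an added example, not part of this TA or of Sysmon: it parses a Sysmon config with the Python standard library and, for each event-type section, reports exact duplicate rules and "contains" rules whose value is a superstring of a shorter "contains" rule on the same field (a string that contains "splunk-optimize" necessarily contains "splunk", so the longer rule can never match anything the shorter one did not already match). The embedded SAMPLE_CONFIG is a trimmed copy of the example config above (DriverLoad plus a shortened ProcessCreate section). Only literal, case-sensitive substring containment is checked; Sysmon's own matching semantics are not modelled, which is an assumption to keep in mind when reading the report.

```python
"""Lint a Sysmon event-filtering config for redundant rules.

Added example (not part of TA-Microsoft-Sysmon or Sysmon). Reads a Sysmon
XML config and reports, per event-type section, exact duplicate rules and
"contains" rules already covered by a shorter "contains" rule on the same
field. Containment is checked literally and case-sensitively; this is an
approximation of Sysmon's matching, not a reimplementation of it.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Trimmed copy of the README's example config, embedded so the script runs
# offline: DriverLoad unchanged, ProcessCreate shortened to eight rules.
SAMPLE_CONFIG = """\
<Sysmon schemaversion="2.0">
  <HashAlgorithms>SHA1</HashAlgorithms>
  <EventFiltering>
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <ProcessCreate default="include">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
"""


def load_rules(xml_text):
    """Return {section_tag: [(field, condition, value), ...]} for every
    child of <EventFiltering>. A rule without a condition attribute is
    recorded as "is", mirroring how the config files on this page omit it."""
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    if filtering is None:
        raise ValueError("no <EventFiltering> element found")
    rules = {}
    for section in filtering:
        rules[section.tag] = [
            (rule.tag, rule.get("condition", "is"), (rule.text or "").strip())
            for rule in section
        ]
    return rules


def find_duplicates(rules):
    """Rules repeated verbatim within one section:
    {section: [(field, condition, value), ...]}."""
    dups = {}
    for section, entries in rules.items():
        repeated = [rule for rule, count in Counter(entries).items() if count > 1]
        if repeated:
            dups[section] = repeated
    return dups


def find_subsumed(rules):
    """'contains' rules already covered by a shorter 'contains' rule on the
    same field: {section: [(redundant_value, shortest_covering_value), ...]}.
    A value is redundant when another rule's value is a strict substring of
    it, because any string containing the longer value contains the shorter."""
    subsumed = {}
    for section, entries in rules.items():
        contains = {(field, value) for field, cond, value in entries
                    if cond == "contains" and value}
        hits = []
        for field, value in sorted(contains):
            covers = [v for f, v in contains
                      if f == field and v != value and v in value]
            if covers:
                hits.append((value, min(covers, key=len)))
        if hits:
            subsumed[section] = hits
    return subsumed


def lint(xml_text):
    """Full report for one config: {"duplicates": ..., "subsumed": ...}."""
    rules = load_rules(xml_text)
    return {"duplicates": find_duplicates(rules), "subsumed": find_subsumed(rules)}


if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG)
    for section, items in report["duplicates"].items():
        for field, cond, value in items:
            print(f'{section}: duplicate <{field} condition="{cond}">{value}')
    for section, items in report["subsumed"].items():
        for value, covering in items:
            print(f"{section}: '{value}' is already matched by '{covering}'")
```

Run against the full config above, the same checks fire identically in the ProcessTerminate, FileCreateTime and ImageLoad sections, since each repeats the ProcessCreate list; the DriverLoad section produces no findings. The point for a defender is that every redundant rule is one more line to review when the filter is audited, while adding nothing to the volume reduction the README is after.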