From a1e846d32745f5ac7e46b058f1abb5db02d81a0a Mon Sep 17 00:00:00 2001
From: GPS-DFIR <108487356+GPS-DFIR@users.noreply.github.com>
Date: Tue, 4 Apr 2023 08:24:34 -0400
Subject: [PATCH] Add UserAccessLogs and formatting fix (#2607)
---
 .../definitions/Splunk/Flows/Upload.yaml | 65 ++++++++++---------
 1 file changed, 34 insertions(+), 31 deletions(-)
diff --git a/artifacts/definitions/Splunk/Flows/Upload.yaml b/artifacts/definitions/Splunk/Flows/Upload.yaml
index aa4d850e4d..fc15bf97cc 100644
--- a/artifacts/definitions/Splunk/Flows/Upload.yaml
+++ b/artifacts/definitions/Splunk/Flows/Upload.yaml
@@ -19,38 +19,41 @@ description: |
 * Go to Settings > Data Inputs > HTTP Event Collector > Global Settings
 * Ensure `All Tokens` is set to ENABLED
 * Copy the HTTP Port Number for this event
- 4. Configure your Splunk props.conf and tranforms.conf
+ 4. Configure your Splunk props.conf and tranforms.conf
 * Add the following to props.conf
- [vql]
- INDEXED_EXTRACTIONS = json
- DATETIME_CONFIG = CURRENT
- TZ = GMT
- category = Custom
- pulldown_type = 1
- TRANSFORMS-vql-sourcetype = vql-sourcetype,vql-timestamp
- TRUNCATE = 512000
- * Add the following to transforms.conf
- [vql-sourcetype]
- INGEST_EVAL = sourcetype=lower(_index)
- [vql-timestamp]
- INGEST_EVAL = _time=case( \
- _index="artifact_Linux_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_System_VFS_ListDirectory",strptime(ctime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
- _index="artifact_Windows_Timeline_MFT",strptime(event_time,"%Y-%m-%dT%H:%M:%S.%NZ"), \
- _index="artifact_Windows_NTFS_MFT",strptime(Created0x10,"%Y-%m-%dT%H:%M:%S.%NZ"), \
- _index="artifact_Windows_EventLogs_Evtx",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Custom_Windows_EventLogs_System_7045",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_EventLogs_RDPAuth",strptime(EventTime,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_Analysis_EvidenceOfExecution_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_Analysis_EvidenceOfExecution_Amcache",strptime(KeyMTime,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_System_Amcache_InventoryApplicationFile",strptime(LastModified,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
- _index="artifact_Windows_Applications_NirsoftBrowserViewer",strptime(Visited,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_Registry_RecentDocs",strptime(LastWriteTime,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Custom_Windows_Application_IIS_IISLogs",strptime(event_time,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_MacOS_Applications_Chrome_History",strptime(last_visit_time,"%Y-%m-%dT%H:%M:%SZ"), \
- _index="artifact_Windows_Registry_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ") \
- )
+ [vql]
+ INDEXED_EXTRACTIONS = json
+ DATETIME_CONFIG = CURRENT
+ TZ = GMT
+ category = Custom
+ pulldown_type = 1
+ TRANSFORMS-vql-sourcetype = vql-sourcetype,vql-timestamp
+ TRUNCATE = 512000
+ * Add the following to transforms.conf
+ [vql-sourcetype]
+ INGEST_EVAL = sourcetype=lower(_index)
+ [vql-timestamp]
+ INGEST_EVAL = _time=case( \
+ _index="artifact_Linux_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_System_VFS_ListDirectory",strptime(ctime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+ _index="artifact_Windows_Timeline_MFT",strptime(event_time,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+ _index="artifact_Windows_NTFS_MFT",strptime(Created0x10,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+ _index="artifact_Windows_EventLogs_Evtx",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Custom_Windows_EventLogs_System_7045",strptime(TimeCreated,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_EventLogs_RDPAuth",strptime(EventTime,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Analysis_EvidenceOfExecution_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Analysis_EvidenceOfExecution_Amcache",strptime(KeyMTime,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_System_Amcache_InventoryApplicationFile",strptime(LastModified,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Search_FileFinder",strptime(CTime,"%Y-%m-%dT%H:%M:%S.%NZ"), \
+ _index="artifact_Windows_Applications_NirsoftBrowserViewer",strptime(Visited,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Registry_RecentDocs",strptime(LastWriteTime,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Forensics_UserAccessLogs_Clients",strptime(InsertDate,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Forensics_UserAccessLogs_DNS",strptime(LastSeen,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Forensics_UserAccessLogs_SystemIdentity",strptime(CreationTime,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Custom_Windows_Application_IIS_IISLogs",strptime(event_time,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_MacOS_Applications_Chrome_History",strptime(last_visit_time,"%Y-%m-%dT%H:%M:%SZ"), \
+ _index="artifact_Windows_Registry_UserAssist",strptime(LastExecution,"%Y-%m-%dT%H:%M:%SZ") \
+ )
 > Note: `Enable SSL` only works if SSL is properly configured on your