{
  "name": "windows",
  "title": "Windows",
  "version": "2.3.2",
  "release": "ga",
  "description": "Collect logs and metrics from Windows OS and services with Elastic Agent.",
  "type": "integration",
  "download": "/epr/windows/windows-2.3.2.zip",
  "path": "/package/windows/2.3.2",
  "icons": [
    {
      "src": "/img/logo_windows.svg",
      "path": "/package/windows/2.3.2/img/logo_windows.svg",
      "title": "logo windows",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.14.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/elastic-agent-data-plane"
  },
  "categories": [
    "os_system",
    "security"
  ],
  "signature_path": "/epr/windows/windows-2.3.2.zip.sig",
  "format_version": "3.2.1",
  "readme": "/package/windows/2.3.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/metricbeat-windows-service.png",
      "path": "/package/windows/2.3.2/img/metricbeat-windows-service.png",
      "title": "metricbeat windows service",
      "size": "3142x1834",
      "type": "image/png"
    },
    {
      "src": "/img/applocker-windows-audit-and-blocked.png",
      "path": "/package/windows/2.3.2/img/applocker-windows-audit-and-blocked.png",
      "title": "applocker audited and blocked events",
      "size": "3040x2960",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/windows/2.3.2/LICENSE.txt",
    "/package/windows/2.3.2/changelog.yml",
    "/package/windows/2.3.2/manifest.yml",
    "/package/windows/2.3.2/docs/README.md",
    "/package/windows/2.3.2/img/applocker-windows-audit-and-blocked.png",
    "/package/windows/2.3.2/img/logo_windows.svg",
    "/package/windows/2.3.2/img/metricbeat-windows-service.png",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/manifest.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/sample_event.json",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/manifest.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/sample_event.json",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/manifest.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/sample_event.json",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/manifest.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/sample_event.json",
    "/package/windows/2.3.2/data_stream/forwarded/manifest.yml",
    "/package/windows/2.3.2/data_stream/forwarded/sample_event.json",
    "/package/windows/2.3.2/data_stream/perfmon/manifest.yml",
    "/package/windows/2.3.2/data_stream/powershell/manifest.yml",
    "/package/windows/2.3.2/data_stream/powershell/sample_event.json",
    "/package/windows/2.3.2/data_stream/powershell_operational/manifest.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/sample_event.json",
    "/package/windows/2.3.2/data_stream/service/manifest.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/manifest.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/sample_event.json",
    "/package/windows/2.3.2/data_stream/windows_defender/manifest.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/sample_event.json",
    "/package/windows/2.3.2/kibana/dashboard/windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json",
    "/package/windows/2.3.2/kibana/dashboard/windows-c77e06c0-9e7c-11ea-af6f-cfdb1ee1d6c8.json",
    "/package/windows/2.3.2/kibana/dashboard/windows-d9eba730-c991-11e7-9835-2f31fe08873b.json",
    "/package/windows/2.3.2/kibana/search/windows-11a61760-9f27-11ea-bef1-95118e62a7c1.json",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/forwarded/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/perfmon/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/perfmon/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/perfmon/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/powershell/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/service/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/service/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/service/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/ecs.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/sysmon_operational/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/fields/agent.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/fields/base-fields.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/fields/beats.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/fields/fields.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/fields/winlog.yml",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_exe_and_dll/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_msi_and_script/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_deployment/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/applocker_packaged_app_execution/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/forwarded/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/forwarded/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml",
    "/package/windows/2.3.2/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml",
    "/package/windows/2.3.2/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml",
    "/package/windows/2.3.2/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml",
    "/package/windows/2.3.2/data_stream/perfmon/agent/stream/stream.yml.hbs",
    "/package/windows/2.3.2/data_stream/powershell/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/powershell/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/powershell_operational/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/powershell_operational/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/service/agent/stream/stream.yml.hbs",
    "/package/windows/2.3.2/data_stream/sysmon_operational/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml",
    "/package/windows/2.3.2/data_stream/windows_defender/agent/stream/httpjson.yml.hbs",
    "/package/windows/2.3.2/data_stream/windows_defender/agent/stream/winlog.yml.hbs",
    "/package/windows/2.3.2/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "windows",
      "title": "Windows logs and metrics",
      "description": "Collect logs and metrics from Windows instances",
      "inputs": [
        {
          "type": "winlog",
          "title": "Collect events from the following Windows event log channels:",
          "description": "Collecting events from Windows event log"
        },
        {
          "type": "windows/metrics",
          "title": "Collect Windows perfmon and service metrics",
          "description": "Collecting perfmon and service metrics from Windows instances"
        },
        {
          "type": "httpjson",
          "vars": [
            {
              "name": "url",
              "type": "text",
              "title": "URL of Splunk Enterprise Server",
              "description": "e.g. https://host:8089 (scheme://host:port). The REST API path is appended automatically. Use https so the credentials or token configured below are not sent in clear text.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "https://server.example.com:8089"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. The logs are part of agent's diagnostics dump under `logs/httpjson/http-request-trace-<InputInstanceId>.ndjson`. Because the trace records the requests and responses themselves, it can expose the Splunk credentials or token configured for this input, as well as the collected event data, on disk and in any diagnostics bundle that is shared. Enable it only temporarily for debugging and disable it afterwards. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "username",
              "type": "text",
              "title": "Splunk REST API Username",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "password",
              "type": "password",
              "title": "Splunk REST API Password",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "token",
              "type": "password",
              "title": "Splunk Authorization Token",
              "description": "Bearer Token or Session Key, e.g. \"Bearer eyJFd3e46...\"\nor \"Splunk 192fd3e...\".  Cannot be used with username\nand password.\n",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "e.g. certificate_authorities, supported_protocols, verification_mode, etc. Keep certificate verification enabled outside of test environments; to trust a private CA, add it under certificate_authorities rather than relaxing verification_mode.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect logs from third-party REST API (deprecated)",
          "description": "Collect logs from third-party REST API (deprecated)"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "windows.applocker_exe_and_dll",
      "title": "Windows AppLocker/EXE and DLL logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "AppLocker/EXE and DLL",
          "description": "Microsoft-Windows-AppLocker/EXE and DLL channel",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows AppLocker EXE and DLL Events via Splunk Enterprise REST API",
          "description": "Collect AppLocker EXE and DLL Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_exe_and_dll"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_msi_and_script",
      "title": "Windows AppLocker/MSI and Script logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "AppLocker/MSI and Script",
          "description": "Microsoft-Windows-AppLocker/MSI and Script channel",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows AppLocker MSI and Script Events via Splunk Enterprise REST API",
          "description": "Collect AppLocker MSI and Script Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_msi_and_script"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_packaged_app_deployment",
      "title": "Windows AppLocker/Packaged app-Deployment logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limited to 22 clauses (fewer in some situations). See integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Packaged app-Deployment",
          "description": "Microsoft-Windows-AppLocker/Packaged app-Deployment channel",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows AppLocker/Packaged app-Deployment Events via Splunk Enterprise REST API",
          "description": "Collect AppLocker Packaged app-Deployment Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_packaged_app_deployment"
    },
    {
      "type": "logs",
      "dataset": "windows.applocker_packaged_app_execution",
      "title": "Windows AppLocker/Packaged app-Execution logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs, given as a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), ranges of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Excluded events are filtered out by the winlog input and are not shipped, so exclude only what is not needed for detection. The list is limited to 22 clauses (fewer in some situations); see the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, `0x0409` for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Packaged app-Execution",
          "description": "Microsoft-Windows-AppLocker/Packaged app-Execution channel",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows AppLocker/Packaged app-Execution Events via Splunk Enterprise REST API",
          "description": "Collect AppLocker Packaged app-Execution Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "applocker_packaged_app_execution"
    },
    {
      "type": "logs",
      "dataset": "windows.forwarded",
      "title": "Windows forwarded events",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs, given as a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), ranges of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Excluded events are filtered out by the winlog input and are not shipped, so exclude only what is not needed for detection. The list is limited to 22 clauses (fewer in some situations); see the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, `0x0409` for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Forwarded",
          "description": "Collect ForwardedEvents channel logs",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:ForwardedEvents\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows ForwardedEvents via Splunk Enterprise REST API",
          "description": "Collect ForwardedEvents via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "forwarded"
    },
    {
      "type": "metrics",
      "dataset": "windows.perfmon",
      "title": "Windows perfmon metrics",
      "release": "ga",
      "streams": [
        {
          "input": "windows/metrics",
          "vars": [
            {
              "name": "perfmon.group_measurements_by_instance",
              "type": "bool",
              "title": "Perfmon Group Measurements By Instance",
              "description": "Enabling this option sends all measurements that share the same perfmon instance as part of a single event.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.ignore_non_existent_counters",
              "type": "bool",
              "title": "Perfmon Ignore Non Existent Counters",
              "description": "Enabling this option ignores errors caused by counters that do not exist. Note that this also hides configuration mistakes such as misspelled counter names, so leave it disabled while validating a new query list.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.refresh_wildcard_counters",
              "type": "bool",
              "title": "Perfmon Refresh Wildcard Counters",
              "description": "Enabling this option will cause the counter list to be retrieved after each fetch, rather than once at start time.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "perfmon.queries",
              "type": "yaml",
              "title": "Perfmon Queries",
              "description": "Lists the perfmon queries to execute. Each query has an `object` option, an optional `instance` configuration, and the counters to collect.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "- object: 'Process'\n  instance: [\"*\"]\n  counters:\n   - name: '% Processor Time'\n     field: cpu_perc\n     format: \"float\"\n   - name: \"Working Set\"\n"
            },
            {
              "name": "period",
              "type": "text",
              "title": "Period",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the metrics are sent. See [Processors](https://www.elastic.co/guide/en/beats/metricbeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Windows perfmon metrics",
          "description": "Collect Windows perfmon metrics",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "perfmon"
    },
    {
      "type": "logs",
      "dataset": "windows.powershell",
      "title": "Windows Powershell logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs, given as a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), ranges of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Excluded events are filtered out by the winlog input and are not shipped, so exclude only what is not needed for detection. The list is limited to 22 clauses (fewer in some situations); see the integration documentation for more details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "400, 403, 600, 800"
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, `0x0409` for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Powershell",
          "description": "Windows Powershell channel",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Windows PowerShell\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows Powershell Events via Splunk Enterprise REST API",
          "description": "Collect Powershell Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "powershell"
    },
    {
      "type": "logs",
      "dataset": "windows.powershell_operational",
      "title": "Windows Powershell/Operational logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs, given as a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), ranges of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Excluded events are filtered out by the winlog input and are not shipped, so exclude only what is not needed for detection. The list is limited to 22 clauses (fewer in some situations); see the integration documentation for more details.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "4103, 4104, 4105, 4106"
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, `0x0409` for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Powershell Operational",
          "description": "Microsoft-Windows-Powershell/Operational channel",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go Duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Powershell/Operational\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows Powershell Operational Events via Splunk Enterprise REST API",
          "description": "Collect Powershell Operational Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {
        "index_template.settings": {
          "analysis": {
            "analyzer": {
              "powershell_script_analyzer": {
                "pattern": "[\\W&&[^-]]+",
                "type": "pattern"
              }
            }
          }
        },
        "ingest_pipeline.name": "default"
      },
      "path": "powershell_operational"
    },
    {
      "type": "metrics",
      "dataset": "windows.service",
      "title": "Windows service metrics",
      "release": "ga",
      "streams": [
        {
          "input": "windows/metrics",
          "vars": [
            {
              "name": "period",
              "type": "text",
              "title": "Period",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "60s"
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/metricbeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": true
            }
          ],
          "template_path": "stream.yml.hbs",
          "title": "Windows service metrics",
          "description": "Collect Windows service metrics",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "elasticsearch": {},
      "path": "service"
    },
    {
      "type": "logs",
      "dataset": "windows.sysmon_operational",
      "title": "Windows Sysmon/Operational events",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). The limit is 22 clauses, and lower in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Sysmon Operational",
          "description": "Collect Microsoft-Windows-Sysmon/Operational channel logs",
          "enabled": true,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows Sysmon Operational Events via Splunk Enterprise REST API",
          "description": "Collect Sysmon Operational Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "sysmon_operational"
    },
    {
      "type": "logs",
      "dataset": "windows.windows_defender",
      "title": "Windows Defender logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "winlog",
          "vars": [
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original XML event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "event_id",
              "type": "text",
              "title": "Event ID",
              "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). The limit is 22 clauses, and lower in some situations. See the integration documentation for more details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ignore_older",
              "type": "text",
              "title": "Ignore events older than",
              "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "72h"
            },
            {
              "name": "language",
              "type": "text",
              "title": "Language ID",
              "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. For example, 0x0409 for en-US.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": 0
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "custom",
              "type": "yaml",
              "title": "Custom Configurations",
              "description": "YAML configuration options for winlog input. Be careful, this may break the integration.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "# Winlog configuration example\n#batch_read_size: 100"
            }
          ],
          "template_path": "winlog.yml.hbs",
          "title": "Windows Defender",
          "description": "Collect Microsoft-Windows-Windows Defender/Operational channel logs",
          "enabled": false,
          "ingestion_method": "API"
        },
        {
          "input": "httpjson",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval to query Splunk Enterprise REST API",
              "description": "Go duration syntax (e.g. 10s)",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "10s"
            },
            {
              "name": "search",
              "type": "text",
              "title": "Splunk search string",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "search sourcetype=\"XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational\""
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": false,
              "show_user": false,
              "default": [
                "forwarded"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "httpjson.yml.hbs",
          "title": "Windows Defender Events via Splunk Enterprise REST API",
          "description": "Collect Windows Defender Events via Splunk Enterprise REST API",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "windows",
      "path": "windows_defender"
    }
  ]
}
