title: Splunk Windows log source conditions order: 20 backends: - splunk - splunkxml - splunkdm logsources: windows-application: product: windows service: application conditions: source: 'WinEventLog:Application' windows-security: product: windows service: security conditions: source: 'WinEventLog:Security' windows-system: product: windows service: system conditions: source: 'WinEventLog:System' windows-sysmon: product: windows service: sysmon conditions: source: 'WinEventLog:Microsoft-Windows-Sysmon/Operational' windows-process-creation: product: windows service: sysmon category: process_creation # Optimized search for process creation, being dramatically faster in Lispy than just EventCode=1 search, as 'ParentProcessGuid' is more unique than '1' in the raw data. # This also supports custom splunk macros, just like they are written in splunk (i.e. as `macro`), minding that it has to be written inside the string quotes here. search: 'ParentProcessGuid EventCode=1' windows-file-creation: product: windows service: sysmon category: file_creation search: 'TargetFilename EventCode=11' windows-powershell: product: windows service: powershell conditions: source: 'WinEventLog:Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic conditions: source: 'WinEventLog:Windows PowerShell' windows-taskscheduler: product: windows service: taskscheduler conditions: source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi conditions: source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dns-server: product: windows service: dns-server category: dns conditions: source: 'WinEventLog:DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: source: 'WinEventLog:Microsoft-Windows-DNS-Server/Audit' windows-driver-framework: product: windows service: driver-framework conditions: source: 'WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational' windows-ntlm: product: windows service: ntlm conditions: source: 'WinEventLog:Microsoft-Windows-NTLM/Operational' windows-dhcp: product: windows service: dhcp conditions: source: 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' windows-applocker: product: windows service: applocker conditions: source: - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' windows-msexchange-management: product: windows service: msexchange-management conditions: source: 'WinEventLog:MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin conditions: source: 'WinEventLog:Microsoft-Windows-PrintService/Admin' windows-printservice-operational: product: windows service: printservice-operational conditions: source: 'WinEventLog:Microsoft-Windows-PrintService/Operational' windows-codeintegrity-operational: product: windows service: codeintegrity-operational conditions: source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security conditions: source: 'WinEventLog:Microsoft-Windows-SmbClient/Security' windows-rpc-firewall: product: rpc_firewall category: application conditions: source: 'WinEventLog:RPCFW' windows-firewall-advanced-security: product: windows service: firewall-as conditions: source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' windows-bits-client: product: windows service: bits-client conditions: source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' fieldmappings: EventID: EventCode