Mark McCurdy
31 lines
659 B
YAML
31 lines
659 B
YAML
title: Splunk used in Falcon Portal
|
|
order: 20
|
|
backends:
|
|
- crowdstrike
|
|
logsources:
|
|
windows-sysmon:
|
|
product: windows
|
|
service: sysmon
|
|
conditions:
|
|
EventID: 1
|
|
process_creation_1:
|
|
category: process_creation
|
|
product: windows
|
|
|
|
fieldmappings:
|
|
EventID: EventID
|
|
CommandLine: Commandline
|
|
Command_Line: Commandline
|
|
cmdline: Commandline
|
|
Image: ImageFileName
|
|
TargetFilename: TargetFilename
|
|
image: ImageFileName
|
|
image_path: ImageFileName
|
|
OriginalFileName: ImageFileName
|
|
sha1: SHA1HashData
|
|
user: UserName
|
|
TaskName: TaskName
|
|
ParentImage: ParentBaseFileName
|
|
parent_image: ParentBaseFileName
|
|
ServiceName: ServiceName
|