Fix ThreatHunting dashboard

clong#625
gregclermont · Mar 24, 2021 · 7778de6 · 7778de6
1 parent 819ded6
commit 7778de6
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/Vagrant/resources/splunk_server/macros.conf b/Vagrant/resources/splunk_server/macros.conf
@@ -73,3 +73,17 @@ iseval = 0
 [indextime]
 definition = _index_earliest=-15m@m AND _index_latest=now
 iseval = 0
+
+[threathunting_assets_dns]
+definition = | inputlookup threathunting_asset_priority.csv \
+| rename host_fqdn as dns\
+| fields dns priority
+iseval = 0
+
+[process_granted_access_description]
+definition = eval process_granted_access_description=case(process_granted_access = "0x1fffff", "PROCESS_ALL_ACCESS",process_granted_access = "0x40", "PROCESS_DUP_HANDLE",process_granted_access = "0x40", "PROCESS_DUP_HANDLE(0x40) + PROCESS_VM_READ (0x0010)",process_granted_access = "0xc0", "PROCESS_DUP_HANDLE (0x40) + PROCESS_CREATE_PROCESS (0x80)",process_granted_access = "0x1010", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_VM_READ (0x0010)", process_granted_access = "0x1410", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_QUERY_INFORMATION (0x0400) + PROCESS_VM_READ (0x0010)",process_granted_access = "0x1001", "PROCESS_QUERY_LIMITED_INFORMATION (0x1000) + PROCESS_TERMINATE (0x0001)")
+iseval = 0
+
+[threathunting_index]
+definition = index=threathunting
+iseval = 0