@manasmbellani
Last active March 29, 2023 21:54
Splunk Universal Forwarder inputs.conf file for collecting data from Windows Servers / PCs
# Version 9.0.1
# inputs.conf for a Splunk Universal Forwarder running on a Windows host.
# these here just override and disable stuff that in system/default.
#
# NOTE: a WinEventLog stanza only forwards what the host already writes to that
# channel. The producing feature (Sysmon, AppLocker policy, PowerShell logging,
# Defender, ...) has to be installed/enabled on the endpoint by policy; enabling
# the stanza here does not switch the channel on.
# NOTE: none of the WinEventLog stanzas set 'index', so those events go to
# whatever index the forwarder/indexer treats as the default (presumably main -
# verify against outputs.conf / indexer config). If Security data must live in
# its own index for retention or access control, set 'index' per stanza.
################################
# Data thru parsingQueue always
################################
[splunktcp]
# Both the has_key and absent_key branches resolve to parsingQueue, so every
# event takes the parsing queue regardless of the key (matches the banner above).
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
################################
# Make sure these get forwarded
################################
# The forwarder's own logs: sent to the _internal index on all configured
# output groups (_TCP_ROUTING = *), so forwarder health stays visible.
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal
[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal
## Sysmon operational channel; only populated when Sysmon is installed with a
## config on the host.
## checkpointInterval is in seconds; current_only = 0 with start_from = oldest
## collects the existing backlog on first start, then resumes from the saved
## checkpoint. NOTE(review): these presumably restate Splunk's defaults - confirm
## for 9.0.1 before relying on them.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
## AppLocker "EXE and DLL" channel: blocked (or audit-mode) executable and DLL
## launches. Only this AppLocker channel is collected; the other AppLocker
## channels (e.g. "MSI and Script") are not covered by this file.
[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
## Useful for detection of persistence mechanisms via Task Scheduler.
## NOTE(review): this operational channel is typically disabled by default on
## Windows - confirm it is enabled on the endpoints, otherwise nothing arrives.
[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
disabled = 0
## Core Windows logs. Security is high volume; no whitelist/blacklist on
## EventCode is set here, so the full channel is forwarded.
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
## Useful for detection of malware alerts from Windows Defender.
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
## SmbClient/Security channel: failed SMB connections, useful for spotting
## name-resolution poisoning (Responder-style) from the victim side.
[WinEventLog://Microsoft-Windows-SmbClient/Security]
disabled = 0
## PowerShell operational channel. Module logging and script block logging
## (event IDs 4103/4104) only appear if they are enabled on the host via Group
## Policy/registry; the forwarder cannot enable them.
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
## Aurora EDR (Nextron) alert log. Comment out the whole stanza (all four lines)
## if Aurora is not deployed.
## The path contains spaces; Splunk stanza names allow that, no quoting needed.
## Unlike the WinEventLog stanzas above, sourcetype and index are set explicitly.
[monitor://C:\Program Files\Aurora Agent\aurora_alerts.json.log]
disabled = 0
sourcetype = nextron:aurora:edr
index = main