Pulsar (Windows) (win_pulsar.py)

This module sets up your computer to enable auditing for the folders specified in a YAML file. It then scans the NTFS change journal (USN journal) for changes to those folders and reports each change it finds.

hubblestack.extmods.modules.win_pulsar.process(configfile='salt://hubblestack_pulsar/hubblestack_pulsar_win_config.yaml', verbose=False)

Watch the configured files

Example yaml config on fileserver (targeted by configfile option)

C:\Users: {}
C:\Windows:
  mask:
    - 'File Create'
    - 'File Delete'
    - 'Security Change'
  exclude:
    - C:\Windows\System32\*
C:\temp: {}
return: splunk_pulsar_return
batch: True

Note that if ‘batch: True’ is set, the configured returner must support receiving a list of events rather than single one-off events.

The mask list can contain the following events (the default mask is create, delete, and modify):

  1. Basic Info Change: A user has either changed file or directory attributes, or one or more time stamps
  2. Close: The file or directory is closed
  3. Compression Change: The compression state of the file or directory is changed from or to compressed
  4. Data Extend: The file or directory is extended (added to)
  5. Data Overwrite: The data in the file or directory is overwritten
  6. Data Truncation: The file or directory is truncated
  7. EA Change: A user made a change to the extended attributes of a file or directory (these NTFS
     file system attributes are not accessible to Windows-based applications)
  8. Encryption Change: The file or directory is encrypted or decrypted
  9. File Create: The file or directory is created for the first time
  10. File Delete: The file or directory is deleted
  11. Hard Link Change: An NTFS file system hard link is added to or removed from the file or directory
  12. Indexable Change: A user changes the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute (changes the file
      or directory from one where content can be indexed to one where content cannot be indexed, or vice versa)
  13. Integrity Change: A user changed the state of the FILE_ATTRIBUTE_INTEGRITY_STREAM attribute for the given
      stream (on the ReFS file system, integrity streams maintain a checksum of all data for that stream, so that the contents of the file can be validated during read or write operations)
  14. Named Data Extend: One or more named data streams for a file are extended (added to)
  15. Named Data Overwrite: The data in one or more named data streams for a file is overwritten
  16. Named Data truncation: One or more named data streams for a file are truncated
  17. Object ID Change: The object identifier of a file or directory is changed
  18. Rename New Name: A file or directory is renamed, and the file name in the USN_RECORD_V2 structure is the
      new name
  19. Rename Old Name: The file or directory is renamed, and the file name in the USN_RECORD_V2 structure is
      the previous name
  20. Reparse Point Change: The reparse point that is contained in a file or directory is changed, or a reparse
      point is added to or deleted from a file or directory
  21. Security Change: A change is made in the access rights to a file or directory
  22. Stream Change: A named stream is added to or removed from a file, or a named stream is renamed
  23. Transacted Change: The given stream is modified through a TxF transaction
exclude:
Exclude directories or files from triggering events in the watched directory. Note that directory excludes should not have a trailing slash.
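The config semantics above (per-directory mask, default mask, glob and bare-directory excludes, most-specific watched directory wins) as an added, self-contained example; this is illustrative code, not hubblestack's own win_pulsar implementation. It assumes the YAML has already been loaded into a dict, that journal events arrive as path plus reason name, and that "modify" in the default mask means the data overwrite/extend/truncation reasons.

```python
import fnmatch

# Constructed dict form of the YAML config shown above (illustrative code, not
# hubblestack's own win_pulsar implementation; 'return' and 'batch' are not paths).
PULSAR_CONFIG = {
    r'C:\Users': {},
    r'C:\Windows': {'mask': ['File Create', 'File Delete', 'Security Change'],
                    'exclude': [r'C:\Windows\System32\*']},
    r'C:\temp': {},
    'return': 'splunk_pulsar_return',
    'batch': True,
}
# Assumed reading of the default "create, delete, and modify" in mask names.
DEFAULT_MASK = ['File Create', 'File Delete', 'Data Overwrite', 'Data Extend', 'Data Truncation']

def match_dir(path, config):
    """Most specific watched directory containing path (NTFS is case-insensitive)."""
    best = None
    for d, opts in config.items():  # 'return' / 'batch' have non-dict values: skip them
        if isinstance(opts, dict) and path.lower().startswith(d.rstrip('\\').lower() + '\\'):
            if best is None or len(d) > len(best):
                best = d
    return best

def is_excluded(path, excludes):
    """True if path matches an exclude glob or lies under a bare directory exclude."""
    for pat in excludes:
        pat = pat.rstrip('\\').lower()  # doc: directory excludes carry no trailing slash
        if fnmatch.fnmatchcase(path.lower(), pat) or path.lower().startswith(pat + '\\'):
            return True
    return False

def filter_events(events, config):
    """Keep only journal events that a watched dir's mask allows and no exclude drops."""
    reported = []
    for ev in events:
        d = match_dir(ev['path'], config)
        opts = config.get(d, {})
        if d and ev['reason'] in opts.get('mask', DEFAULT_MASK) \
                and not is_excluded(ev['path'], opts.get('exclude', [])):
            reported.append(dict(ev, watched=d))
    return reported  # with 'batch: True' this whole list goes to the returner in one call

# Constructed sample journal entries (path + USN reason name), not real journal data.
SAMPLE_EVENTS = [
    {'path': r'C:\Users\alice\Desktop\notes.txt', 'reason': 'File Create'},      # kept: default mask
    {'path': r'C:\Users\alice\Desktop\notes.txt', 'reason': 'Close'},            # dropped: not in mask
    {'path': r'C:\Windows\Tasks\nightly.job', 'reason': 'Security Change'},      # kept: C:\Windows mask
    {'path': r'C:\Windows\System32\drivers\etc\hosts', 'reason': 'File Create'}, # dropped: excluded
    {'path': r'C:\temp\installer.tmp', 'reason': 'File Delete'},                 # kept
    {'path': r'D:\data\blob.bin', 'reason': 'File Create'},                      # dropped: not watched
]
```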
hubblestack.extmods.modules.win_pulsar.top(topfile='salt://hubblestack_pulsar/win_top.pulsar', verbose=False)

Execute pulsar using a top.pulsar file to decide which configs to use for this host.

The topfile should be formatted like this:

pulsar:
  '<salt compound match identifying host(s)>':
    - list.of.paths
    - using.dots.as.directory.separators

Paths in the topfile should be relative to salt://hubblestack_pulsar, and the .yaml should not be included.