238 lines
8.7 KiB
Plaintext
238 lines
8.7 KiB
Plaintext
<?xml version="1.0" encoding="utf-8"?>
|
|
<AssetCollection xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
<Metadata>
|
|
<UniqueId>9a551254-a7b2-4f23-b5ee-133cb8595000</UniqueId>
|
|
<GroupId>9a551254-a7b2-4f23-b5ee-133cb8595000</GroupId>
|
|
<Name>Message Analyzer Correlations</Name>
|
|
<AssetType>CorrelationAsset</AssetType>
|
|
<VersionNumber>1</VersionNumber>
|
|
<Author>Message Analyzer</Author>
|
|
<Corporation>Microsoft</Corporation>
|
|
<PublishedDate>2014-08-01T00:00:00</PublishedDate>
|
|
<ModifiedDate>2015-02-12T00:00:00</ModifiedDate>
|
|
<Revision>4</Revision>
|
|
<Description>The official release of unions from the Message Analyzer Team. Download and sync this set to get periodic updates.</Description>
|
|
<Rating>0</Rating>
|
|
</Metadata>
|
|
<Assets>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>525580f0-dc72-400f-8006-98f8615f560b</UniqueId>
|
|
<Category>File Sharing</Category>
|
|
<Name>SMBCommand</Name>
|
|
<Description>Correlates SMB commands with SambaSysLog commands.</Description>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>SMBCommand</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>SMB.Command</DeclarationName>
|
|
<SelectorPath>Command</SelectorPath>
|
|
<TypeName>byte</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>SambaSysLog.smb_command.command.smb_com</DeclarationName>
|
|
<SelectorPath>command.smb_com</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>uint</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>cbfc11e6-ab1b-4d12-851c-97cb89b08d7d</UniqueId>
|
|
<Name>PID</Name>
|
|
<Description>Correlates Process IDs between text logs and ETW logs.</Description>
|
|
<Category>Common</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>PID</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>ProcessId</DeclarationName>
|
|
<SelectorPath>ProcessId</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>Etw.EtwProviderMsg.EventRecord.Header.ProcessId</DeclarationName>
|
|
<SelectorPath>EventRecord.Header.ProcessId</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>uint</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>4571e78d-db81-47db-b379-e703cf884e61</UniqueId>
|
|
<Name>AddressPair</Name>
|
|
<Description>Allows aggregation of addresses for TopTalkers.</Description>
|
|
<Category>Common</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>AddressPair</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>Ethernet.Frame.Source</DeclarationName>
|
|
<SelectorPath>Source</SelectorPath>
|
|
<TypeName>Utility.MacAddress</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>Ethernet.Frame.Destination</DeclarationName>
|
|
<SelectorPath>Destination</SelectorPath>
|
|
<TypeName>Utility.MacAddress</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>IPv4.Datagram.Destination</DeclarationName>
|
|
<SelectorPath>Destination</SelectorPath>
|
|
<TypeName>Utility.IPv4Address</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>IPv4.Datagram.Source</DeclarationName>
|
|
<SelectorPath>Source</SelectorPath>
|
|
<TypeName>Utility.IPv4Address</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>IPv6.Datagram.Destination</DeclarationName>
|
|
<SelectorPath>Destination</SelectorPath>
|
|
<TypeName>Utility.IPv6Address</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>IPv6.Datagram.Source</DeclarationName>
|
|
<SelectorPath>Source</SelectorPath>
|
|
<TypeName>Utility.IPv6Address</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>any</Shape>
|
|
<Type>Set</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>d8c20554-10c1-49d9-af1a-0e7a20cb1593</UniqueId>
|
|
<Category>File Sharing</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>SMBTID</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>SMB.SmbHeader.Tid</DeclarationName>
|
|
<SelectorPath>Tid</SelectorPath>
|
|
<TypeName>ushort</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>SMB2.SMB2Request.Header.TreeId</DeclarationName>
|
|
<SelectorPath>Header.TreeId</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>SambaSysLog.smb_command.command.smb_tid</DeclarationName>
|
|
<SelectorPath>command.smb_tid</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>uint</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>820deb4d-af0d-4e30-b2f1-1ede8d04c42c</UniqueId>
|
|
<Category>File Sharing</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>SMBMID</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>SambaSysLog.smb_command.command.smb_mid</DeclarationName>
|
|
<SelectorPath>command.smb_mid</SelectorPath>
|
|
<TypeName>uint</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>SMB2.ReadRequest.Header.MessageId</DeclarationName>
|
|
<SelectorPath>Header.MessageId</SelectorPath>
|
|
<TypeName>ulong</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>SMB.SmbHeader.Mid</DeclarationName>
|
|
<SelectorPath>Mid</SelectorPath>
|
|
<TypeName>ushort</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>ulong</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>03f85efc-3634-45b9-a85f-d4b91b28b4ea</UniqueId>
|
|
<Category>SharePoint</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content xsi:type="CorrelationAsset">
|
|
<Name>SharePointCorrelation</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>ULS.EventHeader.Correlation</DeclarationName>
|
|
<SelectorPath>Correlation</SelectorPath>
|
|
<TypeName>string</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>HTTP.Request.Headers.SPRequestGuid</DeclarationName>
|
|
<SelectorPath>Headers.SPRequestGuid</SelectorPath>
|
|
<TypeName>string</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>string</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
<Asset>
|
|
<Metadata>
|
|
<UniqueId>9127362c-17e3-4c96-948f-412867ab6149</UniqueId>
|
|
<Category>HTTP</Category>
|
|
<Properties />
|
|
</Metadata>
|
|
<Content
|
|
xsi:type="CorrelationAsset">
|
|
<Name>HTTPContentType</Name>
|
|
<CorrelatedFields>
|
|
<CorrelateField>
|
|
<DeclarationName>HTTP.HttpContract.Request.HTTPContentType</DeclarationName>
|
|
<SelectorPath>HTTPContentType</SelectorPath>
|
|
<TypeName>HTTP.HeaderFieldType</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>HTTP.HttpContract.Response.HTTPContentType</DeclarationName>
|
|
<SelectorPath>HTTPContentType</SelectorPath>
|
|
<TypeName>HTTP.HeaderFieldType</TypeName>
|
|
</CorrelateField>
|
|
<CorrelateField>
|
|
<DeclarationName>HTTP.HttpContract.Operation.ContentType</DeclarationName>
|
|
<SelectorPath>ContentType</SelectorPath>
|
|
<TypeName>string</TypeName>
|
|
</CorrelateField>
|
|
</CorrelatedFields>
|
|
<Shape>any</Shape>
|
|
<Type>Normal</Type>
|
|
</Content>
|
|
<Properties />
|
|
</Asset>
|
|
</Assets>
|
|
<Properties />
|
|
</AssetCollection>
|