SigmaHQ/tools/config/sumologic.yml

title: SumoLogic
order: 20
backends:
  - sumologic
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, EventChannel, EventID
logsources:
  linux:
    product: linux
    index: LINUX
  linux-sshd:
    product: linux
    service: sshd
    index: LINUX
  linux-auth:
    product: linux
    service: auth
    index: LINUX
  linux-clamav:
    product: linux
    service: clamav
    index: LINUX
  windows:
    product: windows
    index: WINDOWS
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      EventChannel: Microsoft-Windows-Sysmon
    index: WINDOWS
  windows-security:
    product: windows
    service: security
    conditions:
      EventChannel: Security
    index: WINDOWS
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      EventChannel: Microsoft-Windows-Powershell
    index: WINDOWS
  windows-system:
    product: windows
    service: system
    conditions:
      EventChannel: System
    index: WINDOWS
  windows-dhcp:
    product: windows
    service: dhcp
    conditions: 
      EventChannel: Microsoft-Windows-DHCP-Server
    index: WINDOWS
  apache:
    product: apache
    service: apache
    index: WEBSERVER
  firewall:
    product: firewall
    index: FIREWALL
# if no index, search in all indexes
Added title to all configurations 2019-05-16 21:33:51 +00:00			`title: SumoLogic`
Configuration order checking 2019-04-22 22:54:10 +00:00			`order: 20`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`backends:`
			`- sumologic`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`# Sumulogic mapping depends on customer configuration. Adapt to your context!`
			`# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)`
			`# supposing existing FER for service, EventChannel, EventID`
			`logsources:`
			`linux:`
			`product: linux`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: LINUX`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`linux-sshd:`
			`product: linux`
			`service: sshd`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: LINUX`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`linux-auth:`
			`product: linux`
			`service: auth`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: LINUX`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`linux-clamav:`
			`product: linux`
			`service: clamav`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: LINUX`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`windows:`
			`product: windows`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WINDOWS`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`windows-sysmon:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`EventChannel: Microsoft-Windows-Sysmon`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WINDOWS`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`windows-security:`
			`product: windows`
			`service: security`
			`conditions:`
			`EventChannel: Security`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WINDOWS`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`windows-powershell:`
			`product: windows`
			`service: powershell`
			`conditions:`
			`EventChannel: Microsoft-Windows-Powershell`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WINDOWS`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`windows-system:`
			`product: windows`
			`service: system`
			`conditions:`
			`EventChannel: System`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WINDOWS`
DHCP log source in sigmac configs 2019-02-05 13:35:16 +00:00			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
			`conditions:`
			`EventChannel: Microsoft-Windows-DHCP-Server`
			`index: WINDOWS`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`apache:`
			`product: apache`
			`service: apache`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: WEBSERVER`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`firewall:`
			`product: firewall`
Fixed config and added index field * Added index field _index to backend implementation * Fixed index values in config 2018-12-10 21:37:39 +00:00			`index: FIREWALL`
Adding Sumologic backend 2018-12-09 22:55:51 +00:00			`# if no index, search in all indexes`