SigmaHQ/tools/config/netwitness.yml

title: NetWitness
order: 20
backends:
  - netwitness
logsources:
  linux:
    product: linux
    conditions:
      device.class: rhlinux
  linux-sshd:
    product: linux
    service: sshd
    conditions:
      device.class: rhlinux
      client: sshd
  linux-auth:
    product: linux
    service: auth
    conditions:
      device.class: rhlinux
  linux-clamav:
    product: linux
    service: clamav
    conditions:
      device.class: rhlinux
  windows-sys:
    product: windows
    service: sysmon
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-power:
    product: windows
    service: powershell
    conditions:
      device.type: winevent_nic
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-dhcp-server
  windows-sec:
    product: windows
    service: security
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-system:
    product: windows
    service: system
    conditions:
      device.type: winevent_nic
fieldmappings:
  dst:
    - ip.dst
  dst_ip:
    - ip.dst
  src:
    - ip.src
  src_ip:
    - ip.src
  DestinationPort:
    - ip.dstport
  EventID:
    - reference.id
  NewProcessName:
    - process
  LogonType:
    - logon.type
  AccountName:
    - user.dst
  c-uri-extension:
    - extension
  c-useragent:
    - user.agent
  r-dns:
    - alias.host
  DestinationHostname:
    - alias.host
  cs-host:
    - alias.host
  c-uri-query:
    - web.page
  c-uri:
    - web.page
  cs-method:
    - action
  cs-cookie:
    - web.cookie
  SubjectUserName:
    - user.dst
Added title to all configurations 2019-05-16 21:33:51 +00:00			`title: NetWitness`
Configuration order checking 2019-04-22 22:54:10 +00:00			`order: 20`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`backends:`
			`- netwitness`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`logsources:`
			`linux:`
			`product: linux`
			`conditions:`
			`device.class: rhlinux`
			`linux-sshd:`
			`product: linux`
			`service: sshd`
			`conditions:`
			`device.class: rhlinux`
			`client: sshd`
			`linux-auth:`
			`product: linux`
			`service: auth`
			`conditions:`
			`device.class: rhlinux`
			`linux-clamav:`
			`product: linux`
			`service: clamav`
			`conditions:`
			`device.class: rhlinux`
			`windows-sys:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`device.type: winevent_nic`
			`event.source: microsoft-windows-security-auditing`
			`windows-power:`
			`product: windows`
			`service: powershell`
			`conditions:`
			`device.type: winevent_nic`
DHCP log source in sigmac configs 2019-02-05 13:35:16 +00:00			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`conditions:`
DHCP log source in sigmac configs 2019-02-05 13:35:16 +00:00			`device.type: winevent_nic`
			`event.source: microsoft-windows-dhcp-server`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`windows-sec:`
			`product: windows`
			`service: security`
			`conditions:`
			`device.type: winevent_nic`
			`event.source: microsoft-windows-security-auditing`
			`windows-system:`
			`product: windows`
			`service: system`
			`conditions:`
			`device.type: winevent_nic`
			`fieldmappings:`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`dst:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- ip.dst`
			`dst_ip:`
			`- ip.dst`
			`src:`
			`- ip.src`
			`src_ip:`
			`- ip.src`
			`DestinationPort:`
			`- ip.dstport`
			`EventID:`
			`- reference.id`
			`NewProcessName:`
			`- process`
			`LogonType:`
			`- logon.type`
			`AccountName:`
			`- user.dst`
			`c-uri-extension:`
			`- extension`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`c-useragent:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- user.agent`
			`r-dns:`
			`- alias.host`
			`DestinationHostname:`
			`- alias.host`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`cs-host:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- alias.host`
			`c-uri-query:`
			`- web.page`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`c-uri:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- web.page`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`cs-method:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- action`
Further proxy field name fixes (config + rules) 2019-12-06 23:23:30 +00:00			`cs-cookie:`
Added NetWitness backend and tests 2018-10-31 19:07:59 +00:00			`- web.cookie`
			`SubjectUserName:`
			`- user.dst`