SigmaHQ/tools/config/netwitness-epl.yml

title: NetWitness
order: 20
backends:
  - netwitness-epl
logsources:
  linux:
    product: linux
    conditions:
      device.class: rhlinux
  linux-sshd:
    product: linux
    service: sshd
    conditions:
      device.class: rhlinux
      client: sshd
  linux-auth:
    product: linux
    service: auth
    conditions:
      device.class: rhlinux
  linux-clamav:
    product: linux
    service: clamav
    conditions:
      device.class: rhlinux
  windows-sys:
    product: windows
    service: sysmon
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-power:
    product: windows
    service: powershell
    conditions:
      device.type: winevent_nic
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-dhcp-server
  windows-sec:
    product: windows
    service: security
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-system:
    product: windows
    service: system
    conditions:
      device.type: winevent_nic
fieldmappings:
  dst:
    - ip.dst
  dst_ip:
    - ip.dst
  src:
    - ip.src
  src_ip:
    - ip.src
  DestinationPort:
    - ip.dstport
  EventID:
    - reference.id
  NewProcessName:
    - process
  LogonType:
    - logon.type
  AccountName:
    - user.dst
  c-uri-extension:
    - extension
  c-useragent:
    - user.agent
  r-dns:
    - alias.host
  DestinationHostname:
    - alias.host
  cs-host:
    - alias.host
  c-uri-query:
    - web.page
  c-uri:
    - web.page
  cs-method:
    - action
  cs-cookie:
    - web.cookie
  SubjectUserName:
    - user.dst
initial commit for Netwitness-EPL backend 2020-09-10 15:12:12 +00:00			`title: NetWitness`
			`order: 20`
			`backends:`
			`- netwitness-epl`
			`logsources:`
			`linux:`
			`product: linux`
			`conditions:`
			`device.class: rhlinux`
			`linux-sshd:`
			`product: linux`
			`service: sshd`
			`conditions:`
			`device.class: rhlinux`
			`client: sshd`
			`linux-auth:`
			`product: linux`
			`service: auth`
			`conditions:`
			`device.class: rhlinux`
			`linux-clamav:`
			`product: linux`
			`service: clamav`
			`conditions:`
			`device.class: rhlinux`
			`windows-sys:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`device.type: winevent_nic`
			`event.source: microsoft-windows-security-auditing`
			`windows-power:`
			`product: windows`
			`service: powershell`
			`conditions:`
			`device.type: winevent_nic`
			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
			`conditions:`
			`device.type: winevent_nic`
			`event.source: microsoft-windows-dhcp-server`
			`windows-sec:`
			`product: windows`
			`service: security`
			`conditions:`
			`device.type: winevent_nic`
			`event.source: microsoft-windows-security-auditing`
			`windows-system:`
			`product: windows`
			`service: system`
			`conditions:`
			`device.type: winevent_nic`
			`fieldmappings:`
			`dst:`
			`- ip.dst`
			`dst_ip:`
			`- ip.dst`
			`src:`
			`- ip.src`
			`src_ip:`
			`- ip.src`
			`DestinationPort:`
			`- ip.dstport`
			`EventID:`
			`- reference.id`
			`NewProcessName:`
			`- process`
			`LogonType:`
			`- logon.type`
			`AccountName:`
			`- user.dst`
			`c-uri-extension:`
			`- extension`
			`c-useragent:`
			`- user.agent`
			`r-dns:`
			`- alias.host`
			`DestinationHostname:`
			`- alias.host`
			`cs-host:`
			`- alias.host`
			`c-uri-query:`
			`- web.page`
			`c-uri:`
			`- web.page`
			`cs-method:`
			`- action`
			`cs-cookie:`
			`- web.cookie`
			`SubjectUserName:`
			`- user.dst`