mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
69 lines
1.4 KiB
YAML
69 lines
1.4 KiB
YAML
|
# Sumulogic mapping depends on customer configuration. Adapt to your context!
|
||
|
|
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
|
||
|
|
# supposing existing FER for service, EventChannel, EventID
|
||
|
|
logsources:
|
||
|
|
linux:
|
||
|
|
product: linux
|
||
|
|
index:
|
||
|
|
- _index=LINUX
|
||
|
|
linux-sshd:
|
||
|
|
product: linux
|
||
|
|
service: sshd
|
||
|
|
index:
|
||
|
|
- _index=LINUX
|
||
|
|
linux-auth:
|
||
|
|
product: linux
|
||
|
|
service: auth
|
||
|
|
index:
|
||
|
|
- _index=LINUX
|
||
|
|
linux-clamav:
|
||
|
|
product: linux
|
||
|
|
service: clamav
|
||
|
|
index:
|
||
|
|
- _index=LINUX
|
||
|
|
windows:
|
||
|
|
product: windows
|
||
|
|
index:
|
||
|
|
- _index=WINDOWS
|
||
|
|
windows-sysmon:
|
||
|
|
product: windows
|
||
|
|
service: sysmon
|
||
|
|
conditions:
|
||
|
|
EventChannel: Microsoft-Windows-Sysmon
|
||
|
|
index:
|
||
|
|
- _index=WINDOWS
|
||
|
|
windows-security:
|
||
|
|
product: windows
|
||
|
|
service: security
|
||
|
|
conditions:
|
||
|
|
EventChannel: Security
|
||
|
|
index:
|
||
|
|
- _index=WINDOWS
|
||
|
|
windows-powershell:
|
||
|
|
product: windows
|
||
|
|
service: powershell
|
||
|
|
conditions:
|
||
|
|
EventChannel: Microsoft-Windows-Powershell
|
||
|
|
index:
|
||
|
|
- _index=WINDOWS
|
||
|
|
windows-system:
|
||
|
|
product: windows
|
||
|
|
service: system
|
||
|
|
conditions:
|
||
|
|
EventChannel: System
|
||
|
|
index:
|
||
|
|
- _index=WINDOWS
|
||
|
|
apache:
|
||
|
|
product: apache
|
||
|
|
service: apache
|
||
|
|
index:
|
||
|
|
- _index=WEBSERVER
|
||
|
|
firewall:
|
||
|
|
product: firewall
|
||
|
|
index:
|
||
|
|
- _index=FIREWALL
|
||
|
|
# if no index, search in all indexes
|
||
|
|
defaultindex:
|
||
|
|
# all mappings depends either on FER or on query parsing
|
||
|
|
fieldmappings:
|