SigmaHQ/tools/config/qradar.yml

title: QRadar
backends:
 - qradar
order: 20
logsources:
 apache:
   product: apache
   index: apache
   conditions:
     LOGSOURCETYPENAME(devicetype): '*apache*'
 windows:
   product: windows
   index: windows
   conditions:
     LOGSOURCETYPENAME(devicetype): '*Microsoft Windows Security Event Log*'
 qflow:
   product: qflow
   index: flows
 netflow:
   product: netflow
   index: flows
 ipfix:
   product: ipfix
   index: flows
 flow:
   category: flow
   index: flows
fieldmappings:
 event_id: EventID
 EventID: EventID
 dst: destinationip
 dst_ip: destinationip
 src: sourceip
 src_ip: sourceip
 c-ip: sourceip
 cs-ip: sourceip
 c-uri: URL
 c-uri-extension: URL
 c-useragent: user_agent
 c-uri-query: uri_query
 cs-method: Method
 r-dns: FQDN
 ClientIP: sourceip
 ServiceFileName: ServiceFileName
 event_data.CommandLine: Process CommandLine
 CommandLine: Process CommandLine
 file_hash: File Hash
 hash: File Hash
 #Message: search_payload
 Event-ID: EventID
 Event_ID: EventID
 eventId: EventID
 event-id: EventID
 eventid: EventID
 hashes: File Hash
 url.query: URL
 resource.URL: URL
 event_data.CallingProcessName: CallingProcessName
 event_data.ComputerName: Hostname/HOSTNAME
 ComputerName: Hostname/HOSTNAME
 event_data.DestinationHostname: Hostname/HOSTNAME
 DestinationHostname: Hostname/HOSTNAME
 event_data.DestinationIp: destinationip
 event_data.DestinationPort: destinationip
 event_data.Details: Target Details
 Details: Target Details
 event_data.FileName: Filename
 event_data.Hashes: File Hash
 Hashes: File Hash
 event_data.Image: Image
 event_data.ImageLoaded: LoadedImage
 event_data.ImagePath: SourceImage
 ImagePath: Image
 event_data.Imphash: IMP Hash
 Imphash: IMP Hash
 event_data.ParentCommandLine: ParentCommandLine
 event_data.ParentImage: ParentImage
 event_data.ParentProcessName: ParentImageName
 event_data.Path: File Path
 Path: File Path
 event_data.PipeName: PipeName
 event_data.ProcessCommandLine: Process CommandLine
 ProcessCommandLine: Process CommandLine
 event_data.ServiceFileName: ServiceFileName
 event_data.ShareName: ShareName
 event_data.Signature: Signature
 event_data.SourceImage: SourceImage
 event_data.StartModule: StartModule
 event_data.SubjectUserName: username
 event_data.SubjectUserSid: SubjectUserSid
 event_data.TargetFilename: Filename
 TargetFilename: Filename
 event_data.TargetImage: TargetImage
 TargetImage: TargetImage
 event_data.TicketOptions: TicketOptions
 event_data.User: username
 User: username
 user: username
Added title to all configurations 2019-05-16 21:33:51 +00:00			`title: QRadar`
Check for valid configuration/backend combinations 2019-05-19 23:00:33 +00:00			`backends:`
Updated config 2020-05-20 09:35:00 +00:00			`- qradar`
Configuration order checking 2019-04-22 22:54:10 +00:00			`order: 20`
Added Qradar backend 2018-07-17 12:25:06 +00:00			`logsources:`
Updated config 2020-05-20 09:35:00 +00:00			`apache:`
			`product: apache`
			`index: apache`
			`conditions:`
			`LOGSOURCETYPENAME(devicetype): 'apache'`
			`windows:`
			`product: windows`
			`index: windows`
			`conditions:`
			`LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log'`
			`qflow:`
			`product: qflow`
			`index: flows`
			`netflow:`
			`product: netflow`
			`index: flows`
			`ipfix:`
			`product: ipfix`
			`index: flows`
			`flow:`
			`category: flow`
			`index: flows`
Added Qradar backend 2018-07-17 12:25:06 +00:00			`fieldmappings:`
Updated config 2020-05-20 09:35:00 +00:00			`event_id: EventID`
			`EventID: EventID`
			`dst: destinationip`
			`dst_ip: destinationip`
			`src: sourceip`
			`src_ip: sourceip`
			`c-ip: sourceip`
			`cs-ip: sourceip`
			`c-uri: URL`
			`c-uri-extension: URL`
			`c-useragent: user_agent`
			`c-uri-query: uri_query`
			`cs-method: Method`
			`r-dns: FQDN`
			`ClientIP: sourceip`
			`ServiceFileName: ServiceFileName`
			`event_data.CommandLine: Process CommandLine`
			`CommandLine: Process CommandLine`
			`file_hash: File Hash`
			`hash: File Hash`
			`#Message: search_payload`
			`Event-ID: EventID`
			`Event_ID: EventID`
			`eventId: EventID`
			`event-id: EventID`
			`eventid: EventID`
			`hashes: File Hash`
			`url.query: URL`
			`resource.URL: URL`
			`event_data.CallingProcessName: CallingProcessName`
			`event_data.ComputerName: Hostname/HOSTNAME`
			`ComputerName: Hostname/HOSTNAME`
			`event_data.DestinationHostname: Hostname/HOSTNAME`
			`DestinationHostname: Hostname/HOSTNAME`
			`event_data.DestinationIp: destinationip`
			`event_data.DestinationPort: destinationip`
			`event_data.Details: Target Details`
			`Details: Target Details`
			`event_data.FileName: Filename`
			`event_data.Hashes: File Hash`
			`Hashes: File Hash`
			`event_data.Image: Image`
			`event_data.ImageLoaded: LoadedImage`
			`event_data.ImagePath: SourceImage`
			`ImagePath: Image`
			`event_data.Imphash: IMP Hash`
			`Imphash: IMP Hash`
			`event_data.ParentCommandLine: ParentCommandLine`
			`event_data.ParentImage: ParentImage`
			`event_data.ParentProcessName: ParentImageName`
			`event_data.Path: File Path`
			`Path: File Path`
			`event_data.PipeName: PipeName`
			`event_data.ProcessCommandLine: Process CommandLine`
			`ProcessCommandLine: Process CommandLine`
			`event_data.ServiceFileName: ServiceFileName`
			`event_data.ShareName: ShareName`
			`event_data.Signature: Signature`
			`event_data.SourceImage: SourceImage`
			`event_data.StartModule: StartModule`
			`event_data.SubjectUserName: username`
			`event_data.SubjectUserSid: SubjectUserSid`
			`event_data.TargetFilename: Filename`
			`TargetFilename: Filename`
			`event_data.TargetImage: TargetImage`
			`TargetImage: TargetImage`
			`event_data.TicketOptions: TicketOptions`
			`event_data.User: username`
			`User: username`
			`user: username`