title: QRadar
backends:
 - qradar
order: 20
logsources:
 apache:
   product: apache
   index: apache
   conditions:
     LOGSOURCETYPENAME(devicetype): '*apache*'
 windows:
   product: windows
   index: windows
   conditions:
     LOGSOURCETYPENAME(devicetype): '*Microsoft Windows Security Event Log*'
 qflow:
   product: qflow
   index: flows
 netflow:
   product: netflow
   index: flows
 ipfix:
   product: ipfix
   index: flows
 flow:
   category: flow
   index: flows
fieldmappings:
 event_id: EventID
 EventID: EventID
 dst: destinationip
 dst_ip: destinationip
 src: sourceip
 src_ip: sourceip
 c-ip: sourceip
 cs-ip: sourceip
 c-uri: URL
 c-uri-extension: URL
 c-useragent: user_agent
 c-uri-query: uri_query
 cs-method: Method
 r-dns: FQDN
 ClientIP: sourceip
 ServiceFileName: ServiceFileName
 event_data.CommandLine: Process CommandLine
 CommandLine: Process CommandLine
 file_hash: File Hash
 hash: File Hash
 #Message: search_payload
 Event-ID: EventID
 Event_ID: EventID
 eventId: EventID
 event-id: EventID
 eventid: EventID
 hashes: File Hash
 url.query: URL
 resource.URL: URL
 event_data.CallingProcessName: CallingProcessName
 event_data.ComputerName: Hostname/HOSTNAME
 ComputerName: Hostname/HOSTNAME
 event_data.DestinationHostname: Hostname/HOSTNAME
 DestinationHostname: Hostname/HOSTNAME
 event_data.DestinationIp: destinationip
 event_data.DestinationPort: destinationip
 event_data.Details: Target Details
 Details: Target Details
 event_data.FileName: Filename
 event_data.Hashes: File Hash
 Hashes: File Hash
 event_data.Image: Image
 event_data.ImageLoaded: LoadedImage
 event_data.ImagePath: SourceImage
 ImagePath: Image
 event_data.Imphash: IMP Hash
 Imphash: IMP Hash
 event_data.ParentCommandLine: ParentCommandLine
 event_data.ParentImage: ParentImage
 event_data.ParentProcessName: ParentImageName
 event_data.Path: File Path
 Path: File Path
 event_data.PipeName: PipeName
 event_data.ProcessCommandLine: Process CommandLine
 ProcessCommandLine: Process CommandLine
 event_data.ServiceFileName: ServiceFileName
 event_data.ShareName: ShareName
 event_data.Signature: Signature
 event_data.SourceImage: SourceImage
 event_data.StartModule: StartModule
 event_data.SubjectUserName: username
 event_data.SubjectUserSid: SubjectUserSid
 event_data.TargetFilename: Filename
 TargetFilename: Filename
 event_data.TargetImage: TargetImage
 TargetImage: TargetImage
 event_data.TicketOptions: TicketOptions
 event_data.User: username
 User: username
 user: username