title: THOR order: 20 backends: - thor # this configuration differs from other configurations and can not be used # with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK. logsources: # log source configurations for generic sigma rules process_creation_1: category: process_creation product: windows conditions: EventID: 1 rewrite: product: windows service: sysmon process_creation_2: category: process_creation product: windows conditions: EventID: 4688 rewrite: product: windows service: security fieldmappings: Image: NewProcessName ParentImage: ParentProcessName # target system configurations windows-application: product: windows service: application sources: - 'WinEventLog:Application' windows-security: product: windows service: security sources: - 'WinEventLog:Security' windows-system: product: windows service: system sources: - 'WinEventLog:System' windows-sysmon: product: windows service: sysmon sources: - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell sources: - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' windows-taskscheduler: product: windows service: taskscheduler sources: - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' windows-wmi: product: windows service: wmi sources: - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dhcp: product: windows service: dhcp sources: - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' windows-ntlm: product: windows service: ntlm sources: - 'Microsoft-Windows-NTLM/Operational' apache: category: webserver sources: - 'File:/var/log/apache/*.log' - 'File:/var/log/apache2/*.log' - 'File:/var/log/httpd/*.log' linux-auth: product: linux service: auth sources: - 'File:/var/log/auth.log' - 'File:/var/log/auth.log.?' linux-syslog: product: linux service: syslog sources: - 'File:/var/log/syslog' - 'File:/var/log/syslog.?' logfiles: category: logfile sources: - 'File:*.log'