title: FireEye Helix order: 20 backends: - fireeye-helix logsources: windows: product: windows index: windows windows-application: product: windows index: windows service: application conditions: channel: Application windows-security: product: windows index: windows service: security conditions: channel: Security windows-sysmon: product: windows index: windows service: sysmon conditions: channel: Microsoft-Windows-Sysmon windows-dns-server: product: windows index: windows service: dns-server conditions: channel: 'DNS Server' windows-driver-framework: product: windows index: windows service: driver-framework conditions: channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' windows-dhcp: product: windows index: windows service: dhcp conditions: channel: 'Microsoft-Windows-DHCP-Server/Operational' windows-defender: product: windows index: windows service: windefend conditions: channel: 'Microsoft-Windows-Windows Defender/Operational' windows-ntlm: product: windows index: windows service: ntlm conditions: channel: 'Microsoft-Windows-NTLM/Operational' windows-applocker: product: windows index: windows service: applocker conditions: channel: - 'Microsoft-Windows-AppLocker/MSI and Script' - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' windows-msexchange-management: product: windows index: windows service: msexchange-management conditions: channel: 'MSExchange Management' windows-printservice-admin: product: windows index: windows service: printservice-admin conditions: channel: 'Microsoft-Windows-PrintService/Admin' windows-printservice-operational: product: windows service: printservice-operational conditions: channel: 'Microsoft-Windows-PrintService/Operational' windows-smbclient-security: product: windows index: windows service: smbclient-security conditions: channel: 'Microsoft-Windows-SmbClient/Security' windows-powershell: product: windows index: windows service: powershell conditions: channel: 'Microsoft-Windows-Powershell' linux: product: linux index: posix unix: product: unix index: posix dns: category: dns index: dns firewall: category: firewall index: firewall connection: category: netflow index: connection proxy: category: proxy index: http_proxy antivirus: product: antivirus index: antivirus webserver: category: webserver index: http_server fieldmappings: AccessMask: accessmask AccountName: username cs-host: domain cs-method: method c-uri: url c-uri-extension: uri c-uri-path: uri c-uri-query: uri c-uri-stem: url c-useragent: useragent ClientAddress: ~srcipv4 ClientIPAddress: ~srcipv4 ClientIP: ~srcipv4 CommandLine: args ComputerName: username CurrentDirectory: cwd DestAddress: ~dstipv4 DestinationHostname: dsthost DestinationIp: ~dstipv4 DestinationPort: dstport destination.port: dstport dst: ~dstipv4 dst_ip: ~dstipv4 dst_port: dstport EventID: eventid EventType: eventtype file_hash: ~hash FileName: filename FileVersion: version HostVersion: version Image: process Imphash: imphash ipAddress: ~dstipv4 IpAddress: ~srcipv4 IPString: ~srcipv4 LogonType: logontype NewProcessName: process ObjectName: object ObjectType: object_type ParentImage: pprocess ParentProcessName: pprocess Path: filepath ProcessName: process ProcessCommandLine: args Product: product r-dns: domain sc-status: status ServiceFileName: filepath ShareName: filename SourceAddress: ~srcipv4 SourceHostname: srchost SourceImage: process SourceIp: ~srcipv4 SourcePort: srcport src: ~srcipv4 src_ip: ~srcipv4 src_port: srcport Status: status SubjectUserName: username TargetServer: ~dstipv4 TaskName: task TargetFilename: filepath TargetImage: filepath TargetObject: object USER: username User: accountname UserAgent: useragent UserName: username username: username Version: version Workstation: srchost WorkstationName: srchost