title: NetWitness order: 20 backends: - netwitness-epl logsources: linux: product: linux conditions: device.class: rhlinux linux-sshd: product: linux service: sshd conditions: device.class: rhlinux client: sshd linux-auth: product: linux service: auth conditions: device.class: rhlinux linux-clamav: product: linux service: clamav conditions: device.class: rhlinux windows-sys: product: windows service: sysmon conditions: device.type: winevent_nic event.source: microsoft-windows-security-auditing windows-power: product: windows service: powershell conditions: device.type: winevent_nic windows-dhcp: product: windows service: dhcp conditions: device.type: winevent_nic event.source: microsoft-windows-dhcp-server windows-sec: product: windows service: security conditions: device.type: winevent_nic event.source: microsoft-windows-security-auditing windows-system: product: windows service: system conditions: device.type: winevent_nic fieldmappings: dst: - ip.dst dst_ip: - ip.dst src: - ip.src src_ip: - ip.src DestinationPort: - ip.dstport EventID: - reference.id NewProcessName: - process LogonType: - logon.type AccountName: - user.dst c-uri-extension: - extension c-useragent: - user.agent r-dns: - alias.host DestinationHostname: - alias.host cs-host: - alias.host c-uri-query: - web.page c-uri: - web.page cs-method: - action cs-cookie: - web.cookie SubjectUserName: - user.dst