valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
26f73d60fa
SigmaHQ/tools/config/netwitness.yml
tuckner 26f73d60fa Added NetWitness backend and tests
2018-10-31 14:07:59 -05:00

83 lines
1.5 KiB
YAML
Raw Blame History

logsources:
linux:
product: linux
conditions:
device.class: rhlinux
linux-sshd:
product: linux
service: sshd
conditions:
device.class: rhlinux
client: sshd
linux-auth:
product: linux
service: auth
conditions:
device.class: rhlinux
linux-clamav:
product: linux
service: clamav
conditions:
device.class: rhlinux
windows-sys:
product: windows
service: sysmon
conditions:
device.type: winevent_nic
event.source: microsoft-windows-security-auditing
windows-power:
product: windows
service: powershell
conditions:
device.type: winevent_nic
windows-sec:
product: windows
service: security
conditions:
device.type: winevent_nic
event.source: microsoft-windows-security-auditing
windows-system:
product: windows
service: system
conditions:
device.type: winevent_nic
fieldmappings:
dst:
- ip.dst
dst_ip:
- ip.dst
src:
- ip.src
src_ip:
- ip.src
DestinationPort:
- ip.dstport
EventID:
- reference.id
NewProcessName:
- process
LogonType:
- logon.type
AccountName:
- user.dst
c-uri-extension:
- extension
UserAgent:
- user.agent
r-dns:
- alias.host
DestinationHostname:
- alias.host
Host:
- alias.host
c-uri-query:
- web.page
URL:
- web.page
HttpMethod:
- action
Cookie:
- web.cookie
SubjectUserName:
- user.dst
Reference in New Issue View Git Blame Copy Permalink