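# Sigma (sigmac v1) backend configuration for FireEye Helix.
#
# Two things are defined here:
#   * logsources   - maps a rule's generic logsource (product/service/category)
#                    to the Helix `index` the query should be scoped to, plus
#                    extra `conditions` (the Windows event channel) that are
#                    AND-ed into the generated query.
#   * fieldmappings - renames Sigma field names to the Helix field names.
#
# Detection-fidelity notes for reviewers are marked NOTE(review) below; the
# mapping values themselves are left as the author wrote them unless stated.
title: FireEye Helix
# Merge precedence when several configs are passed to sigmac; presumably
# lower values are applied first - confirm against the sigmac docs.
order: 20
backends:
  - fireeye-helix
logsources:
  windows:
    product: windows
    index: windows
  windows-application:
    product: windows
    index: windows
    service: application
    conditions:
      channel: Application
  windows-security:
    product: windows
    index: windows
    service: security
    conditions:
      channel: Security
  windows-sysmon:
    product: windows
    index: windows
    service: sysmon
    conditions:
      channel: Microsoft-Windows-Sysmon
  windows-dns-server:
    product: windows
    index: windows
    service: dns-server
    conditions:
      channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    index: windows
    service: driver-framework
    conditions:
      channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
  windows-dhcp:
    product: windows
    index: windows
    service: dhcp
    conditions:
      channel: 'Microsoft-Windows-DHCP-Server/Operational'
  windows-defender:
    product: windows
    index: windows
    service: windefend
    conditions:
      channel: 'Microsoft-Windows-Windows Defender/Operational'
  windows-ntlm:
    product: windows
    index: windows
    service: ntlm
    conditions:
      channel: 'Microsoft-Windows-NTLM/Operational'
  windows-applocker:
    product: windows
    index: windows
    service: applocker
    conditions:
      # A list here means any of the four AppLocker channels satisfies the
      # condition; a rule for `service: applocker` therefore covers all of them.
      channel:
        - 'Microsoft-Windows-AppLocker/MSI and Script'
        - 'Microsoft-Windows-AppLocker/EXE and DLL'
        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
  windows-msexchange-management:
    product: windows
    index: windows
    service: msexchange-management
    conditions:
      channel: 'MSExchange Management'
  windows-printservice-admin:
    product: windows
    index: windows
    service: printservice-admin
    conditions:
      channel: 'Microsoft-Windows-PrintService/Admin'
  windows-printservice-operational:
    product: windows
    # Added: this was the only windows logsource without an index, so rules
    # for printservice-operational were not scoped like their siblings.
    index: windows
    service: printservice-operational
    conditions:
      channel: 'Microsoft-Windows-PrintService/Operational'
  windows-smbclient-security:
    product: windows
    index: windows
    service: smbclient-security
    conditions:
      channel: 'Microsoft-Windows-SmbClient/Security'
  windows-powershell:
    product: windows
    index: windows
    service: powershell
    conditions:
      # NOTE(review): unlike the other provider channels above this one has no
      # '/Operational' suffix - confirm it matches how Helix records the
      # channel for PowerShell events, otherwise powershell rules match nothing.
      channel: 'Microsoft-Windows-Powershell'
  linux:
    product: linux
    index: posix
  unix:
    product: unix
    index: posix
  dns:
    category: dns
    index: dns
  firewall:
    category: firewall
    index: firewall
  connection:
    category: netflow
    index: connection
  proxy:
    category: proxy
    index: http_proxy
  antivirus:
    product: antivirus
    index: antivirus
  webserver:
    category: webserver
    index: http_server
# Sigma field name (left) -> Helix field name (right).
# NOTE(review): the leading `~` on the IP and hash targets is not YAML syntax;
# it is presumably interpreted by the fireeye-helix backend - confirm there.
fieldmappings:
  AccessMask: accessmask
  AccountName: username
  cs-host: domain
  cs-method: method
  c-uri: url
  # The path, query and extension sub-fields all collapse onto `uri`, so a rule
  # that constrains only e.g. the query string is evaluated against the whole
  # URI in Helix. Coverage is kept, but expect broader matches (more noise).
  c-uri-extension: uri
  c-uri-path: uri
  c-uri-query: uri
  c-uri-stem: url
  c-useragent: useragent
  ClientAddress: ~srcipv4
  ClientIPAddress: ~srcipv4
  ClientIP: ~srcipv4
  CommandLine: args
  # NOTE(review): a host field mapped onto `username`; other host fields in
  # this file go to `srchost`. Verify this is intended before relying on
  # ComputerName-based rules.
  ComputerName: username
  CurrentDirectory: cwd
  DestAddress: ~dstipv4
  DestinationHostname: dsthost
  DestinationIp: ~dstipv4
  DestinationPort: dstport
  destination.port: dstport
  dst: ~dstipv4
  dst_ip: ~dstipv4
  dst_port: dstport
  EventID: eventid
  EventType: eventtype
  file_hash: ~hash
  FileName: filename
  FileVersion: version
  HostVersion: version
  Image: process
  Imphash: imphash
  # NOTE(review): keys are case-sensitive - `ipAddress` is treated as a
  # destination while `IpAddress` / `IPString` are sources. Confirm that split
  # is deliberate.
  ipAddress: ~dstipv4
  IpAddress: ~srcipv4
  IPString: ~srcipv4
  LogonType: logontype
  NewProcessName: process
  ObjectName: object
  ObjectType: object_type
  ParentImage: pprocess
  ParentProcessName: pprocess
  Path: filepath
  ProcessName: process
  ProcessCommandLine: args
  Product: product
  r-dns: domain
  sc-status: status
  ServiceFileName: filepath
  ShareName: filename
  SourceAddress: ~srcipv4
  SourceHostname: srchost
  SourceImage: process
  SourceIp: ~srcipv4
  SourcePort: srcport
  src: ~srcipv4
  src_ip: ~srcipv4
  src_port: srcport
  Status: status
  SubjectUserName: username
  # NOTE(review): TargetServer is mapped to an IP field although it is often a
  # hostname in the source events - confirm against Helix parsing.
  TargetServer: ~dstipv4
  TaskName: task
  TargetFilename: filepath
  # NOTE(review): other *Image fields map to `process`/`pprocess`; TargetImage
  # goes to `filepath` instead. Confirm the intended Helix field.
  TargetImage: filepath
  TargetObject: object
  USER: username
  # `User` alone maps to `accountname` while every other user-like key maps to
  # `username`; left as written, but worth confirming.
  User: accountname
  UserAgent: useragent
  UserName: username
  username: username
  Version: version
  Workstation: srchost
  WorkstationName: srchost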