SigmaHQ/tools/config/netwitness.yml

title: NetWitness
order: 20
backends:
  - netwitness
logsources:
  linux:
    product: linux
    conditions:
      device.class: rhlinux
  linux-sshd:
    product: linux
    service: sshd
    conditions:
      device.class: rhlinux
      client: sshd
  linux-auth:
    product: linux
    service: auth
    conditions:
      device.class: rhlinux
  linux-clamav:
    product: linux
    service: clamav
    conditions:
      device.class: rhlinux
  windows-sys:
    product: windows
    service: sysmon
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-power:
    product: windows
    service: powershell
    conditions:
      device.type: winevent_nic
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-dhcp-server
  windows-sec:
    product: windows
    service: security
    conditions:
      device.type: winevent_nic
      event.source: microsoft-windows-security-auditing
  windows-system:
    product: windows
    service: system
    conditions:
      device.type: winevent_nic
fieldmappings:
  dst:
    - ip.dst
  dst_ip:
    - ip.dst
  src:
    - ip.src
  src_ip:
    - ip.src
  DestinationPort:
    - ip.dstport
  EventID:
    - reference.id
  NewProcessName:
    - process
  LogonType:
    - logon.type
  AccountName:
    - user.dst
  c-uri-extension:
    - extension
  c-useragent:
    - user.agent
  r-dns:
    - alias.host
  DestinationHostname:
    - alias.host
  cs-host:
    - alias.host
  c-uri-query:
    - web.page
  c-uri:
    - web.page
  cs-method:
    - action
  cs-cookie:
    - web.cookie
  SubjectUserName:
    - user.dst