valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4ee2c2762e
SigmaHQ/tools/config/arcsight.yml

352 lines
6.7 KiB
YAML
Raw Blame History

title: ArcSight
order: 20
backends:
- arcsight
- arcsight-esm
logsources:
linux:
product: linux
conditions:
deviceVendor: Unix
linux-sshd:
product: linux
service: sshd
conditions:
deviceVendor: Unix
linux-vsftpd:
product: linux
service: vsftpd
conditions:
deviceVendor: Unix
linux-auth:
product: linux
service: auth
conditions:
deviceVendor: Unix
linux-clamav:
product: linux
service: clamav
conditions:
deviceVendor: Unix
antivirus:
product: antivirus
conditions:
categoryDeviceGroup: /IDS/Host/AntiVirus
windows-dns:
product: windows
service: dns-server
conditions:
deviceVendor: Microsoft
deviceProduct: DNS-Server
windows-pc:
product: windows
service: powershell-classic
conditions:
deviceVendor: Microsoft
windows-sys:
product: windows
service: sysmon
conditions:
deviceVendor: Microsoft
deviceProduct: Sysmon
windows-sec:
product: windows
service: security
conditions:
deviceVendor: Microsoft
deviceProduct: Microsoft Windows
windows-power:
product: windows
service: powershell
conditions:
deviceVendor: Microsoft
windows-dhcp:
product: windows
service: dhcp
conditions:
deviceVendor: Microsoft
windows-system:
product: windows
service: system
conditions:
deviceVendor: Microsoft
windows-wmi:
product: windows
service: wmi
conditions:
deviceVendor: Microsoft
windows-driver-framework:
product: windows
service: driver-framework
conditions:
deviceVendor: Microsoft
windows-defender:
product: windows_defender
conditions:
deviceVendor: Microsoft
windows-driver:
product: windows
service: driver-framework
conditions:
deviceVendor: Microsoft
windows-app:
product: windows
service: application
conditions:
deviceVendor: Microsoft
proxy:
category: proxy
conditions:
categoryDeviceGroup: /Proxy
python:
product: python
conditions:
deviceProduct: Python
categoryDeviceGroup: /Application
ruby_on_rails:
product: ruby_on_rails
conditions:
deviceProduct: Ruby on Rails
categoryDeviceGroup: /Application
spring:
product: spring
conditions:
deviceProduct: Spring
categoryDeviceGroup: /Application
apache:
product: apache
conditions:
deviceProduct: Apache
categoryDeviceGroup: /Application
firewall:
product: firewall
conditions:
categoryDeviceGroup: /Firewall
fieldmappings:
EventID: externalId
Event-ID: externalId
Event_ID: externalId
eventId: externalId
event_id: externalId
event-id: externalId
eventid: externalId
dst:
- destinationAddress
dst_ip:
- destinationAddress
dst-ip:
- destinationAddress
src:
- sourceAddress
src_ip:
- sourceAddress
src-ip:
- sourceAddress
TargetImage:
- destinationProcessName
- filePath
ImageLoaded:
- destinationProcessName
- deviceCustomString1
- filePath
- destinationProcessName
Image:
- deviceProcessName
- destinationProcessName
- sourceProcessName
ParentImage:
- sourceProcessName
LogonProcessName:
- destinationProcessName
- sourceProcessName
TargetProcessId:
- destinationProcessId
User:
- sourceUserName
TargetUserName:
- destinationUserName
LogonId:
- sourceUserId
SourceIp:
- sourceAddress
SourceNetworkAddress:
- sourceAddress
SourcePort:
- sourcePort
SourceHostname:
- sourceHostName
ParentProcessId:
- sourceProcessId
SourceProcessId:
- sourceProcessId
ProcessId:
- deviceProcessId
- destinationProcessId
DestinationPort:
- destinationPort
DestinationIp:
- destinationAddress
DestinationHostname:
- destinationHostName
DestinationIsIpv6:
- destinationIsIpv6
SourcePortName:
- sourcePortName
DestinationPortName:
- destinationPortName
SourceIsIpv6:
- sourceIsIpv6
FileVersion:
- fileId
Protocol:
- transportProtocol
TargetFilename:
- filePath
TargetFileName:
- filePath
Hashes:
- fileHash
Hash:
- fileHash
file_hash:
- fileHash
State:
- deviceAction
EventType:
- deviceAction
RuleName:
- deviceFacility
- reason
SourceImage:
- sourceProcessName
TerminalSessionId:
- deviceCustomNumber2
SequenceNumber:
- deviceCustomNumber3
Initiated:
- deviceCustomString4
IntegrityLevel:
- deviceCustomString1
- deviceCustomString5
ProcessGuid:
- fileId
- deviceCustomString6
SourceProcessGUID:
- flexString1
TargetProcessGUID:
- fileId
- flexString2
ParentProcessGuid:
- oldFileId
- deviceCustomString4
Product:
- destinationServiceName
OriginalFileName:
- oldFilePath
Version:
- deviceCustomString1
SchemaVersion:
- deviceCustomString2
Signed:
- fileType
- deviceCustomString1
Signature:
- deviceCustomString2
SignatureStatus:
- filePermission
- deviceCustomString3
NewThreadId:
- deviceCustomString1
StartAddress:
- deviceCustomString2
StartModule:
- deviceCustomString3
StartFunction:
- deviceCustomString4
Device:
- deviceCustomString5
- deviceCustomString1
GrantedAccess:
- deviceCustomString1
- deviceCustomString2
CallTrace:
- oldFilePath
- deviceCustomString3
TargetObject:
- filePath
Details:
- deviceCustomString4
- deviceCustomString1
NewName:
- filePath
Configuration:
- filePath
PipeName:
- deviceCustomString6
- fileName
Name:
- deviceCustomString1
Operation:
- deviceCustomString2
EventNamespace:
- deviceCustomString3
Query:
- deviceCustomString4
Type:
- deviceCustomString3
Destination:
- fileName
Consumer:
- deviceCustomString1
Filter:
- deviceCustomString3
QueryName:
- destinationHostName
- requestUrl
QueryResults:
- deviceCustomString4
- deviceCustomString1
ID:
- deviceCustomString1
Description:
- message
CommandLine:
- destinationServiceName
- deviceCustomString1
ParentCommandLine:
- deviceCustomString2
- sourceServiceName
CurrentDirectory:
- oldFilePath
LogonGuid:
- deviceCustomString6
UserAgent:
- requestClientApplication
URL:
- requestUrl
- requestUrlQuery
FileName:
- fileName
- filePath
cs-uri-extension:
- fileType
c-uri-extension:
- fileType
s-dns:
- destinationDnsDomain
- destinationHost
r-dns:
- destinationDnsDomain
- destinationHost
event.name:
- name
http.request.body.content:
- requestUrl
url.query:
- requestUrl
cs-uri-path:
- filePath
keywords:
- deviceCustomString1
ScriptBlockText:
- deviceCustomString1
Reference in New Issue View Git Blame Copy Permalink