
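---
# sigmac backend configuration for the Azure Sentinel / Log Analytics backends
# (`ala`, `ala-rule`). `fieldmappings` rewrites Sigma rule field names (left)
# to the field names used in the generated query (right). A nested mapping
# chooses the target field by the rule's logsource (`service=...`,
# `category=...`) and falls back to `default`.
#
# A key that is misspelt or carries stray characters never matches a rule
# field: the rule is then emitted with its original field name and the
# resulting query silently matches nothing. That is a detection gap, not a
# visible error, so entries here should be kept exact.
title: Azure Sentinel
order: 20
backends:
  - ala
  - ala-rule
fieldmappings:
  ComputerName: Computer
  # Accept the spellings of the event-id field found across rules.
  Event-ID: EventID
  Event_ID: EventID
  eventId: EventID
  event_id: EventID
  event-id: EventID
  eventid: EventID
  hashes: Hashes
  file_hash: Hashes
  url.query: URL
  resource.URL: URL
  src_ip: SourceIp
  source.ip: SourceIp
  FileName: TargetFilename
  # NOTE(review): `DestinationIP` here vs `DestinationIp` for
  # event_data.DestinationIp below -- KQL identifiers are case-sensitive;
  # confirm which spelling the target table actually uses.
  dst_ip: DestinationIP
  destination.ip: DestinationIP
  event_data.AccessMask: AccessMask
  event_data.AllowedToDelegateTo: AllowedToDelegateTo
  event_data.AttributeLDAPDisplayName: AttributeLDAPDisplayName
  event_data.AuditPolicyChanges: AuditPolicyChanges
  event_data.AuthenticationPackageName: AuthenticationPackageName
  event_data.CallingProcessName: CallingProcessName
  # Fixed: the key previously read `event_data.CallTrace"` (stray quote) and
  # so could never match the rule field.
  event_data.CallTrace: CallTrace
  event_data.CommandLine: CommandLine
  Commandline: CommandLine
  cmd: CommandLine
  event_data.ComputerName: ComputerName
  event_data.CurrentDirectory: CurrentDirectory
  event_data.Description: Description
  event_data.DestinationHostname: DestinationHostname
  event_data.DestinationIp: DestinationIp
  event_data.DestinationPort: DestinationPort
  event_data.Details: Details
  event_data.EngineVersion: EngineVersion
  event_data.EventType: EventType
  event_data.FailureCode: FailureCode
  event_data.FileName: FileName
  event_data.GrantedAccess: GrantedAccess
  event_data.GroupName: GroupName
  event_data.GroupSid: GroupSid
  event_data.Hashes: Hashes
  event_data.HiveName: HiveName
  event_data.HostVersion: HostVersion
  # Process image: Security log (4688) exposes it as NewProcessName, other
  # security events as Process; everything else keeps the Sysmon-style Image.
  Image:
    service=security: Process
    category=process_creation: NewProcessName
    default: Image
  event_data.Image:
    service=security: Process
    category=process_creation: NewProcessName
    default: Image
  # Fixed: the key previously read `event_data.ImageLoaded"` (stray quote).
  event_data.ImageLoaded: ImageLoaded
  event_data.ImagePath: ImagePath
  event_data.Imphash: Imphash
  event_data.IpAddress: IpAddress
  event_data.KeyLength: KeyLength
  event_data.LogonProcessName: LogonProcessName
  event_data.LogonType: LogonType
  event_data.NewProcessName: NewProcessName
  event_data.ObjectClass: ObjectClass
  event_data.ObjectName: ObjectName
  event_data.ObjectType: ObjectType
  event_data.ObjectValueName: ObjectValueName
  event_data.ParentCommandLine: ParentCommandLine
  event_data.ParentImage:
    category=process_creation: ParentProcessName
    default: ParentImage
  ParentImage:
    category=process_creation: ParentProcessName
    default: ParentImage
  event_data.ParentProcessName: ParentProcessName
  event_data.Path: Path
  event_data.PipeName: PipeName
  # Fixed: the value previously read `CommanProcessCommandLinedLine` (a paste
  # of ProcessCommandLine into CommandLine). Restored to the identity mapping
  # used by the other event_data.* entries -- NOTE(review): confirm against
  # the column name in the target table before relying on it.
  event_data.ProcessCommandLine: ProcessCommandLine
  event_data.ProcessName: ProcessName
  event_data.Properties: Properties
  event_data.SecurityID: SecurityID
  event_data.ServiceFileName: ServiceFileName
  event_data.ServiceName: ServiceName
  event_data.ShareName: ShareName
  event_data.Signature: Signature
  event_data.Source: Source
  event_data.SourceImage: SourceImage
  event_data.StartModule: StartModule
  event_data.Status: Status
  event_data.SubjectUserName: SubjectUserName
  event_data.SubjectUserSid: SubjectUserSid
  event_data.TargetFilename: TargetFilename
  event_data.TargetImage: TargetImage
  event_data.TargetObject: TargetObject
  event_data.TicketEncryptionType: TicketEncryptionType
  event_data.TicketOptions: TicketOptions
  event_data.User: User
  event_data.WorkstationName: WorkstationName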