mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
55 lines
925 B
YAML
55 lines
925 B
YAML
title: QRadar
|
|
backends:
|
|
- qradar
|
|
order: 20
|
|
logsources:
|
|
apache:
|
|
product: apache
|
|
conditions:
|
|
LOGSOURCETYPENAME(devicetype): ilike '%apache%'
|
|
|
|
windows:
|
|
product: windows
|
|
conditions:
|
|
LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log'
|
|
|
|
qflow:
|
|
product: qflow
|
|
index: flows
|
|
|
|
netflow:
|
|
product: netflow
|
|
index: flows
|
|
|
|
ipfix:
|
|
product: ipfix
|
|
index: flows
|
|
|
|
flow:
|
|
category: flow
|
|
index: flows
|
|
|
|
fieldmappings:
|
|
EventID:
|
|
- Event ID Code
|
|
dst:
|
|
- destinationIP
|
|
dst_ip:
|
|
- destinationIP
|
|
src:
|
|
- sourceIP
|
|
src_ip:
|
|
- sourceIP
|
|
c-ip: sourceIP
|
|
cs-ip: sourceIP
|
|
cs-uri: url
|
|
c-uri: sourceIP
|
|
c-uri-extension: file_extension
|
|
UserAgent: user_agent
|
|
c-uri-query: uri_query
|
|
HttpMethod: Method
|
|
URL: URL
|
|
r-dns: FQDN
|
|
ClientIP: sourceIP
|
|
ServiceFileName: Service Name
|