
---
# Configuration for the Sigma `arcsight` and `arcsight-esm` backends: it tells
# the converter which ArcSight (CEF) filters to add per log source and which
# ArcSight field names a Sigma field name translates to. `order` is the
# configuration's precedence when several configurations are combined.
title: ArcSight
order: 20
backends:
  - arcsight
  - arcsight-esm
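# Log source definitions. An entry applies to a rule whose logsource carries
# the same product/service/category values; the entry's `conditions` are then
# added as extra filters to every query generated for that rule. A rule whose
# logsource matches no entry is still converted, just without those filters,
# so the query is broader than intended rather than rejected.
logsources:
  # Linux/Unix sources are all represented by deviceVendor Unix in ArcSight.
  linux:
    product: linux
    conditions:
      deviceVendor: Unix
  linux-sshd:
    product: linux
    service: sshd
    conditions:
      deviceVendor: Unix
  linux-vsftpd:
    product: linux
    service: vsftpd
    conditions:
      deviceVendor: Unix
  linux-auth:
    product: linux
    service: auth
    conditions:
      deviceVendor: Unix
  linux-clamav:
    product: linux
    service: clamav
    conditions:
      deviceVendor: Unix
  antivirus:
    product: antivirus
    conditions:
      categoryDeviceGroup: /IDS/Host/AntiVirus
  # Windows event channels. Only the entries that also pin deviceProduct
  # (DNS-Server, Sysmon, Microsoft Windows) narrow the search to one channel;
  # the rest match every Microsoft-vendored event.
  windows-dns:
    product: windows
    service: dns-server
    conditions:
      deviceVendor: Microsoft
      deviceProduct: DNS-Server
  windows-pc:
    product: windows
    service: powershell-classic
    conditions:
      deviceVendor: Microsoft
  windows-sys:
    product: windows
    service: sysmon
    conditions:
      deviceVendor: Microsoft
      deviceProduct: Sysmon
  windows-sec:
    product: windows
    service: security
    conditions:
      deviceVendor: Microsoft
      deviceProduct: Microsoft Windows
  windows-power:
    product: windows
    service: powershell
    conditions:
      deviceVendor: Microsoft
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      deviceVendor: Microsoft
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      deviceVendor: Microsoft
  windows-system:
    product: windows
    service: system
    conditions:
      deviceVendor: Microsoft
  windows-wmi:
    product: windows
    service: wmi
    conditions:
      deviceVendor: Microsoft
  # A second entry named `windows-driver` used to repeat this definition
  # verbatim (same product, service and conditions); it was dropped because
  # matching both only duplicated the same filter in the generated query.
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      deviceVendor: Microsoft
  windows-defender:
    product: windows_defender
    conditions:
      deviceVendor: Microsoft
  windows-app:
    product: windows
    service: application
    conditions:
      deviceVendor: Microsoft
  # Proxy and application sources are identified by ArcSight device group.
  proxy:
    category: proxy
    conditions:
      categoryDeviceGroup: /Proxy
  python:
    product: python
    conditions:
      deviceProduct: Python
      categoryDeviceGroup: /Application
  ruby_on_rails:
    product: ruby_on_rails
    conditions:
      deviceProduct: Ruby on Rails
      categoryDeviceGroup: /Application
  spring:
    product: spring
    conditions:
      deviceProduct: Spring
      categoryDeviceGroup: /Application
  apache:
    product: apache
    conditions:
      deviceProduct: Apache
      categoryDeviceGroup: /Application
  # NOTE(review): this entry keys on `product: firewall`, whereas the proxy
  # entry above keys on `category`. A rule whose logsource says
  # `category: firewall` would not receive the /Firewall device-group filter —
  # confirm which form the rule sets used with this config rely on.
  firewall:
    product: firewall
    conditions:
      categoryDeviceGroup: /Firewall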
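# Sigma field name -> ArcSight field name(s). A plain scalar is a one-to-one
# rename; a list means the rule's condition on that field is expanded over
# every listed ArcSight field. Keys are case-sensitive, so the variant
# spellings (EventID/eventid, Hashes/hashes, DestinationIp/DestinationIP)
# are deliberate separate entries.
fieldmappings:
  # Event identifier spellings used across rule sets all map to externalId.
  EventID: externalId
  Event-ID: externalId
  Event_ID: externalId
  eventId: externalId
  event_id: externalId
  event-id: externalId
  eventid: externalId
  # Network endpoints.
  dst:
    - destinationAddress
  dst_ip:
    - destinationAddress
  dst-ip:
    - destinationAddress
  src:
    - sourceAddress
  src_ip:
    - sourceAddress
  src-ip:
    - sourceAddress
  # Process and image fields (Sysmon-style names).
  TargetImage:
    - destinationProcessName
    - filePath
  # destinationProcessName was listed twice here; the repeat only produced a
  # redundant OR term in the generated query, so it was removed.
  ImageLoaded:
    - destinationProcessName
    - deviceCustomString1
    - filePath
  Image:
    - deviceProcessName
    - destinationProcessName
    - sourceProcessName
  ParentImage:
    - sourceProcessName
  LogonProcessName:
    - destinationProcessName
    - sourceProcessName
  TargetProcessId:
    - destinationProcessId
  User:
    - sourceUserName
  TargetUserName:
    - destinationUserName
  LogonId:
    - sourceUserId
  SourceIp:
    - sourceAddress
  SourceNetworkAddress:
    - sourceAddress
  SourcePort:
    - sourcePort
  SourceHostname:
    - sourceHostName
  ParentProcessId:
    - sourceProcessId
  SourceProcessId:
    - sourceProcessId
  ProcessId:
    - deviceProcessId
    - destinationProcessId
  DestinationPort:
    - destinationPort
  DestinationIp:
    - destinationAddress
  DestinationHostname:
    - destinationHostName
  DestinationIsIpv6:
    - destinationIsIpv6
  SourcePortName:
    - sourcePortName
  DestinationPortName:
    - destinationPortName
  SourceIsIpv6:
    - sourceIsIpv6
  FileVersion:
    - fileId
  Protocol:
    - transportProtocol
  TargetFilename:
    - filePath
  TargetFileName:
    - filePath
  # All hash spellings land in fileHash; Imphash is handled separately below.
  Hashes:
    - fileHash
  Hash:
    - fileHash
  file_hash:
    - fileHash
  State:
    - deviceAction
  EventType:
    - deviceAction
  RuleName:
    - deviceFacility
    - reason
  SourceImage:
    - sourceProcessName
  TerminalSessionId:
    - deviceCustomNumber2
  SequenceNumber:
    - deviceCustomNumber3
  Initiated:
    - deviceCustomString4
  IntegrityLevel:
    - deviceCustomString1
    - deviceCustomString5
  ProcessGuid:
    - fileId
    - deviceCustomString6
  SourceProcessGUID:
    - flexString1
  TargetProcessGUID:
    - fileId
    - flexString2
  ParentProcessGuid:
    - oldFileId
    - deviceCustomString4
  Product:
    - destinationServiceName
  OriginalFileName:
    - oldFilePath
  Version:
    - deviceCustomString1
  SchemaVersion:
    - deviceCustomString2
  Signed:
    - fileType
    - deviceCustomString1
  Signature:
    - deviceCustomString2
  SignatureStatus:
    - filePermission
    - deviceCustomString3
  NewThreadId:
    - deviceCustomString1
  StartAddress:
    - deviceCustomString2
  StartModule:
    - deviceCustomString3
  StartFunction:
    - deviceCustomString4
  Device:
    - deviceCustomString5
    - deviceCustomString1
  GrantedAccess:
    - deviceCustomString1
    - deviceCustomString2
  CallTrace:
    - oldFilePath
    - deviceCustomString3
  TargetObject:
    - filePath
  Details:
    - deviceCustomString4
    - deviceCustomString1
  NewName:
    - filePath
  Configuration:
    - filePath
  PipeName:
    - deviceCustomString6
    - fileName
  Name:
    - deviceCustomString1
  Operation:
    - deviceCustomString2
  EventNamespace:
    - deviceCustomString3
  Query:
    - deviceCustomString4
  Type:
    - deviceCustomString3
  Destination:
    - fileName
  Consumer:
    - deviceCustomString1
  Filter:
    - deviceCustomString3
  QueryName:
    - destinationHostName
    - requestUrl
  QueryResults:
    - deviceCustomString4
    - deviceCustomString1
  ID:
    - deviceCustomString1
  Description:
    - message
  CommandLine:
    - destinationServiceName
    - deviceCustomString1
  ParentCommandLine:
    - deviceCustomString2
    - sourceServiceName
  CurrentDirectory:
    - oldFilePath
  LogonGuid:
    - deviceCustomString6
  # Web / proxy fields.
  UserAgent:
    - requestClientApplication
  URL:
    - requestUrl
    - requestUrlQuery
  FileName:
    - fileName
    - filePath
  cs-uri-extension:
    - fileType
  c-uri-extension:
    - fileType
  s-dns:
    - destinationDnsDomain
    - destinationHost
  r-dns:
    - destinationDnsDomain
    - destinationHost
  event.name:
    - name
  http.request.body.content:
    - requestUrl
  url.query:
    - requestUrl
  cs-uri-path:
    - filePath
  keywords:
    - deviceCustomString1
  ScriptBlockText:
    - deviceCustomString1
  # NOTE(review): every field from here down is mapped to the single catch-all
  # deviceCustomString1. That is only correct if the connector actually stores
  # the given attribute in that field; otherwise a rule on, say, LogonType or
  # SubjectUserName is converted to a query that never matches, or matches an
  # unrelated attribute, without any error at conversion time. Verify each
  # mapping against the connector's CEF output before relying on those rules.
  AccessMask: deviceCustomString1
  AccountName: deviceCustomString1
  AllowedToDelegateTo: deviceCustomString1
  AttributeLDAPDisplayName: deviceCustomString1
  AuditPolicyChanges: deviceCustomString1
  AuthenticationPackageName: deviceCustomString1
  CallingProcessName: deviceCustomString1
  Command: deviceCustomString1
  Command_Line: deviceCustomString1
  ComputerName: deviceCustomString1
  destination.domain: deviceCustomString1
  DestinationIP: deviceCustomString1
  EngineVersion: deviceCustomString1
  Event: deviceCustomString1
  event.category: deviceCustomString1
  event.raw: deviceCustomString1
  event_data.AccessMask: deviceCustomString1
  event_data.AccountName: deviceCustomString1
  event_data.AllowedToDelegateTo: deviceCustomString1
  event_data.AttributeLDAPDisplayName: deviceCustomString1
  event_data.AuditPolicyChanges: deviceCustomString1
  event_data.AuthenticationPackageName: deviceCustomString1
  event_data.CallingProcessName: deviceCustomString1
  event_data.CallTrace: deviceCustomString1
  event_data.CommandLine: deviceCustomString1
  event_data.ComputerName: deviceCustomString1
  event_data.CurrentDirectory: deviceCustomString1
  event_data.Description: deviceCustomString1
  event_data.DestinationHostname: deviceCustomString1
  event_data.DestinationIp: deviceCustomString1
  event_data.DestinationIsIpv6: deviceCustomString1
  event_data.DestinationPort: deviceCustomString1
  event_data.Details: deviceCustomString1
  event_data.EngineVersion: deviceCustomString1
  event_data.EventType: deviceCustomString1
  event_data.FailureCode: deviceCustomString1
  event_data.FileName: deviceCustomString1
  event_data.GrantedAccess: deviceCustomString1
  event_data.GroupName: deviceCustomString1
  event_data.GroupSid: deviceCustomString1
  event_data.Hashes: deviceCustomString1
  event_data.HiveName: deviceCustomString1
  event_data.HostVersion: deviceCustomString1
  event_data.Image: deviceCustomString1
  event_data.ImageLoaded: deviceCustomString1
  event_data.ImagePath: deviceCustomString1
  event_data.Imphash: deviceCustomString1
  event_data.IpAddress: deviceCustomString1
  event_data.KeyLength: deviceCustomString1
  event_data.LogonProcessName: deviceCustomString1
  event_data.LogonType: deviceCustomString1
  event_data.NewProcessName: deviceCustomString1
  event_data.ObjectClass: deviceCustomString1
  event_data.ObjectName: deviceCustomString1
  event_data.ObjectType: deviceCustomString1
  event_data.ObjectValueName: deviceCustomString1
  event_data.ParentCommandLine: deviceCustomString1
  event_data.ParentImage: deviceCustomString1
  event_data.ParentProcessName: deviceCustomString1
  event_data.Path: deviceCustomString1
  event_data.PipeName: deviceCustomString1
  event_data.ProcessCommandLine: deviceCustomString1
  event_data.ProcessName: deviceCustomString1
  event_data.Properties: deviceCustomString1
  event_data.SecurityID: deviceCustomString1
  event_data.ServiceFileName: deviceCustomString1
  event_data.ServiceName: deviceCustomString1
  event_data.ShareName: deviceCustomString1
  event_data.Signature: deviceCustomString1
  event_data.Source: deviceCustomString1
  event_data.SourceImage: deviceCustomString1
  event_data.StartModule: deviceCustomString1
  event_data.Status: deviceCustomString1
  event_data.SubjectUserName: deviceCustomString1
  event_data.SubjectUserSid: deviceCustomString1
  event_data.TargetFilename: deviceCustomString1
  event_data.TargetImage: deviceCustomString1
  event_data.TargetObject: deviceCustomString1
  event_data.TicketEncryptionType: deviceCustomString1
  event_data.TicketOptions: deviceCustomString1
  event_data.User: deviceCustomString1
  event_data.WorkstationName: deviceCustomString1
  FailureCode: deviceCustomString1
  GroupName: deviceCustomString1
  GroupSid: deviceCustomString1
  hashes: deviceCustomString1
  Header.Accept: deviceCustomString1
  HiveName: deviceCustomString1
  host.scan.vuln_name: deviceCustomString1
  HostVersion: deviceCustomString1
  ImagePath: deviceCustomString1
  Imphash: deviceCustomString1
  IpAddress: deviceCustomString1
  IpPort: deviceCustomString1
  KeyLength: deviceCustomString1
  log_name: deviceCustomString1
  LogonType: deviceCustomString1
  NewProcessName: deviceCustomString1
  ObjectClass: deviceCustomString1
  ObjectName: deviceCustomString1
  ObjectType: deviceCustomString1
  ObjectValueName: deviceCustomString1
  ParentProcessName: deviceCustomString1
  Path: deviceCustomString1
  ProcessCommandLine: deviceCustomString1
  ProcessName: deviceCustomString1
  Properties: deviceCustomString1
  resource.URL: deviceCustomString1
  SecurityEvent: deviceCustomString1
  SecurityID: deviceCustomString1
  SelectionURL: deviceCustomString1
  ServiceFileName: deviceCustomString1
  ServiceName: deviceCustomString1
  ShareName: deviceCustomString1
  Source: deviceCustomString1
  source_name: deviceCustomString1
  SourceIP: deviceCustomString1
  Status: deviceCustomString1
  SubjectDomainName: deviceCustomString1
  SubjectUserName: deviceCustomString1
  SubjectUserSid: deviceCustomString1
  SysmonEvent: deviceCustomString1
  TargetDomainName: deviceCustomString1
  TargetUserSid: deviceCustomString1
  TicketEncryptionType: deviceCustomString1
  TicketOptions: deviceCustomString1
  winlog.channel: deviceCustomString1
  WorkstationName: deviceCustomString1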