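---
# Sigma backend configuration for the STIX backend.
#
# `fieldmappings` maps a Sigma rule field name (key) to one or more STIX
# object paths (values). Several paths under one key mean the field is
# matched against each of them (e.g. an IP field against the v4, v6 and
# network-traffic reference forms).
#
# Path conventions used in this file:
#   * `<object>:<property>`          plain property on a STIX object
#   * `<object>:<x>_ref.<property>`  follow a reference and match a property
#                                    of the referenced object
#   * `<object>:<list>[*]`           match any element of a list property
#   * `x-<name>:...`                 custom (non-standard) STIX object types;
#                                    consumers of the generated patterns must
#                                    define these, otherwise such fields will
#                                    not match anything
#
# Keys are case-sensitive: `User` and `user` are distinct mappings.
# Values are plain scalars; a path containing `: ` or ` #` must be quoted.
title: Basic STIX
backends:
- stix
# Precedence value read by the config loader; exact semantics are defined
# by the consuming tool.
order: 20
fieldmappings:
action:
- x-event:action
User:
- user-account:user_id
c-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
cs-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
destinationip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
destinationmac:
- mac-addr:value
- network-traffic:dst_ref.value
destinationport:
- network-traffic:dst_port
dst_port:
- network-traffic:dst_port
domainname:
- domain-name:value
dst:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
dst_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
endtime:
- network-traffic:end
event_data.DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
event_data.DestinationPort:
- network-traffic:dst_port
DestinationPort:
- network-traffic:dst_port
destination.port:
- network-traffic:dst_port
event_data.SubjectUserName:
- user-account:user_id
event_data.User:
- user-account:user_id
filehash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
filename:
- file:name
filepath:
# `parent_directory_ref` holds an object identifier, not a path; compare
# against the referenced directory's `path` (same `_ref.<property>` form
# the `src_ref.value` / `dst_ref.value` mappings use).
- file:parent_directory_ref.path
- directory:path
identityip:
- ipv4-addr:value
protocolid:
- network-traffic:protocols[*]
sourceip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
sourcemac:
- mac-addr:value
- network-traffic:src_ref.value
sourceport:
- network-traffic:src_port
SourcePort:
- network-traffic:src_port
src:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
src_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
starttime:
- network-traffic:start
url:
- url:value
user:
- user-account:user_id
username:
- user-account:user_id
utf8_payload:
- artifact:payload_bin
# Web + Proxy mapping
# HTTP request details live in the `http-request-ext` extension of
# network-traffic; the extension name and header names are quoted inside
# the path because they contain `-`.
c-uri:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-query:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
c-uri-stem:
- network-traffic:extensions.'http-request-ext'.request_value
- url:value
keywords:
- artifact:payload_bin
cs-method:
- network-traffic:extensions.'http-request-ext'.request_method
sc-status:
- x-web:status_code
clientip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
c-useragent:
- network-traffic:extensions.'http-request-ext'.request_header.'User-Agent'
r-dns:
- domain-name:value
- url:value
- x-dns:query
cs-host:
- x-host:name
- domain-name:value
cs-cookie:
- network-traffic:extensions.'http-request-ext'.request_header.Cookie
query:
- domain-name:value
- url:value
- x-dns:query
record_type:
- x-dns:record_type
operation:
- x-event:action
# Compliance mapping
event.category:
- x-event:action
host.scan.vuln_name:
- vulnerability:name
host.scan.vuln:
- vulnerability:external_references[*].external_id
# Cloud mapping
eventSource:
- x-host:name
eventName:
- x-event:action
requestParameters.attribute:
- x-cloud:request_parameters
responseElements.publiclyAccessible:
- x-cloud:publicly_accessible
errorMessage:
- x-error:message
errorCode:
- x-error:code
responseElements:
- x-cloud:response_elements
requestParameters.userData:
- x-cloud:request_parameters
# NOTE(review): `userIdentity.type` is an account kind, not a login name;
# mapping it to `account_login` is lossy — confirm this is intended.
userIdentity.type:
- user-account:account_login
eventType:
- x-event:action
userIdentity.arn:
- user-account:account_login
- user-account:display_name
# `credential` is the STIX property holding a credential value; rules that
# match on this field produce patterns against it, so keep rule conditions
# to presence/wildcard checks rather than literal secret values.
responseElements.pendingModifiedValues.masterUserPassword:
- user-account:credential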