valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
cce8d945a0
SigmaHQ/tools/config/sumologic-cse.yml
vh 51df5ad876 Added: 
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
2020-10-06 15:07:52 +03:00

186 lines
3.7 KiB
YAML
Raw Blame History

title: SumoLogic
order: 20
backends:
- sumologic-cse
- sumologic-cse-rule
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, metdata_vendor, EventID
logsources:
unix:
product: unix
index: UNIX
linux:
product: linux
index: Linux
linux-sshd:
product: linux
service: sshd
index: Linux
linux-auth:
product: linux
service: auth
index: Linux
linux-clamav:
product: linux
service: clamav
index: Linux
windows:
product: windows
index: Windows
conditions:
metdata_vendor: Microsoft
windows-sysmon:
product: windows
service: sysmon
conditions:
metdata_vendor: Microsoft
index: Windows
windows-security:
product: windows
service: security
conditions:
metdata_vendor: Microsoft
index: Security
windows-powershell:
product: windows
service: powershell
conditions:
metdata_vendor: Microsoft
index: Powershell
windows-system:
product: windows
service: system
conditions:
metdata_vendor: Microsoft
index: Windows
windows-dhcp:
product: windows
service: dhcp
conditions:
metdata_vendor: Microsoft
index: Windows
microsoft:
product: gsuite
index: gsuite
apache:
product: apache
service: apache
index: Apache
apache2:
product: apache
index: Apache
nginx:
product: nginx
index: Nginx
cisco:
product: cisco
index: Cisco
webserver:
category: webserver
index: WEBSERVER
firewall:
category: firewall
index: FIREWALL
firewall2:
product: firewall
index: FIREWALL
network-dns:
category: dns
index: DNS
network-dns2:
product: dns
index: DNS
proxy:
category: proxy
index: PROXY
vpn:
product: vpn
index: network
antivirus:
product: antivirus
index: ANTIVIRUS
azure:
product: azure
index: Azure
conditions:
metdata_vendor: Microsoft
azuread:
product: azuread
index: Azure AD
conditions:
metdata_vendor: Microsoft
zeek:
product: zeek
index: zeek
application-sql:
product: sql
index: DATABASE
application-python:
product: python
index: APPLICATIONS
application-django:
product: django
index: Django
application-rails:
product: rails
index: RAILS
application-spring:
product: spring
index: SPRING
# if no index, search in all indexes
fieldmappings:
EventID: metadata_deviceEventId
event_id: metadata_deviceEventId
Image: baseImage
event_data.Image: baseImage
TargetImage: changeTarget
EventType: changeType
CommandLine: commandLine
Commandline: commandLine
process.args: commandLine
event_data.CommandLine: commandLine
Description: description
DestinationHostname: dstDevice_hostname
DestinationIp: dstDevice_ip
dst_ip: dstDevice_ip
dst_mac: dstDevice_mac
DestinationPort: dstPort
dst_port: dstPort
FileName: file_basename
Imphash: file_hash_imphash
hash: file_hash_imphash
file_hash: file_hash_imphash
# :file_hash_md5
# :file_hash_sha1
# :file_hash_sha256
Path: file_path
path: file_path
LogonType: logonType
ModuleType: moduleType
ObjectType: objectType
ParentImage: parentBaseImage
event_data.ParentImage: parentBaseImage
ParentCommandLine: parentCommandLine
ParentProcessName: parentPid
SourceHostname: srcDevice_hostname
SourceIp: srcDevice_ip
src_ip: srcDevice_ip
src_mac: srcDevice_mac
SourcePort: srcPort
src_port: srcPort
User: user_username
User-Agent: http_userAgent
Protocol: http_url_protocol
destination.domain: http_url_rootDomain
domain: http_url_rootDomain
Reference in New Issue View Git Blame Copy Permalink