tools/config/arcsight.yml

title: ArcSight
order: 20
backends:
  - arcsight
logsources:
  linux:
    product: linux
    conditions:
      deviceVendor: Unix
  linux-sshd:
    product: linux
    service: sshd
    conditions:
      deviceVendor: Unix
  linux-auth:
    product: linux
    service: auth
    conditions:
      deviceVendor: Unix
  linux-clamav:
    product: linux
    service: clamav
    conditions:
      deviceVendor: Unix
  windows-dns:
    product: windows
    service: dns-server
    conditions:
      deviceVendor: Microsoft
      deviceProduct: DNS-Server
  windows-pc:
    product: windows
    service: powershell-classic
    conditions:
      deviceVendor: Microsoft
  windows-sys:
    product: windows
    service: sysmon
    conditions:
      deviceVendor: Microsoft
      deviceProduct: Sysmon
  windows-sec:
    product: windows
    service: security
    conditions:
      deviceVendor: Microsoft
      deviceProduct: Microsoft Windows
  windows-power:
    product: windows
    service: powershell
    conditions:
      deviceVendor: Microsoft
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      deviceVendor: Microsoft
  windows-system:
    product: windows
    service: system
    conditions:
      deviceVendor: Microsoft
  windows-driver:
    product: windows
    service: driver-framework
    conditions:
      deviceVendor: Microsoft
  windows-app:
    product: windows
    service: application
    conditions:
      deviceVendor: Microsoft
  proxy:
    category: proxy
    conditions:
      categoryDeviceGroup: /Proxy
  python:
    product: python
    conditions:
      deviceProduct: Python
      categoryDeviceGroup: /Application
  ruby_on_rails:
    product: ruby_on_rails
    conditions:
      deviceProduct: Ruby on Rails
      categoryDeviceGroup: /Application
  spring:
    product: spring
    conditions:
      deviceProduct: Spring
      categoryDeviceGroup: /Application
  apache:
    product: apache
    conditions:
      deviceProduct: Apache
      categoryDeviceGroup: /Application
  firewall:
    product: firewall
    conditions:
      categoryDeviceGroup: /Firewall

fieldmappings:
  EventID: externalId
  dst:
    - destinationAddress
  dst_ip:
    - destinationAddress
  src:
    - sourceAddress
  src_ip:
    - sourceAddress
Added title to all configurations 2019-05-16 23:33:51 +02:00			`title: ArcSight`
Configuration order checking 2019-04-23 00:54:10 +02:00			`order: 20`
Check for valid configuration/backend combinations 2019-05-20 01:00:33 +02:00			`backends:`
			`- arcsight`
Added ArcSight & Qualys backends 2018-06-07 16:18:23 +03:00			`logsources:`
			`linux:`
			`product: linux`
			`conditions:`
			`deviceVendor: Unix`
			`linux-sshd:`
			`product: linux`
			`service: sshd`
			`conditions:`
			`deviceVendor: Unix`
			`linux-auth:`
			`product: linux`
			`service: auth`
			`conditions:`
			`deviceVendor: Unix`
			`linux-clamav:`
			`product: linux`
			`service: clamav`
			`conditions:`
			`deviceVendor: Unix`
			`windows-dns:`
			`product: windows`
			`service: dns-server`
			`conditions:`
			`deviceVendor: Microsoft`
			`deviceProduct: DNS-Server`
			`windows-pc:`
			`product: windows`
			`service: powershell-classic`
			`conditions:`
			`deviceVendor: Microsoft`
			`windows-sys:`
			`product: windows`
			`service: sysmon`
			`conditions:`
			`deviceVendor: Microsoft`
			`deviceProduct: Sysmon`
			`windows-sec:`
			`product: windows`
			`service: security`
			`conditions:`
			`deviceVendor: Microsoft`
			`deviceProduct: Microsoft Windows`
			`windows-power:`
			`product: windows`
			`service: powershell`
			`conditions:`
			`deviceVendor: Microsoft`
DHCP log source in sigmac configs 2019-02-05 14:35:16 +01:00			`windows-dhcp:`
			`product: windows`
			`service: dhcp`
Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00			`conditions:`
DHCP log source in sigmac configs 2019-02-05 14:35:16 +01:00			`deviceVendor: Microsoft`
Added ArcSight & Qualys backends 2018-06-07 16:18:23 +03:00			`windows-system:`
			`product: windows`
			`service: system`
			`conditions:`
			`deviceVendor: Microsoft`
			`windows-driver:`
			`product: windows`
			`service: driver-framework`
			`conditions:`
			`deviceVendor: Microsoft`
			`windows-app:`
			`product: windows`
			`service: application`
			`conditions:`
			`deviceVendor: Microsoft`
			`proxy:`
			`category: proxy`
			`conditions:`
			`categoryDeviceGroup: /Proxy`
			`python:`
			`product: python`
			`conditions:`
			`deviceProduct: Python`
			`categoryDeviceGroup: /Application`
			`ruby_on_rails:`
			`product: ruby_on_rails`
			`conditions:`
			`deviceProduct: Ruby on Rails`
			`categoryDeviceGroup: /Application`
			`spring:`
			`product: spring`
			`conditions:`
			`deviceProduct: Spring`
			`categoryDeviceGroup: /Application`
			`apache:`
			`product: apache`
			`conditions:`
			`deviceProduct: Apache`
			`categoryDeviceGroup: /Application`
Fix YAML errors reported by yamllint 2019-01-10 09:47:33 +01:00			`firewall:`
Added ArcSight & Qualys backends 2018-06-07 16:18:23 +03:00			`product: firewall`
			`conditions:`
			`categoryDeviceGroup: /Firewall`

			`fieldmappings:`
			`EventID: externalId`
			`dst:`
			`- destinationAddress`
			`dst_ip:`
			`- destinationAddress`
			`src:`
			`- sourceAddress`
			`src_ip:`
			`- sourceAddress`