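# Sigma field/log-source mapping for the Sumo Logic backend.
#
# Sumo Logic has no fixed schema: which fields exist, and what they are called,
# depends entirely on the customer's Field Extraction Rules (FER), source
# categories and partitions (_index). Every index name and EventChannel value in
# this file is therefore an example to adapt, not a default that works out of
# the box. A mapping that does not match your FERs does not error out -- it
# produces queries that silently return nothing, which looks like "no detections"
# rather than "broken configuration". Validate a handful of converted rules
# against known-good events before relying on them for alerting.
title: SumoLogic
# NOTE(review): presumably the precedence this config gets when several configs
# are combined; the exact semantics are not visible here -- confirm against the
# converter's documentation.
order: 20
backends:
  - sumologic

# NOTE(review): field list consumed by the sumologic backend; what it does with
# them (aggregation / "all fields" handling) is not visible in this file --
# confirm against the backend source before adding or removing entries.
afl_fields:
  - _index
  - EventID
  - CommandLine
  - NewProcessName
  - Image
  - ParentImage
  - ParentCommandLine
  - ParentProcessName

# Sumo Logic mapping depends on customer configuration. Adapt to your context!
# Queries are typically keyed on _sourceCategory, _index or Field Extraction
# Rules (FER). The entries below assume existing FERs that yield the fields
# `service`, `EventChannel` and `EventID`.
logsources:
  unix:
    product: unix
    index: UNIX
  linux:
    product: linux
    index: LINUX
  linux-sshd:
    product: linux
    service: sshd
    index: LINUX
  linux-auth:
    product: linux
    service: auth
    index: LINUX
  linux-clamav:
    product: linux
    service: clamav
    index: LINUX
  windows:
    product: windows
    index: WINDOWS
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      # NOTE(review): the newer channels below use the full name with a
      # '/Operational' suffix (e.g. 'Microsoft-Windows-NTLM/Operational').
      # Confirm whether your FER emits the short form used here or the full
      # channel name; a mismatch turns every Sysmon rule into a query that
      # matches nothing.
      EventChannel: Microsoft-Windows-Sysmon
    index: WINDOWS
  windows-security:
    product: windows
    service: security
    conditions:
      EventChannel: Security
    index: WINDOWS
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      # NOTE(review): same caveat as windows-sysmon -- verify the exact channel
      # string your FER produces (short form vs. the '/Operational' form).
      EventChannel: Microsoft-Windows-Powershell
    index: WINDOWS
  windows-system:
    product: windows
    service: system
    conditions:
      EventChannel: System
    index: WINDOWS
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      EventChannel: Microsoft-Windows-DHCP-Server
    index: WINDOWS
  # The channels below were added later and originally carried no `index`,
  # so their rules searched every index while the other windows sources were
  # scoped to WINDOWS. `index: WINDOWS` is set here for consistency with the
  # entries above; drop or change it if these channels land in a different
  # partition in your environment.
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      EventChannel: 'Microsoft-Windows-NTLM/Operational'
    index: WINDOWS
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      EventChannel: 'Microsoft-Windows-PrintService/Admin'
    index: WINDOWS
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      EventChannel: 'Microsoft-Windows-PrintService/Operational'
    index: WINDOWS
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    conditions:
      EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
    index: WINDOWS
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      EventChannel: 'Microsoft-Windows-SmbClient/Security'
    index: WINDOWS
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      EventChannel: 'MSExchange Management'
    index: WINDOWS
  windows-firewall-advanced-security:
    product: windows
    service: firewall-as
    conditions:
      EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    index: WINDOWS
  windows-bits-client:
    product: windows
    service: bits-client
    conditions:
      EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
    index: WINDOWS
  # apache and apache2 are now identical (both match service: apache); the
  # second entry is kept so existing references keep working, but it adds no
  # additional coverage.
  apache:
    service: apache
    index: WEBSERVER
  apache2:
    service: apache
    index: WEBSERVER
  webserver:
    category: webserver
    index: WEBSERVER
  # Paired entries (firewall/firewall2, network-dns/network-dns2) cover rules
  # that identify the source by category and rules that use product.
  firewall:
    category: firewall
    index: FIREWALL
  firewall2:
    product: firewall
    index: FIREWALL
  network-dns:
    category: dns
    index: DNS
  network-dns2:
    product: dns
    index: DNS
  proxy:
    category: proxy
    index: PROXY
  antivirus:
    product: antivirus
    index: ANTIVIRUS
  application-sql:
    product: sql
    index: DATABASE
  application-python:
    product: python
    index: APPLICATIONS
  application-django:
    product: django
    index: DJANGO
  application-rails:
    product: rails
    index: RAILS
  application-spring:
    product: spring
    index: SPRING

# A log source without an `index` searches every index. That is slow on large
# tenants and can match events from unrelated sources, so scope each entry to
# a partition wherever your index layout allows.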