Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions
+17
-15
@@ -93,7 +93,7 @@ logsources:
|
||||
msexchange-management:
|
||||
service: msexchange-management
|
||||
conditions:
|
||||
channel: "MSExchange Management"
|
||||
product_name: "MSExchange Management"
|
||||
windows:
|
||||
product: windows
|
||||
index: windows
|
||||
@@ -127,7 +127,7 @@ logsources:
|
||||
product: windows
|
||||
service: bits-client
|
||||
conditions:
|
||||
channel: "Microsoft-Windows-Bits-Client/Operational"
|
||||
event_channel: "Microsoft-Windows-Bits-Client/Operational"
|
||||
windows-network-connection:
|
||||
product: windows
|
||||
category: network_connection
|
||||
@@ -209,12 +209,12 @@ logsources:
|
||||
product: windows
|
||||
category: ldap_query
|
||||
conditions:
|
||||
channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
|
||||
event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
|
||||
windows-ldap-debug:
|
||||
product: windows
|
||||
category: ldap_debug
|
||||
conditions:
|
||||
channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
|
||||
event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
|
||||
windows-driver-load:
|
||||
product: windows
|
||||
category: driver_load
|
||||
@@ -545,12 +545,14 @@ logsources:
|
||||
conditions:
|
||||
vendor_name: "Microsoft"
|
||||
product_name: "Azure"
|
||||
product_source: "signInAudits"
|
||||
azure-auditlogs:
|
||||
product: azure
|
||||
service: auditlogs
|
||||
conditions:
|
||||
vendor_name: "Microsoft"
|
||||
product_name: "Azure"
|
||||
product_source: "directoryAudits"
|
||||
azure-activitylogs:
|
||||
product: azure
|
||||
service: activitylogs
|
||||
@@ -567,22 +569,22 @@ logsources:
|
||||
product: windows
|
||||
service: microsoft-servicebus-client
|
||||
conditions:
|
||||
channel: 'Microsoft-ServiceBus-Client'
|
||||
event_channel: 'Microsoft-ServiceBus-Client'
|
||||
windows-application:
|
||||
product: windows
|
||||
service: application
|
||||
conditions:
|
||||
channel: 'Application'
|
||||
event_channel: 'Application'
|
||||
windows-security:
|
||||
product: windows
|
||||
service: security
|
||||
conditions:
|
||||
channel: 'Security'
|
||||
event_channel: 'Security'
|
||||
windows-system:
|
||||
product: windows
|
||||
service: system
|
||||
conditions:
|
||||
channel: 'System'
|
||||
event_channel: 'System'
|
||||
windows-sysmon:
|
||||
product: windows
|
||||
service: sysmon
|
||||
@@ -612,12 +614,12 @@ logsources:
|
||||
product: windows
|
||||
service: dns-server
|
||||
conditions:
|
||||
channel: 'DNS Server'
|
||||
product_name: 'DNS Server'
|
||||
windows-dns-server-audit:
|
||||
product: windows
|
||||
service: dns-server-audit
|
||||
conditions:
|
||||
channel: 'DNS Server'
|
||||
product_name: 'DNS Server'
|
||||
windows-driver-framework:
|
||||
product: windows
|
||||
service: driver-framework
|
||||
@@ -687,7 +689,7 @@ logsources:
|
||||
product: windows
|
||||
service: msexchange-management
|
||||
conditions:
|
||||
channel: 'MSExchange Management'
|
||||
product_name: 'MSExchange Management'
|
||||
windows-printservice-admin:
|
||||
product: windows
|
||||
service: printservice-admin
|
||||
@@ -865,10 +867,10 @@ fieldmappings:
|
||||
cs-referer: http_referer
|
||||
cs-host: http_host
|
||||
cs-method: http_method
|
||||
c-uri: http_uri
|
||||
c-uri-stem: http_uri
|
||||
cs-uri: http_uri
|
||||
cs-uri-stem: http_uri
|
||||
c-uri: http_path
|
||||
c-uri-stem: http_path
|
||||
cs-uri: http_path
|
||||
cs-uri-stem: http_path
|
||||
c-agent: http_user_agent
|
||||
cs-agent: http_user_agent
|
||||
c-useragent: http_user_agent
|
||||
|
||||
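Review bot: After this change windows-dns-server and windows-dns-server-audit (hunk @@ -612) carry identical conditions, `product_name: 'DNS Server'`, so the backend cannot distinguish the two logsources and a rule scoped to the audit log resolves to the same query as one scoped to the main DNS Server log. The same holds for windows-ldap-query and windows-ldap-debug in hunk @@ -209, which both end up with `event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"`. The commit message says the move away from `channel` is meant to remove collisions, but in these pairs only the key name changes and the value stays the same, so the collision is carried over rather than resolved; if the backend ingests the audit and debug logs under a distinct channel or product name, that distinct value belongs on the `-audit` / `-debug` entries, and if the merge is intentional a short comment above each pair such as `# intentionally shares conditions with windows-dns-server` would save the next reader the check. Separately, the fieldmappings hunk (@@ -865) now sends `c-uri` and `cs-uri` to `http_path` alongside the `-stem` fields; if this is a Sigma-style taxonomy where `c-uri` carries the full request URI including the query string while `http_path` holds only the path component, rules that match on query-string content through `c-uri` will silently stop matching, so those two may need a separate backend field rather than sharing the stem mapping.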