From 5f0347d94d5fa2ffaeb2411d0f84fe7030628b96 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 2 Aug 2022 23:39:49 +0000
Subject: [PATCH] Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions
---
 tools/config/hawk.yml | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index dcd45ca33..2930e0f25 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -93,7 +93,7 @@ logsources:
 msexchange-management:
 service: msexchange-management
 conditions:
- channel: "MSExchange Management"
+ product_name: "MSExchange Management"
 windows:
 product: windows
 index: windows
@@ -127,7 +127,7 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- channel: "Microsoft-Windows-Bits-Client/Operational"
+ event_channel: "Microsoft-Windows-Bits-Client/Operational"
 windows-network-connection:
 product: windows
 category: network_connection
@@ -209,12 +209,12 @@ logsources:
 product: windows
 category: ldap_query
 conditions:
- channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
+ event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
 windows-ldap-debug:
 product: windows
 category: ldap_debug
 conditions:
- channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
+ event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
 windows-driver-load:
 product: windows
 category: driver_load
@@ -545,12 +545,14 @@ logsources:
 conditions:
 vendor_name: "Microsoft"
 product_name: "Azure"
+ product_source: "signInAudits"
 azure-auditlogs:
 product: azure
 service: auditlogs
 conditions:
 vendor_name: "Microsoft"
 product_name: "Azure"
+ product_source: "directoryAudits"
 azure-activitylogs:
 product: azure
 service: activitylogs
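Review bot: The new `product_name: "MSExchange Management"` line on the msexchange-management entry is the only change in this hunk, and nothing records why this channel becomes `product_name` while the Bits-Client, LDAP, Application, Security and System channels in the other hunks become `event_channel`; the same choice is made for 'DNS Server' in the hunk at -612 and for windows-msexchange-management in the hunk at -687. These conditions presumably select which backend field a rule's logsource is matched against, so a field chosen wrongly would yield a logsource condition that silently matches nothing or the wrong events, and nothing in this file would catch that. I would add a comment above the entry stating the criterion, e.g. `# 'MSExchange Management' is ingested as its own product, so match on product_name rather than event_channel — confirm against the backend field list`. The enclosing `logsources:` mapping starts above the hunk.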
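Review bot: After the rename, the ldap_query entry (its key line lies above the hunk) and windows-ldap-debug still carry an identical single condition, `event_channel: "Microsoft-Windows-LDAP-Client/Debug ETW"`, so the logsource collision the commit message cites is not resolved for this pair; the windows-dns-server / windows-dns-server-audit pair in the hunk at -612 ends up the same way with `product_name: 'DNS Server'`. If the backend exposes a second field that separates these event streams, it belongs alongside `event_channel` here. If the two categories are intentionally the same stream, a comment such as `# ldap_query and ldap_debug both map to the LDAP-Client Debug ETW channel; no finer field is available — TODO confirm` would stop the next reader from treating it as an oversight.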
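Review bot: `product_source` is now the only condition separating the two Azure entries in this hunk, since both keep `vendor_name: "Microsoft"` and `product_name: "Azure"`, but the entries do not say so, and the first entry's key line lies above the hunk. A short comment on each added line would record that, e.g. `product_source: "signInAudits"  # sole discriminator vs auditlogs; presumably compared as-is, so casing must equal the backend's value`. azure-activitylogs at the end of the hunk has its conditions below the hunk; if it also carries only the Microsoft/Azure pair it needs a `product_source` too, otherwise it still overlaps with these two.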
@@ -567,22 +569,22 @@ logsources:
 product: windows
 service: microsoft-servicebus-client
 conditions:
- channel: 'Microsoft-ServiceBus-Client'
+ event_channel: 'Microsoft-ServiceBus-Client'
 windows-application:
 product: windows
 service: application
 conditions:
- channel: 'Application'
+ event_channel: 'Application'
 windows-security:
 product: windows
 service: security
 conditions:
- channel: 'Security'
+ event_channel: 'Security'
 windows-system:
 product: windows
 service: system
 conditions:
- channel: 'System'
+ event_channel: 'System'
 windows-sysmon:
 product: windows
 service: sysmon
@@ -612,12 +614,12 @@ logsources:
 product: windows
 service: dns-server
 conditions:
- channel: 'DNS Server'
+ product_name: 'DNS Server'
 windows-dns-server-audit:
 product: windows
 service: dns-server-audit
 conditions:
- channel: 'DNS Server'
+ product_name: 'DNS Server'
 windows-driver-framework:
 product: windows
 service: driver-framework
@@ -687,7 +689,7 @@ logsources:
 product: windows
 service: msexchange-management
 conditions:
- channel: 'MSExchange Management'
+ product_name: 'MSExchange Management'
 windows-printservice-admin:
 product: windows
 service: printservice-admin
@@ -865,10 +867,10 @@ fieldmappings:
 cs-referer: http_referer
 cs-host: http_host
 cs-method: http_method
- c-uri: http_uri
- c-uri-stem: http_uri
- cs-uri: http_uri
- cs-uri-stem: http_uri
+ c-uri: http_path
+ c-uri-stem: http_path
+ cs-uri: http_path
+ cs-uri-stem: http_path
 c-agent: http_user_agent
 cs-agent: http_user_agent
 c-useragent: http_user_agent
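Review bot: The added `event_channel` lines in this hunk keep single quotes while the same key added in the hunks at -93, -127 and -209 uses double quotes; every value here is plain text with no escapes or YAML specials, so both forms parse identically and this is style only. Since the commit rewrites every affected line anyway, it is a cheap moment to normalise: keep the single-quoted form used here (the preferred style for literal strings) and change the earlier hunks' new lines to match, e.g. `event_channel: 'Microsoft-Windows-Bits-Client/Operational'`. The first entry's key line lies above the hunk.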
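Review bot: The four URI fields `c-uri`, `c-uri-stem`, `cs-uri` and `cs-uri-stem` now all map to `http_path`, although in W3C/IIS logging `cs-uri-stem` is the path only while `cs-uri`, where emitted, carries the full request URI including the query; if the backend's `http_path` holds only the path component, a rule that used `cs-uri` to match on query-string content would stop matching with no error. No `cs-uri-query` mapping is visible in the hunk, so that content may have nowhere to go. I would either map the full-URI forms to a separate backend field if one exists, or keep this mapping and add `# cs-uri / c-uri are folded into http_path; query-string matches must use cs-uri-query — TODO confirm backend field` above the block. The `fieldmappings:` block continues on both sides of the hunk.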