refactor: first bigger log source refactoring

see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
parent a5281c0eaf
commit e91fc4486e
78 changed files with 103 additions and 106 deletions
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
 id: 288a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+  This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
  A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
  This can be done programmatically via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
  - https://o365blog.com/post/hybridhealthagent/
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  selection:
    CategoryValue: 'Administrative'
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
 id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+  This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
  A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
  The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
  - https://o365blog.com/post/hybridhealthagent/
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  selection:
    CategoryValue: 'Administrative'
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50053
@@ -8,7 +8,7 @@ references:
    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 'Update application - Certificates and secrets management'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
  selection:
    LoggedByService: 'Authentication Methods'
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -1,15 +1,15 @@
 title: Number Of Resource Creation Or Deployment Activities
 id: d2d901db-7a75-45a1-bc39-0cbf00812192
 status: test
-description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.Compute/virtualMachines/write
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
@@ -8,7 +8,7 @@ references:
    - https://attack.mitre.org/techniques/T1078
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
    selection:
        properties.message: Set federation settings on domain
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.Authorization/roleAssignments/write
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection1:
          properties.message|startswith:
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -11,7 +11,7 @@ references:
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 logsource:
    product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
    selection1:
          properties.message|startswith:
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection_operation_name:
          properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection_operation_name:
          properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50057
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 logsource:
    product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
    selection:
        eventSource: AzureActiveDirectory
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50074
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.DocumentDB/databaseAccounts/listKeys/action
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 'Add service principal'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: Remove service principal
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection1:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
 logsource:
  product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
  selection:
    Category: 'Administrative'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
    selection1:
          ResultType: 50097
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 53003
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message|startswith:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatDetection
+    service: threat_detection
    product: m365
 detection:
    selection:
@@ -9,7 +9,7 @@ references:
 date: 2020/07/06
 modified: 2021/11/27
 logsource:
-  category: ThreatManagement
+  service: threat_management
  product: m365
 detection:
  selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -11,7 +11,7 @@ references:
    - https://www.sygnia.co/golden-saml-advisory
    - https://o365blog.com/post/aadbackdoor/
 logsource:
-    category: Exchange
+    service: exchange
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -53,7 +53,7 @@ references:
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
 logsource:
-    product: netflow
+    service: netflow
 detection:
    selection:
        destination.port:
@@ -8,7 +8,7 @@ references:
 date: 2017/02/28
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
  keywords:
    - 'exit signal Segmentation Fault'
@@ -8,7 +8,7 @@ references:
 date: 2019/01/22
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
  keywords:
    - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
@@ -15,7 +15,6 @@ tags:
    - attack.persistence
    - attack.t1505.003
 logsource:
-    product: zoho_manageengine
    category: webserver
    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
 detection:
@@ -8,7 +8,7 @@ references:
    - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
    - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
 logsource:
-    product: apache
+    service: apache
 detection:
    keywords:
        - 'exited on signal 6 (core dumped)'
@@ -125,9 +125,9 @@ logsources:
      deviceProduct: Spring
      categoryDeviceGroup: /Application
  apache:
-    product: apache
+    service: apache
    conditions:
-      deviceProduct: Apache
+      deviceservice: apache
      categoryDeviceGroup: /Application
  firewall:
    product: firewall
@@ -10,7 +10,7 @@ logsources:
    category: proxy
    index: proxy.all.access
  apache:
-    product: apache
+    service: apache
    index: web.all.access
 fieldmappings:
  c-uri: url
@@ -6,6 +6,6 @@ backends:
 fieldmappings:
  category: azure.auditlogs.properties.category
  activityDisplayName: event.action
-  loggedByService: azure.auditlogs.properties.logged_by_service
+  loggedByservice: auditlogs.properties.logged_by_service
  result: event.outcome
  initiatedBy.user.userPrincipalName: azure.auditlogs.properties.initiated_by.user.userPrincipalName
@@ -116,7 +116,7 @@ logsources:
        category: firewall
        index: firewall
    connection:
-        category: netflow
+        service: netflow
        index: connection
    proxy:
        category: proxy
@@ -1,33 +1,33 @@
 title: Microsoft 365 Rules
 order: 10
 logsources:
-    ThreatManagement:
+    threat_management:
        product: m365
-        category: ThreatManagement
+        service: threat_management
        conditions:
            eventSource: SecurityComplianceCenter
-    AccessGovernance:
+    access_governance:
        product: m365
-        category: AccessGovernance
+        service: access_governance
        conditions:
            eventSource: SecurityComplianceCenter
-    CloudDiscovery:
+    cloud_discovery:
        product: m365
-        category: CloudDiscovery
+        service: cloud_discovery
        conditions:
            eventSource: SecurityComplianceCenter
-    DataLossPrevention:
+    data_loss_prevention:
        product: m365
-        category: DataLossPrevention
+        service: data_loss_prevention
        conditions:
            eventSource: SecurityComplianceCenter
-    ThreatDetection:
+    threat_detection:
        product: m365
-        category: ThreatDetection
+        service: threat_detection
        conditions:
            eventSource: SecurityComplianceCenter
-    SharingControl:
+            sharing_control:
        product: m365
-        category: SharingControl
+    service: sharing_control
        conditions:
            eventSource: SecurityComplianceCenter
@@ -8,7 +8,7 @@ logsources:
   conditions:
     vendor_type: 'Antivirus'
 apache:
-   product: apache
+   service: apache
   conditions:
     product_name: 
       - 'apache*'
@@ -41,13 +41,13 @@ logsources:
    vendor_name: "Microsoft"
    product_name: "Onelogin" 
 microsoft365:
-   category: ThreatManagement
+   service: threat_management
   service: Microsoft365
   conditions:
    vendor_name: "Microsoft"
    product_name: "365"
 m365:
-   category: ThreatManagement
+   service: threat_management
   service: m365
   conditions:
    vendor_name: "Microsoft"
@@ -218,22 +218,22 @@ logsources:
  conditions:
    vendor_name: "Zeek IDS"
 azure-signin:
-  service: azure.signinlogs
+  service: signinlogs
  conditions:
    vendor_name: "Microsoft"
    product_name: "Azure"
 azure-auditlogs:
-   service: azure.auditlogs
+   service: auditlogs
   conditions:
    vendor_name: "Microsoft"
    product_name: "Azure"
 azure-activitylogs:
-   service: azure.activitylogs
+   service: activitylogs
   conditions:
    vendor_name: "Microsoft"
    product_name: "Azure"
 azure-activity:
-   service: AzureActivity
+   service: azureactivity
   conditions:
    vendor_name: "Microsoft"
    product_name: "Azure"
@@ -382,7 +382,7 @@ logsources:
 qflow:
   product: qflow
 netflow:
-   product: netflow
+   service: netflow
 ipfix:
   product: ipfix
 flow:
@@ -8,4 +8,4 @@ logsources:
  linux:
    product: linux
  netflow:
-    product: netflow
+    service: netflow
@@ -4,7 +4,7 @@ backends:
 order: 20
 logsources:
 apache:
-   product: apache
+   service: apache
   index: apache
   conditions:
     LOGSOURCETYPENAME(devicetype): '*apache*'
@@ -17,7 +17,7 @@ logsources:
   product: qflow
   index: flows
 netflow:
-   product: netflow
+   service: netflow
   index: flows
 ipfix:
   product: ipfix
@@ -64,11 +64,10 @@ logsources:
    product: gsuite
    index: gsuite
  apache:
-    product: apache
    service: apache
    index: Apache
  apache2:
-    product: apache
+    service: apache
    index: Apache
  nginx:
    product: nginx
@@ -107,11 +107,10 @@ logsources:
    conditions:
      EventChannel: 'Microsoft-Windows-Bits-Client/Operational' 
  apache:
-    product: apache
    service: apache
    index: WEBSERVER
  apache2:
-    product: apache
+    service: apache
    index: WEBSERVER
  webserver:
    category: webserver