diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
index 37eef2bdb..8088ce3d7 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
 id: 288a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
- This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+ This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
 A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 logsource:
 product: azure
- service: AzureActivity
+ service: azureactivity
 detection:
 selection:
 CategoryValue: 'Administrative'
diff --git a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
index 1db77b37a..6fc97a25f 100644
--- a/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml
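Review bot: The description in the first hunk now reads `This detection uses azureactivity logs (Administrative category) ...`, which misnames the data source: the prose refers to the Azure Monitor table, which is spelled `AzureActivity`, and only the `logsource.service` identifier in the second hunk needed to change. It looks like a case-insensitive search-and-replace touched free text along with the logsource key; restore the sentence to `This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.` and check the other rule descriptions for the same effect.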
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
 id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
 description: |
- This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+ This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
 A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
 The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
 - https://o365blog.com/post/hybridhealthagent/
 logsource:
 product: azure
- service: AzureActivity
+ service: azureactivity
 detection:
 selection:
 CategoryValue: 'Administrative'
diff --git a/rules/cloud/azure/azure_account_lockout.yml b/rules/cloud/azure/azure_account_lockout.yml
index 3f65b7eeb..4a13747c1 100644
--- a/rules/cloud/azure/azure_account_lockout.yml
+++ b/rules/cloud/azure/azure_account_lockout.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
 product: azure
- service: azure.signinlogs
+ service: signinlogs
 detection:
 selection:
 ResultType: 50053
diff --git a/rules/cloud/azure/azure_app_credential_modification.yml b/rules/cloud/azure/azure_app_credential_modification.yml
index ea55bf75a..bca556a2e 100644
--- a/rules/cloud/azure/azure_app_credential_modification.yml
+++ b/rules/cloud/azure/azure_app_credential_modification.yml
@@ -8,7 +8,7 @@ references:
 - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message: 'Update application - Certificates and secrets management'
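Review bot: The first hunk of `azure_aadhybridhealth_adfs_service_delete.yml` changes the human-readable description to `azureactivity logs`, which is the wrong spelling for the Azure Monitor table the sentence is naming (`AzureActivity`); the rename was only needed for the `service:` value further down. Restore `This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.` so analysts reading the rule can find the table.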
diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml
index d92172000..6d3ee5b0d 100644
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
index 0dd456f31..dab3bf97c 100644
--- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
index 24dd86b99..a770842d0 100644
--- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_change_to_authentication_method.yml b/rules/cloud/azure/azure_change_to_authentication_method.yml
index f84820f90..812357a27 100644
--- a/rules/cloud/azure/azure_change_to_authentication_method.yml
+++ b/rules/cloud/azure/azure_change_to_authentication_method.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
 product: azure
- service: azure.auditlogs
+ service: auditlogs
 detection:
 selection:
 LoggedByService: 'Authentication Methods'
diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
index 19cd8c917..b394ce894 100644
--- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
+++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
index 9537454f2..04c3ed96e 100644
--- a/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
+++ b/rules/cloud/azure/azure_creating_number_of_resources_detection.yml
@@ -1,15 +1,15 @@
 title: Number Of Resource Creation Or Deployment Activities
 id: d2d901db-7a75-45a1-bc39-0cbf00812192
 status: test
-description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 author: sawwinnnaung
 references:
- - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
 product: azure
- service: AzureActivity
+ service: azureactivity
 detection:
 keywords:
 - Microsoft.Compute/virtualMachines/write
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index c60bde66c..0c33bda86 100644
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index 972a3dd95..cc5aa33d2 100644
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
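Review bot: The `references` entry in the `azure_creating_number_of_resources_detection.yml` hunk was rewritten to `.../Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml`; GitHub blob paths are case-sensitive and the removed line carried the upstream directory name `AzureActivity`, so the link very likely no longer resolves. The rename should have been limited to the `service:` key: restore `- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml` and, for the same reason, `description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.`, since the description names the Log Analytics table. The `modified: 2021/11/27` context line is left untouched; if the repository's convention is to bump it on every rule change, it should be updated as well.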
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
index 9831b9a1b..80d55642b 100644
--- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
diff --git a/rules/cloud/azure/azure_federation_modified.yml b/rules/cloud/azure/azure_federation_modified.yml
index b1902b278..d3818c37e 100644
--- a/rules/cloud/azure/azure_federation_modified.yml
+++ b/rules/cloud/azure/azure_federation_modified.yml
@@ -8,7 +8,7 @@ references:
 - https://attack.mitre.org/techniques/T1078
 logsource:
 product: azure
- service: azure.signinlogs
+ service: signinlogs
 detection:
 selection:
 properties.message: Set federation settings on domain
diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
index 468ee7155..2d09758ae 100644
--- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
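Review bot: In the `azure_federation_modified.yml` hunk the logsource is carried over as `service: signinlogs`, yet the selection matches `properties.message: Set federation settings on domain`, which is an Azure AD audit-log activity (directory management) rather than a sign-in event; a federation change will never appear in the sign-in table, so the rule as written presumably cannot fire. The commit only normalises the identifier and does not fix this, but since every `service:` line is being touched anyway this is the moment to change it to `service: auditlogs`, matching the other directory-change rules in this diff — verify against the backend's field mapping before switching. Also note the referenced `#core-directory` and `#application-proxy` anchors point at the AuditLogs activity reference for the surrounding rules, which supports the same reading.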
diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
index a28556c8b..30281498e 100644
--- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_granting_permission_detection.yml b/rules/cloud/azure/azure_granting_permission_detection.yml
index 060207576..d1fb9dfd4 100644
--- a/rules/cloud/azure/azure_granting_permission_detection.yml
+++ b/rules/cloud/azure/azure_granting_permission_detection.yml
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
- - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
 product: azure
- service: AzureActivity
+ service: azureactivity
 detection:
 keywords:
 - Microsoft.Authorization/roleAssignments/write
diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
index 77c69fadb..fe2af9ae7 100644
--- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml
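Review bot: The reference URL in the `azure_granting_permission_detection.yml` hunk is changed to `.../Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml`, but the path segment is the name of a directory in the Azure-Sentinel repository and GitHub file paths are case-sensitive, so the lowercased link is likely dead. Keep the removed line, `- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml`, and confine the rename to `service: azureactivity`. A broken reference is a real loss here because the rule body is only a `keywords` list and the upstream query is what explains the intended "previously unseen source IP" logic that the description promises.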
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
index d5955a8ca..d50c76cc4 100644
--- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
index 1796669a3..53f85064a 100644
--- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml
index d9230b10f..884360c34 100644
--- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection1:
 properties.message|startswith:
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
index 598fd4ea6..6af9fe8ac 100644
--- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml
index 9bc995726..ec22988cb 100644
--- a/rules/cloud/azure/azure_kubernetes_cronjob.yml
+++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml
@@ -11,7 +11,7 @@ references:
 - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection1:
 properties.message|startswith:
diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml
index 611925741..7c4aefd91 100644
--- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection_operation_name:
 properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
index 33de95bf6..e731c0d87 100644
--- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
+++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
index 7040be7c5..ac7d0e1df 100644
--- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection_operation_name:
 properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml
index 7306b36a0..b13335b6b 100644
--- a/rules/cloud/azure/azure_kubernetes_role_access.yml
+++ b/rules/cloud/azure/azure_kubernetes_role_access.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
index e1f86ce74..923169ffe 100644
--- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
index bd823765a..3f24ab0ba 100644
--- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
+++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
index b393caa01..6a56ea6c6 100644
--- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -12,7 +12,7 @@ references:
 - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_login_to_disabled_account.yml b/rules/cloud/azure/azure_login_to_disabled_account.yml
index 1510f307a..8f8392ca8 100644
--- a/rules/cloud/azure/azure_login_to_disabled_account.yml
+++ b/rules/cloud/azure/azure_login_to_disabled_account.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
 product: azure
- service: azure.signinlogs
+ service: signinlogs
 detection:
 selection:
 ResultType: 50057
diff --git a/rules/cloud/azure/azure_mfa_disabled.yml b/rules/cloud/azure/azure_mfa_disabled.yml
index a6df069c8..d8ce54bce 100644
--- a/rules/cloud/azure/azure_mfa_disabled.yml
+++ b/rules/cloud/azure/azure_mfa_disabled.yml
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 eventSource: AzureActiveDirectory
diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml
index 795d2cdb4..8d997688e 100644
--- a/rules/cloud/azure/azure_mfa_interrupted.yml
+++ b/rules/cloud/azure/azure_mfa_interrupted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
 product: azure
- service: azure.signinlogs
+ service: signinlogs
 detection:
 selection:
 ResultType: 50074
diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
index c9c9c2860..2a36bbdab 100644
--- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
index c1731807a..a2ab1da57 100644
--- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
index 109c825a4..c54bd0d56 100644
--- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
index cc35235ae..cd2f06382 100644
--- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
index bf2990d3b..5eefd7274 100644
--- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml
index 77ce17e7a..faa1a2c7b 100644
--- a/rules/cloud/azure/azure_new_cloudshell_created.yml
+++ b/rules/cloud/azure/azure_new_cloudshell_created.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
index 055e3dab7..57b3f464f 100644
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message:
diff --git a/rules/cloud/azure/azure_rare_operations.yml b/rules/cloud/azure/azure_rare_operations.yml
index 3a1ad660f..169ae1b53 100644
--- a/rules/cloud/azure/azure_rare_operations.yml
+++ b/rules/cloud/azure/azure_rare_operations.yml
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
- - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
 product: azure
- service: AzureActivity
+ service: azureactivity
 detection:
 keywords:
 - Microsoft.DocumentDB/databaseAccounts/listKeys/action
diff --git a/rules/cloud/azure/azure_service_principal_created.yml b/rules/cloud/azure/azure_service_principal_created.yml
index 0c72bddfe..28d351a04 100644
--- a/rules/cloud/azure/azure_service_principal_created.yml
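Review bot: The `azure_rare_operations.yml` hunk lowercases the repository path inside the reference URL (`Detections/azureactivity/RareOperations.yaml`); GitHub blob paths are case-sensitive and the removed line had the upstream directory name, so this link very likely breaks — keep `- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml` and apply the rename only to `service: azureactivity`. While touching this file, note that its context `description:` line is word-for-word the one from `azure_granting_permission_detection.yml` ("Identifies IPs from which users grant access to other users ... previously unseen source IP address"), which does not describe a rule whose keywords start with `Microsoft.DocumentDB/databaseAccounts/listKeys/action`; the description should say what this rule actually flags (rare/high-impact Azure operations such as key listing), since a misleading description is what an analyst reads first when the alert fires.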
+++ b/rules/cloud/azure/azure_service_principal_created.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message: 'Add service principal'
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
index 34c16e92c..fbda2c690 100644
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection:
 properties.message: Remove service principal
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
index 712a9aaaa..82994da37 100644
--- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
+++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 logsource:
 product: azure
- service: azure.activitylogs
+ service: activitylogs
 detection:
 selection1:
 properties.message:
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
index 798468f2d..a566a107b 100644
--- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
+++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
logsource:
product: azure
- service: azure.auditlogs
+ service: auditlogs
detection:
selection:
Category: 'Administrative'
diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml
index a4ef51caf..1edf50649 100644
--- a/rules/cloud/azure/azure_suppression_rule_created.yml
+++ b/rules/cloud/azure/azure_suppression_rule_created.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
- service: azure.activitylogs
+ service: activitylogs
detection:
selection:
properties.message:
diff --git a/rules/cloud/azure/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/azure_unusual_authentication_interruption.yml
index b5aee460f..f71db67b8 100644
--- a/rules/cloud/azure/azure_unusual_authentication_interruption.yml
+++ b/rules/cloud/azure/azure_unusual_authentication_interruption.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
- service: azure.signinlogs
+ service: signinlogs
detection:
selection1:
ResultType: 50097
diff --git a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
index 1af7385bb..4b2b0bec9 100644
--- a/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
+++ b/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
- service: azure.signinlogs
+ service: signinlogs
detection:
selection:
ResultType: 53003
diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
index 57fe151b9..40a1604f6 100644
--- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
- service: azure.activitylogs
+ service: activitylogs
detection:
selection:
properties.message|startswith:
diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
index a57ffb160..e7cc2e36b 100644
--- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
- service: azure.activitylogs
+ service: activitylogs
detection:
selection:
properties.message:
diff --git a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
index 7b59edc1e..ed18a8521 100644
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
index b45f1711e..2fb822e9b 100644
--- a/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
index cbbb77acc..24cb1c14d 100644
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
index 34c2e31c2..2f407d50a 100644
--- a/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
+++ b/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
index 210f444f1..3694bf34c 100644
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatDetection
+ service: threat_detection
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
index 78797ef3f..11ff77811 100644
--- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -9,7 +9,7 @@ references:
date: 2020/07/06
modified: 2021/11/27
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
index 419f8a3b5..98bba6910 100644
--- a/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
+++ b/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_new_federated_domain_added.yml b/rules/cloud/m365/microsoft365_new_federated_domain_added.yml
index e5293b0f6..adbf52d44 100644
--- a/rules/cloud/m365/microsoft365_new_federated_domain_added.yml
+++ b/rules/cloud/m365/microsoft365_new_federated_domain_added.yml
@@ -11,7 +11,7 @@ references:
- https://www.sygnia.co/golden-saml-advisory
- https://o365blog.com/post/aadbackdoor/
logsource:
- category: Exchange
+ service: exchange
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
index a83c5cdc6..489613f57 100644
--- a/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
+++ b/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
index bed597d4b..b7916e14a 100644
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
index cfe53ef79..1c2bbf799 100644
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
index 3b9fa3d5a..6f68cbd70 100644
--- a/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
+++ b/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
index 4c43c2a72..a334ac653 100644
--- a/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
+++ b/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml
@@ -8,7 +8,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
- category: ThreatManagement
+ service: threat_management
product: m365
detection:
selection:
diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml
index 4bf1b1210..4592b6975 100644
--- a/rules/compliance/netflow_cleartext_protocols.yml
+++ b/rules/compliance/netflow_cleartext_protocols.yml
@@ -53,7 +53,7 @@ references:
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
logsource:
- product: netflow
+ service: netflow
detection:
selection:
destination.port:
diff --git a/rules/web/web_apache_segfault.yml b/rules/web/web_apache_segfault.yml
index a7c208d46..13ad886db 100644
--- a/rules/web/web_apache_segfault.yml
+++ b/rules/web/web_apache_segfault.yml
@@ -8,7 +8,7 @@ references:
date: 2017/02/28
modified: 2021/11/27
logsource:
- product: apache
+ service: apache
detection:
keywords:
- 'exit signal Segmentation Fault'
diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml
index 7710cbb5d..ca2c3e4e3 100644
--- a/rules/web/web_apache_threading_error.yml
+++ b/rules/web/web_apache_threading_error.yml
@@ -8,7 +8,7 @@ references:
date: 2019/01/22
modified: 2021/11/27
logsource:
- product: apache
+ service: apache
detection:
keywords:
- '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
diff --git a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
index 52ddd3d5b..6666cbf0d 100644
--- a/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
+++ b/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml
@@ -15,7 +15,6 @@ tags:
- attack.persistence
- attack.t1505.003
logsource:
- product: zoho_manageengine
category: webserver
definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
detection:
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
index 90dbfc960..58df5c969 100644
--- a/rules/web/web_nginx_core_dump.yml
+++ b/rules/web/web_nginx_core_dump.yml
@@ -8,7 +8,7 @@ references:
- https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
- https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
logsource:
- product: apache
+ service: apache
detection:
keywords:
- 'exited on signal 6 (core dumped)'
diff --git a/tools/config/arcsight.yml b/tools/config/arcsight.yml
index 3532e7b1b..a2ac04dae 100644
--- a/tools/config/arcsight.yml
+++ b/tools/config/arcsight.yml
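Review bot: web_nginx_core_dump.yml still points at an Apache logsource after the change — the new line is `service: apache`, although the file name, both references and the `exited on signal 6 (core dumped)` keyword are about nginx. Any backend config that routes `service: apache` to an Apache index (devo-web.yml and qradar.yml in this same diff do exactly that) will run this rule against the wrong logs. The sumologic-cse.yml hunk later in the diff shows an `nginx:` logsource entry keyed on `product: nginx`, so `product: nginx` looks like the value the backends can actually resolve; that is the line I would use here instead.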
@@ -125,9 +125,9 @@ logsources:
deviceProduct: Spring
categoryDeviceGroup: /Application
apache:
- product: apache
+ service: apache
conditions:
- deviceProduct: Apache
+ deviceservice: apache
categoryDeviceGroup: /Application
firewall:
product: firewall
diff --git a/tools/config/devo-web.yml b/tools/config/devo-web.yml
index 3891aedb7..689e8c552 100644
--- a/tools/config/devo-web.yml
+++ b/tools/config/devo-web.yml
@@ -10,7 +10,7 @@ logsources:
category: proxy
index: proxy.all.access
apache:
- product: apache
+ service: apache
index: web.all.access
fieldmappings:
c-uri: url
diff --git a/tools/config/ecs-azure-ad_auditlogs.yml b/tools/config/ecs-azure-ad_auditlogs.yml
index 5d70530c7..8d40e0891 100644
--- a/tools/config/ecs-azure-ad_auditlogs.yml
+++ b/tools/config/ecs-azure-ad_auditlogs.yml
@@ -6,6 +6,6 @@ backends:
fieldmappings:
category: azure.auditlogs.properties.category
activityDisplayName: event.action
- loggedByService: azure.auditlogs.properties.logged_by_service
+ loggedByservice: auditlogs.properties.logged_by_service
result: event.outcome
initiatedBy.user.userPrincipalName: azure.auditlogs.properties.initiated_by.user.userPrincipalName
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 2ac4735ef..b70f5f5f2 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -116,7 +116,7 @@ logsources:
category: firewall
index: firewall
connection:
- category: netflow
+ service: netflow
index: connection
proxy:
category: proxy
diff --git a/tools/config/generic/m365.yml b/tools/config/generic/m365.yml
index c83606056..67cbd0efa 100644
--- a/tools/config/generic/m365.yml
+++ b/tools/config/generic/m365.yml
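Review bot: In tools/config/arcsight.yml the match condition `deviceProduct: Apache` was rewritten to `deviceservice: apache`; `deviceProduct` is the CEF field the condition matches on (the `deviceProduct: Spring` entry a few lines above is untouched), so the new key names a field that does not exist and the value was lowercased as well, meaning the `apache` logsource condition can no longer match anything. Keep `deviceProduct: Apache` and change only `product: apache` to `service: apache` in that entry. The same blanket product-to-service substitution also hit tools/config/ecs-azure-ad_auditlogs.yml in this line, where the Azure AD audit field `loggedByService` became `loggedByservice` and its ECS target lost the `azure.` prefix that every neighbouring mapping (`azure.auditlogs.properties.category`, `azure.auditlogs.properties.initiated_by...`) still carries; that mapping should stay `loggedByService: azure.auditlogs.properties.logged_by_service`.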
@@ -1,33 +1,33 @@
title: Microsoft 365 Rules
order: 10
logsources:
- ThreatManagement:
+ threat_management:
product: m365
- category: ThreatManagement
+ service: threat_management
conditions:
eventSource: SecurityComplianceCenter
- AccessGovernance:
+ access_governance:
product: m365
- category: AccessGovernance
+ service: access_governance
conditions:
eventSource: SecurityComplianceCenter
- CloudDiscovery:
+ cloud_discovery:
product: m365
- category: CloudDiscovery
+ service: cloud_discovery
conditions:
eventSource: SecurityComplianceCenter
- DataLossPrevention:
+ data_loss_prevention:
product: m365
- category: DataLossPrevention
+ service: data_loss_prevention
conditions:
eventSource: SecurityComplianceCenter
- ThreatDetection:
+ threat_detection:
product: m365
- category: ThreatDetection
+ service: threat_detection
conditions:
eventSource: SecurityComplianceCenter
- SharingControl:
+ sharing_control:
product: m365
- category: SharingControl
+ service: sharing_control
conditions:
eventSource: SecurityComplianceCenter
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 6b4277fbc..084ce3ed9 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -8,7 +8,7 @@ logsources:
conditions:
vendor_type: 'Antivirus'
apache:
- product: apache
+ service: apache
conditions:
product_name:
- 'apache*'
@@ -41,13 +41,13 @@ logsources:
vendor_name: "Microsoft"
product_name: "Onelogin"
microsoft365:
- category: ThreatManagement
+ service: threat_management
service: Microsoft365
conditions:
vendor_name: "Microsoft"
product_name: "365"
m365:
- category: ThreatManagement
+ service: threat_management
service: m365
conditions:
vendor_name: "Microsoft"
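Review bot: No logsource entry in tools/config/generic/m365.yml covers `service: exchange`, the value rules/cloud/m365/microsoft365_new_federated_domain_added.yml now selects earlier in this diff; the six entries in this block map only threat_management, access_governance, cloud_discovery, data_loss_prevention, threat_detection and sharing_control. Unless the file continues past line 33 with such an entry, that rule has no m365 logsource mapping in the generic config (the old `category: Exchange` had none here either, so this is a pre-existing gap the rename did not close). Either add an `exchange:` entry with the matching `eventSource` condition or note in the rule why the generic config intentionally omits it.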
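Review bot: The `microsoft365:` and `m365:` logsource entries in tools/config/hawk.yml each end up with two `service` keys — `service: threat_management` directly followed by the untouched `service: Microsoft365` and `service: m365`. Duplicate mapping keys are invalid YAML and most loaders silently keep the last value, so `threat_management` is dropped and the rules switched to `service: threat_management` in this diff will not resolve through these entries. Keep one `service` key per entry, or move the Microsoft365/m365 selector back onto a field that does not collide (the old `category:` key was distinct, which is why this was not a conflict before the change).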
@@ -218,22 +218,22 @@ logsources:
conditions:
vendor_name: "Zeek IDS"
azure-signin:
- service: azure.signinlogs
+ service: signinlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-auditlogs:
- service: azure.auditlogs
+ service: auditlogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activitylogs:
- service: azure.activitylogs
+ service: activitylogs
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
azure-activity:
- service: AzureActivity
+ service: azureactivity
conditions:
vendor_name: "Microsoft"
product_name: "Azure"
@@ -382,7 +382,7 @@ logsources:
qflow:
product: qflow
netflow:
- product: netflow
+ service: netflow
ipfix:
product: ipfix
flow:
diff --git a/tools/config/limacharlie.yml b/tools/config/limacharlie.yml
index 693ca2149..5dcbce584 100644
--- a/tools/config/limacharlie.yml
+++ b/tools/config/limacharlie.yml
@@ -8,4 +8,4 @@ logsources:
linux:
product: linux
netflow:
- product: netflow
\ No newline at end of file
+ service: netflow
\ No newline at end of file
diff --git a/tools/config/qradar.yml b/tools/config/qradar.yml
index 428a73cf7..8ae3a1915 100644
--- a/tools/config/qradar.yml
+++ b/tools/config/qradar.yml
@@ -4,7 +4,7 @@ backends:
order: 20
logsources:
apache:
- product: apache
+ service: apache
index: apache
conditions:
LOGSOURCETYPENAME(devicetype): '*apache*'
@@ -17,7 +17,7 @@ logsources:
product: qflow
index: flows
netflow:
- product: netflow
+ service: netflow
index: flows
ipfix:
product: ipfix
diff --git a/tools/config/sumologic-cse.yml b/tools/config/sumologic-cse.yml
index 893e83bec..8095364d6 100644
--- a/tools/config/sumologic-cse.yml
+++ b/tools/config/sumologic-cse.yml
@@ -64,11 +64,10 @@ logsources:
product: gsuite
index: gsuite
apache:
- product: apache
service: apache
index: Apache
apache2:
- product: apache
+ service: apache
index: Apache
nginx:
product: nginx
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 7b16a44c7..850fa9d19 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -107,11 +107,10 @@ logsources:
conditions:
EventChannel: 'Microsoft-Windows-Bits-Client/Operational'
apache:
- product: apache
service: apache
index: WEBSERVER
apache2:
- product: apache
+ service: apache
index: WEBSERVER
webserver:
category: webserver