refactor: first bigger log source refactoring

see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835

tools/config/arcsight.yml

@@ -125,9 +125,9 @@ logsources:
       deviceProduct: Spring
       categoryDeviceGroup: /Application
   apache:
-    product: apache
+    service: apache
     conditions:
-      deviceProduct: Apache
+      deviceservice: apache
       categoryDeviceGroup: /Application
   firewall:
     product: firewall

tools/config/devo-web.yml

@@ -10,7 +10,7 @@ logsources:
     category: proxy
     index: proxy.all.access
   apache:
-    product: apache
+    service: apache
     index: web.all.access
 fieldmappings:
   c-uri: url

tools/config/ecs-azure-ad_auditlogs.yml

@@ -6,6 +6,6 @@ backends:
 fieldmappings:
   category: azure.auditlogs.properties.category
   activityDisplayName: event.action
-  loggedByService: azure.auditlogs.properties.logged_by_service
+  loggedByservice: auditlogs.properties.logged_by_service
   result: event.outcome
   initiatedBy.user.userPrincipalName: azure.auditlogs.properties.initiated_by.user.userPrincipalName

tools/config/fireeye-helix.yml

@@ -116,7 +116,7 @@ logsources:
         category: firewall
         index: firewall
     connection:
-        category: netflow
+        service: netflow
         index: connection
     proxy:
         category: proxy

tools/config/generic/m365.yml

@@ -1,33 +1,33 @@
 title: Microsoft 365 Rules
 order: 10
 logsources:
-    ThreatManagement:
+    threat_management:
         product: m365
-        category: ThreatManagement
+        service: threat_management
         conditions:
             eventSource: SecurityComplianceCenter
-    AccessGovernance:
+    access_governance:
         product: m365
-        category: AccessGovernance
+        service: access_governance
         conditions:
             eventSource: SecurityComplianceCenter
-    CloudDiscovery:
+    cloud_discovery:
         product: m365
-        category: CloudDiscovery
+        service: cloud_discovery
         conditions:
             eventSource: SecurityComplianceCenter
-    DataLossPrevention:
+    data_loss_prevention:
         product: m365
-        category: DataLossPrevention
+        service: data_loss_prevention
         conditions:
             eventSource: SecurityComplianceCenter
-    ThreatDetection:
+    threat_detection:
         product: m365
-        category: ThreatDetection
+        service: threat_detection
         conditions:
             eventSource: SecurityComplianceCenter
-    SharingControl:
+            sharing_control:
         product: m365
-        category: SharingControl
+    service: sharing_control
         conditions:
             eventSource: SecurityComplianceCenter

tools/config/hawk.yml

@@ -8,7 +8,7 @@ logsources:
    conditions:
      vendor_type: 'Antivirus'
  apache:
-   product: apache
+   service: apache
    conditions:
      product_name: 
        - 'apache*'
@@ -41,13 +41,13 @@ logsources:
     vendor_name: "Microsoft"
     product_name: "Onelogin" 
  microsoft365:
-   category: ThreatManagement
+   service: threat_management
    service: Microsoft365
    conditions:
     vendor_name: "Microsoft"
     product_name: "365"
  m365:
-   category: ThreatManagement
+   service: threat_management
    service: m365
    conditions:
     vendor_name: "Microsoft"
@@ -218,22 +218,22 @@ logsources:
   conditions:
     vendor_name: "Zeek IDS"
  azure-signin:
-  service: azure.signinlogs
+  service: signinlogs
   conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-auditlogs:
-   service: azure.auditlogs
+   service: auditlogs
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-activitylogs:
-   service: azure.activitylogs
+   service: activitylogs
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
  azure-activity:
-   service: AzureActivity
+   service: azureactivity
    conditions:
     vendor_name: "Microsoft"
     product_name: "Azure"
@@ -382,7 +382,7 @@ logsources:
  qflow:
    product: qflow
  netflow:
-   product: netflow
+   service: netflow
  ipfix:
    product: ipfix
  flow:

tools/config/limacharlie.yml

@@ -8,4 +8,4 @@ logsources:
   linux:
     product: linux
   netflow:
-    product: netflow
+    service: netflow

tools/config/qradar.yml

@@ -4,7 +4,7 @@ backends:
 order: 20
 logsources:
  apache:
-   product: apache
+   service: apache
    index: apache
    conditions:
      LOGSOURCETYPENAME(devicetype): '*apache*'
@@ -17,7 +17,7 @@ logsources:
    product: qflow
    index: flows
  netflow:
-   product: netflow
+   service: netflow
    index: flows
  ipfix:
    product: ipfix

tools/config/sumologic-cse.yml

@@ -64,11 +64,10 @@ logsources:
     product: gsuite
     index: gsuite
   apache:
-    product: apache
     service: apache
     index: Apache
   apache2:
-    product: apache
+    service: apache
     index: Apache
   nginx:
     product: nginx

tools/config/sumologic.yml

@@ -107,11 +107,10 @@ logsources:
     conditions:
       EventChannel: 'Microsoft-Windows-Bits-Client/Operational' 
   apache:
-    product: apache
     service: apache
     index: WEBSERVER
   apache2:
-    product: apache
+    service: apache
     index: WEBSERVER
   webserver:
     category: webserver