title: QRadar
backends:
  - qradar
order: 20
logsources:
  apache:
    product: apache
    conditions:
      LOGSOURCETYPENAME(devicetype): ilike '%apache%'

  windows:
    product: windows
    conditions:
      LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log'

  qflow:
    product: qflow
    index: flows

  netflow:
    product: netflow
    index: flows

  ipfix:
    product: ipfix
    index: flows

  flow:
    category: flow
    index: flows

fieldmappings:
  EventID:
    - Event ID Code
  dst:
    - destinationIP
  dst_ip:
    - destinationIP
  src:
    - sourceIP
  src_ip:
    - sourceIP
  c-ip: sourceIP
  cs-ip: sourceIP
  c-uri: url
  c-uri-extension: file_extension
  c-useragent: user_agent
  c-uri-query: uri_query
  cs-method: Method
  r-dns: FQDN
  ClientIP: sourceIP
  ServiceFileName: Service Name