title: DNIF
order: 20
backends:
  - dnif
logsources:
  firewall-product-qualys:
    product: qualys
    index: firewall
  firewall-product-windows:
    product: windows
    service: security
    index: firewall
  firewall-category-firewall:
    category: firewall
    index: firewall
  aws-cloudtrail:
    product: aws
    service: cloudtrail
    index: cloudtrail
  dns-category:
    category: dns
    index: dns
  sysmon-windows:
    product: windows
    service: sysmon
    index: sysmon-image-load
  sysmon-category-error:
    product: windows
    category: sysmon_error
    index: 
      - sysmon-process
  sysmon-category-status:
    product: windows
    category: sysmon_status
    index:
      - sysmon-process
  sysmon-service-process_tampering:
    product: windows
    category: process_tampering
    index:
      - sysmon-process
      - sysmon-image-load
  linux-auditd:
    product: linux
    service: auditd
    index: auditd
  windows-dns-query:
    product: windows
    category: dns_query
    index: dns
fieldmappings:
  src_ip: srcIp
  sourceIPAddress: srcIp
  dst_ip: dstIp
  dst_port: dstPort
  destination.port: dstPort
  action: action
  eventName: eventname
  SourceImage: imageloaded
  TargetImage: image
  EventID: eid
  message_size: txlen
  record_type: recordType
overrides:
  - field: action
    value: PACKET_ALLOWED
    regexes:
      - (action == \"accept\")
      - (action == \"forward\")