title: HAWK order: 20 backends: - hawk logsources: antivirus: category: antivirus conditions: vendor_type: 'Antivirus' apache: service: apache conditions: product_name: - 'apache*' - 'httpd*' webserver: category: webserver conditions: vendor_type: 'Webserver' cisco: product: cisco conditions: vendor_name: 'Cisco' django: product: django conditions: vendor_name: 'Django' okta: service: okta conditions: vendor_name: "Okta" product_name: "Identity and Access Management" onedrive: service: onedrive conditions: vendor_name: "Microsoft" product_name: "Onedrive" onelogin-events: service: onelogin.events conditions: vendor_name: "Microsoft" product_name: "Onelogin" microsoft365: product: m365 service: threat_management conditions: vendor_name: "Microsoft" product_name: "365" m365: product: m365 service: threat_management conditions: vendor_name: "Microsoft" product_name: "365" google-workspace: service: google_workspace.admin conditions: vendor_name: "Google" product_name: "Workspace" guacamole: service: guacamole product_name: "Guacamole" conditions: vendor_name: "Guacamole" google-cloud: service: gcp.audit conditions: vendor_name: "Google" product_name: "Cloud" sshd: service: sshd conditions: process_name: "sshd*" syslog: service: syslog conditions: process_name: "syslog*" spring: category: application product: spring conditions: vendor_name: "Spring" linux-audit: product: linux service: auditd conditions: vendor_name: "Linux" product_name: "Audit" modsecurity: service: modsecurity conditions: process_name: "modsec*" msexchange-management: service: msexchange-management conditions: product_name: "MSExchange Management" windows: product: windows index: windows conditions: vendor_name: "Microsoft" windows-stream-hash: product: windows category: create_stream_hash conditions: product_name: "Sysmon" vendor_id: "15" windows-create-remote-thread: product: windows category: create_remote_thread conditions: product_name: "Sysmon" vendor_id: "8" windows-process-access: product: windows category: process_access conditions: product_name: "Sysmon" vendor_id: "10" windows-process-creation: product: windows category: process_creation conditions: product_name: "Sysmon" vendor_id: "1" windows-bits-client: product: windows service: bits-client conditions: event_channel: "Microsoft-Windows-Bits-Client/Operational" windows-vhdmp-operational: product: windows service: vhdmp conditions: event_channel: 'Microsoft-Windows-VHDMP/Operational' windows-appxdeployment-server: product: windows service: appxdeployment-server conditions: event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational' windows-lsa-server: product: windows service: lsa-server conditions: event_channel: 'Microsoft-Windows-LSA/Operational' windows-appxpackaging-om: product: windows service: appxpackaging-om conditions: event_channel: 'Microsoft-Windows-AppxPackaging/Operational' windows-dns-client: product: windows service: dns-client conditions: event_channel: 'Microsoft-Windows-DNS Client Events/Operational' windows-appmodel-runtime: product: windows service: appmodel-runtime conditions: event_channel: 'Microsoft-Windows-AppModel-Runtime/Admin' windows-network-connection: product: windows category: network_connection conditions: product_name: "Sysmon" vendor_id: "3" windows-sysmon-status: product: windows category: sysmon_status conditions: product_name: "Sysmon" vendor_id: - 4 - 5 windows-sysmon-error: product: windows category: sysmon_error conditions: product_name: "Sysmon" vendor_id: "255" windows-raw-access-thread: product: windows category: raw_access_thread conditions: product_name: "Sysmon" vendor_id: 9 windows-file-create: product: windows category: file_create conditions: product_name: "Sysmon" vendor_id: "11" windows-file-event: product: windows category: file_event conditions: product_name: "Sysmon" vendor_id: "11" windows-file-change: product: windows category: file_change conditions: product_name: "Sysmon" vendor_id: "2" windows-pipe-created: product: windows category: pipe_created conditions: product_name: "Sysmon" vendor_id: - 17 - 18 windows-dns-query: product: windows category: dns_query conditions: product_name: "Sysmon" vendor_id: "22" windows-file-delete: product: windows category: file_delete conditions: product_name: "Sysmon" vendor_id: "23" windows-kernel-file-rename: product: windows category: file_rename conditions: product_name: "Kernel-File" windows-kernel-file-access: product: windows category: file_access conditions: product_name: "Kernel-File" windows-wmi-sysmon: product: windows category: wmi_event conditions: product_name: "Sysmon" vendor_id: - 19 - 20 - 21 windows-ldap-debug: product: windows category: ldap_debug conditions: event_channel: "Microsoft-Windows-LDAP-Client/Debug" windows-driver-load: product: windows category: driver_load conditions: product_name: "Sysmon" vendor_id: "6" windows-image-load: product: windows category: image_load conditions: product_name: "Sysmon" vendor_id: "7" clamav: service: clamav conditions: process_name: "clamav*" aws-cloudtrail: service: cloudtrail conditions: vendor_name: "AWS CloudTrail" zeek: product: zeek conditions: vendor_name: "Zeek" vendor_type: "IDS" firewall: category: firewall conditions: vendor_type: - "Firewall" - "Router" - "WAP" zeek-category-dns: category: dns rewrite: product: zeek service: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: hawk_source: "conn.log" zeek-conn_long: product: zeek service: conn_long conditions: hawk_source: "conn_long.log" zeek-dce_rpc: product: zeek service: dce_rpc conditions: hawk_source: "dce_rpc.log" zeek-dns: product: zeek service: dns conditions: hawk_source: "dns.log" zeek-dnp3: product: zeek service: dnp3 conditions: hawk_source: "dnp3.log" zeek-dpd: product: zeek service: dpd conditions: hawk_source: "dpd.log" zeek-files: product: zeek service: files conditions: hawk_source: "files.log" zeek-ftp: product: zeek service: ftp conditions: hawk_source: "ftp.log" zeek-gquic: product: zeek service: gquic conditions: hawk_source: "gquic.log" zeek-http: product: zeek service: http conditions: hawk_source: "http.log" zeek-http2: product: zeek service: http2 conditions: hawk_source: "http2.log" zeek-intel: product: zeek service: intel conditions: hawk_source: "intel.log" zeek-irc: product: zeek service: irc conditions: hawk_source: "irc.log" zeek-kerberos: product: zeek service: kerberos conditions: hawk_source: "kerberos.log" zeek-known_certs: product: zeek service: known_certs conditions: hawk_source: "known_certs.log" zeek-known_hosts: product: zeek service: known_hosts conditions: hawk_source: "known_hosts.log" zeek-known_modbus: product: zeek service: known_modbus conditions: hawk_source: "known_modbus.log" zeek-known_services: product: zeek service: known_services conditions: hawk_source: "known_services.log" zeek-modbus: product: zeek service: modbus conditions: hawk_source: "modbus.log" zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: hawk_source: "modbus_register_change.log" zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: hawk_source: "mqtt_connect.log" zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: hawk_source: "mqtt_publish.log" zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: hawk_source: "mqtt_subscribe.log" zeek-mysql: product: zeek service: mysql conditions: hawk_source: "mysql.log" zeek-notice: product: zeek service: notice conditions: hawk_source: "notice.log" zeek-ntlm: product: zeek service: ntlm conditions: hawk_source: "ntlm.log" zeek-ntp: product: zeek service: ntp conditions: hawk_source: "ntp.log" zeek-ocsp: product: zeek service: ntp conditions: hawk_source: "ocsp.log" zeek-pe: product: zeek service: pe conditions: hawk_source: "pe.log" zeek-pop3: product: zeek service: pop3 conditions: hawk_source: "pop3.log" zeek-radius: product: zeek service: radius conditions: hawk_source: "radius.log" zeek-rdp: product: zeek service: rdp conditions: hawk_source: "rdp.log" zeek-rfb: product: zeek service: rfb conditions: hawk_source: "rfb.log" zeek-sip: product: zeek service: sip conditions: hawk_source: "sip.log" zeek-smb_files: product: zeek service: smb_files conditions: hawk_source: "smb_files.log" zeek-smb_mapping: product: zeek service: smb_mapping conditions: hawk_source: "smb_mapping.log" zeek-smtp: product: zeek service: smtp conditions: hawk_source: "smtp.log" zeek-smtp_links: product: zeek service: smtp_links conditions: hawk_source: "smtp_links.log" zeek-snmp: product: zeek service: snmp conditions: hawk_source: "snmp.log" zeek-socks: product: zeek service: socks conditions: hawk_source: "socks.log" zeek-software: product: zeek service: software conditions: hawk_source: "software.log" zeek-ssh: product: zeek service: ssh conditions: hawk_source: "ssh.log" zeek-ssl: product: zeek service: ssl conditions: hawk_source: "tls.log" zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that product: zeek service: tls conditions: hawk_source: "tls.log" zeek-syslog: product: zeek service: syslog conditions: hawk_source: "syslog.log" zeek-tunnel: product: zeek service: tunnel conditions: hawk_source: "tunnel.log" zeek-traceroute: product: zeek service: traceroute conditions: hawk_source: "traceroute.log" zeek-weird: product: zeek service: weird conditions: hawk_source: "weird.log" zeek-x509: product: zeek service: x509 conditions: hawk_source: "x509.log" zeek-ip_search: product: zeek service: network conditions: hawk_source: - "conn.log" - "conn_long.log" - "dce_rpc.log" - "dhcp.log" - "dnp3.log" - "dns.log" - "ftp.log" - "gquic.log" - "http.log" - "irc.log" - "kerberos.log" - "modbus.log" - "mqtt_connect.log" - "mqtt_publish.log" - "mqtt_subscribe.log" - "mysql.log" - "ntlm.log" - "ntp.log" - "radius.log" - "rfb.log" - "sip.log" - "smb_files.log" - "smb_mapping.log" - "smtp.log" - "smtp_links.log" - "snmp.log" - "socks.log" - "ssh.log" - "tls.log" #SSL - "tunnel.log" - "weird.log" azure-signin: product: azure service: signinlogs conditions: vendor_name: "Microsoft" product_name: "Azure" product_source: "signInAudits" azure-auditlogs: product: azure service: auditlogs conditions: vendor_name: "Microsoft" product_name: "Azure" product_source: "directoryAudits" azure-activitylogs: product: azure service: activitylogs conditions: vendor_name: "Microsoft" product_name: "Azure" azure-activity: product: azure service: azureactivity conditions: vendor_name: "Microsoft" product_name: "Azure" microsoft-servicebus-client: product: windows service: microsoft-servicebus-client conditions: event_channel: 'Microsoft-ServiceBus-Client' windows-application: product: windows service: application conditions: event_channel: 'Application' windows-security: product: windows service: security conditions: event_channel: 'Security' windows-system: product: windows service: system conditions: event_channel: 'System' windows-sysmon: product: windows service: sysmon conditions: product_name: 'Sysmon' windows-powershell: product: windows service: powershell conditions: product_name: 'PowerShell' windows-classicpowershell: product: windows service: powershell-classic conditions: product_name: 'Windows PowerShell' windows-taskscheduler: product: windows service: taskscheduler conditions: product_name: 'TaskScheduler' windows-wmi: product: windows service: wmi conditions: product_name: 'WMI-Activity' windows-dns-server: product: windows service: dns-server conditions: product_name: 'DNS Server' windows-dns-server-audit: product: windows service: dns-server-audit conditions: product_name: 'DNS Server' windows-driver-framework: product: windows service: driver-framework conditions: product_name: 'DriverFrameworks-UserMode' windows-ntlm: product: windows service: ntlm conditions: product_name: 'NTLM' windows-dhcp: product: windows service: dhcp conditions: product_name: 'DHCP-Server' windows-defender: product: windows service: windefend conditions: product_name: 'Windows Defender' windows-applocker: product: windows service: applocker conditions: product_name: 'AppLocker' windows-firewall-advanced-security: product: windows service: firewall-as conditions: product_name: 'Windows Firewall With Advanced Security' windows-ps-module: product: windows category: ps_module conditions: product_name: 'PowerShell' vendor_id: 4103 windows-ps-script: product: windows category: ps_script conditions: product_name: 'PowerShell' vendor_id: 4104 windows-ps-classic-start: product: windows category: ps_classic_start conditions: EventID: 400 product_name: 'Windows PowerShell' windows-ps-classic-provider: product: windows category: ps_classic_provider_start conditions: vendor_id: 600 product_name: 'Windows PowerShell' windows-ps-classic-script: product: windows category: ps_classic_script conditions: vendor_id: 800 product_name: 'Windows PowerShell' windows-service-bus: service: Microsoft-ServiceBus-Client conditions: product_name: "Microsoft-ServiceBus-Client" windows-msexchange-management: product: windows service: msexchange-management conditions: product_name: 'MSExchange Management' windows-printservice-admin: product: windows service: printservice-admin conditions: product_name: 'PrintService' windows-printservice-operational: product: windows service: printservice-operational conditions: product_name: 'PrintService' windows-terminalservices-localsessionmanager-operational: product: windows service: terminalservices-localsessionmanager conditions: product_name: 'TerminalServices-LocalSessionManager' windows-codeintegrity-operational: product: windows service: codeintegrity-operational conditions: product_name: 'CodeIntegrity' windows-smbclient-security: product: windows service: smbclient-security conditions: product_name: 'SmbClient' windows-registry: product: windows category: registry_event conditions: product_name: "Sysmon" vendor_id: - 12 - 13 - 14 windows-registry-add: product: windows category: registry_add conditions: product_name: "Sysmon" vendor_id: 12 windows-registry-delete: product: windows category: registry_delete conditions: product_name: "Sysmon" vendor_id: 12 windows-registry-set: product: windows category: registry_set conditions: product_name: "Sysmon" vendor_id: 13 windows-registry-rename: product: windows category: registry_rename conditions: product_name: "Sysmon" vendor_id: 14 windows-file-block-executable: product: windows category: file_block conditions: product_name: "Sysmon" vendor_id: 27 #dns: # category: dns # conditions: qflow: product: qflow netflow: service: netflow ipfix: product: ipfix flow: product: flow fieldmappings: dst: - ip_dst_host dst_ip: - ip_dst src: - ip_src_host src_ip: - ip_src IPAddress: ip_src DNSAddress: dns_address DCIPAddress: ip_src category: vendor_category error: error_code key: event_key payload: event_payload weight: event_weight account type: account_type PrivilegeList: process_privileges pid_user: event_username sid: correlation_session_id UserSid: correlation_session_id TargetSid: target_session_id TargetUserName: target_username SamAccountName: target_username AccountName: target_username TargetDomainName: target_domain DnsServerIpAddress: dns_address QueryName: dns_query AuthenticationPackageName: package_name HostProcess: image Application: image ProcessName: image TargetImage: target_image ParentImage: parent_image CallerProcessName: parent_image ParentProcessName: parent_image CommandLine: command ProcessCommandLine: command ParentCommandLine: parent_command Imphash: file_hash_imphash sha256: file_hash_sha256 md5: file_hash_md5 sha1: file_hash_sha1 SubjectUserSid: correlation_session_id SubjectSid: correlation_session_id SubjectUserName: correlation_username SubjectDomainName: correlation_domain SubjectLogonId: correlation_logon_id pid: event_pid ProccessId: pid NewProcessName: image ServiceName: service_name Service: service_name ServiceFileName: filename EventID: vendor_id SourceImage: parent_image ImageLoaded: image_loaded Description: image_description ScriptBlockText: value Product: image_product Company: image_company CurrentDirectory: path ShareName: path RelativeTargetName: filename TargetName: value Initiated: value Accesses: access_mask LDAPDisplayName: distinguished_name AttributeLDAPDisplayName: distinguished_name AttributeValue: value ParentProcessId: parent_pid SourceProcessId: source_pid TargetProcessId: target_pid Signed: signature Status: value TargetFilename: filename FileName: filename TargetObject: object_target ObjectClass: object_type ObjectValueName: object_name ObjectName: object_name DeviceClassName: object_name CallTrace: calltrace IpAddress: ip_src WorkstationName: ip_src_host Workstation: ip_src_host DestinationIp: ip_dst DestinationHostname: ip_dst_host DestinationPort: ip_dport DestAddress: ip_dst DestPort: ip_dport SourceAddress: ip_src SourcePort: ip_sport GrantedAccess: access_mask StartModule: target_process_name TargetProcessAddress: process_address TicketOptions: sys.ticket.options TicketEncryptionType: sys.ticket.encryption.type DetectionSource: value Priority: event_priority event_type_id: vendor_id destination.port: ip_dport user: correlation_username User: correlation_username # Provider_Name: channel c-referer: http_referer cs-referer: http_referer cs-host: http_host cs-method: http_method c-uri: http_path c-uri-stem: http_path cs-uri: http_path cs-uri-stem: http_path c-agent: http_user_agent cs-agent: http_user_agent c-useragent: http_user_agent cs-useragent: http_user_agent cs-user-agent: http_user_agent c-ip: ip_src cs-ip: ip_src s-ip: ip_dst sc-ip: ip_dst c-username: correlation_username cs-username: correlation_username s-computername: ip_dst_host cs-uri-query: http_query c-uri-query: http_query sc-status: http_status_code sc-bytes: http_content_length user-agent: http_user_agent cs-User-Agent: http_user_agent r-dns: http_host id.orig_h: ip_src id.orig_p: ip_sport id.resp_h: ip_dst id.resp_p: ip_dport host: ip_src hostname: ip_src_host port_num: ip_dport dst_port: ip_dport query: dns_query orig_ip_bytes: net_if_out_bytes resp_ip_bytes: net_if_in_bytes QNAME: qname Channel: event_channel