title: SumoLogic order: 20 backends: - sumologic afl_fields: - _index - EventID - CommandLine - NewProcessName - Image - ParentImage - ParentCommandLine - ParentProcessName # Sumulogic mapping depends on customer configuration. Adapt to your context! # typically rule on _sourceCategory, _index or Field Extraction Rules (FER) # supposing existing FER for service, EventChannel, EventID logsources: unix: product: unix index: UNIX linux: product: linux index: LINUX linux-sshd: product: linux service: sshd index: LINUX linux-auth: product: linux service: auth index: LINUX linux-clamav: product: linux service: clamav index: LINUX windows: product: windows index: WINDOWS windows-sysmon: product: windows service: sysmon conditions: EventChannel: Microsoft-Windows-Sysmon index: WINDOWS windows-security: product: windows service: security conditions: EventChannel: Security index: WINDOWS windows-powershell: product: windows service: powershell conditions: EventChannel: - Microsoft-Windows-Powershell - PowerShellCore index: WINDOWS windows-system: product: windows service: system conditions: EventChannel: System index: WINDOWS windows-dhcp: product: windows service: dhcp conditions: EventChannel: Microsoft-Windows-DHCP-Server index: WINDOWS windows-ntlm: product: windows service: ntlm conditions: EventChannel: 'Microsoft-Windows-NTLM/Operational' index: WINDOWS windows-printservice-admin: product: windows service: printservice-admin conditions: EventChannel: 'Microsoft-Windows-PrintService/Admin' index: WINDOWS windows-printservice-operational: product: windows service: printservice-operational conditions: EventChannel: 'Microsoft-Windows-PrintService/Operational' index: WINDOWS windows-terminalservices-localsessionmanager-operational: product: windows service: terminalservices-localsessionmanager conditions: EventChannel: 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' index: WINDOWS windows-codeintegrity-operational: product: windows service: codeintegrity-operational conditions: EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational' index: WINDOWS windows-smbclient-security: product: windows service: smbclient-security conditions: EventChannel: 'Microsoft-Windows-SmbClient/Security' index: WINDOWS windows-msexchange-management: product: windows service: msexchange-management conditions: EventChannel: 'MSExchange Management' index: WINDOWS windows-firewall-advanced-security: product: windows service: firewall-as conditions: EventChannel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' index: WINDOWS windows-bits-client: product: windows service: bits-client conditions: EventChannel: 'Microsoft-Windows-Bits-Client/Operational' index: WINDOWS windows-security-mitigations: product: windows service: security-mitigations conditions: EventChannel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' index: WINDOWS windows-diagnosis: product: windows service: diagnosis-scripted conditions: EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' index: WINDOWS windows-shell-core: product: windows service: shell-core conditions: EventChannel: 'Microsoft-Windows-Shell-Core/Operational' index: WINDOWS windows-openssh: product: windows service: openssh conditions: EventChannel: 'OpenSSH/Operational' index: WINDOWS windows-ldap-debug: product: windows service: ldap_debug conditions: EventChannel: 'Microsoft-Windows-LDAP-Client/Debug' index: WINDOWS windows-bitlocker: product: windows service: bitlocker conditions: EventChannel: 'Microsoft-Windows-BitLocker/BitLocker Management' index: WINDOWS windows-vhdmp-operational: product: windows service: vhdmp conditions: EventChannel: 'Microsoft-Windows-VHDMP/Operational' index: WINDOWS windows-appxdeployment-server: product: windows service: appxdeployment-server conditions: EventChannel: 'Microsoft-Windows-AppXDeploymentServer/Operational' index: WINDOWS windows-lsa-server: product: windows service: lsa-server conditions: EventChannel: 'Microsoft-Windows-LSA/Operational' index: WINDOWS windows-appxpackaging-om: product: windows service: appxpackaging-om conditions: EventChannel: 'Microsoft-Windows-AppxPackaging/Operational' index: WINDOWS windows-dns-client: product: windows service: dns-client conditions: EventChannel: 'Microsoft-Windows-DNS Client Events/Operational' index: WINDOWS windows-appmodel-runtime: product: windows service: appmodel-runtime conditions: EventChannel: 'Microsoft-Windows-AppModel-Runtime/Admin' index: WINDOWS apache: service: apache index: WEBSERVER apache2: service: apache index: WEBSERVER webserver: category: webserver index: WEBSERVER firewall: category: firewall index: FIREWALL firewall2: product: firewall index: FIREWALL network-dns: category: dns index: DNS network-dns2: product: dns index: DNS proxy: category: proxy index: PROXY antivirus: category: antivirus index: ANTIVIRUS application-sql: product: sql index: DATABASE application-python: product: python index: APPLICATIONS application-django: product: django index: DJANGO application-rails: product: rails index: RAILS application-spring: product: spring index: SPRING # if no index, search in all indexes