title: ArcSight order: 20 backends: - arcsight - arcsight-esm logsources: linux: product: linux conditions: deviceVendor: Unix linux-sshd: product: linux service: sshd conditions: deviceVendor: Unix linux-vsftpd: product: linux service: vsftpd conditions: deviceVendor: Unix linux-auth: product: linux service: auth conditions: deviceVendor: Unix linux-clamav: product: linux service: clamav conditions: deviceVendor: Unix antivirus: product: antivirus conditions: categoryDeviceGroup: /IDS/Host/AntiVirus windows-dns: product: windows service: dns-server conditions: deviceVendor: Microsoft deviceProduct: DNS-Server windows-pc: product: windows service: powershell-classic conditions: deviceVendor: Microsoft windows-sys: product: windows service: sysmon conditions: deviceVendor: Microsoft deviceProduct: Sysmon windows-sec: product: windows service: security conditions: deviceVendor: Microsoft deviceProduct: Microsoft Windows windows-power: product: windows service: powershell conditions: deviceVendor: Microsoft windows-ntlm: product: windows service: ntlm conditions: deviceVendor: Microsoft windows-dhcp: product: windows service: dhcp conditions: deviceVendor: Microsoft windows-system: product: windows service: system conditions: deviceVendor: Microsoft windows-wmi: product: windows service: wmi conditions: deviceVendor: Microsoft windows-driver-framework: product: windows service: driver-framework conditions: deviceVendor: Microsoft windows-defender: product: windows_defender conditions: deviceVendor: Microsoft windows-driver: product: windows service: driver-framework conditions: deviceVendor: Microsoft windows-app: product: windows service: application conditions: deviceVendor: Microsoft windows-applocker: product: windows service: applocker conditions: deviceVendor: Microsoft deviceProduct: AppLocker proxy: category: proxy conditions: categoryDeviceGroup: /Proxy python: product: python conditions: deviceProduct: Python categoryDeviceGroup: /Application ruby_on_rails: product: ruby_on_rails conditions: deviceProduct: Ruby on Rails categoryDeviceGroup: /Application spring: product: spring conditions: deviceProduct: Spring categoryDeviceGroup: /Application apache: service: apache conditions: deviceservice: apache categoryDeviceGroup: /Application firewall: product: firewall conditions: categoryDeviceGroup: /Firewall fieldmappings: EventID: externalId Event-ID: externalId Event_ID: externalId eventId: externalId event_id: externalId event-id: externalId eventid: externalId dst: - destinationAddress dst_ip: - destinationAddress dst-ip: - destinationAddress src: - sourceAddress src_ip: - sourceAddress src-ip: - sourceAddress TargetImage: - destinationProcessName - filePath ImageLoaded: - destinationProcessName - deviceCustomString1 - filePath - destinationProcessName Image: - deviceProcessName - destinationProcessName - sourceProcessName ParentImage: - sourceProcessName LogonProcessName: - destinationProcessName - sourceProcessName TargetProcessId: - destinationProcessId User: - sourceUserName TargetUserName: - destinationUserName LogonId: - sourceUserId SourceIp: - sourceAddress SourceNetworkAddress: - sourceAddress SourcePort: - sourcePort SourceHostname: - sourceHostName ParentProcessId: - sourceProcessId SourceProcessId: - sourceProcessId ProcessId: - deviceProcessId - destinationProcessId DestinationPort: - destinationPort DestinationIp: - destinationAddress DestinationHostname: - destinationHostName DestinationIsIpv6: - destinationIsIpv6 SourcePortName: - sourcePortName DestinationPortName: - destinationPortName SourceIsIpv6: - sourceIsIpv6 FileVersion: - fileId Protocol: - transportProtocol TargetFilename: - filePath TargetFileName: - filePath Hashes: - fileHash Hash: - fileHash file_hash: - fileHash State: - deviceAction EventType: - deviceAction RuleName: - deviceFacility - reason SourceImage: - sourceProcessName TerminalSessionId: - deviceCustomNumber2 SequenceNumber: - deviceCustomNumber3 Initiated: - deviceCustomString4 IntegrityLevel: - deviceCustomString1 - deviceCustomString5 ProcessGuid: - fileId - deviceCustomString6 SourceProcessGUID: - flexString1 TargetProcessGUID: - fileId - flexString2 ParentProcessGuid: - oldFileId - deviceCustomString4 Product: - destinationServiceName OriginalFileName: - oldFilePath Version: - deviceCustomString1 SchemaVersion: - deviceCustomString2 Signed: - fileType - deviceCustomString1 Signature: - deviceCustomString2 SignatureStatus: - filePermission - deviceCustomString3 NewThreadId: - deviceCustomString1 StartAddress: - deviceCustomString2 StartModule: - deviceCustomString3 StartFunction: - deviceCustomString4 Device: - deviceCustomString5 - deviceCustomString1 GrantedAccess: - deviceCustomString1 - deviceCustomString2 CallTrace: - oldFilePath - deviceCustomString3 TargetObject: - filePath Details: - deviceCustomString4 - deviceCustomString1 NewName: - filePath Configuration: - filePath PipeName: - deviceCustomString6 - fileName Name: - deviceCustomString1 Operation: - deviceCustomString2 EventNamespace: - deviceCustomString3 Query: - deviceCustomString4 Type: - deviceCustomString3 Destination: - fileName Consumer: - deviceCustomString1 Filter: - deviceCustomString3 QueryName: - destinationHostName - requestUrl QueryResults: - deviceCustomString4 - deviceCustomString1 ID: - deviceCustomString1 Description: - message CommandLine: - destinationServiceName - deviceCustomString1 ParentCommandLine: - deviceCustomString2 - sourceServiceName CurrentDirectory: - oldFilePath LogonGuid: - deviceCustomString6 UserAgent: - requestClientApplication URL: - requestUrl - requestUrlQuery FileName: - fileName - filePath cs-uri-extension: - fileType c-uri-extension: - fileType s-dns: - destinationDnsDomain - destinationHost r-dns: - destinationDnsDomain - destinationHost event.name: - name http.request.body.content: - requestUrl url.query: - requestUrl cs-uri-path: - filePath keywords: - deviceCustomString1 ScriptBlockText: - deviceCustomString1 AccessMask: deviceCustomString1 AccountName: deviceCustomString1 AllowedToDelegateTo: deviceCustomString1 AttributeLDAPDisplayName: deviceCustomString1 AuditPolicyChanges: deviceCustomString1 AuthenticationPackageName: deviceCustomString1 CallingProcessName: deviceCustomString1 Command: deviceCustomString1 Command_Line: deviceCustomString1 ComputerName: deviceCustomString1 destination.domain: deviceCustomString1 DestinationIP: deviceCustomString1 EngineVersion: deviceCustomString1 Event: deviceCustomString1 event.category: deviceCustomString1 event.raw: deviceCustomString1 event_data.AccessMask: deviceCustomString1 event_data.AccountName: deviceCustomString1 event_data.AllowedToDelegateTo: deviceCustomString1 event_data.AttributeLDAPDisplayName: deviceCustomString1 event_data.AuditPolicyChanges: deviceCustomString1 event_data.AuthenticationPackageName: deviceCustomString1 event_data.CallingProcessName: deviceCustomString1 event_data.CallTrace: deviceCustomString1 event_data.CommandLine: deviceCustomString1 event_data.ComputerName: deviceCustomString1 event_data.CurrentDirectory: deviceCustomString1 event_data.Description: deviceCustomString1 event_data.DestinationHostname: deviceCustomString1 event_data.DestinationIp: deviceCustomString1 event_data.DestinationIsIpv6: deviceCustomString1 event_data.DestinationPort: deviceCustomString1 event_data.Details: deviceCustomString1 event_data.EngineVersion: deviceCustomString1 event_data.EventType: deviceCustomString1 event_data.FailureCode: deviceCustomString1 event_data.FileName: deviceCustomString1 event_data.GrantedAccess: deviceCustomString1 event_data.GroupName: deviceCustomString1 event_data.GroupSid: deviceCustomString1 event_data.Hashes: deviceCustomString1 event_data.HiveName: deviceCustomString1 event_data.HostVersion: deviceCustomString1 event_data.Image: deviceCustomString1 event_data.ImageLoaded: deviceCustomString1 event_data.ImagePath: deviceCustomString1 event_data.Imphash: deviceCustomString1 event_data.IpAddress: deviceCustomString1 event_data.KeyLength: deviceCustomString1 event_data.LogonProcessName: deviceCustomString1 event_data.LogonType: deviceCustomString1 event_data.NewProcessName: deviceCustomString1 event_data.ObjectClass: deviceCustomString1 event_data.ObjectName: deviceCustomString1 event_data.ObjectType: deviceCustomString1 event_data.ObjectValueName: deviceCustomString1 event_data.ParentCommandLine: deviceCustomString1 event_data.ParentImage: deviceCustomString1 event_data.ParentProcessName: deviceCustomString1 event_data.Path: deviceCustomString1 event_data.PipeName: deviceCustomString1 event_data.ProcessCommandLine: deviceCustomString1 event_data.ProcessName: deviceCustomString1 event_data.Properties: deviceCustomString1 event_data.SecurityID: deviceCustomString1 event_data.ServiceFileName: deviceCustomString1 event_data.ServiceName: deviceCustomString1 event_data.ShareName: deviceCustomString1 event_data.Signature: deviceCustomString1 event_data.Source: deviceCustomString1 event_data.SourceImage: deviceCustomString1 event_data.StartModule: deviceCustomString1 event_data.Status: deviceCustomString1 event_data.SubjectUserName: deviceCustomString1 event_data.SubjectUserSid: deviceCustomString1 event_data.TargetFilename: deviceCustomString1 event_data.TargetImage: deviceCustomString1 event_data.TargetObject: deviceCustomString1 event_data.TicketEncryptionType: deviceCustomString1 event_data.TicketOptions: deviceCustomString1 event_data.User: deviceCustomString1 event_data.WorkstationName: deviceCustomString1 FailureCode: deviceCustomString1 GroupName: deviceCustomString1 GroupSid: deviceCustomString1 hashes: deviceCustomString1 Header.Accept: deviceCustomString1 HiveName: deviceCustomString1 host.scan.vuln_name: deviceCustomString1 HostVersion: deviceCustomString1 ImagePath: deviceCustomString1 Imphash: deviceCustomString1 IpAddress: deviceCustomString1 IpPort: deviceCustomString1 KeyLength: deviceCustomString1 log_name: deviceCustomString1 LogonType: deviceCustomString1 NewProcessName: deviceCustomString1 ObjectClass: deviceCustomString1 ObjectName: deviceCustomString1 ObjectType: deviceCustomString1 ObjectValueName: deviceCustomString1 ParentProcessName: deviceCustomString1 Path: deviceCustomString1 ProcessCommandLine: deviceCustomString1 ProcessName: deviceCustomString1 Properties: deviceCustomString1 resource.URL: deviceCustomString1 SecurityEvent: deviceCustomString1 SecurityID: deviceCustomString1 SelectionURL: deviceCustomString1 ServiceFileName: deviceCustomString1 ServiceName: deviceCustomString1 ShareName: deviceCustomString1 Source: deviceCustomString1 source_name: deviceCustomString1 SourceIP: deviceCustomString1 Status: deviceCustomString1 SubjectDomainName: deviceCustomString1 SubjectUserName: deviceCustomString1 SubjectUserSid: deviceCustomString1 SysmonEvent: deviceCustomString1 TargetDomainName: deviceCustomString1 TargetUserSid: deviceCustomString1 TicketEncryptionType: deviceCustomString1 TicketOptions: deviceCustomString1 winlog.channel: deviceCustomString1 WorkstationName: deviceCustomString1