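---
# Sigma backend configuration for the HAWK backend.
#
# logsources:    maps a Sigma logsource (product / service / category, plus an
#                optional index) to the HAWK field conditions appended to every
#                query generated for that logsource.
# fieldmappings: maps Sigma rule field names to HAWK event field names; a list
#                value maps one Sigma field onto several HAWK fields.
#
# NOTE(review): vendor_id values are written inconsistently — sometimes quoted
# ("15", "8") and sometimes bare integers (9, 4103, list items). Which type the
# backend compares against is not visible here; kept as-is, confirm against the
# backend before normalising.
title: HAWK
order: 20
backends:
  - hawk

logsources:
  antivirus:
    product: antivirus
    conditions:
      vendor_type: 'Antivirus'
  apache:
    service: apache
    conditions:
      product_name:
        - 'apache*'
        - 'httpd*'
  webserver:
    category: webserver
    conditions:
      vendor_type: 'Webserver'
  cisco:
    product: cisco
    conditions:
      vendor_name: 'Cisco'
  django:
    product: django
    conditions:
      vendor_name: 'Django'
  okta:
    service: okta
    conditions:
      vendor_name: "Okta"
      product_name: "Identity and Access Management"
  onedrive:
    service: onedrive
    conditions:
      vendor_name: "Microsoft"
      product_name: "Onedrive"
  onelogin-events:
    service: onelogin.events
    conditions:
      # NOTE(review): vendor_name "Microsoft" for OneLogin looks like a
      # copy-paste from the onedrive entry — confirm the vendor value HAWK
      # assigns to OneLogin events.
      vendor_name: "Microsoft"
      product_name: "Onelogin"
  microsoft365:
    # The original carried two `service` keys (threat_management, then
    # Microsoft365); duplicate keys are invalid YAML and parsers keep the last
    # one, so only the effective value is kept here.
    service: Microsoft365
    conditions:
      vendor_name: "Microsoft"
      product_name: "365"
  m365:
    # Same duplicate-key cleanup as microsoft365 (threat_management was
    # shadowed by m365).
    service: m365
    conditions:
      vendor_name: "Microsoft"
      product_name: "365"
  google-workspace:
    service: google_workspace.admin
    conditions:
      vendor_name: "Google"
      product_name: "Workspace"
  guacamole:
    service: guacamole
    conditions:
      vendor_name: "Guacamole"
      # product_name sat outside `conditions` in the original, so it was never
      # applied and guacamole queries matched on vendor_name alone; moved in
      # to match every other entry's structure.
      product_name: "Guacamole"
  google-cloud:
    service: gcp.audit
    conditions:
      vendor_name: "Google"
      product_name: "Cloud"
  auditd:
    service: auditd
    conditions:
      process_name: "auditd"
  sshd:
    service: sshd
    conditions:
      process_name: "sshd*"
  syslog:
    service: syslog
    conditions:
      process_name: "syslog*"
  spring:
    category: application
    product: spring
    conditions:
      vendor_name: "Spring"
  modsecurity:
    service: modsecurity
    conditions:
      process_name: "modsec*"
  msexchange-management:
    service: msexchange-management
    conditions:
      channel: "MSExchange Management"
  windows:
    product: windows
    index: windows
    conditions:
      vendor_name: "Microsoft"

  # Sysmon categories: vendor_id is the Sysmon event ID.
  windows-stream-hash:
    product: windows
    category: create_stream_hash
    conditions:
      product_name: "Sysmon"
      vendor_id: "15"
  windows-create-remote-thread:
    product: windows
    category: create_remote_thread
    conditions:
      product_name: "Sysmon"
      vendor_id: "8"
  windows-process-access:
    product: windows
    category: process_access
    conditions:
      product_name: "Sysmon"
      vendor_id: "10"
  windows-process-creation:
    product: windows
    category: process_creation
    conditions:
      product_name: "Sysmon"
      vendor_id: "1"
  windows-network-connection:
    product: windows
    category: network_connection
    conditions:
      product_name: "Sysmon"
      vendor_id: "3"
  windows-sysmon-status:
    product: windows
    category: sysmon_status
    conditions:
      product_name: "Sysmon"
      # NOTE(review): Sysmon event 5 is process termination; the sysmon_status
      # category is usually tied to 4 and 16 (service state / config change).
      # Confirm whether 5 or 16 was intended.
      vendor_id:
        - 4
        - 5
  windows-sysmon-error:
    product: windows
    category: sysmon_error
    conditions:
      product_name: "Sysmon"
      vendor_id: "255"
  windows-raw-access-thread:
    product: windows
    category: raw_access_thread
    conditions:
      product_name: "Sysmon"
      vendor_id: 9
  windows-file-create:
    product: windows
    category: file_create
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
  windows-file-event:
    product: windows
    category: file_event
    conditions:
      product_name: "Sysmon"
      vendor_id: "11"
  windows-pipe-created:
    product: windows
    category: pipe_created
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 17
        - 18
  windows-dns-query:
    product: windows
    category: dns_query
    conditions:
      product_name: "Sysmon"
      vendor_id: "22"
  windows-file-delete:
    product: windows
    category: file_delete
    conditions:
      product_name: "Sysmon"
      vendor_id: "23"
  windows-wmi-sysmon:
    product: windows
    category: wmi_event
    conditions:
      product_name: "Sysmon"
      vendor_id:
        - 19
        - 20
        - 21
  windows-ldap-query:
    product: windows
    category: ldap_query
    conditions:
      channel: "Microsoft-Windows-LDAP-Client/Debug ETW"
  windows-driver-load:
    product: windows
    category: driver_load
    conditions:
      product_name: "Sysmon"
      vendor_id: "6"
  windows-image-load:
    product: windows
    category: image_load
    conditions:
      product_name: "Sysmon"
      vendor_id: "7"

  clamav:
    service: clamav
    conditions:
      process_name: "clamav*"
  aws-cloudtrail:
    service: cloudtrail
    conditions:
      vendor_name: "AWS CloudTrail"
  zeek:
    product: zeek
    conditions:
      vendor_name: "Zeek IDS"
  azure-signin:
    service: signinlogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
  azure-auditlogs:
    service: auditlogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
  azure-activitylogs:
    service: activitylogs
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"
  azure-activity:
    service: azureactivity
    conditions:
      vendor_name: "Microsoft"
      product_name: "Azure"

  # Windows event-log services: product_name / channel is the log channel.
  windows-application:
    product: windows
    service: application
    conditions:
      product_name: 'Application'
  windows-security:
    product: windows
    service: security
    conditions:
      product_name: 'Security'
  windows-system:
    product: windows
    service: system
    conditions:
      product_name: 'System'
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      product_name: 'Sysmon'
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      product_name: 'PowerShell'
  windows-classicpowershell:
    product: windows
    service: powershell-classic
    conditions:
      product_name: 'Windows PowerShell'
  windows-taskscheduler:
    product: windows
    service: taskscheduler
    conditions:
      product_name: 'TaskScheduler'
  windows-wmi:
    product: windows
    service: wmi
    conditions:
      product_name: 'WMI-Activity'
  windows-dns-server:
    product: windows
    service: dns-server
    conditions:
      channel: 'DNS Server'
  windows-dns-server-audit:
    product: windows
    service: dns-server-audit
    conditions:
      # NOTE(review): identical channel to windows-dns-server, so the two
      # services generate indistinguishable conditions — confirm HAWK's
      # channel name for the DNS audit log.
      channel: 'DNS Server'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      product_name: 'DriverFrameworks-UserMode'
  windows-ntlm:
    product: windows
    service: ntlm
    conditions:
      product_name: 'NTLM'
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      product_name: 'DHCP-Server'
  windows-defender:
    product: windows
    service: windefend
    conditions:
      product_name: 'Windows Defender'
  windows-applocker:
    product: windows
    service: applocker
    conditions:
      product_name:
        - 'AppLocker'
  windows-firewall-advanced-security:
    product: windows
    service: firewall-as
    conditions:
      product_name: 'Windows Firewall With Advanced Security'
  windows-ps-module:
    product: windows
    category: ps_module
    conditions:
      product_name: 'PowerShell'
      vendor_id: 4103
  windows-ps-script:
    product: windows
    category: ps_script
    conditions:
      product_name: 'PowerShell'
      vendor_id: 4104
  windows-ps-classic-provider:
    product: windows
    category: ps_classic_provider_start
    conditions:
      vendor_id: 600
      product_name: 'Windows PowerShell'
  windows-ps-classic-script:
    product: windows
    category: ps_classic_script
    conditions:
      vendor_id: 800
      product_name: 'Windows PowerShell'
  windows-service-bus:
    # No `product: windows` here, unlike the surrounding entries — presumably
    # deliberate so the service matches regardless of product; confirm.
    service: Microsoft-ServiceBus-Client
    conditions:
      product_name: "Microsoft-ServiceBus-Client"
  windows-msexchange-management:
    product: windows
    service: msexchange-management
    conditions:
      channel: 'MSExchange Management'
  windows-printservice-admin:
    product: windows
    service: printservice-admin
    conditions:
      product_name: 'PrintService'
  windows-printservice-operational:
    product: windows
    service: printservice-operational
    conditions:
      product_name: 'PrintService'
  windows-codeintegrity-operational:
    product: windows
    service: codeintegrity-operational
    conditions:
      product_name: 'CodeIntegrity'
  windows-smbclient-security:
    product: windows
    service: smbclient-security
    conditions:
      product_name: 'SmbClient'
  windows-registry:
    product: windows
    category: registry_event
    conditions:
      vendor_id:
        - 12
        - 13
        - 14

  # Flow sources: no conditions, logsource match only.
  qflow:
    product: qflow
  netflow:
    service: netflow
  ipfix:
    product: ipfix
  flow:
    product: flow

fieldmappings:
  dst:
    - ip_dst_host
  dst_ip:
    - ip_dst
  src:
    - ip_src_host
  src_ip:
    - ip_src
  IPAddress: ip_src
  DNSAddress: dns_address
  DCIPAddress: ip_src
  category: vendor_category
  error: error_code
  key: event_key
  payload: event_payload
  weight: event_weight
  # NOTE(review): key contains a space as written in the original; a plain
  # scalar with a space is valid YAML, but `account_type` may have been
  # intended — kept verbatim, confirm against the rules that use it.
  account type: account_type
  PrivilegeList: process_privileges
  pid_user: event_username
  sid: correlation_session_id
  UserSid: correlation_session_id
  TargetSid: target_session_id
  TargetUserName: target_username
  SamAccountName: target_username
  AccountName: target_username
  TargetDomainName: target_domain
  DnsServerIpAddress: dns_address
  QueryName: hostname_dst
  AuthenticationPackageName: package_name
  HostProcess: image
  Application: image
  ProcessName: image
  TargetImage: target_image
  ParentImage: parent_image
  CallerProcessName: parent_image
  ParentProcessName: parent_image
  CommandLine: command
  ProcessCommandLine: command
  ParentCommandLine: parent_command
  IMPHASH: file_hash_imphash
  Imphash: file_hash_imphash
  SHA256: file_hash_sha256
  MD5: file_hash_md5
  SHA1: file_hash_sha1
  SubjectUserSid: correlation_session_id
  SubjectSid: correlation_session_id
  SubjectUserName: correlation_username
  SubjectDomainName: correlation_domain
  SubjectLogonId: correlation_logon_id
  pid: event_pid
  # The standard Sigma field is ProcessId; the misspelt ProccessId key from the
  # original is kept so any rule relying on it still maps.
  ProcessId: pid
  ProccessId: pid
  NewProcessName: image
  ServiceName: service_name
  Service: service_name
  ServiceFileName: filename
  EventID: vendor_id
  SourceImage: parent_image
  ImageLoaded: image_loaded
  Description: image_description
  ScriptBlockText: value
  Product: image_product
  Company: image_company
  CurrentDirectory: path
  ShareName: path
  RelativeTargetName: filename
  TargetName: value
  Initiated: value
  Accesses: access_mask
  LDAPDisplayName: distinguished_name
  AttributeLDAPDisplayName: distinguished_name
  AttributeValue: value
  ParentProcessId: parent_pid
  SourceProcessId: source_pid
  TargetProcessId: target_pid
  Signed: signature
  Status: value
  TargetFilename: filename
  TargetObject: object_target
  ObjectClass: object_type
  ObjectValueName: object_name
  ObjectName: object_name
  DeviceClassName: object_name
  CallTrace: calltrace
  IpAddress: ip_src
  WorkstationName: hostname_src
  Workstation: hostname_src
  DestinationIp: ip_dst
  DestinationHostname: hostname_dst
  DestinationPort: ip_dport
  GrantedAccess: access_mask
  StartModule: target_process_name
  TargetProcessAddress: process_address
  TicketOptions: sys.ticket.options
  TicketEncryptionType: sys.ticket.encryption.type
  DetectionSource: value
  Priority: event_priority
  event_type_id: vendor_id
  eventtype: vendor_type
  destination.port: ip_dport
  user: correlation_username
  User: correlation_username
  Provider_Name: channel

  # IIS / W3C-style web log fields.
  c-referer: http_referer
  cs-referer: http_referer
  c-uri: http_uri
  cs-uri: http_uri
  c-agent: http_user_agent
  cs-agent: http_user_agent
  c-useragent: http_user_agent
  cs-useragent: http_user_agent
  c-ip: ip_src
  cs-ip: ip_src
  s-ip: ip_dst
  sc-ip: ip_dst
  c-username: correlation_username
  cs-username: correlation_username
  s-computername: ip_dst_host
  cs-uri-query: http_query
  c-uri-query: http_query
  sc-status: http_status_code
  sc-bytes: http_content_length
  user-agent: http_user_agent
  cs-User-Agent: http_user_agent
  r-dns: ip_dst_host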