title: SumoLogic
order: 20
backends:
  - sumologic-cse
  - sumologic-cse-rule
# Sumulogic mapping depends on customer configuration. Adapt to your context!
# typically rule on _sourceCategory, _index or Field Extraction Rules (FER)
# supposing existing FER for service, metdata_vendor, EventID
logsources:
  unix:
    product: unix
    index: UNIX
  linux:
    product: linux
    index: Linux
  linux-sshd:
    product: linux
    service: sshd
    index: Linux
  linux-auth:
    product: linux
    service: auth
    index: Linux
  linux-clamav:
    product: linux
    service: clamav
    index: Linux
  windows:
    product: windows
    index: Windows
    conditions:
      metdata_vendor: Microsoft
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      metdata_vendor: Microsoft
    index: Windows
  windows-security:
    product: windows
    service: security
    conditions:
      metdata_vendor: Microsoft
    index: Security
  windows-powershell:
    product: windows
    service: powershell
    conditions:
      metdata_vendor: Microsoft
    index: Powershell
  windows-system:
    product: windows
    service: system
    conditions:
      metdata_vendor: Microsoft
    index: Windows
  windows-dhcp:
    product: windows
    service: dhcp
    conditions:
      metdata_vendor: Microsoft
    index: Windows
  microsoft:
    product: gsuite
    index: gsuite
  apache:
    service: apache
    index: Apache
  apache2:
    service: apache
    index: Apache
  nginx:
    product: nginx
    index: Nginx
  cisco:
    product: cisco
    index: Cisco
  webserver:
    category: webserver
    index: WEBSERVER
  firewall:
    category: firewall
    index: FIREWALL
  firewall2:
    product: firewall
    index: FIREWALL
  network-dns:
    category: dns
    index: DNS
  network-dns2:
    product: dns
    index: DNS
  proxy:
    category: proxy
    index: PROXY
  vpn:
    product: vpn
    index: network
  antivirus:
    product: antivirus
    index: ANTIVIRUS
  azure:
    product: azure
    index: Azure
    conditions:
      metdata_vendor: Microsoft
  azuread:
    product: azuread
    index: Azure AD
    conditions:
      metdata_vendor: Microsoft
  zeek:
    product: zeek
    index: zeek
  application-sql:
    product: sql
    index: DATABASE
  application-python:
    product: python
    index: APPLICATIONS
  application-django:
    product: django
    index: Django
  application-rails:
    product: rails
    index: RAILS
  application-spring:
    product: spring
    index: SPRING
# if no index, search in all indexes

fieldmappings:
  EventID: metadata_deviceEventId
  event_id: metadata_deviceEventId
  Image: baseImage
  event_data.Image: baseImage
  TargetImage: changeTarget
  EventType: changeType
  CommandLine: commandLine
  Commandline: commandLine
  process.args: commandLine
  event_data.CommandLine: commandLine
  Description: description

  DestinationHostname: dstDevice_hostname
  DestinationIp: dstDevice_ip
  dst_ip: dstDevice_ip
  dst_mac: dstDevice_mac
  DestinationPort: dstPort
  dst_port: dstPort

  FileName: file_basename
  Imphash: file_hash_imphash
  hash: file_hash_imphash
  file_hash: file_hash_imphash
#  :file_hash_md5
#  :file_hash_sha1
#  :file_hash_sha256

  Path: file_path
  path: file_path

  LogonType: logonType
  ModuleType: moduleType
  ObjectType: objectType

  ParentImage: parentBaseImage
  event_data.ParentImage: parentBaseImage
  ParentCommandLine: parentCommandLine
  ParentProcessName: parentPid

  SourceHostname: srcDevice_hostname
  SourceIp: srcDevice_ip
  src_ip: srcDevice_ip
  src_mac: srcDevice_mac
  SourcePort: srcPort
  src_port: srcPort
  User: user_username
  User-Agent: http_userAgent
  Protocol: http_url_protocol

  destination.domain: http_url_rootDomain
  domain: http_url_rootDomain