akshay.chaturvedi
69 lines
1.4 KiB
YAML
69 lines
1.4 KiB
YAML
title: DNIF
|
|
order: 20
|
|
backends:
|
|
- dnif
|
|
logsources:
|
|
firewall-product-qualys:
|
|
product: qualys
|
|
index: firewall
|
|
firewall-product-windows:
|
|
product: windows
|
|
service: security
|
|
index: firewall
|
|
firewall-category-firewall:
|
|
category: firewall
|
|
index: firewall
|
|
aws-cloudtrail:
|
|
product: aws
|
|
service: cloudtrail
|
|
index: cloudtrail
|
|
dns-category:
|
|
category: dns
|
|
index: dns
|
|
sysmon-windows:
|
|
product: windows
|
|
service: sysmon
|
|
index: sysmon-image-load
|
|
sysmon-category-error:
|
|
product: windows
|
|
category: sysmon_error
|
|
index:
|
|
- sysmon-process
|
|
sysmon-category-status:
|
|
product: windows
|
|
category: sysmon_status
|
|
index:
|
|
- sysmon-process
|
|
sysmon-service-process_tampering:
|
|
product: windows
|
|
category: process_tampering
|
|
index:
|
|
- sysmon-process
|
|
- sysmon-image-load
|
|
linux-auditd:
|
|
product: linux
|
|
service: auditd
|
|
index: auditd
|
|
windows-dns-query:
|
|
product: windows
|
|
category: dns_query
|
|
index: dns
|
|
fieldmappings:
|
|
src_ip: srcIp
|
|
sourceIPAddress: srcIp
|
|
dst_ip: dstIp
|
|
dst_port: dstPort
|
|
destination.port: dstPort
|
|
action: action
|
|
eventName: eventname
|
|
SourceImage: imageloaded
|
|
TargetImage: image
|
|
EventID: eid
|
|
message_size: txlen
|
|
record_type: recordType
|
|
overrides:
|
|
- field: action
|
|
value: PACKET_ALLOWED
|
|
regexes:
|
|
- (action == \"accept\")
|
|
- (action == \"forward\") |