Commit82d3823

authored

Merge pull request#115 from spsocprime/qradar_linux_auditd_upd

upd qradar linux auditd config

2 parents4154275 +1a5d778 commit82d3823Copy full SHA for 82d3823

File tree

+11

-6

lines changed

+11

-6

lines changed

Lines changed: 11 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`platform:Qradar`
`2`	`2`	`source:linux_auditd`
`3`		`-description:Text that describe current mapping`
	`3`	`+description:Auditd field mappings to QRadar default CEPs.`
`4`	`4`
`5`	`5`	`log_source:`
`6`	`6`	`devicetype:[11]`
`@@ -9,8 +9,13 @@ default_log_source:`
`9`	`9`	`devicetype:11`
`10`	`10`
`11`	`11`	`field_mapping:`
`12`		`-a0:a0`
`13`		`-a1:a1`
`14`		`-a2:a2`
`15`		`-a3:a3`
`16`		`-exe:exe`
	`12`	`+a0:Command`
	`13`	`+a1:Command`
	`14`	`+a2:Command`
	`15`	`+a3:Command`
	`16`	`+exe:Process Path`
	`17`	`+CommandLine:Command`
	`18`	`+Image:Process Path`
	`19`	`+User:username`
	`20`	`+LogonId:Logon ID`
	`21`	`+ParentImage:Parent Process Path`

Comments

(0)