-
Notifications
You must be signed in to change notification settings - Fork 10
/
leef.toml.example
43 lines (35 loc) · 1.34 KB
/
leef.toml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[general]
backup_dir = "/Users/avanbrunt/Desktop/backdir"
output_format = "template"
output_type = "tcp+tls"
tcp_out = "0.0.0.0:8888"
[tls]
ca_cert = "/etc/integrations/ca.pem"
cert = "/etc/integrations/cert.pem"
key = "/etc/integrations/cert.key"
tls_verify = true
[alerts_template]
template = "{{datetime_utc}} localhost LEEF:2.0|{{vendor}}|{{product}}|{{product_version}}|x09|{{extension}}"
type_field = "type"
time_format = "%b-%d-%Y %H:%M:%S GMT"
time_fields = ["backend_timestamp"]
[alerts_template.extension]
default = """\
cat={{type}}\tdevTime={{backend_timestamp}}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tsev={{severity}}\
\tidentSrc={{device_external_ip}}\tresource={{device_name}}\tpolicy={{device_policy}}\tusrName={{device_username}}"""
[audit_logs_template]
template = "{{datetime_utc}} localhost LEEF:2.0|{{vendor}}|{{product}}|{{product_version}}|Audit|x09|{{extension}}"
type_field = ""
time_format = "%b-%d-%Y %H:%M:%S GMT"
time_fields = ["eventTime"]
[audit_logs_template.extension]
default = "devTime={{eventTime}}\tdevTimeFormat=MMM dd yyyy HH:mm:ss z\tusrName={{{{loginName}}}}\tidentSrc={{clientIp}}"
[Prod02ORG]
custom_api_id = "RANDOM_ID"
custom_api_key = "RANDOM_SECRET"
org_key = "SOME_ORG"
server_url = "defense.conferdeploy.net"
alerts_enabled = true
audit_logs_enabled = true
[[Prod02ORG.alert_rules]]
minimum_severity = 1