SigmaHQ/tools/config/ecs-dns.yml

title: Elastic Common Schema mapping for proxy and webserver logs including NSM DNS logs (zeek/suricata)
order: 20
backends:
  - es-qs
  - es-dsl
  - elasticsearch-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
# zeek-category-dns:
  # category: dns
  # conditions:
    # event.dataset: dns
# zeek-dns:
  # product: zeek
  # service: dns
  # conditions:
    # event.dataset: dns
defaultindex:
  - filebeat-*
# logsourcemerging: or 
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst:
    - destination.address
    - destination.ip
  dst_ip:
    - destination.address
    - destination.ip
  dst_port: destination.port
  src:
    - source.address
    - source.ip
  src_ip:
    - source.address
    - source.ip
  src_port: source.port  
  # DNS Taxonomy
  answer: dns.answers.name
  c-dns: dns.question.name
  parent_domain: dns.question.registered_domain
  query: dns.question.name
  QueryName: dns.question.name
  r-dns: dns.question.name
  record_type: dns.answers.type
  response: dns.answers
  #question_length:
  # Zeek DNS specific
  AA: dns.AA
  addl: dns.addl
  answers: dns.answers.name
  auth: dns.auth
  qclass_name: dns.question.class
  qclass: dns.qclass
  qtype_name: dns.question.type
  qtype: dns.qtype
  query: dns.question.name
  #question_length: labels.dns.query_length
  RA: dns.RA
  rcode_name: dns.response_code
  rcode: dns.rcode
  RD: dns.RD
  rejected: dns.rejected
  rtt: dns.rtt
  TC: dns.TC
  trans_id: dns.id
  TTLs: dns.answers.ttl
  Z: dns.Z
Added Humio, Crowdstrike, Corelight 2020-05-08 10:41:52 +00:00			`title: Elastic Common Schema mapping for proxy and webserver logs including NSM DNS logs (zeek/suricata)`
			`order: 20`
			`backends:`
			`- es-qs`
			`- es-dsl`
			`- elasticsearch-rule`
			`- kibana`
kibana-ndjson for all configs which already have kibana 2020-11-09 07:42:35 +00:00			`- kibana-ndjson`
Added Humio, Crowdstrike, Corelight 2020-05-08 10:41:52 +00:00			`- xpack-watcher`
			`- elastalert`
			`- elastalert-dsl`
			`# zeek-category-dns:`
			`# category: dns`
			`# conditions:`
			`# event.dataset: dns`
			`# zeek-dns:`
			`# product: zeek`
			`# service: dns`
			`# conditions:`
			`# event.dataset: dns`
			`defaultindex:`
			`- filebeat-*`
			`# logsourcemerging: or`
			`fieldmappings:`
			`# All Logs Applied Mapping & Taxonomy`
			`dst:`
			`- destination.address`
			`- destination.ip`
			`dst_ip:`
			`- destination.address`
			`- destination.ip`
			`dst_port: destination.port`
			`src:`
			`- source.address`
			`- source.ip`
			`src_ip:`
			`- source.address`
			`- source.ip`
			`src_port: source.port`
			`# DNS Taxonomy`
			`answer: dns.answers.name`
			`c-dns: dns.question.name`
			`parent_domain: dns.question.registered_domain`
			`query: dns.question.name`
			`QueryName: dns.question.name`
			`r-dns: dns.question.name`
			`record_type: dns.answers.type`
			`response: dns.answers`
			`#question_length:`
			`# Zeek DNS specific`
			`AA: dns.AA`
			`addl: dns.addl`
			`answers: dns.answers.name`
			`auth: dns.auth`
			`qclass_name: dns.question.class`
			`qclass: dns.qclass`
			`qtype_name: dns.question.type`
			`qtype: dns.qtype`
			`query: dns.question.name`
			`#question_length: labels.dns.query_length`
			`RA: dns.RA`
			`rcode_name: dns.response_code`
			`rcode: dns.rcode`
			`RD: dns.RD`
			`rejected: dns.rejected`
			`rtt: dns.rtt`
			`TC: dns.TC`
			`trans_id: dns.id`
			`TTLs: dns.answers.ttl`
			`Z: dns.Z`