SigmaHQ/tools/config/logstash-zeek-default-json.yml

title: Zeek field mappings for default collection of JSON logs with no parsing/normalization done and sending into logstash-*index
order: 20
backends:
  - es-qs
  - es-dsl
  - elasticsearch-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
logsources:
  zeek:
    product: zeek
    index: 'logstash*'
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
        product: zeek
        service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
        product: zeek
        service: http
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      '@stream': conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      '@stream': conn_long
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      '@stream': dce_rpc
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      '@stream': dns
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      '@stream': dnp3
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      '@stream': dpd
  zeek-files:
    product: zeek
    service: files
    conditions:
      '@stream': files
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      '@stream': ftp
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      '@stream': gquic
  zeek-http:
    product: zeek
    service: http
    conditions:
      '@stream': http
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      '@stream': http2
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      '@stream': intel
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      '@stream': irc
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      '@stream': kerberos
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      '@stream': known_certs
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      '@stream': known_hosts
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      '@stream': known_modbus
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      '@stream': known_services
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      '@stream': modbus
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      '@stream': modbus_register_change
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      '@stream': mqtt_connect
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      '@stream': mqtt_publish
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      '@stream': mqtt_subscribe
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      '@stream': mysql
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      '@stream': notice
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      '@stream': ntlm
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      '@stream': ntp
  zeek-ocsp:
    product: zeek
    service: ntp
    conditions:
      '@stream': ocsp
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      '@stream': pe
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      '@stream': pop3
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      '@stream': radius
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      '@stream': rdp
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      '@stream': rfb
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      '@stream': sip
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      '@stream': smb_files
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      '@stream': smb_mapping
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      '@stream': smtp
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      '@stream': smtp_links
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      '@stream': snmp
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      '@stream': socks
  zeek-software:
    product: zeek
    service: software
    conditions:
      '@stream': software
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      '@stream': ssh
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      '@stream': ssl
  zeek-tls: # In case people call it TLS even though orig log is called ssl
    product: zeek
    service: tls
    conditions:
      '@stream': ssl
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      '@stream': syslog
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      '@stream': tunnel
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      '@stream': traceroute
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      '@stream': weird
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      '@stream': x509
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      '@stream':
        - conn
        - conn_long
        - dce_rpc
        - dhcp
        - dnp3
        - dns
        - ftp
        - gquic
        - http
        - irc
        - kerberos
        - modbus
        - mqtt_connect
        - mqtt_publish
        - mqtt_subscribe
        - mysql
        - ntlm
        - ntp
        - radius
        - rfb
        - sip
        - smb_files
        - smb_mapping
        - smtp
        - smtp_links
        - snmp
        - socks
        - ssh
        - tls #SSL
        - tunnel
        - weird
defaultindex: 'logstash-*'
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst_ip: id.resp_h
  dst_port: id.resp_p
  network_protocol: proto
  src_ip: id.orig_h
  src_port: id.orig_p
  # DNS matching Taxonomy & DNS Category
  answer: answers
  #question_length: # Does not exist in open source version
  record_type: qtype_name
  #parent_domain: # Does not exist in open source version
  # HTTP matching Taxonomy & Web/Proxy Category
  cs-bytes: request_body_len
  cs-cookie: cookie
  r-dns: host
  sc-bytes: response_body_len
  sc-status: status_code
  c-uri: uri
  c-uri-extension: uri
  c-uri-query: uri
  c-uri-stem: uri
  c-useragent: user_agent
  cs-host: host
  cs-method: method
  cs-referrer: referrer
  cs-version: version
  # Few other variations of names from zeek source itself
  id_orig_h: id.orig_h
  id_orig_p: id.orig_p
  id_resp_h: id.resp_h
  id_resp_p: id.resp_p
  # Temporary one off rule name fields
  agent.version: version
  c-cookie: cookie
  c-ip: id.orig_h
  cs-uri: uri
  clientip: id.orig_h
  clientIP: id.orig_h
  dest_domain:
    - query
    - host
    - server_name
  dest_ip: id.resp_h
  dest_port: id.resp_p
  #TODO:WhatShouldThisBe?==dest:
  #TODO:WhatShouldThisBe?==destination:
  #TODO:WhatShouldThisBe?==Destination:
  destination.hostname:
    - query
    - host
    - server_name
  DestinationAddress: id.resp_h
  DestinationHostname:
    - host
    - query
    - server_name
  DestinationIp: id.resp_h
  DestinationIP: id.resp_h
  DestinationPort: id.resp_p
  dst-ip: id.resp_h
  dstip: id.resp_h
  dstport: id.resp_p
  Host:
    - host
    - query
    - server_name
  HostVersion: http.version
  http_host:
    - host
    - query
    - server_name
  http_uri: uri
  http_url: uri
  http_user_agent: user_agent
  http.request.url-query-params: uri
  HttpMethod: method
  in_url: uri
  # parent_domain: # Not in open source zeek
  post_url_parameter: uri
  Request Url: uri
  request_url: uri
  request_URL: uri
  RequestUrl: uri
  #response: status_code
  resource.url: uri
  resource.URL: uri
  sc_status: status_code
  sender_domain:
    - query
    - server_name
  service.response_code: status_code
  source: id.orig_h
  SourceAddr: id.orig_h
  SourceAddress: id.orig_h
  SourceIP: id.orig_h
  SourceIp: id.orig_h
  SourceNetworkAddress: id.orig_h
  SourcePort: id.orig_p
  srcip: id.orig_h
  Status: status_code
  status: status_code
  url: uri
  URL: uri
  url_query: uri
  url.query: uri
  uri_path: uri
  user_agent: user_agent
  user_agent.name: user_agent
  user-agent: user_agent
  User-Agent: user_agent
  useragent: user_agent
  UserAgent: user_agent
  User Agent: user_agent
  web_dest:
    - host
    - query
    - server_name
  web.dest:
    - host
    - query
    - server_name
  Web.dest:
    - host
    - query
    - server_name
  web.host:
    - host
    - query
    - server_name
  Web.host:
    - host
    - query
    - server_name
  web_method: method
  Web_method: method
  web.method: method
  Web.method: method
  web_src: id.orig_h
  web_status: status_code
  Web_status: status_code
  web.status: status_code
  Web.status: status_code
  web_uri: uri
  web_url: uri
  # Most are in ECS, but for things not using Elastic - these need renamed
  destination.ip: id.resp_h
  destination.port: id.resp_p
  http.request.body.content: post_body
  #source.domain:
  source.ip: id.orig_h
  source.port: id.orig_p
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR. 2020-05-02 11:23:11 +00:00			`title: Zeek field mappings for default collection of JSON logs with no parsing/normalization done and sending into logstash-*index`
			`order: 20`
			`backends:`
			`- es-qs`
			`- es-dsl`
			`- elasticsearch-rule`
			`- kibana`
kibana-ndjson for all configs which already have kibana 2020-11-09 07:42:35 +00:00			`- kibana-ndjson`
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR. 2020-05-02 11:23:11 +00:00			`- xpack-watcher`
			`- elastalert`
			`- elastalert-dsl`
			`logsources:`
			`zeek:`
			`product: zeek`
			`index: 'logstash*'`
			`zeek-category-accounting:`
			`category: accounting`
			`rewrite:`
			`product: zeek`
			`service: syslog`
			`zeek-category-firewall:`
			`category: firewall`
zeek category update and minor field updates 2020-05-19 09:02:45 +00:00			`rewrite:`
			`product: zeek`
			`service: conn`
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR. 2020-05-02 11:23:11 +00:00			`zeek-category-dns:`
			`category: dns`
zeek category update and minor field updates 2020-05-19 09:02:45 +00:00			`rewrite:`
			`product: zeek`
			`service: dns`
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR. 2020-05-02 11:23:11 +00:00			`zeek-category-proxy:`
			`category: proxy`
			`rewrite:`
			`product: zeek`
			`service: http`
			`zeek-category-webserver:`
			`category: webserver`
			`rewrite:`
			`product: zeek`
			`service: http`
			`zeek-conn:`
			`product: zeek`
			`service: conn`
			`conditions:`
			`'@stream': conn`
			`zeek-conn_long:`
			`product: zeek`
			`service: conn_long`
			`conditions:`
			`'@stream': conn_long`
			`zeek-dce_rpc:`
			`product: zeek`
			`service: dce_rpc`
			`conditions:`
			`'@stream': dce_rpc`
			`zeek-dns:`
			`product: zeek`
			`service: dns`
			`conditions:`
			`'@stream': dns`
			`zeek-dnp3:`
			`product: zeek`
			`service: dnp3`
			`conditions:`
			`'@stream': dnp3`
			`zeek-dpd:`
			`product: zeek`
			`service: dpd`
			`conditions:`
			`'@stream': dpd`
			`zeek-files:`
			`product: zeek`
			`service: files`
			`conditions:`
			`'@stream': files`
			`zeek-ftp:`
			`product: zeek`
			`service: ftp`
			`conditions:`
			`'@stream': ftp`
			`zeek-gquic:`
			`product: zeek`
			`service: gquic`
			`conditions:`
			`'@stream': gquic`
			`zeek-http:`
			`product: zeek`
			`service: http`
			`conditions:`
			`'@stream': http`
			`zeek-http2:`
			`product: zeek`
			`service: http2`
			`conditions:`
			`'@stream': http2`
			`zeek-intel:`
			`product: zeek`
			`service: intel`
			`conditions:`
			`'@stream': intel`
			`zeek-irc:`
			`product: zeek`
			`service: irc`
			`conditions:`
			`'@stream': irc`
			`zeek-kerberos:`
			`product: zeek`
			`service: kerberos`
			`conditions:`
			`'@stream': kerberos`
			`zeek-known_certs:`
			`product: zeek`
			`service: known_certs`
			`conditions:`
			`'@stream': known_certs`
			`zeek-known_hosts:`
			`product: zeek`
			`service: known_hosts`
			`conditions:`
			`'@stream': known_hosts`
			`zeek-known_modbus:`
			`product: zeek`
			`service: known_modbus`
			`conditions:`
			`'@stream': known_modbus`
			`zeek-known_services:`
			`product: zeek`
			`service: known_services`
			`conditions:`
			`'@stream': known_services`
			`zeek-modbus:`
			`product: zeek`
			`service: modbus`
			`conditions:`
			`'@stream': modbus`
			`zeek-modbus_register_change:`
			`product: zeek`
			`service: modbus_register_change`
			`conditions:`
			`'@stream': modbus_register_change`
			`zeek-mqtt_connect:`
			`product: zeek`
			`service: mqtt_connect`
			`conditions:`
			`'@stream': mqtt_connect`
			`zeek-mqtt_publish:`
			`product: zeek`
			`service: mqtt_publish`
			`conditions:`
			`'@stream': mqtt_publish`
			`zeek-mqtt_subscribe:`
			`product: zeek`
			`service: mqtt_subscribe`
			`conditions:`
			`'@stream': mqtt_subscribe`
			`zeek-mysql:`
			`product: zeek`
			`service: mysql`
			`conditions:`
			`'@stream': mysql`
			`zeek-notice:`
			`product: zeek`
			`service: notice`
			`conditions:`
			`'@stream': notice`
			`zeek-ntlm:`
			`product: zeek`
			`service: ntlm`
			`conditions:`
			`'@stream': ntlm`
			`zeek-ntp:`
			`product: zeek`
			`service: ntp`
			`conditions:`
			`'@stream': ntp`
			`zeek-ocsp:`
			`product: zeek`
			`service: ntp`
			`conditions:`
			`'@stream': ocsp`
			`zeek-pe:`
			`product: zeek`
			`service: pe`
			`conditions:`
			`'@stream': pe`
			`zeek-pop3:`
			`product: zeek`
			`service: pop3`
			`conditions:`
			`'@stream': pop3`
			`zeek-radius:`
			`product: zeek`
			`service: radius`
			`conditions:`
			`'@stream': radius`
			`zeek-rdp:`
			`product: zeek`
			`service: rdp`
			`conditions:`
			`'@stream': rdp`
			`zeek-rfb:`
			`product: zeek`
			`service: rfb`
			`conditions:`
			`'@stream': rfb`
			`zeek-sip:`
			`product: zeek`
			`service: sip`
			`conditions:`
			`'@stream': sip`
			`zeek-smb_files:`
			`product: zeek`
			`service: smb_files`
			`conditions:`
			`'@stream': smb_files`
			`zeek-smb_mapping:`
			`product: zeek`
			`service: smb_mapping`
			`conditions:`
			`'@stream': smb_mapping`
			`zeek-smtp:`
			`product: zeek`
			`service: smtp`
			`conditions:`
			`'@stream': smtp`
			`zeek-smtp_links:`
			`product: zeek`
			`service: smtp_links`
			`conditions:`
			`'@stream': smtp_links`
			`zeek-snmp:`
			`product: zeek`
			`service: snmp`
			`conditions:`
			`'@stream': snmp`
			`zeek-socks:`
			`product: zeek`
			`service: socks`
			`conditions:`
			`'@stream': socks`
			`zeek-software:`
			`product: zeek`
			`service: software`
			`conditions:`
			`'@stream': software`
			`zeek-ssh:`
			`product: zeek`
			`service: ssh`
			`conditions:`
			`'@stream': ssh`
			`zeek-ssl:`
			`product: zeek`
			`service: ssl`
			`conditions:`
			`'@stream': ssl`
			`zeek-tls: # In case people call it TLS even though orig log is called ssl`
			`product: zeek`
			`service: tls`
			`conditions:`
			`'@stream': ssl`
			`zeek-syslog:`
			`product: zeek`
			`service: syslog`
			`conditions:`
			`'@stream': syslog`
			`zeek-tunnel:`
			`product: zeek`
			`service: tunnel`
			`conditions:`
			`'@stream': tunnel`
			`zeek-traceroute:`
			`product: zeek`
			`service: traceroute`
			`conditions:`
			`'@stream': traceroute`
			`zeek-weird:`
			`product: zeek`
			`service: weird`
			`conditions:`
			`'@stream': weird`
			`zeek-x509:`
			`product: zeek`
			`service: x509`
			`conditions:`
			`'@stream': x509`
			`zeek-ip_search:`
			`product: zeek`
			`service: network`
			`conditions:`
			`'@stream':`
			`- conn`
			`- conn_long`
			`- dce_rpc`
			`- dhcp`
			`- dnp3`
			`- dns`
			`- ftp`
			`- gquic`
			`- http`
			`- irc`
			`- kerberos`
			`- modbus`
			`- mqtt_connect`
			`- mqtt_publish`
			`- mqtt_subscribe`
			`- mysql`
			`- ntlm`
			`- ntp`
			`- radius`
			`- rfb`
			`- sip`
			`- smb_files`
			`- smb_mapping`
			`- smtp`
			`- smtp_links`
			`- snmp`
			`- socks`
			`- ssh`
			`- tls #SSL`
			`- tunnel`
			`- weird`
			`defaultindex: 'logstash-*'`
			`fieldmappings:`
			`# All Logs Applied Mapping & Taxonomy`
			`dst_ip: id.resp_h`
			`dst_port: id.resp_p`
			`network_protocol: proto`
			`src_ip: id.orig_h`
			`src_port: id.orig_p`
			`# DNS matching Taxonomy & DNS Category`
			`answer: answers`
			`#question_length: # Does not exist in open source version`
			`record_type: qtype_name`
			`#parent_domain: # Does not exist in open source version`
			`# HTTP matching Taxonomy & Web/Proxy Category`
			`cs-bytes: request_body_len`
			`cs-cookie: cookie`
			`r-dns: host`
			`sc-bytes: response_body_len`
			`sc-status: status_code`
			`c-uri: uri`
			`c-uri-extension: uri`
			`c-uri-query: uri`
			`c-uri-stem: uri`
			`c-useragent: user_agent`
			`cs-host: host`
			`cs-method: method`
			`cs-referrer: referrer`
			`cs-version: version`
zeek category update and minor field updates 2020-05-19 09:02:45 +00:00			`# Few other variations of names from zeek source itself`
			`id_orig_h: id.orig_h`
			`id_orig_p: id.orig_p`
			`id_resp_h: id.resp_h`
			`id_resp_p: id.resp_p`
			`# Temporary one off rule name fields`
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR. 2020-05-02 11:23:11 +00:00			`agent.version: version`
			`c-cookie: cookie`
			`c-ip: id.orig_h`
			`cs-uri: uri`
			`clientip: id.orig_h`
			`clientIP: id.orig_h`
			`dest_domain:`
			`- query`
			`- host`
			`- server_name`
			`dest_ip: id.resp_h`
Updated config 2020-05-20 09:35:00 +00:00			`dest_port: id.resp_p`
			`#TODO:WhatShouldThisBe?==dest:`
			`#TODO:WhatShouldThisBe?==destination:`
			`#TODO:WhatShouldThisBe?==Destination:`
			`destination.hostname:`
			`- query`
			`- host`
			`- server_name`
			`DestinationAddress: id.resp_h`
			`DestinationHostname:`
			`- host`
			`- query`
			`- server_name`
			`DestinationIp: id.resp_h`
			`DestinationIP: id.resp_h`
			`DestinationPort: id.resp_p`
			`dst-ip: id.resp_h`
			`dstip: id.resp_h`
			`dstport: id.resp_p`
			`Host:`
			`- host`
			`- query`
			`- server_name`
			`HostVersion: http.version`
			`http_host:`
			`- host`
			`- query`
			`- server_name`
			`http_uri: uri`
			`http_url: uri`
			`http_user_agent: user_agent`
			`http.request.url-query-params: uri`
			`HttpMethod: method`
			`in_url: uri`
			`# parent_domain: # Not in open source zeek`
			`post_url_parameter: uri`
			`Request Url: uri`
			`request_url: uri`
			`request_URL: uri`
			`RequestUrl: uri`
			`#response: status_code`
			`resource.url: uri`
			`resource.URL: uri`
			`sc_status: status_code`
			`sender_domain:`
			`- query`
			`- server_name`
			`service.response_code: status_code`
			`source: id.orig_h`
			`SourceAddr: id.orig_h`
			`SourceAddress: id.orig_h`
			`SourceIP: id.orig_h`
			`SourceIp: id.orig_h`
			`SourceNetworkAddress: id.orig_h`
			`SourcePort: id.orig_p`
			`srcip: id.orig_h`
			`Status: status_code`
			`status: status_code`
			`url: uri`
			`URL: uri`
			`url_query: uri`
			`url.query: uri`
			`uri_path: uri`
			`user_agent: user_agent`
			`user_agent.name: user_agent`
			`user-agent: user_agent`
			`User-Agent: user_agent`
			`useragent: user_agent`
			`UserAgent: user_agent`
			`User Agent: user_agent`
			`web_dest:`
			`- host`
			`- query`
			`- server_name`
			`web.dest:`
			`- host`
			`- query`
			`- server_name`
			`Web.dest:`
			`- host`
			`- query`
			`- server_name`
			`web.host:`
			`- host`
			`- query`
			`- server_name`
			`Web.host:`
			`- host`
			`- query`
			`- server_name`
			`web_method: method`
			`Web_method: method`
			`web.method: method`
			`Web.method: method`
			`web_src: id.orig_h`
			`web_status: status_code`
			`Web_status: status_code`
			`web.status: status_code`
			`Web.status: status_code`
			`web_uri: uri`
			`web_url: uri`
			`# Most are in ECS, but for things not using Elastic - these need renamed`
			`destination.ip: id.resp_h`
			`destination.port: id.resp_p`
			`http.request.body.content: post_body`
			`#source.domain:`
			`source.ip: id.orig_h`
Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 15:06:32 +00:00			`source.port: id.orig_p`