Create ecs-suricata.yml

tools/config/ecs-suricata.yml

@@ -0,0 +1,53 @@
+title: Elastic Common Schema And Elastic Exported Fields Mapping For Suricata Logs
+order: 20
+backends:
+  - es-qs
+  - es-dsl
+  - es-rule
+  - kibana
+  - xpack-watcher
+  - elastalert
+  - elastalert-dsl
+fieldmappings:
+  timestamp: '@timestamp'
+  flow_id: suricata.eve.flow_id
+  in_iface: suricata.eve.in_iface
+  event_type: event.kind
+  src_ip: source.ip
+  src_port: source.port
+  dest_ip: destination.ip
+  dest_port: destination.port
+  proto: network.transport
+  tx_id: suricata.eve.tx_id
+  alert.action: event.type
+  alert.gid: suricata.eve.alert.gid
+  alert.signature_id: rule.id
+  alert.rev: suricata.eve.alert.rev
+  alert.signature: rule.name
+  alert.category: rule.category
+  alert.severity: event.severity
+  alert.metadata.updated_at: suricata.eve.alert.metadata.updated_at
+  alert.metadata.created_at: suricata.eve.alert.metadata.created_at
+  alert.metadata.signature_severity: suricata.eve.alert.metadata.signature_severity
+  alert.metadata.deployment: suricata.eve.alert.metadata.deployment
+  alert.metadata.attack_target: suricata.eve.alert.metadata.attack_target
+  alert.metadata.affected_product: suricata.eve.alert.metadata.affected_product
+  dns.query: suricata.eve.dns.query
+  app_proto: network.protocol
+  flow.pkts_toserver: source.packets
+  flow.pkts_toclient: destination.packets
+  flow.bytes_toserver: source.bytes
+  flow.bytes_toclient: destination.bytes
+  flow.start: event.start
+  payload_printable: suricata.eve.payload_printable
+  stream: suricata.eve.stream
+  http.hostname: url.domain
+  http.url: url.original
+  http.http_user_agent: user_agent.original
+  http.http_method: http.request.method
+  http.protocol: suricata.eve.http.protocol
+  http.lenght: http.response.body.bytes
+  http.status: http.response.status_code
+  http.http_refer: http.request.referrer
+  fileinfo.filename: file.path
+  fileinfo.size: file.size