valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1673 from frack113/ecs

Browse Source 
Add mapping for auditbeat and filebeat
This commit is contained in:
Florian Roth 2021-07-12 15:36:07 +02:00 committed by GitHub
commit a16ce3b828
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 311 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

266
tools/config/ecs-auditd.yml Normal file
View File

@ -0,0 +1,266 @@
title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- elasticsearch-rule
- ee-outliers
logsources:
linux_auditd:
product: linux
service: auditd
conditions:
event.provider: auditd
defaultindex: auditd-*
fieldmappings:
# https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv
#a[0-3]: a[0-3]
#a[[:digit:]+]\[.*\]: a[[:digit:]+]\[.*\]
a0: process.args
a1: process.args
a2: process.args
a3: process.args
acct: acct
acl: acl
action: action
added: added
addr: addr
apparmor: apparmor
arch: arch
argc: argc
audit_backlog_limit: audit_backlog_limit
audit_backlog_wait_time: audit_backlog_wait_time
audit_enabled: audit_enabled
audit_failure: audit_failure
auid: auid
banners: banners
bool: bool
bus: bus
capability: capability
cap_fe: cap_fe
cap_fi: cap_fi
cap_fp: cap_fp
cap_fver: cap_fver
cap_pa: cap_pa
cap_pe: cap_pe
cap_pi: cap_pi
cap_pp: cap_pp
category: category
cgroup: cgroup
changed: changed
cipher: cipher
class: class
cmd: cmd
code: code
comm: comm
compat: compat
cwd: cwd
daddr: daddr
data: data
default-context: default-context
dev: dev
dev: dev
device: device
dir: dir
direction: direction
dmac: dmac
dport: dport
egid: egid
enforcing: enforcing
entries: entries
errno: errno
euid: euid
exe: process.executable
exit: exit
fam: fam
family: family
fd: fd
file: file
flags: flags
fe: fe
feature: feature
fi: fi
fp: fp
fp: fp
format: format
fsgid: fsgid
fsuid: fsuid
fver: fver
gid: gid
grantors: grantors
grp: grp
hook: hook
hostname: hostname
icmp_type: icmp_type
id: id
igid: igid
img-ctx: img-ctx
inif: inif
ip: ip
ipid: ipid
ino: ino
inode: inode
inode_gid: inode_gid
inode_uid: inode_uid
invalid_context: invalid_context
ioctlcmd: ioctlcmd
ipx-net: ipx-net
item: item
items: items
iuid: iuid
kernel: kernel
key: key
kind: kind
ksize: ksize
laddr: laddr
len: len
lport: lport
list: list
mac: mac
macproto: macproto
maj: maj
major: major
minor: minor
mode: mode
model: model
msg: msg
nargs: nargs
name: name
nametype: nametype
net: net
new: new
new-chardev: new-chardev
new-disk: new-disk
new-enabled: new-enabled
new-fs: new-fs
new_gid: new_gid
new-level: new-level
new_lock: new_lock
new-log_passwd: new-log_passwd
new-mem: new-mem
new-net: new-net
new_pe: new_pe
new_pi: new_pi
new_pp: new_pp
new-range: new-range
new-rng: new-rng
new-role: new-role
new-seuser: new-seuser
new-vcpu: new-vcpu
nlnk-fam: nlnk-fam
nlnk-grp: nlnk-grp
nlnk-pid: nlnk-pid
oauid: oauid
obj: obj
obj_gid: obj_gid
obj_uid: obj_uid
oflag: oflag
ogid: ogid
ocomm: ocomm
old: old
old: old
old-auid: old-auid
old-chardev: old-chardev
old-disk: old-disk
old-enabled: old-enabled
old_enforcing: old_enforcing
old-fs: old-fs
old-level: old-level
old_lock: old_lock
old-log_passwd: old-log_passwd
old-mem: old-mem
old-net: old-net
old_pa: old_pa
old_pe: old_pe
old_pi: old_pi
old_pp: old_pp
old_prom: old_prom
old-range: old-range
old-rng: old-rng
old-role: old-role
old-ses: old-ses
old-seuser: old-seuser
old_val: old_val
old-vcpu: old-vcpu
op: op
opid: opid
oses: oses
ouid: ouid
outif: outif
pa: pa
pe: pe
pi: pi
pp: pp
parent: parent
path: path
per: per
perm: perm
perm_mask: perm_mask
permissive: permissive
pfs: pfs
pid: pid
ppid: ppid
printer: printer
prom: prom
proctitle: proctitle
proto: proto
qbytes: qbytes
range: range
rdev: rdev
reason: reason
removed: removed
res: res
resrc: resrc
result: result
role: role
rport: rport
saddr: saddr
sauid: sauid
scontext: scontext
selected-context: selected-context
seperm: seperm
seqno: seqno
seperms: seperms
seresult: seresult
ses: ses
seuser: seuser
sgid: sgid
sig: sig
sigev_signo: sigev_signo
smac: smac
spid: spid
sport: sport
state: state
subj: subj
success: success
suid: suid
syscall: syscall
table: table
tclass: tclass
tcontext: tcontext
terminal: terminal
tty: tty
type: type
uid: uid
unit: unit
uri: uri
user: user
uuid: uuid
val: val
ver: ver
virt: virt
vm: vm
vm-ctx: vm-ctx
vm-pid: vm-pid
watch: watch

45
tools/config/ecs-filebeat.yml Normal file
View File

@ -0,0 +1,45 @@
title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
order: 20
backends:
- es-qs
- es-dsl
- es-rule
- es-rule-eql
- es-eql
- kibana
- kibana-ndjson
- xpack-watcher
- elastalert
- elastalert-dsl
- elasticsearch-rule
- ee-outliers
defaultindex: filebeat-*
fieldmappings:
# iptable
message: log.original
IN: iptables.input_device
OUT: iptables.output_device
MAC: destination.mac
SRC: source.ip
SPT: source.port
DST: destination.ip
DPT: destination.port
SEQ: iptables.tcp.seq
ACK: iptables.tcp.ack
PROTO: network.transport
# rule network
action: event.action
dst_ip: destination.ip
dst_port: destination.port
src_ip: source.ip
answer: dns.answers.name
c-dns: dns.question.name
dns_query: dns.question.name
parent_domain: dns.question.registered_domain
query: dns.question.name
QueryName: dns.question.name
r-dns: dns.question.name
record_type: dns.type
response: dns.answers