title: Elastic Common Schema mapping for proxy and webserver logs including NSM DNS logs (zeek/suricata)
order: 20
backends:
  - es-qs
  - es-dsl
  - elasticsearch-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
# zeek-category-dns:
  # category: dns
  # conditions:
    # event.dataset: dns
# zeek-dns:
  # product: zeek
  # service: dns
  # conditions:
    # event.dataset: dns
defaultindex:
  - filebeat-*
# logsourcemerging: or 
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst:
    - destination.address
    - destination.ip
  dst_ip:
    - destination.address
    - destination.ip
  dst_port: destination.port
  src:
    - source.address
    - source.ip
  src_ip:
    - source.address
    - source.ip
  src_port: source.port  
  # DNS Taxonomy
  answer: dns.answers.name
  c-dns: dns.question.name
  parent_domain: dns.question.registered_domain
  query: dns.question.name
  QueryName: dns.question.name
  r-dns: dns.question.name
  record_type: dns.answers.type
  response: dns.answers
  #question_length:
  # Zeek DNS specific
  AA: dns.AA
  addl: dns.addl
  answers: dns.answers.name
  auth: dns.auth
  qclass_name: dns.question.class
  qclass: dns.qclass
  qtype_name: dns.question.type
  qtype: dns.qtype
  query: dns.question.name
  #question_length: labels.dns.query_length
  RA: dns.RA
  rcode_name: dns.response_code
  rcode: dns.rcode
  RD: dns.RD
  rejected: dns.rejected
  rtt: dns.rtt
  TC: dns.TC
  trans_id: dns.id
  TTLs: dns.answers.ttl
  Z: dns.Z