# Sigma backend configuration for Suricata EVE events stored in Azure Log Analytics.
# Each entry under `fieldmappings` rewrites the Sigma field name on the left into the
# KQL expression on the right; every expression parses the raw EVE JSON event held in
# the RawData column with parse_json(RawData) and selects one property path from it.
title: Suricata logs mapping for Azure Log Analytics
# Precedence of this config when it is combined with other sigmac configs.
order: 20
# Backends this mapping is applied to: `ala` and `ala-rule` (the latter presumably
# the alert-rule output variant of the Azure Log Analytics backend).
backends:
  - ala
  - ala-rule
fieldmappings:
  # Event envelope fields.
  timestamp: parse_json(RawData).timestamp
  flow_id: parse_json(RawData).flow_id
  in_iface: parse_json(RawData).in_iface
  event_type: parse_json(RawData).event_type
  # Network 5-tuple.
  src_ip: parse_json(RawData).src_ip
  src_port: parse_json(RawData).src_port
  dest_ip: parse_json(RawData).dest_ip
  dest_port: parse_json(RawData).dest_port
  proto: parse_json(RawData).proto
  tx_id: parse_json(RawData).tx_id
  # Alert block: action taken, rule identity (gid/sid/rev), signature text and
  # classification.
  alert.action: parse_json(RawData).alert.action
  alert.gid: parse_json(RawData).alert.gid
  alert.signature_id: parse_json(RawData).alert.signature_id
  alert.rev: parse_json(RawData).alert.rev
  alert.signature: parse_json(RawData).alert.signature
  alert.category: parse_json(RawData).alert.category
  alert.severity: parse_json(RawData).alert.severity
  # Rule metadata emitted by the matching signature. For `cve` and `tag` both the
  # plain and the `suricata.eve.`-prefixed spellings resolve to the same property,
  # so rules written with either field-name convention compile to the same column.
  alert.metadata.updated_at: parse_json(RawData).alert.metadata.updated_at
  alert.metadata.created_at: parse_json(RawData).alert.metadata.created_at
  alert.metadata.cve: parse_json(RawData).alert.metadata.cve
  suricata.eve.alert.metadata.cve: parse_json(RawData).alert.metadata.cve
  alert.metadata.signature_severity: parse_json(RawData).alert.metadata.signature_severity
  alert.metadata.deployment: parse_json(RawData).alert.metadata.deployment
  alert.metadata.tag: parse_json(RawData).alert.metadata.tag
  suricata.eve.alert.metadata.tag: parse_json(RawData).alert.metadata.tag
  alert.metadata.attack_target: parse_json(RawData).alert.metadata.attack_target
  alert.metadata.affected_product: parse_json(RawData).alert.metadata.affected_product
  # Protocol-specific fields.
  dns.query: parse_json(RawData).dns.query
  app_proto: parse_json(RawData).app_proto
  # Flow counters and start time.
  flow.pkts_toserver: parse_json(RawData).flow.pkts_toserver
  flow.pkts_toclient: parse_json(RawData).flow.pkts_toclient
  flow.bytes_toserver: parse_json(RawData).flow.bytes_toserver
  flow.bytes_toclient: parse_json(RawData).flow.bytes_toclient
  flow.start: parse_json(RawData).flow.start
  # Presumably the printable rendering of the packet payload; treat as untrusted
  # content when it is surfaced in rule output — confirm against the EVE schema.
  payload_printable: parse_json(RawData).payload_printable
  stream: parse_json(RawData).stream
  # HTTP transaction fields (`http_refer` is the key spelling used here, not `referer`).
  http.hostname: parse_json(RawData).http.hostname
  http.url: parse_json(RawData).http.url
  http.http_user_agent: parse_json(RawData).http.http_user_agent
  http.http_method: parse_json(RawData).http.http_method
  http.protocol: parse_json(RawData).http.protocol
  http.length: parse_json(RawData).http.length
  http.status: parse_json(RawData).http.status
  http.http_refer: parse_json(RawData).http.http_refer
  # NOTE(review): unlike every other entry, these two do not mirror the Sigma field
  # name — `fileinfo.*` is read from `file.path` / `file.size`. Confirm that the
  # ingested EVE events actually carry a `file` object at that path; otherwise
  # fileinfo-based rules will silently match nothing.
  fileinfo.filename: parse_json(RawData).file.path
  fileinfo.size: parse_json(RawData).file.size