SigmaHQ/tools/config/ecs-proxy.yml

title: Elastic Common Schema mapping for proxy and webserver logs including NSM logs (zeek/suricata)
order: 20
backends:
  - es-qs
  - es-dsl
  - es-rule
  - corelight_elasticsearch-rule
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
defaultindex:
  - filebeat-*
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst:
    - destination.address
    - destination.ip
  dst_ip:
    - destination.address
    - destination.ip
  dst_port: destination.port
  src:
    - source.address
    - source.ip
  src_ip:
    - source.address
    - source.ip
  src_port: source.port
  # Web/Proxy Taxonomy
  cs-bytes: http.request.body.bytes
  cs-cookie-vars: http.cookie_vars
  c-uri-extension: url.extension
  c-uri-query: url.query
  c-uri-stem: url.original
  c-uri: url.original
  c-useragent: user_agent.original
  cs-bytes: http.request.body.bytes
  cs-cookie: http.cookie
  cs-host:
    - url.domain
    - destination.domain
  cs-method: http.request.method
  cs-referrer: http.request.referrer
  cs-version: http.version
  r-dns:
    - destination.domain
    - url.domain
  sc-bytes: http.response.body.bytes
  sc-status: http.response.status_code
  # Temporary one off rule name fields
  destination.domain:
  # destination.ip:
  # destination.port:
  # http.response.status_code
  # http.request.body.content
  # source.domain:
  # source.ip:
  # source.port:
  agent.version: http.version
  c-ip:
    - source.address
    - source.ip
  clientip:
    - source.address
    - source.ip
  clientIP:
    - source.address
    - source.ip
  dest_domain:
    - destination.domain
    - url.domain
  dest_ip:
    - destination.address
    - destination.ip
  dest_port: destination.port
  #TODO:WhatShouldThisBe?==dest:
  #TODO:WhatShouldThisBe?==destination:
  #TODO:WhatShouldThisBe?==Destination:
  destination.hostname:
    - destination.domain
    - url.domain
  DestinationAddress:
  DestinationHostname:
    - destination.domain
    - url.domain
  DestinationIp:
    - destination.address
    - destination.ip
  DestinationIP:
    - destination.address
    - destination.ip
  DestinationPort: destination.port
  dst-ip:
    - destination.address
    - destination.ip
  dstip:
    - destination.address
    - destination.ip
  dstport: destination.port
  Host:
    - destination.domain
    - url.domain
  host:
    - destination.domain
    - url.domain
  HostVersion: http.version
  http_host:
    - destination.domain
    - url.domain
  http_uri: url.original
  http_url: url.original
  http_user_agent: user_agent.original
  http.request.url-query-params: url.original
  HttpMethod: http.request.method
  in_url: url.original
  parent_domain:
    - url.registered_domain
    - destination.registered_domain
  post_url_parameter: url.original
  Request Url: url.original
  request_url: url.original
  request_URL: url.original
  RequestUrl: url.original
  response: http.response.status_code
  resource.url: url.original
  resource.URL: url.original
  sc_status: http.response.status_code
  sender_domain:
    - destination.domain
    - url.domain
  service.response_code: http.response.status_code
  source:
    - source.address
    - source.ip
  SourceAddr:
    - source.address
    - source.ip
  SourceAddress:
    - source.address
    - source.ip
  SourceIP:
    - source.address
    - source.ip
  SourceIp:
    - source.address
    - source.ip
  SourceNetworkAddress:
    - source.address
    - source.ip
  SourcePort: source.port
  srcip:
    - source.address
    - source.ip
  Status: http.response.status_code
  status: http.response.status_code
  url: url.original
  URL: url.original
  url_query: url.original
  url.query: url.original
  uri_path: url.original
  user_agent: user_agent.original
  user_agent.name: user_agent.original
  user-agent: user_agent.original
  User-Agent: user_agent.original
  useragent: user_agent.original
  UserAgent: user_agent.original
  web_dest:
    - url.domain
    - destination.domain
  web.dest:
    - url.domain
    - destination.domain
  Web.dest:
    - url.domain
    - destination.domain
  web.host:
    - url.domain
    - destination.domain
  Web.host:
    - url.domain
    - destination.domain
  web_method: http.request.method
  Web_method: http.request.method
  web.method: http.request.method
  Web.method: http.request.method
  web_src:
    - source.address
    - source.ip
  web_status: http.response.status_code
  Web_status: http.response.status_code
  web.status: http.response.status_code
  Web.status: http.response.status_code
  web_uri: url.original
  web_url: url.original
  # Zeek HTTP as Proxy/Web
  client_header_names: http.client_header_names
  cookie_vars: http.cookie_vars
  flash_version: http.flash_version
  info_code: http.info_code
  info_msg: http.info_msg
  method: http.request.method
  omniture: http.omniture
  orig_filenames: http.orig_filenames
  orig_mime_types: http.orig_mime_types
  origin: http.origin
  #password: source.user.password
  post_body: http.post_body
  proxied: http.proxied
  referrer: http.request.referrer
  request_body_len: http.request.body.bytes
  resp_filenames: http.resp_filenames
  resp_mime_types: http.resp_mime_types
  response_body_len: http.response.body.bytes
  server_header_names: http.server_header_names
  status_code: http.response.status_code
  status_msg: http.status_msg
  trans_depth: http.trans_depth
  uri_vars: http.uri_vars
  username: source.user.name
  version: http.version