SigmaHQ/tools/config/ecs-suricata.yml

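---
# Sigma backend configuration: translates the field names used by Sigma rules
# written against Suricata EVE JSON (e.g. `src_ip`, `alert.signature_id`,
# `http.hostname`) into the field names of an Elastic Common Schema (ECS) /
# Filebeat "suricata" module index, so converted queries hit the right fields.
#
# Left-hand side:  Sigma rule field name (Suricata EVE key, dotted for nesting).
# Right-hand side: target field in the Elastic index. Fields with no ECS
# equivalent are left under the Filebeat vendor prefix `suricata.eve.*`.
#
# Structure matters: every entry of `fieldmappings` MUST be indented beneath
# it. Un-indented entries parse as stray top-level keys and `fieldmappings`
# itself as null, in which case no translation is applied and rule field
# names reach the backend untouched (queries silently match nothing).
#
# NOTE(review): a field-name mapping cannot rewrite *values*. Where the ECS
# ingest pipeline normalises a value (case folding, vocabulary renames) a
# rule's literal has to be written in the normalised form or the converted
# query silently matches nothing — see the per-field notes below and confirm
# each against the Filebeat suricata pipeline version actually deployed.
title: Elastic Common Schema And Elastic Exported Fields Mapping For Suricata Logs
# Presumably controls precedence when several configs are passed to sigmac
# (later/higher applied last) — verify against the Sigma config loader.
order: 20
# Backends this config is meant for.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - kibana
  - xpack-watcher
  - elastalert
  - elastalert-dsl
fieldmappings:
  # Quoted: a bare leading `@` is a YAML reserved indicator.
  timestamp: '@timestamp'
  flow_id: suricata.eve.flow_id
  in_iface: suricata.eve.in_iface
  # NOTE(review): ECS `event.kind` is a small fixed vocabulary (`alert`,
  # `event`, ...); Suricata record types such as `dns`, `http`, `flow` or
  # `fileinfo` are not ECS kinds, so a rule selecting on e.g. `event_type: dns`
  # is likely to match nothing under this mapping. If the pipeline keeps the
  # raw type (e.g. `suricata.eve.event_type`), mapping there is safer — confirm.
  event_type: event.kind
  src_ip: source.ip
  src_port: source.port
  dest_ip: destination.ip
  dest_port: destination.port
  # NOTE(review): ECS expects lower-case transport names (`tcp`) while Suricata
  # emits upper-case (`TCP`). Keyword matching is case-sensitive, so rule
  # literals must use whatever case the pipeline actually stores — confirm.
  proto: network.transport
  tx_id: suricata.eve.tx_id
  # NOTE(review): Suricata emits `allowed`/`blocked`; the ECS `event.type`
  # vocabulary uses `allowed`/`denied`. A rule literal `blocked` would then
  # need to be written as `denied` — confirm the pipeline's translation.
  alert.action: event.type
  alert.gid: suricata.eve.alert.gid
  alert.signature_id: rule.id
  alert.rev: suricata.eve.alert.rev
  alert.signature: rule.name
  alert.category: rule.category
  # Numeric priority copied as-is; Suricata conventionally treats 1 as the
  # most severe, and ECS assigns no fixed meaning to the number — keep that
  # polarity in mind for range comparisons (confirm against your rulesets).
  alert.severity: event.severity
  # Signature metadata has no ECS counterpart; kept vendor-namespaced.
  alert.metadata.updated_at: suricata.eve.alert.metadata.updated_at
  alert.metadata.created_at: suricata.eve.alert.metadata.created_at
  alert.metadata.signature_severity: suricata.eve.alert.metadata.signature_severity
  alert.metadata.deployment: suricata.eve.alert.metadata.deployment
  alert.metadata.attack_target: suricata.eve.alert.metadata.attack_target
  alert.metadata.affected_product: suricata.eve.alert.metadata.affected_product
  # Not mapped onto ECS `dns.question.*`; DNS rules query the vendor field.
  dns.query: suricata.eve.dns.query
  app_proto: network.protocol
  # Flow counters: `toserver` is the source side, `toclient` the destination.
  flow.pkts_toserver: source.packets
  flow.pkts_toclient: destination.packets
  flow.bytes_toserver: source.bytes
  flow.bytes_toclient: destination.bytes
  flow.start: event.start
  # Raw payload excerpt (attacker-supplied bytes) and stream id stay
  # vendor-namespaced; there is no ECS equivalent.
  payload_printable: suricata.eve.payload_printable
  stream: suricata.eve.stream
  http.hostname: url.domain
  http.url: url.original
  http.http_user_agent: user_agent.original
  http.http_method: http.request.method
  http.protocol: suricata.eve.http.protocol
  # Mapped onto the response body size; no request-side counterpart here.
  http.length: http.response.body.bytes
  http.status: http.response.status_code
  # Suricata keeps the historical `refer` spelling; the ECS field is `referrer`.
  http.http_refer: http.request.referrer
  fileinfo.filename: file.path
  fileinfo.size: file.size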