mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
71 lines
1.5 KiB
YAML
71 lines
1.5 KiB
YAML
title: Elastic Common Schema mapping for proxy and webserver logs including NSM DNS logs (zeek/suricata)
|
|
order: 20
|
|
backends:
|
|
- es-qs
|
|
- es-dsl
|
|
- elasticsearch-rule
|
|
- kibana
|
|
- kibana-ndjson
|
|
- xpack-watcher
|
|
- elastalert
|
|
- elastalert-dsl
|
|
# zeek-category-dns:
|
|
# category: dns
|
|
# conditions:
|
|
# event.dataset: dns
|
|
# zeek-dns:
|
|
# product: zeek
|
|
# service: dns
|
|
# conditions:
|
|
# event.dataset: dns
|
|
defaultindex:
|
|
- filebeat-*
|
|
# logsourcemerging: or
|
|
fieldmappings:
|
|
# All Logs Applied Mapping & Taxonomy
|
|
dst:
|
|
- destination.address
|
|
- destination.ip
|
|
dst_ip:
|
|
- destination.address
|
|
- destination.ip
|
|
dst_port: destination.port
|
|
src:
|
|
- source.address
|
|
- source.ip
|
|
src_ip:
|
|
- source.address
|
|
- source.ip
|
|
src_port: source.port
|
|
# DNS Taxonomy
|
|
answer: dns.answers.name
|
|
c-dns: dns.question.name
|
|
parent_domain: dns.question.registered_domain
|
|
query: dns.question.name
|
|
QueryName: dns.question.name
|
|
r-dns: dns.question.name
|
|
record_type: dns.answers.type
|
|
response: dns.answers
|
|
#question_length:
|
|
# Zeek DNS specific
|
|
AA: dns.AA
|
|
addl: dns.addl
|
|
answers: dns.answers.name
|
|
auth: dns.auth
|
|
qclass_name: dns.question.class
|
|
qclass: dns.qclass
|
|
qtype_name: dns.question.type
|
|
qtype: dns.qtype
|
|
query: dns.question.name
|
|
#question_length: labels.dns.query_length
|
|
RA: dns.RA
|
|
rcode_name: dns.response_code
|
|
rcode: dns.rcode
|
|
RD: dns.RD
|
|
rejected: dns.rejected
|
|
rtt: dns.rtt
|
|
TC: dns.TC
|
|
trans_id: dns.id
|
|
TTLs: dns.answers.ttl
|
|
Z: dns.Z
|