title: Basic STIX backends: - stix order: 20 fieldmappings: action: - x-event:action User: - user-account:user_id c-ip: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value cs-ip: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value destinationip: - ipv4-addr:value - ipv6-addr:value - network-traffic:dst_ref.value destinationmac: - mac-addr:value - network-traffic:dst_ref.value destinationport: - network-traffic:dst_port dst_port: - network-traffic:dst_port domainname: - domain-name:value dst: - ipv4-addr:value - ipv6-addr:value - network-traffic:dst_ref.value dst_ip: - ipv4-addr:value - ipv6-addr:value - network-traffic:dst_ref.value endtime: - network-traffic:end event_data.DestinationIp: - ipv4-addr:value - ipv6-addr:value - network-traffic:dst_ref.value DestinationIp: - ipv4-addr:value - ipv6-addr:value - network-traffic:dst_ref.value event_data.DestinationPort: - network-traffic:dst_port DestinationPort: - network-traffic:dst_port destination.port: - network-traffic:dst_port event_data.SubjectUserName: - user-account:user_id event_data.User: - user-account:user_id filehash: - file:hashes.SHA-256 - file:hashes.MD5 - file:hashes.SHA-1 filename: - file:name filepath: - file:parent_directory_ref - directory:path identityip: - ipv4-addr:value protocolid: - network-traffic:protocols[*] sourceip: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value sourcemac: - mac-addr:value - network-traffic:src_ref.value sourceport: - network-traffic:src_port SourcePort: - network-traffic:src_port src: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value src_ip: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value starttime: - network-traffic:start url: - url:value user: - user-account:user_id username: - user-account:user_id utf8_payload: - artifact:payload_bin # Web + Proxy mapping c-uri: - network-traffic:extensions.'http-request-ext'.request_value - url:value c-uri-query: - network-traffic:extensions.'http-request-ext'.request_value - url:value c-uri-stem: - network-traffic:extensions.'http-request-ext'.request_value - url:value keywords: - artifact:payload_bin cs-method: - network-traffic:extensions.'http-request-ext'.request_method sc-status: - x-web:status_code clientip: - ipv4-addr:value - ipv6-addr:value - network-traffic:src_ref.value c-useragent: - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' r-dns: - domain-name:value - url:value - x-dns:query cs-host: - x-host:name - domain-name:value cs-cookie: - network-traffic:extensions.'http-request-ext'.request_header.Cookie query: - domain-name:value - url:value - x-dns:query record_type: - x-dns:record_type operation: - x-event:action # Compliance mapping event.category: - x-event:action host.scan.vuln_name: - vulnerability:name host.scan.vuln: - vulnerability:external_references[*].external_id # Cloud mapping eventSource: - x-host:name eventName: - x-event:action requestParameters.attribute: - x-cloud:request_parameters responseElements.publiclyAccessible: - x-cloud:publicly_accessible errorMessage: - x-error:message errorCode: - x-error:code responseElements: - x-cloud:response_elements requestParameters.userData: - x-cloud:request_parameters userIdentity.type: - user-account:account_login eventType: - x-event:action userIdentity.arn: - user-account:account_login - user-account:display_name responseElements.pendingModifiedValues.masterUserPassword: - user-account:credential