security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
da54e89f3045fdf23daa2dbdfd712aceb393ae90
blue-team-tools/tools/config/stix.yml
T
bar 5019f2f160 added mapping for stix web, cloud, linux
2020-07-22 21:41:46 +03:00

136 lines
2.9 KiB
YAML
Raw Blame History

title: Basic STIX
backends:
- stix
order: 20
fieldmappings:
User:
- user-account:user_id
c-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
cs-ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
destinationip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
destinationmac:
- mac-addr:value
- network-traffic:dst_ref.value
destinationport:
- network-traffic:dst_port
domainname:
- domain-name:value
dst:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
dst_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
endtime:
- network-traffic:end
event_data.DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
DestinationIp:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:dst_ref.value
event_data.DestinationPort:
- network-traffic:dst_port
DestinationPort:
- network-traffic:dst_port
event_data.SubjectUserName:
- user-account:user_id
event_data.User:
- user-account:user_id
filehash:
- file:hashes.SHA-256
- file:hashes.MD5
- file:hashes.SHA-1
filename:
- file:name
filepath:
- file:parent_directory_ref
- directory:path
identityip:
- ipv4-addr:value
protocolid:
- network-traffic:protocols[*]
sourceip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
sourcemac:
- mac-addr:value
- network-traffic:src_ref.value
sourceport:
- network-traffic:src_port
SourcePort:
- network-traffic:src_port
src:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
src_ip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
starttime:
- network-traffic:start
url:
- url:value
user:
- user-account:user_id
username:
- user-account:user_id
utf8_payload:
- artifact:payload_bin
# Web mapping
c-uri:
- url:value
keywords:
- x-sigma:keywords
cs-method:
- http-request-ext:request_method
sc-status:
- x-web:status_code
clientip:
- ipv4-addr:value
- ipv6-addr:value
- network-traffic:src_ref.value
# Cloud mapping
eventSource:
- x-host:name
eventName:
- x-event:action
requestParameters.attribute:
- x-cloud:request_parameters
responseElements.publiclyAccessible:
- x-cloud:publicly_accessible
errorMessage:
- x-error:message
errorCode:
- x-error:code
responseElements:
- x-cloud:response_elements
requestParameters.userData:
- x-cloud:request_parameters
userIdentity.type:
- user-account:account_login
eventType:
- x-event:action
userIdentity.arn:
- user-account:account_login
- user-account:display_name
responseElements.pendingModifiedValues.masterUserPassword:
- user-account:credential
Reference in New Issue View Git Blame Copy Permalink