title: Google Chronicle field mapping
order: 20
backends:
- chronicle
fieldmappings:
EventID: metadata.product_event_type
EventId: metadata.product_event_type
event_id: metadata.product_event_type
CommandLine: target.process.command_line
Commandline: target.process.command_line
Command: target.process.command_line
ComputerName: target.hostname
CurrentDirectory: principal.file.full_path
DestinationHostname: target.hostname
dest-domain: target.hostname
DestinationIp: target.ip
event_data.DestinationIp: target.ip
destinationIp: target.ip
dst_ip: target.ip
dest_ip: target.ip
DestinationIP: target.ip
DestinationIsIpv6: target.ip
DestinationAddress: target.ip
#DestinationIsIpv6: winlog.event_data.DestinationIsIpv6  # commented out: this field gets deleted and is not a boolean, see https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279
DestinationPort: target.port
dst_port: target.port
dest_port: target.port
DestinationPortName: protocol
Details: metadata.description
EventType: metadata.event_type
type: metadata.event_type
FileName: target.file.full_path
OriginalFileName: target.file.full_path
TargetFileName: target.file.full_path
event_data.TargetFilename: target.file.full_path
file_name: target.file.full_path
Targetfilename: target.file.full_path
FilePath: target.file.full_path
Hashes: target.file.md5
event_data.Hashes: target.file.md5
Hash: target.file.md5
hash: target.file.md5
Imphash: target.file.md5
file_hash: target.file.md5
file_hash_imphash: target.file.md5
Image: target.process.file.full_path
event_data.Image: target.process.file.full_path
baseImage: src.process.file.full_path
ImageLoaded: target.process.file.full_path
ImageLoad: target.process.file.full_path
ImagePath: target.file.full_path
IpAddress: principal.ip
IpPort: principal.port
logonType: extensions.auth.mechanism
LogonType: extensions.auth.mechanism
ObjectValueName: target.registry.registry_value_name
ParentCommandLine: src.process.command_line
ParentProcessName: src.process.file.full_path
ServiceFileName: target.process.command_line
ServiceName: target.process.command_line
ParentImage: src.process.file.full_path
Path: target.file.full_path
PipeName: file.name
ProcessCommandLine: target.process.command_line
ProcessName: target.process.file.full_path
process.name: target.process.command_line
process.args: target.process.command_line
exe: target.process.file.full_path
TaskName: target.resource.name
TargetProcessAddress: target.process.file.file_metadata.pe.import_hash
StartAddress: target.process.file.file_metadata.pe.import_hash
event_data.StartAddress: target.process.file.file_metadata.pe.import_hash
FailureCode: security_result.description
Status: security_result.description
TicketOptions: security_result.about.labels.value
SourceHostname: principal.hostname
cs_host:
- principal.hostname
- target.hostname
Host: principal.hostname
SourceImage: src.process.file.full_path
SourceIp: principal.ip
SourceIP: principal.ip
SourceAddress: principal.ip
src_ip: principal.ip
SourceNetworkAddress: principal.ip
ip: principal.ip
SourcePort: principal.port
src_port: principal.port
SubjectDomainName: src.user.domain
SubjectUserName: src.user.user_display_name
SubjectUserSid: src.user.userid
TargetFilename: target.file.full_path
TargetImage: target.process.file.full_path
TargetObject: target.registry.registry_key
event_data.TargetObject: target.registry.registry_key
TargetDomainName: target.user.domain
TargetUserName: target.user.user_display_name
TargetUserSid: target.user.userid
SidHistory: target.process.product_specific_process_id
sid: target.process.product_specific_process_id
Sid: target.process.product_specific_process_id
User: src.user.user_display_name
domain: src.hostname
WorkstationName: principal.hostname
URL: target.url
url: target.url
http_uri: target.url
c_uri_query: target.url
query: target.url
c-uri-path: target.url
c-useragent: src.application
StartModule: src.application
UserAgent: src.application
User-Agent: src.application
http_userAgent: src.application
http_url_rootDomain: target.hostname
dns_query_name: network.dns.questions.name
r_dns: target.hostname
r-dns: target.hostname
Signature: target.registry.registry_value_data
signature: target.registry.registry_value_data
Value: target.registry.registry_value_data
TargetValue: target.registry.registry_value_data
ObjectName:
- target.registry.registry_value_data
- target.file.full_path
ScriptBlockText: target.process.command_line
Command_Line: target.process.command_line
event_data.CommandLine: target.process.command_line
commandLine: target.process.command_line
c-uri: target.url
cs-uri-query: target.url
c-uri-query: target.url
c_uri: target.url
request_url: target.url
cs_uri_query: target.url
c-uri-extension: target.url
resource.URL: target.url
web.url: target.url
web.payload: target.url
http_method: network.http.method
cs_method: network.http.method
cs-method: network.http.method
HttpMethod: network.http.method
web.method: network.http.method
web.status: network.http.response_code
application: network.http.user_agent
Application: network.http.user_agent
AccountName: src.user.user_display_name
objectType: src.user.user_display_name
ObjectType: src.user.user_display_name
ShareName: target.resource.name
RelativeTargetName: target.file.full_path
AccessMask: target.process.access_mask
Properties: target.process.file.file_metadata.pe.import_hash
Product: metadata.product_name
product: metadata.product_name
FileVersion: metadata.description
description: metadata.description
Description: metadata.description
Company: metadata.description
Source: src.application
app: src.application
AuthenticationPackageName: src.application
action: security_result.action
NewProcessName: target.process.command_line
answers: network.dns.answers.data
answer: network.dns.answers.data
sc-status: network.http.response_code
cs-host: target.hostname
eventName: metadata.description
destination.domain: target.hostname
destination: target.hostname