# Sigma converter configuration for Elasticsearch indices populated by Elastic
# Auditbeat (7.x and later) with the auditd module enabled.  It lists the
# backends the mapping applies to, scopes the linux/auditd logsource, sets the
# default index pattern and translates Sigma field names into the field names
# found in the Auditbeat index.
title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
# Apply order when more than one configuration is passed to the converter.
order: 20
# Backends this mapping is valid for.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers

logsources:
  # Rules whose logsource declares product "linux" and service "auditd" use
  # this entry; the condition below is added to every generated query so that
  # only events provided by auditd are searched.
  linux_auditd:
    product: linux
    service: auditd
    conditions:
      event.provider: auditd

# Index pattern used when the rule's logsource does not supply its own.
defaultindex: auditd-*

fieldmappings:
  # Sigma field names follow the kernel audit field dictionary:
  # https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv
  # Disabled regex-style alternatives to the explicit a0..a3 entries below.
  #a[0-3]: a[0-3]
  #a[[:digit:]+]\[.*\]: a[[:digit:]+]\[.*\]
  # All four syscall argument positions collapse onto the single field
  # process.args, so a rule that constrains one position (e.g. a1) matches
  # that value in any argument position; the mapping trades positional
  # precision for ECS compatibility.
  a0: process.args
  a1: process.args
  a2: process.args
  a3: process.args
  # Every entry below (except exe) keeps the raw auditd record field name.
  # NOTE(review): Auditbeat's ECS output nests raw audit record fields under
  # an auditd.* prefix; confirm these identity mappings resolve against the
  # target index mapping, because a rule built on an unmapped field is
  # accepted by the converter yet never matches any document.
  acct: acct
  acl: acl
  action: action
  added: added
  addr: addr
  apparmor: apparmor
  arch: arch
  argc: argc
  audit_backlog_limit: audit_backlog_limit
  audit_backlog_wait_time: audit_backlog_wait_time
  audit_enabled: audit_enabled
  audit_failure: audit_failure
  auid: auid
  banners: banners
  bool: bool
  bus: bus
  capability: capability
  cap_fe: cap_fe
  cap_fi: cap_fi
  cap_fp: cap_fp
  cap_fver: cap_fver
  cap_pa: cap_pa
  cap_pe: cap_pe
  cap_pi: cap_pi
  cap_pp: cap_pp
  category: category
  cgroup: cgroup
  changed: changed
  cipher: cipher
  class: class
  cmd: cmd
  code: code
  comm: comm
  compat: compat
  cwd: cwd
  daddr: daddr
  data: data
  default-context: default-context
  dev: dev
  device: device
  dir: dir
  direction: direction
  dmac: dmac
  dport: dport
  egid: egid
  enforcing: enforcing
  entries: entries
  errno: errno
  euid: euid
  # The executed binary is stored in the ECS field rather than the raw name.
  exe: process.executable
  exit: exit
  fam: fam
  family: family
  fd: fd
  file: file
  flags: flags
  fe: fe
  feature: feature
  fi: fi
  fp: fp
  format: format
  fsgid: fsgid
  fsuid: fsuid
  fver: fver
  gid: gid
  grantors: grantors
  grp: grp
  hook: hook
  hostname: hostname
  icmp_type: icmp_type
  id: id
  igid: igid
  img-ctx: img-ctx
  inif: inif
  ip: ip
  ipid: ipid
  ino: ino
  inode: inode
  inode_gid: inode_gid
  inode_uid: inode_uid
  invalid_context: invalid_context
  ioctlcmd: ioctlcmd
  ipx-net: ipx-net
  item: item
  items: items
  iuid: iuid
  kernel: kernel
  key: key
  kind: kind
  ksize: ksize
  laddr: laddr
  len: len
  lport: lport
  list: list
  mac: mac
  macproto: macproto
  maj: maj
  major: major
  minor: minor
  mode: mode
  model: model
  msg: msg
  nargs: nargs
  name: name
  nametype: nametype
  net: net
  new: new
  new-chardev: new-chardev
  new-disk: new-disk
  new-enabled: new-enabled
  new-fs: new-fs
  new_gid: new_gid
  new-level: new-level
  new_lock: new_lock
  new-log_passwd: new-log_passwd
  new-mem: new-mem
  new-net: new-net
  new_pe: new_pe
  new_pi: new_pi
  new_pp: new_pp
  new-range: new-range
  new-rng: new-rng
  new-role: new-role
  new-seuser: new-seuser
  new-vcpu: new-vcpu
  nlnk-fam: nlnk-fam
  nlnk-grp: nlnk-grp
  nlnk-pid: nlnk-pid
  oauid: oauid
  obj: obj
  obj_gid: obj_gid
  obj_uid: obj_uid
  oflag: oflag
  ogid: ogid
  ocomm: ocomm
  old: old
  old-auid: old-auid
  old-chardev: old-chardev
  old-disk: old-disk
  old-enabled: old-enabled
  old_enforcing: old_enforcing
  old-fs: old-fs
  old-level: old-level
  old_lock: old_lock
  old-log_passwd: old-log_passwd
  old-mem: old-mem
  old-net: old-net
  old_pa: old_pa
  old_pe: old_pe
  old_pi: old_pi
  old_pp: old_pp
  old_prom: old_prom
  old-range: old-range
  old-rng: old-rng
  old-role: old-role
  old-ses: old-ses
  old-seuser: old-seuser
  old_val: old_val
  old-vcpu: old-vcpu
  op: op
  opid: opid
  oses: oses
  ouid: ouid
  outif: outif
  pa: pa
  pe: pe
  pi: pi
  pp: pp
  parent: parent
  path: path
  per: per
  perm: perm
  perm_mask: perm_mask
  permissive: permissive
  pfs: pfs
  pid: pid
  ppid: ppid
  printer: printer
  prom: prom
  proctitle: proctitle
  proto: proto
  qbytes: qbytes
  range: range
  rdev: rdev
  reason: reason
  removed: removed
  res: res
  resrc: resrc
  result: result
  role: role
  rport: rport
  saddr: saddr
  sauid: sauid
  scontext: scontext
  selected-context: selected-context
  seperm: seperm
  seqno: seqno
  seperms: seperms
  seresult: seresult
  ses: ses
  seuser: seuser
  sgid: sgid
  sig: sig
  sigev_signo: sigev_signo
  smac: smac
  spid: spid
  sport: sport
  state: state
  subj: subj
  success: success
  suid: suid
  syscall: syscall
  table: table
  tclass: tclass
  tcontext: tcontext
  terminal: terminal
  tty: tty
  type: type
  uid: uid
  unit: unit
  uri: uri
  user: user
  uuid: uuid
  val: val
  ver: ver
  virt: virt
  vm: vm
  vm-ctx: vm-ctx
  vm-pid: vm-pid
  watch: watch