Skip to content

Commit

Permalink
update others_cloud mappings (opensearch-project#301)
Browse files Browse the repository at this point in the history
Signed-off-by: Grant Haywood <[email protected]>
  • Loading branch information
phaseshiftg authored and petardz committed Feb 22, 2023
1 parent 38175a5 commit d12fce5
Show file tree
Hide file tree
Showing 2 changed files with 87 additions and 26 deletions.
27 changes: 22 additions & 5 deletions src/main/resources/OSMapping/others_cloud/fieldmappings.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,24 @@
# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under cloud log group to their corresponding ECS Fields.
fieldmappings:
EventID: event_uid
HiveName: unmapped.HiveName
fieldB: mappedB
fieldA1: mappedA
creationTime: timestamp
eventSource: winlog-provider_name
status: azure-platformlogs-status
eventService: winlog-event_data-ServiceName
ResultType: azure-platformlogs-result_type
ResultDescription: azure-signinlogs-result_description
Operation: azure-activitylogs-operation_name
Resultdescription: azure-signinlogs-result_description
AuthenticationRequirement: azure-signinlogs-properties-authentication_requirement
Status: azure-platformlogs-status
OperationName: azure-auditlogs-operation_name
ResourceId: azure-resource-id
OperationNameValue: azure-auditlogs-operation_name
TargetResources: azure-auditlogs-properties-target_resources
NetworkLocationDetails: azure-signinlogs-properties-network_location_details
DeviceDetail.deviceId: azure-signinlogs-properties-device_detail-device_id
ResourceDisplayName: azure-signinlogs-properties-resource_display_name
conditionalAccessStatus: azure-signinlogs-properties-conditional_access_status
LoggedByService: azure-auditlogs-properties-logged_by_service
DeviceDetail.isCompliant: azure-signinlogs-properties-device_detail-is_compliant
ActivityDisplayName: azure-auditlogs-properties-activity_display_name
gcp.audit.method_name: gcp-audit-method_name

86 changes: 65 additions & 21 deletions src/main/resources/OSMapping/others_cloud/mappings.json
Original file line number Diff line number Diff line change
@@ -1,32 +1,76 @@
{
"properties": {
"windows-event_data-CommandLine": {
"type": "alias",
"path": "CommandLine"
"winlog-provider_name": {
"path": "winlog.provider_name",
"type": "alias"
},
"azure-platformlogs-status": {
"path": "azure.platformlogs.status",
"type": "alias"
},
"winlog-event_data-ServiceName": {
"path": "winlog.event_data.ServiceName",
"type": "alias"
},
"azure-platformlogs-result_type": {
"path": "azure.platformlogs.result_type",
"type": "alias"
},
"azure-signinlogs-result_description": {
"path": "azure.signinlogs.result_description",
"type": "alias"
},
"azure-activitylogs-operation_name": {
"path": "azure.activitylogs.operation_name",
"type": "alias"
},
"azure-signinlogs-properties-authentication_requirement": {
"path": "azure.signinlogs.properties.authentication_requirement",
"type": "alias"
},
"azure-auditlogs-operation_name": {
"path": "azure.auditlogs.operation_name",
"type": "alias"
},
"azure-resource-id": {
"path": "azure.resource.id",
"type": "alias"
},
"azure-auditlogs-properties-target_resources": {
"path": "azure.auditlogs.properties.target_resources",
"type": "alias"
},
"azure-signinlogs-properties-network_location_details": {
"path": "azure.signinlogs.properties.network_location_details",
"type": "alias"
},
"event_uid": {
"type": "alias",
"path": "EventID"
"azure-signinlogs-properties-device_detail-device_id": {
"path": "azure.signinlogs.properties.device_detail.device_id",
"type": "alias"
},
"windows-hostname": {
"type": "alias",
"path": "HostName"
"azure-signinlogs-properties-resource_display_name": {
"path": "azure.signinlogs.properties.resource_display_name",
"type": "alias"
},
"windows-message": {
"type": "alias",
"path": "Message"
"azure-signinlogs-properties-conditional_access_status": {
"path": "azure.signinlogs.properties.conditional_access_status",
"type": "alias"
},
"windows-provider-name": {
"type": "alias",
"path": "Provider_Name"
"azure-auditlogs-properties-logged_by_service": {
"path": "azure.auditlogs.properties.logged_by_service",
"type": "alias"
},
"windows-servicename": {
"type": "alias",
"path": "ServiceName"
"azure-signinlogs-properties-device_detail-is_compliant": {
"path": "azure.signinlogs.properties.device_detail.is_compliant",
"type": "alias"
},
"azure-auditlogs-properties-activity_display_name": {
"path": "azure.auditlogs.properties.activity_display_name",
"type": "alias"
},
"creationTime": {
"path": "creationTime",
"gcp-audit-method_name": {
"path": "gcp.audit.method_name",
"type": "alias"
}
}
}
}

0 comments on commit d12fce5

Please sign in to comment.