Hello,
Below is the proposed mapping for a new report that we are developing to
send advance notice of high-severity events ahead of the nightly report run.
| Field | Description
| ----- | -----------
| timestamp | Timestamp (UTC+0) at which the IP was seen
| type | Event type
| protocol | Packet type of the connection traffic (UDP/TCP)
| ip | IP of the device
| port | Port of the IP connection
| asn | ASN of the device
| geo | Country of the device
| region | Region of the device
| city | City of the device
| hostname | Reverse DNS of the device IP
| hostname_source | Source of the hostname
| naics | North American Industry Classification System Code
| sector | Sector to which the IP in question belongs, e.g. Communications, Commercial
| device_vendor | Source device vendor
| device_type | Source device type
| device_model | Source device model
| severity | Severity level
| dst_ip | Destination IP
| dst_port | Destination port of the IP connection
| dst_asn | ASN of the destination IP
| dst_geo | Country of the destination IP
| dst_region | Region of the destination IP
| dst_city | City of the destination IP
| dst_hostname | Reverse DNS of the destination IP
| dst_naics | North American Industry Classification System Code
| dst_sector | Sector to which the IP in question belongs, e.g. Communications, Commercial
| domain_name | Domain name referenced in the request
| public_source | Source of the event data
| infection | Description of the malware/infection
| family | Malware family or campaign associated with the event
| tag | Event attributes
| application | Application name associated with the event
| version | Software version associated with the event
| event_id | Unique identifier assigned to the event
| ssl_cipher | SSL cipher
| detail | Additional details about the event
Regards,
Jason
--
{
"constant_fields" : {
"classification.taxonomy" : "other",
"classification.type" : "other"
},
"feed_name" : "Alert",
"file_name" : "alert",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"extra.",
"type",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"src_isp_name",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"src_county",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"domain_name",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"detail",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
}