Hello,
Below is the proposed mapping for a new report we are developing, which will send advance notice of high-severity events ahead of the nightly report run.
| Field | Description |
| ----- | ----------- |
| timestamp | Timestamp when the IP was seen in UTC+0 |
| type | Event type |
| protocol | Packet type of the connection traffic (UDP/TCP) |
| ip | IP of the device |
| port | Port of the IP connection |
| asn | ASN of the device |
| geo | Country of the device |
| region | Region of the device |
| city | City of the device |
| hostname | Reverse DNS of the device IP |
| hostname_source | Source of the hostname |
| naics | North American Industry Classification System Code |
| sector | Sector to which the IP in question belongs; e.g. Communications, Commercial |
| device_vendor | Source device vendor |
| device_type | Source device type |
| device_model | Source device model |
| severity | Severity level |
| dst_ip | Destination IP |
| dst_port | Destination port of the IP connection |
| dst_asn | ASN of the destination IP |
| dst_geo | Country of the destination IP |
| dst_region | Region of the destination IP |
| dst_city | City of the destination IP |
| dst_hostname | Reverse DNS of the destination IP |
| dst_naics | North American Industry Classification System Code |
| dst_sector | Sector to which the IP in question belongs; e.g. Communications, Commercial |
| domain_name | Domain name referenced in the request |
| public_source | Source of the event data |
| infection | Description of the malware/infection |
| family | Malware family or campaign associated with the event |
| tag | Event attributes |
| application | Application name associated with the event |
| version | Software version associated with the event |
| event_id | Unique identifier assigned to the event |
| ssl_cipher | SSL cipher |
| detail | Additional details about the event |
Regards,
Jason
--
{ "constant_fields" : { "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "Alert", "file_name" : "alert", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "extra.", "type", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "src_isp_name", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "src_county", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "domain_name", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "detail", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", 
"add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }