Remove the x-ecs-process and x-ecs-file entities from elastic_ecs map…
…ping (#1335)
cmadam committed Mar 2, 2023
1 parent 8a82d3f commit cd24c2d
Showing 7 changed files with 581 additions and 536 deletions.
Expand Up @@ -46,44 +46,39 @@
"file": {
"fields": {
"name": ["file.name", "file.path", "process.name.keyword", "process.executable.keyword", "process.parent.name.keyword", "process.parent.executable.keyword"],
"created": ["file.created"],
"created": ["file.created", "file.ctime"],
"modified": ["file.mtime"],
"accessed": ["file.accessed"],
"size": ["file.size"],
"mime_type": ["file.mime_type"],
"hashes.MD5": ["file.hash.md5"],
"hashes.'SHA-1'": ["file.hash.sha1"],
"hashes.'SHA-256'": ["file.hash.sha256"],
"hashes.'SHA-512'": ["file.hash.sha512"],
"parent_directory_ref.path": ["file.directory"]
}
},
"x-ecs-file": {
"fields": {
"accessed": ["file.accessed"],
"attributes": ["file.attributes"],
"ctime": ["file.ctime"],
"device": ["file.device"],
"drive_letter": ["file.drive_letter"],
"extension": ["file.extension"],
"gid": ["file.gid"],
"group": ["file.group"],
"inode": ["file.inode"],
"mime_type": ["file.mime_type"],
"mode": ["file.mode"],
"mtime": ["file.mtime"],
"owner": ["file.owner"],
"path": ["file.path"],
"target_path": ["file.target_path"],
"type": ["file.type"],
"uid": ["file.uid"],
"pe.company": ["file.pe.company"],
"pe.description": ["file.pe.description"],
"pe.file_version": ["file.pe.file_version"],
"pe.original_file_name": ["file.pe.original_file_name"],
"pe.product": ["file.pe.product"],
"code_signature.exists": ["file.code_signature.exists"],
"code_signature.status": ["file.code_signature.status"],
"code_signature.subject_name": ["file.code_signature.subject_name"],
"code_signature.trusted": ["file.code_signature.trusted"],
"code_signature.valid": ["file.code_signature.valid"]
"parent_directory_ref.path": ["file.directory"],
"x_attributes": ["file.attributes"],
"x_extension": ["file.extension"],
"x_path": ["file.path"],
"x_target_path": ["file.target_path"],
"x_type": ["file.type"],
"x_unix.device": ["file.device"],
"x_unix.group_id": ["file.gid"],
"x_unix.group": ["file.group"],
"x_unix.inode": ["file.inode"],
"x_unix.mode": ["file.mode"],
"x_owner_ref.user_id": ["file.uid"],
"x_owner_ref.account_login": ["file.owner"],
"x_win_drive_letter": ["file.drive_letter"],
"x_pe.company": ["file.pe.company"],
"x_pe.description": ["file.pe.description"],
"x_pe.file_version": ["file.pe.file_version"],
"x_pe.original_file_name": ["file.pe.original_file_name"],
"x_pe.product": ["file.pe.product"],
"x_code_signature.exists": ["file.code_signature.exists"],
"x_code_signature.status": ["file.code_signature.status"],
"x_code_signature.subject_name": ["file.code_signature.subject_name"],
"x_code_signature.trusted": ["file.code_signature.trusted"],
"x_code_signature.valid": ["file.code_signature.valid"]
}
},
"directory": {
Expand Down Expand Up @@ -112,51 +107,32 @@
"fields": {
"command_line": ["process.command_line.keyword", "powershell.command.value"],
"created": ["process.start"],
"cwd": ["process.working_directory.keyword"],
"pid": ["process.pid", "process.ppid", "process.parent.pid", "process.parent.ppid"],
"name": ["process.name.keyword", "process.parent.name.keyword"],
"creator_user_ref.user_id": ["user.name.keyword"],
"parent_ref.pid": ["process.ppid", "process.parent.ppid"],
"parent_ref.name": ["process.parent.name.keyword"],
"parent_ref.x_exit_code": ["process.parent.exit_code"],
"parent_ref.pgid": ["process.parent.pgid"],
"parent_ref.x_window_title": ["process.parent.title.keyword"],
"parent_ref.x_thread_id": ["process.parent.thread.id"],
"parent_ref.x_uptime": ["process.parent.uptime"],
"parent_ref.cwd": ["process.parent.working_directory"],
"parent_ref.binary_ref.path": ["process.parent.executable"],
"parent_ref.binary_ref.parent_directory_ref.path": ["process.parent.executable"],
"binary_ref.name": ["process.executable.keyword", "process.parent.executable.keyword"],
"binary_ref.parent_directory_ref.path": ["process.executable", "process.parent.executable"],
"binary_ref.hashes.MD5": ["process.hash.md5"],
"binary_ref.hashes.'SHA-1'": ["process.hash.sha1"],
"binary_ref.hashes.'SHA-256'": ["process.hash.sha256"],
"binary_ref.hashes.'SHA-512'": ["process.hash.sha512"],
"x_window_title": ["process.title"],
"x_exit_code": ["process.exit_code"],
"x_thread_id": ["process.thread.id"],
"x_ttp_tags": ["tags"],
"x_unique_id": ["process.entity_id.keyword", "process.parent.entity_id.keyword"]
}
},
"x-ecs-process": {
"fields": {
"args": ["process.args.keyword"],
"args_count": ["process.args_count"],
"executable": ["process.executable.keyword"],
"exit_code": ["process.exit_code"],
"thread.id": ["process.thread.id"],
"thread.name": ["process.thread.name"],
"title": ["process.title.keyword"],
"uptime": ["process.uptime"],
"working_directory": ["process.working_directory.keyword"],
"parent.args": ["process.parent.args.keyword"],
"parent.args_count": ["process.parent.args_count"],
"parent.exit_code": ["process.parent.exit_code"],
"parent.pgid": ["process.parent.pgid"],
"parent.thread.id": ["process.parent.thread.id"],
"parent.thread.name": ["process.parent.thread.name"],
"parent.title": ["process.parent.title"],
"parent.uptime": ["process.parent.uptime"],
"parent.working_directory": ["process.parent.working_directory"],
"pe.company": ["process.pe.company.keyword"],
"pe.description": ["process.pe.description.keyword"],
"pe.file_version": ["process.pe.file_version.keyword"],
"pe.original_file_name": ["process.pe.original_file_name.keyword"],
"pe.product": ["process.pe.product.keyword"],
"code_signature.exists": ["process.code_signature.exists"],
"code_signature.status": ["process.code_signature.status"],
"code_signature.subject_name": ["process.code_signature.subject_name"],
"code_signature.trusted": ["process.code_signature.trusted"],
"code_signature.valid": ["process.code_signature.valid"],
"parent.code_signature.exists": ["process.parent.code_signature.exists"],
"parent.code_signature.status": ["process.parent.code_signature.status"],
"parent.code_signature.subject_name": ["process.parent.code_signature.subject_name"],
"parent.code_signature.trusted": ["process.parent.code_signature.trusted"],
"parent.code_signature.valid": ["process.parent.code_signature.valid"]
"x_unique_id": ["process.entity_id.keyword", "process.parent.entity_id.keyword"],
"x_uptime": ["process.uptime"]
}
},
"url": {
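Review bot: The new side of the second hunk in this file section (`@@ -112,51 +107,32 @@`, the process entity) no longer lists any ECS field for `process.args`, `process.args_count`, `process.thread.name`, `process.pe.*` or `process.code_signature.*`, nor their `process.parent.*` counterparts, although the removed `x-ecs-process` block exposed all of them; only `exit_code`, `thread.id`, `title`, `uptime` and `working_directory` survive under the new `x_` / `parent_ref.x_` keys. Assuming this is the STIX-to-ECS query map (the list values read as query field names), patterns on a process's arguments or on its code-signing status can no longer be translated unless those fields are mapped elsewhere in the file, which drops a signal commonly relied on to tell trusted from untrusted executions. If the removal is deliberate it belongs in the commit description; otherwise the gap can be closed with keys mirroring the `x_code_signature.*` convention kept on the file entity in the first hunk, e.g. `"x_args": ["process.args.keyword"]`, `"x_code_signature.trusted": ["process.code_signature.trusted"]` and the `parent_ref.x_*` equivalents. The same applies to the process hunk of the second file section below, where the field names appear without the `.keyword` suffix.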
Expand Up @@ -46,44 +46,39 @@
"file": {
"fields": {
"name": ["file.name", "file.path", "process.name", "process.executable", "process.parent.name", "process.parent.executable"],
"created": ["file.created"],
"created": ["file.created", "file.ctime"],
"modified": ["file.mtime"],
"accessed": ["file.accessed"],
"size": ["file.size"],
"mime_type": ["file.mime_type"],
"hashes.MD5": ["file.hash.md5"],
"hashes.'SHA-1'": ["file.hash.sha1"],
"hashes.'SHA-256'": ["file.hash.sha256"],
"hashes.'SHA-512'": ["file.hash.sha512"],
"parent_directory_ref.path": ["file.directory"]
}
},
"x-ecs-file": {
"fields": {
"accessed": ["file.accessed"],
"attributes": ["file.attributes"],
"ctime": ["file.ctime"],
"device": ["file.device"],
"drive_letter": ["file.drive_letter"],
"extension": ["file.extension"],
"gid": ["file.gid"],
"group": ["file.group"],
"inode": ["file.inode"],
"mime_type": ["file.mime_type"],
"mode": ["file.mode"],
"mtime": ["file.mtime"],
"owner": ["file.owner"],
"path": ["file.path"],
"target_path": ["file.target_path"],
"type": ["file.type"],
"uid": ["file.uid"],
"pe.company": ["file.pe.company"],
"pe.description": ["file.pe.description"],
"pe.file_version": ["file.pe.file_version"],
"pe.original_file_name": ["file.pe.original_file_name"],
"pe.product": ["file.pe.product"],
"code_signature.exists": ["file.code_signature.exists"],
"code_signature.status": ["file.code_signature.status"],
"code_signature.subject_name": ["file.code_signature.subject_name"],
"code_signature.trusted": ["file.code_signature.trusted"],
"code_signature.valid": ["file.code_signature.valid"]
"parent_directory_ref.path": ["file.directory"],
"x_attributes": ["file.attributes"],
"x_extension": ["file.extension"],
"x_path": ["file.path"],
"x_target_path": ["file.target_path"],
"x_type": ["file.type"],
"x_unix.device": ["file.device"],
"x_unix.group_id": ["file.gid"],
"x_unix.group": ["file.group"],
"x_unix.inode": ["file.inode"],
"x_unix.mode": ["file.mode"],
"x_owner_ref.user_id": ["file.uid"],
"x_owner_ref.account_login": ["file.owner"],
"x_win_drive_letter": ["file.drive_letter"],
"x_pe.company": ["file.pe.company"],
"x_pe.description": ["file.pe.description"],
"x_pe.file_version": ["file.pe.file_version"],
"x_pe.original_file_name": ["file.pe.original_file_name"],
"x_pe.product": ["file.pe.product"],
"x_code_signature.exists": ["file.code_signature.exists"],
"x_code_signature.status": ["file.code_signature.status"],
"x_code_signature.subject_name": ["file.code_signature.subject_name"],
"x_code_signature.trusted": ["file.code_signature.trusted"],
"x_code_signature.valid": ["file.code_signature.valid"]
}
},
"directory": {
Expand Down Expand Up @@ -112,51 +107,32 @@
"fields": {
"command_line": ["process.command_line", "powershell.command.value"],
"created": ["process.start"],
"cwd": ["process.working_directory"],
"pid": ["process.pid", "process.ppid", "process.parent.pid", "process.parent.ppid"],
"name": ["process.name", "process.parent.name"],
"creator_user_ref.user_id": ["user.name"],
"parent_ref.pid": ["process.ppid", "process.parent.ppid"],
"parent_ref.name": ["process.parent.name"],
"parent_ref.x_exit_code": ["process.parent.exit_code"],
"parent_ref.pgid": ["process.parent.pgid"],
"parent_ref.x_window_title": ["process.parent.title"],
"parent_ref.x_thread_id": ["process.parent.thread.id"],
"parent_ref.x_uptime": ["process.parent.uptime"],
"parent_ref.cwd": ["process.parent.working_directory"],
"parent_ref.binary_ref.path": ["process.parent.executable"],
"parent_ref.binary_ref.parent_directory_ref.path": ["process.parent.executable"],
"binary_ref.name": ["process.executable", "process.parent.executable"],
"binary_ref.parent_directory_ref.path": ["process.executable", "process.parent.executable"],
"binary_ref.hashes.MD5": ["process.hash.md5"],
"binary_ref.hashes.'SHA-1'": ["process.hash.sha1"],
"binary_ref.hashes.'SHA-256'": ["process.hash.sha256"],
"binary_ref.hashes.'SHA-512'": ["process.hash.sha512"],
"x_window_title": ["process.title"],
"x_exit_code": ["process.exit_code"],
"x_thread_id": ["process.thread.id"],
"x_ttp_tags": ["tags"],
"x_unique_id": ["process.entity_id", "process.parent.entity_id"]
}
},
"x-ecs-process": {
"fields": {
"args": ["process.args"],
"args_count": ["process.args_count"],
"executable": ["process.executable"],
"exit_code": ["process.exit_code"],
"thread.id": ["process.thread.id"],
"thread.name": ["process.thread.name"],
"title": ["process.title"],
"uptime": ["process.uptime"],
"working_directory": ["process.working_directory"],
"parent.args": ["process.parent.args"],
"parent.args_count": ["process.parent.args_count"],
"parent.exit_code": ["process.parent.exit_code"],
"parent.pgid": ["process.parent.pgid"],
"parent.thread.id": ["process.parent.thread.id"],
"parent.thread.name": ["process.parent.thread.name"],
"parent.title": ["process.parent.title"],
"parent.uptime": ["process.parent.uptime"],
"parent.working_directory": ["process.parent.working_directory"],
"pe.company": ["process.pe.company"],
"pe.description": ["process.pe.description"],
"pe.file_version": ["process.pe.file_version"],
"pe.original_file_name": ["process.pe.original_file_name"],
"pe.product": ["process.pe.product"],
"code_signature.exists": ["process.code_signature.exists"],
"code_signature.status": ["process.code_signature.status"],
"code_signature.subject_name": ["process.code_signature.subject_name"],
"code_signature.trusted": ["process.code_signature.trusted"],
"code_signature.valid": ["process.code_signature.valid"],
"parent.code_signature.exists": ["process.parent.code_signature.exists"],
"parent.code_signature.status": ["process.parent.code_signature.status"],
"parent.code_signature.subject_name": ["process.parent.code_signature.subject_name"],
"parent.code_signature.trusted": ["process.parent.code_signature.trusted"],
"parent.code_signature.valid": ["process.parent.code_signature.valid"]
"x_unique_id": ["process.entity_id", "process.parent.entity_id"],
"x_uptime": ["process.uptime"]
}
},
"url": {
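Review bot: `"created": ["file.created", "file.ctime"]` on the new side of the first hunk in this section (and the identical line in the first file section above) folds two ECS fields with different meanings into one STIX property: `file.created` is the creation timestamp, whereas `file.ctime` is the inode/metadata change time, which moves whenever permissions or ownership change, so a pattern on `file:created` will also match files that were merely touched. The removed `x-ecs-file` block kept `ctime` as its own property, so this is a semantic change rather than a pure rename, and it is not mentioned in the commit description. If the intent is to keep `ctime` queryable without equating it with creation time, a separate custom key in the style the commit already uses, such as `"x_ctime": ["file.ctime"]`, preserves the distinction; if the merge is intentional, a sentence in the description saying so would help later readers.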