Merge pull request #5373 from Security-Onion-Solutions/truclusterrator

Add eventfields for new default logs
2025-12-06 17:22:49 +01:00 · 2021-09-01 16:48:51 -04:00
parent 34a5d6e56a 556bad6925
commit e3dffcc2cb
1 changed files with 5 additions and 1 deletions
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -40,5 +40,9 @@
          ":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
          ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
          ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
-          ":windows_eventlog:": ["soc_timestamp", "user.name" ] 
+          ":windows_eventlog:": ["soc_timestamp", "user.name" ],
+          ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
+          ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
+          "::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
+          "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "event.dataset", "event.module" ]
          }