Arnaud Loos

Categories

  • elasticsearch
  • security

This is a sample mapping of the connector, entity, and system fields Siemplify requires in order to source events from Elasticsearch, where the events are stored using the Elastic Common Schema (ECS).

For this to be valid you must be storing your logs in Elasticsearch using ECS as well.

ECS is essentially a field naming convention adopted by Elasticsearch for use within its products. As the engineers at Elastic develop new dashboards (like those for the new SIEM App in 7.2) and new machine learning jobs (a SIEM App improvement in 7.3), they do so using ECS-defined fields. All of the 7.x Beats agents already use ECS to name their fields (and provide a good reference for those just starting with ECS). What this means for the end user is that if you map your incoming logs to ECS field names before the document is stored in Elasticsearch, many of the dashboards and machine learning jobs will work without any further effort on your part. If you decide instead to keep your current field names, you’ll have to re-map all the existing visualizations and ML jobs to your custom fields.

So now that you’re storing log fields in Elasticsearch using ECS, we need to map those fields to the Siemplify schema. What follows is my suggested mapping, subject to change.

You’ll notice that some Siemplify fields reference the same ECS field, such as DestinationDnsDomain and DestinationNtDomain. In these cases it may be necessary to use the Siemplify transform function EXTRACT_BY_REGEX to capture only the relevant subset of the ECS field.

I also have a spreadsheet available for download.

Update Aug 27: Having just discovered that ECS version 1.1 was recently released I’ve made some modifications to the process and file hash field mappings.

| Siemplify Connector Setting | ECS Field |
|---|---|
| Product Field Name | event.module |
| Event Field Name | event.category |
| Alert Name Field | event.action |
| Timestamp Field | @timestamp |
| Siemplify Entity Mapping | ECS Extracted Field | ECS Alternative Field | ECS Alternative Field |
|---|---|---|---|
| SourceUserName | user.name | | |
| SourceHostName | source.hostname | client.hostname | |
| DestinationUserName | user.name | | |
| DestinationHostName | destination.hostname | server.hostname | |
| SourceAddress | source.ip | client.ip | |
| DestinationAddress | destination.ip | server.ip | |
| SourceProcessName | process.pid | process.name | |
| DestinationProcessName | process.pid | process.name | |
| DestinationURL | url.full | url.original | |
| FileName | file.name | | |
| FileHash | hash.md5 | hash.sha1 | hash.sha256 |
| EmailSubject | email.subject | | |
| USB | | | |
| Deployment | | | |
| DestinationMacAddress | destination.mac | server.mac | |
| SourceMacAddress | source.mac | client.mac | |
| CreditCard | | | |
| PhoneNumber | | | |
| CVE | | | |
| ThreatActor | | | |
| ThreatCampaign | | | |
| ThreatSignature | | | |
| GenericEntity | | | |
| Siemplify System Field | ECS Extracted Field | ECS Alternative Field | ECS Alternative Field |
|---|---|---|---|
| StartTime | event.start | @timestamp | |
| EndTime | event.end | | |
| Message | message | event.original | log.original |
| Name | event.action | | |
| CategoryOutcome | event.outcome | | |
| DestinationDnsDomain | destination.domain | server.domain | |
| DestinationNtDomain | destination.domain | server.domain | |
| DestinationPort | destination.port | server.port | |
| SourceDnsDomain | source.domain | client.domain | |
| SourceNtDomain | source.domain | client.domain | user.domain |
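As an added worked example (not Siemplify's code and not from this post), the Python below applies a subset of the mapping tables above to a nested ECS document: for each Siemplify field it tries the extracted field and then its alternatives in order, and for the two fields that share destination.domain it splits the value with a regex, the way EXTRACT_BY_REGEX would. The regex patterns, the SIEMPLIFY_TO_ECS and EXTRACT_BY_REGEX names, and the sample document are my assumptions, not Siemplify's configuration.

```python
import re

# Siemplify field -> ordered ECS candidates (first present wins), from the tables above.
SIEMPLIFY_TO_ECS = {
    "DestinationHostName": ["destination.hostname", "server.hostname"],
    "FileHash": ["hash.md5", "hash.sha1", "hash.sha256"],
    "DestinationDnsDomain": ["destination.domain", "server.domain"],
    "DestinationNtDomain": ["destination.domain", "server.domain"],
}

# Regexes applied after extraction where two Siemplify fields share one ECS source.
# Assumed patterns, not Siemplify's own EXTRACT_BY_REGEX configuration:
# NT domain = first label of the FQDN, DNS domain = everything after the first label.
EXTRACT_BY_REGEX = {
    "DestinationNtDomain": re.compile(r"^([^.]+)"),
    "DestinationDnsDomain": re.compile(r"^[^.]+\.(.+)$"),
}

def get_path(doc, dotted):
    """Resolve a dotted ECS field name against a nested document; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def map_event(ecs_doc):
    """Build the Siemplify fields for one ECS document, honouring fallbacks and regex extraction."""
    out = {}
    for siemplify_field, candidates in SIEMPLIFY_TO_ECS.items():
        for ecs_field in candidates:
            value = get_path(ecs_doc, ecs_field)
            if value is None:
                continue  # try the next alternative ECS field
            pattern = EXTRACT_BY_REGEX.get(siemplify_field)
            if pattern:
                match = pattern.search(str(value))
                if not match:
                    break  # source present but not splittable (e.g. bare NT domain): leave unset
                value = match.group(1)
            out[siemplify_field] = value
            break
    return out

# Constructed sample: a Beats-style nested ECS document carrying only the alternative fields.
SAMPLE = {"server": {"hostname": "fs01", "domain": "corp.example.com"},
          "hash": {"sha256": "0" * 64}}
```

Running map_event(SAMPLE) yields DestinationHostName from server.hostname, FileHash from hash.sha256, and "corp" / "example.com" for the NT and DNS domains; a single-label domain such as WORKGROUP fills only DestinationNtDomain.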