This is a sample mapping of the connector, entity, and system fields that Siemplify requires to source events stored in Elasticsearch and named according to the Elastic Common Schema (ECS).
For this to be valid you must be storing your logs in Elasticsearch using ECS as well.
ECS is essentially a field naming convention adopted by Elasticsearch for use within its products. As the engineers at Elastic develop new dashboards (such as those for the new SIEM App in 7.2) and new machine learning jobs (a SIEM App improvement in 7.3), they will do so using ECS-defined fields. All of the 7.x Beats agents already use ECS to name their fields (and provide a good reference for those just starting with ECS). What this means for the end user is that if you map your incoming logs to ECS field names before the document is stored in Elasticsearch, many of the dashboards and machine learning jobs will work without any further effort on your part. If you decide instead to keep your current field names, you’ll have to re-map all the existing visualizations and ML jobs to your custom fields.
So now that you’re storing log fields in Elasticsearch using ECS, we need to map those fields to the Siemplify schema. What follows is my suggested mapping, subject to change.
You’ll notice that some Siemplify fields reference the same ECS field, such as DestinationDnsDomain and DestinationNtDomain. In these cases it may be necessary to use the Siemplify transform function EXTRACT_BY_REGEX in order to capture a subset of the ECS field to use.
I also have a spreadsheet available for download.
Update Aug 27: Having just discovered that ECS version 1.1 was recently released, I’ve made some modifications to the process and file hash field mappings.

| Siemplify Connector Setting | ECS Field |
|---|---|
| Product Field Name | event.module |
| Event Field Name | event.category |
| Alert Name Field | event.action |
| Timestamp Field | @timestamp |

| Siemplify Entity Mapping | ECS Extracted Field | ECS Alternative Field | ECS Alternative Field |
|---|---|---|---|
| SourceUserName | user.name | | |
| SourceHostName | source.hostname | client.hostname | |
| DestinationUserName | user.name | | |
| DestinationHostName | destination.hostname | server.hostname | |
| SourceAddress | source.ip | client.ip | |
| DestinationAddress | destination.ip | server.ip | |
| SourceProcessName | process.pid | process.name | |
| DestinationProcessName | process.pid | process.name | |
| DestinationURL | url.full | url.original | |
| FileName | file.name | | |
| FileHash | hash.md5 | hash.sha1 | hash.sha256 |
| EmailSubject | email.subject | | |
| USB | | | |
| Deployment | | | |
| DestinationMacAddress | destination.mac | server.mac | |
| SourceMacAddress | source.mac | client.mac | |
| CreditCard | | | |
| PhoneNumber | | | |
| CVE | | | |
| ThreatActor | | | |
| ThreatCampaign | | | |
| ThreatSignature | | | |
| GenericEntity | | | |

| Siemplify System Field | ECS Extracted Field | ECS Alternative Field | ECS Alternative Field |
|---|---|---|---|
| StartTime | event.start | @timestamp | |
| EndTime | event.end | | |
| Message | message | event.original | log.original |
| Name | event.action | | |
| CategoryOutcome | event.outcome | | |
| DestinationDnsDomain | destination.domain | server.domain | |
| DestinationNtDomain | destination.domain | server.domain | |
| DestinationPort | destination.port | server.port | |
| SourceDnsDomain | source.domain | client.domain | |
| SourceNtDomain | source.domain | client.domain | user.domain |
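
The fallback order in the tables (extracted field first, then the alternatives) and the shared-field case for DestinationDnsDomain and DestinationNtDomain can be checked offline before configuring a connector. The script below is an added example, not part of the original post or Siemplify's own code; the regex is an assumed stand-in for EXTRACT_BY_REGEX, the helper names are hypothetical, and the event is constructed.

```python
import re

# Subset of the page's mapping: Siemplify field -> ECS fields in preference
# order (extracted field first, then the alternatives).
MAPPING = {
    "SourceAddress": ["source.ip", "client.ip"],
    "DestinationAddress": ["destination.ip", "server.ip"],
    "StartTime": ["event.start", "@timestamp"],
    "DestinationDnsDomain": ["destination.domain", "server.domain"],
    "DestinationNtDomain": ["destination.domain", "server.domain"],
}

# Assumed pattern, standing in for EXTRACT_BY_REGEX: both domain fields read
# the same ECS field, so the NT domain keeps only the first DNS label.
EXTRACT = {"DestinationNtDomain": re.compile(r"^([^.]+)")}

def get_path(doc, dotted):
    """Look up a dotted ECS field name such as 'server.ip' in a nested document."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def map_event(doc):
    """Return {Siemplify field: value}; fields with no ECS source are left out."""
    out = {}
    for field, candidates in MAPPING.items():
        for path in candidates:
            value = get_path(doc, path)
            if value in (None, ""):
                continue  # missing or empty: try the next alternative
            value = str(value)
            if field in EXTRACT:
                match = EXTRACT[field].search(value)
                if not match:
                    continue
                value = match.group(1)
            out[field] = value
            break
    return out

# Constructed sample: an event that carries only client.*/server.* fields.
SAMPLE_EVENT = {
    "@timestamp": "2019-08-27T10:15:00Z",
    "client": {"ip": "10.0.0.5"},
    "server": {"ip": "10.0.0.20", "domain": "corp.example.com"},
}
```

Running map_event over a handful of real documents from each index shows which Siemplify fields come back empty, which is where entities would silently fail to be created.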