OTRF / Security-Datasets

Re-play Security Events
MIT License

[QUESTION] Does Mordor support ECS fields mapping #26

Closed Cyb3rSn0rlax closed 4 years ago

Cyb3rSn0rlax commented 4 years ago

Hello Hunters,

I have an Elastic cluster up and running and I was kinda interested in using Mordor's datasets in order to test rules created with signals and ElastAlert to display a Detection Capabilities Dashboard. My question is: does the Mordor project support ECS, since I am mapping all of my events with it?

Thank you for your great work

Cyb3rWard0g commented 4 years ago

Hey @H1L021! Several of the Small datasets were shipped by Winlogbeat to a Kafka broker to be exported. It has the raw Winlogbeat schema winlog, I believe. You should be fine ingesting it.

barvhaim commented 4 years ago

@H1L021 - I made a script to convert Mordor's large raw events to follow the Winlogbeat ECS schema 7.8, available here - https://github.com/barvhaim/mordor2ecs/tree/master
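One way to do such a raw-to-ECS mapping, as an added example that is neither the Mordor project's code nor barvhaim's script: the flat raw field names and the ECS targets in FIELD_MAP are assumptions drawn from the Mordor JSON style and the ECS/Winlogbeat field references, and the sample event is constructed, not taken from a dataset.

```python
import json

# Flat raw key -> dotted ECS path. Assumed mapping, based on the raw Mordor
# field names and the ECS/Winlogbeat field references; extend as needed.
FIELD_MAP = {
    "@timestamp": "@timestamp", "Hostname": "host.name",
    "Channel": "winlog.channel", "SourceName": "winlog.provider_name",
    "EventID": "event.code", "Image": "process.executable",
    "CommandLine": "process.command_line", "ProcessId": "process.pid",
    "ParentImage": "process.parent.executable",
    "ParentProcessId": "process.parent.pid",
}
INT_FIELDS = {"process.pid", "process.parent.pid"}  # ECS types these as long

def _set_path(doc, dotted, value):
    """Create nested dicts for a dotted path such as process.parent.pid."""
    cur, parts = doc, dotted.split(".")
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value

def to_ecs(raw):
    """Map one raw event dict to ECS; unmapped keys stay under winlog.event_data."""
    doc = {"event": {"kind": "event"}, "winlog": {"event_data": {}}}
    for key, value in raw.items():
        target = FIELD_MAP.get(key)
        if target is None:
            doc["winlog"]["event_data"][key] = value
        elif target == "event.code":
            _set_path(doc, target, str(value))  # event.code is a keyword in ECS
            _set_path(doc, "winlog.event_id", str(value))
        elif target in INT_FIELDS:
            _set_path(doc, target, int(value))  # raw PIDs may arrive as strings
        else:
            _set_path(doc, target, value)
    return doc

def convert_lines(lines):
    """Convert JSON lines (one raw event each) to ECS docs, skipping blank lines."""
    return [to_ecs(json.loads(ln)) for ln in lines if ln.strip()]

# Constructed sample event in the raw Mordor style (not taken from a dataset).
SAMPLE_RAW = json.dumps({
    "@timestamp": "2020-06-01T12:00:00.000Z", "Hostname": "WS5.example.local",
    "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
    "SourceName": "Microsoft-Windows-Sysmon", "ProcessId": "4120",
    "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
    "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": "2044",
    "User": "EXAMPLE\\alice",
})
```

Keeping unmapped keys under winlog.event_data mirrors what Winlogbeat does with provider-specific data, so rules that reference the original field names still have something to match on.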

Cyb3rWard0g commented 4 years ago

Thank you @barvhaim !