OTRF / Security-Datasets

Re-play Security Events
MIT License

[Question] "Does Mordor support ECS fields mapping" for winlogbeat 7.x? #29

Closed barvhaim closed 4 years ago

barvhaim commented 4 years ago

addition following closed issue #26

Currently the recorded data is winlogbeat data of version 6.7, which does not follow the ECS field mappings of the current version 7+ (7.8 to be specific). Is there a way to get the recorded datasets for winlogbeat 7+ mapping, or just raw Windows log events?

thanks :+1:

Cyb3rWard0g commented 4 years ago

Hey @barvhaim, that's a great question! Yes, most of the datasets were collected with a previous version of Winlogbeat and hence the ECS field mapping constraints. Unfortunately, I will not be using Winlogbeat for future datasets and will record them again with a flat schema to make all datasets schema and product agnostic. I am in the process of doing that and adding new ones.

Thank you for the support :)

barvhaim commented 4 years ago

@Cyb3rWard0g - I made a script to convert Mordor's large raw events to follow the winlogbeat ECS schema 7.8, available here: https://github.com/barvhaim/mordor2ecs/tree/master
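To illustrate the kind of field reshaping this thread is about, here is an added example that is not barvhaim's mordor2ecs script and not part of the Mordor project: it moves a flat Winlogbeat 6.x event into the nested winlog.* / ECS layout of Winlogbeat 7.x. The rename table, the derived ECS fields and the sample event are assumptions based on Winlogbeat's documented 6.x-to-7.x field changes, not values taken from this page.

```python
"""Reshape a flat Winlogbeat 6.x event into the Winlogbeat 7.x ECS layout.

Assumed mapping (from Winlogbeat's 7.0 breaking-change notes), not the
page's own code: top-level 6.x fields move under winlog.*, and a few ECS
fields (event.code, event.provider, host.name) are derived from them.
"""
import copy
import json

# 6.x top-level field -> 7.x dotted path (assumed mapping)
RENAMES = {
    "computer_name": "winlog.computer_name",
    "event_id": "winlog.event_id",
    "log_name": "winlog.channel",
    "source_name": "winlog.provider_name",
    "record_number": "winlog.record_id",
    "provider_guid": "winlog.provider_guid",
    "task": "winlog.task",
    "opcode": "winlog.opcode",
    "keywords": "winlog.keywords",
    "process_id": "winlog.process.pid",
    "thread_id": "winlog.process.thread.id",
    "event_data": "winlog.event_data",
    "user": "winlog.user",
    "level": "log.level",
}


def _put(doc, path, value):
    """Set a dotted path inside a nested dict, creating levels as needed."""
    parts = path.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def to_ecs(old):
    """Return a new 7.x-style document; fields not in RENAMES keep their name."""
    new = {}
    for key, value in old.items():
        _put(new, RENAMES.get(key, key), copy.deepcopy(value))
    # ECS keyword fields derived from the legacy values (assumed, see above)
    if "event_id" in old:
        _put(new, "event.code", str(old["event_id"]))
    if "source_name" in old:
        _put(new, "event.provider", old["source_name"])
    if "computer_name" in old:
        _put(new, "host.name", old["computer_name"])
    _put(new, "event.kind", "event")
    return new


# Constructed sample 6.x event, not a record from the Mordor datasets.
SAMPLE = {
    "@timestamp": "2020-08-01T12:00:00.000Z",
    "computer_name": "WORKSTATION5.example.local",
    "event_id": 4688,
    "log_name": "Security",
    "source_name": "Microsoft-Windows-Security-Auditing",
    "level": "Information",
    "event_data": {"SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    "message": "A new process has been created.",
}

if __name__ == "__main__":
    print(json.dumps(to_ecs(SAMPLE), indent=2))
```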

Cyb3rWard0g commented 4 years ago

That's awesome @barvhaim! Thank you for doing that and sharing it with the community. Definitely helpful!