Elastic Common Schema mapping

All,

Following up on my brief comments at ZeekWeek, happy to share that we’ve developed a mapping of Zeek fields to the Elastic Common Schema. It is posted at https://github.com/corelight/ecs-mapping - looking forward to feedback and of course if there are any issues let us know (big thanks to Richard, cc’d above, for his work as the first deployment!). We’ll work to update this as the ECS revs - there are several fields they don’t have in the schema yet. Happy mapping!

Best,

Brian

This is great, thanks for sharing.

This is great!

The project README notes:

The mapping can be done using either an ElasticSearch ingest node or directly in Kibana

For users that ingest and enrich through a Logstash pipeline, how does this apply? (i.e., would they then have to maintain ingestion content in multiple layers?)

Yes, it still applies. When Logstash forwards the data to Elastic, it will go through the ingest pipelines and go through ECS.

-s
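As an added example, not part of the original thread or of the corelight/ecs-mapping project: the Python below emulates what an Elasticsearch ingest-node `rename` processor does when it moves Zeek conn.log fields onto ECS names, applied to a constructed Zeek JSON log line. The processor list is an illustrative excerpt written for this example (the real project's pipelines and their full field coverage are in the repository); the ECS targets `source.ip`, `destination.port`, `network.transport` and so on are real ECS fields, while `zeek.session_id` for Zeek's `uid` is an assumed name standing in for one of the fields the schema does not cover yet.

```python
"""Emulate Elasticsearch ingest-pipeline 'rename' processors mapping Zeek conn.log
fields onto Elastic Common Schema (ECS) names.

Example code added for illustration; not part of corelight/ecs-mapping.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed excerpt shaped like ingest "rename" processors
# ({"field": ..., "target_field": ..., "ignore_missing": ...}).
ZEEK_CONN_TO_ECS = [
    {"rename": {"field": "id.orig_h", "target_field": "source.ip", "ignore_missing": True}},
    {"rename": {"field": "id.orig_p", "target_field": "source.port", "ignore_missing": True}},
    {"rename": {"field": "id.resp_h", "target_field": "destination.ip", "ignore_missing": True}},
    {"rename": {"field": "id.resp_p", "target_field": "destination.port", "ignore_missing": True}},
    {"rename": {"field": "proto", "target_field": "network.transport", "ignore_missing": True}},
    {"rename": {"field": "orig_bytes", "target_field": "source.bytes", "ignore_missing": True}},
    {"rename": {"field": "resp_bytes", "target_field": "destination.bytes", "ignore_missing": True}},
    # 'uid' has no ECS counterpart; "zeek.session_id" is an assumed custom name.
    {"rename": {"field": "uid", "target_field": "zeek.session_id", "ignore_missing": True}},
]

# Constructed conn.log record in the flat dotted-key form Zeek's JSON writer emits.
SAMPLE_CONN_LINE = json.dumps({
    "ts": 1570000000.123, "uid": "CExample1", "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10", "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1200,
    "resp_bytes": 8400, "conn_state": "SF",
})


def _pop_field(doc: dict, path: str) -> tuple[bool, Any]:
    """Remove `path` from doc; accepts Zeek's flat dotted key or a nested object path."""
    if path in doc:
        return True, doc.pop(path)
    parts = path.split(".")
    node: Any = doc
    for part in parts[:-1]:
        node = node.get(part) if isinstance(node, dict) else None
        if not isinstance(node, dict):
            return False, None
    if parts[-1] in node:
        return True, node.pop(parts[-1])
    return False, None


def _set_field(doc: dict, path: str, value: Any) -> None:
    """Create nested objects for a dotted target, e.g. "source.ip" -> {"source": {"ip": ...}}."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def apply_pipeline(doc: dict, processors: list[dict]) -> dict:
    """Run rename processors in order; a missing field fails the document unless ignore_missing."""
    for proc in processors:
        spec = proc["rename"]
        found, value = _pop_field(doc, spec["field"])
        if not found:
            if spec.get("ignore_missing", False):
                continue
            raise KeyError(f"field [{spec['field']}] not present as part of path")
        _set_field(doc, spec["target_field"], value)
    return doc


def map_zeek_line(line: str, processors: list[dict] = ZEEK_CONN_TO_ECS) -> dict:
    """Parse one Zeek JSON log line and return the ECS-shaped document."""
    return apply_pipeline(json.loads(line), processors)


if __name__ == "__main__":
    print(json.dumps(map_zeek_line(SAMPLE_CONN_LINE), indent=2))
```

The point of the emulation is the answer given in the thread: the mapping lives in the ingest pipeline, so a Logstash deployment does not need a second copy of it; the Logstash `elasticsearch` output's `pipeline` option names the ingest pipeline to run on each event, and fields Zeek emits that ECS does not yet define (here `uid` and the untouched `conn_state`) simply pass through under their own names.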