Mapping
After all declared fields are obtained from parsers, the fields typically have to be renamed according to some schema (ECS, CEF) in a process called mapping.
Why is mapping necessary?
To store event data in Elasticsearch, it's essential that the field names in the logs align with the Elastic Common Schema (ECS), a standardized, open-source collection of field names that are compatible with Elasticsearch. The mapping process renames the fields of the parsed logs according to this schema. Mapping ensures that logs from various sources have unified, consistent field names, which enables Elasticsearch to interpret them accurately.
Important
By default, mapping works as a filter. Make sure to include all fields you want in the parsed output in the mapping declaration. Any field not specified in mapping will be removed from the event.
Writing a mapping declaration
Write mapping declarations in YAML. (Mapping declarations do not use SP-Lang expressions.)

define:
  type: parser/mapping
  schema: /Schemas/ECS.yaml

mapping:
  <original_key>: <new_key>
  <original_key>: <new_key>
  ...
Specify parser/mapping as the type in the define section. In the schema field, specify the file path to the schema you're using. If you use Elasticsearch, use the Elastic Common Schema (ECS).
Standard mapping
To rename the key and change the data type of the value:
Warning
The new data type must correspond to the data type specified in the schema for this field.
By specifying type: auto, the data type is determined automatically from the schema based on the new field name.

mapping:
  <original_key>:
    field: <new_key>
    type: <new_type>
Find available data types here.
To rename the key without changing the data type of the value:
mapping:
  <original_key>: <new_key>
Mapping from JSON
To rename a key stored in a JSON object:

mapping:
  <jsonObject> <jsonPointer>: <new_key>

The name of the JSON object and the JSON pointer must be separated by a space. The JSON pointer always starts with /, and each subsequent level is separated by /.
To rename a key stored in a JSON object that is selected by a specific key-value pair:

mapping:
  <jsonObject> <jsonPointer/[key:value]/jsonPointer>: <new_key>

The name of the JSON object and the JSON pointer must be separated by a space. The JSON pointer always starts with /, and each subsequent level is separated by /.
The specified key-value pair allows choosing the required JSON object (see example below).
To rename a key stored in a JSON object and change the data type of the value:

mapping:
  <jsonObject> <jsonPointer>:
    field: <new_key>
    type: <new_type>

As before, the data type can be changed by specifying the type field.
Examples
Example 1: Mapping from JSON
For the purpose of the example, let's say that we want to parse a simple event in JSON format:
{
  "act": "user login",
  "ip": "178.2.1.20",
  "usr": "harry_potter",
  "id": "6514-abb6-a5f2"
}

and we would like the final output to look like this:

{
  "event.action": "user login",
  "source.ip": "178.2.1.20",
  "user.name": "harry_potter"
}
Notice that the key names in the original event differ from the key names in the desired output.
For the initial parser declaration in this case, we can use a simple JSON parser:
define:
  type: parser/json

This parser creates a JSON object and stores it in the json field.
To change the names of individual fields, we create this mapping declaration file, 20_mapping_ECS.yaml, in which we describe which fields to map and how:
---
define:
  type: parser/mapping       # determine the type of declaration
  schema: /Schemas/ECS.yaml  # which schema is applied

mapping:
  json /act: 'event.action'
  json /ip:
    field: 'source.ip'
    type: auto
  json /usr: 'user.name'

This declaration produces the desired output. The data type of the source.ip field is determined automatically from the schema and converted accordingly. Note that the id field is dropped, because it is not listed in the mapping.
Example 2: Mapping from JSON with specific key-value pair
Another example is a mapping for a more complex event in JSON format, which contains a list of JSON objects that are distinguished by a specific key-value pair:

{
  "CreationTime": "2022-01-19T11:07:41",
  "ExtendedProperties": [
    {
      "Name": "ResultStatusDetail",
      "Value": "Redirect"
    },
    {
      "Name": "UserAgent",
      "Value": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) MicrosoftTeams-Preview/1.4.00.26453 Chrome/85.0.4183.121 Electron/10.4.7 Safari/537.36"
    },
    {
      "Name": "RequestType",
      "Value": "OAuth2:Authorize"
    }
  ]
}
To get a field from the JSON object that contains a specific key-value pair, use the following syntax:

---
define:
  type: parser/mapping       # determine the type of declaration
  schema: /Schemas/ECS.yaml  # which schema is applied

mapping:
  json /ExtendedProperties/[Name:ResultStatusDetail]/Value: 'o365.audit.ExtendedProperties.ResultStatusDetail'
  json /ExtendedProperties/[Name:UserAgent]/Value: 'o365.audit.ExtendedProperties.UserAgent'
  json /ExtendedProperties/[Name:RequestType]/Value: 'o365.audit.ExtendedProperties.RequestType'
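To make the mapping semantics concrete, the following Python script is an added illustration of the behaviour described in both examples above: it walks "<jsonObject> <jsonPointer>" keys with the [key:value] selector, applies type: auto by looking the new field name up in a schema, and drops every field the declaration does not mention. It is not the product's own implementation. The SCHEMA dict is a constructed stand-in for /Schemas/ECS.yaml, the events and mapping declarations are the ones from the examples written as Python literals rather than YAML (so no YAML library is needed), and the set of supported data types is assumed.

```python
import ipaddress
import json

# Constructed stand-in for /Schemas/ECS.yaml: new field name -> data type.
# Only the fields used below are listed; the real schema is far larger.
SCHEMA = {
    "event.action": "str",
    "source.ip": "ip",
    "user.name": "str",
}

# Constructed raw events, identical in content to the two JSON events in the examples.
RAW_EVENT_1 = '{"act": "user login", "ip": "178.2.1.20", "usr": "harry_potter", "id": "6514-abb6-a5f2"}'
RAW_EVENT_2 = json.dumps({
    "CreationTime": "2022-01-19T11:07:41",
    "ExtendedProperties": [
        {"Name": "ResultStatusDetail", "Value": "Redirect"},
        {"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Linux x86_64) MicrosoftTeams-Preview/1.4.00.26453"},
        {"Name": "RequestType", "Value": "OAuth2:Authorize"},
    ],
})

# The two mapping declarations from the examples, as dicts instead of YAML.
MAPPING_1 = {
    "json /act": "event.action",
    "json /ip": {"field": "source.ip", "type": "auto"},
    "json /usr": "user.name",
}
MAPPING_2 = {
    "json /ExtendedProperties/[Name:ResultStatusDetail]/Value": "o365.audit.ExtendedProperties.ResultStatusDetail",
    "json /ExtendedProperties/[Name:UserAgent]/Value": "o365.audit.ExtendedProperties.UserAgent",
    "json /ExtendedProperties/[Name:RequestType]/Value": "o365.audit.ExtendedProperties.RequestType",
}

# Assumed set of data types; the real list lives in the product's data type reference.
CONVERTERS = {"str": str, "int": int, "ip": ipaddress.ip_address}


def resolve_pointer(obj, pointer):
    """Walk a pointer such as /a/[Name:X]/Value through nested dicts and lists.

    A [key:value] segment selects, from a list of objects, the first one whose
    key equals value. A missing path yields None instead of raising.
    """
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must start with /")
    current = obj
    for segment in pointer[1:].split("/"):
        if segment.startswith("[") and segment.endswith("]"):
            key, _, wanted = segment[1:-1].partition(":")
            if not isinstance(current, list):
                return None
            current = next((item for item in current
                            if isinstance(item, dict) and str(item.get(key)) == wanted), None)
        elif isinstance(current, dict):
            current = current.get(segment)
        else:
            return None
        if current is None:
            return None
    return current


def apply_mapping(event, mapping, schema):
    """Build the mapped event. Like the mapping stage, this acts as a filter:
    any field the declaration does not mention is dropped from the output."""
    output = {}
    for source, target in mapping.items():
        if " " in source:
            # "<jsonObject> <jsonPointer>": look inside the parsed JSON object
            object_name, pointer = source.split(" ", 1)
            value = resolve_pointer(event.get(object_name), pointer)
        else:
            # plain "<original_key>": a top-level field of the event
            value = event.get(source)
        if value is None:
            continue
        if isinstance(target, dict):
            new_key = target["field"]
            type_name = target.get("type")
            if type_name == "auto":
                # type: auto -> the data type comes from the schema entry for the new name
                type_name = schema[new_key]
            if type_name is not None:
                value = CONVERTERS[type_name](value)
        else:
            new_key = target
        output[new_key] = value
    return output


def run_example(raw_event, mapping):
    """Emulate parser/json (store the parsed object in the 'json' field), then map."""
    parsed_event = {"json": json.loads(raw_event)}
    return apply_mapping(parsed_event, mapping, SCHEMA)


if __name__ == "__main__":
    for raw, mapping in ((RAW_EVENT_1, MAPPING_1), (RAW_EVENT_2, MAPPING_2)):
        print(json.dumps(run_example(raw, mapping), indent=2, default=str))
```

Running the script prints the two mapped events: the first matches the desired output from Example 1 (with source.ip converted to an IP address object and the unmapped id field removed), and the second contains only the three o365.audit.ExtendedProperties.* fields, because CreationTime is not listed in the mapping.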