
List:       bro
Subject:    Re: [Zeek] What version of Zeek is going to map to ECS ?
From:       Steve Smoot <smoot () corelight ! com>
Date:       2020-07-17 4:17:41
Message-ID: CADOXQ8aTHVmRV5P2uGgnjqnp0q7902PCdT_6YA9eeTnvF3u5gw () mail ! gmail ! com


If you have other avenues in mind, see also:
https://github.com/corelight/ecs-mapping

-s

On Thu, Jul 16, 2020 at 7:38 PM Eric Ooi <ericooi@gmail.com> wrote:

> Hi Don,
>
> Assuming you're using Filebeat's Zeek module, it looks like ECS mapping is
> supported as of Zeek 2.6.1 (
> https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zeek.html).
> This GitHub PR (https://github.com/elastic/beats/pull/17738) references
> an update to the Zeek module to support ECS 1.5 (latest).
>
> I have Zeek 3.1.4 sending logs to Elasticsearch 7.8 and can confirm that
> fields appear to be mapped properly.
>
> Hope that helps!
> Eric
> ericooi.com
>
>
> On Jul 16, 2020, at 6:21 PM, Don Thomas <don.thomas.cissp@gmail.com>
> wrote:
>
> Just curious what version of Zeek is going to have the ECS mapping?
>
> Thank you,
>
> *Don Thomas, CISSP, CISA*
>
> _______________________________________________
> Zeek mailing list
> zeek@zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
*Stephen R. Smoot, PhD*
VP, Customer Success
Corelight
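The thread answers "which version" but not what "mapped properly" looks like. The following is an added example, not code from this list, from Filebeat's Zeek module, or from the corelight/ecs-mapping repository: it takes one Zeek conn.log record as Zeek emits it with JSON logging enabled, renames a subset of fields into their ECS equivalents, and then runs the kind of field-presence check a practitioner would use to confirm the mapping on real ingested documents. The rename table (CONN_TO_ECS), the required-field list, the sample record and the helper names are all assumptions made for the example; treat the Filebeat module's own ingest pipeline as the source of truth for the real field set.

```python
import json
from datetime import datetime, timezone

# Constructed sample record: one Zeek conn.log entry in the form Zeek writes with
# JSON logging enabled (redef LogAscii::use_json = T). All values are made up.
SAMPLE_CONN_LINE = json.dumps({
    "ts": 1594944000.123456,
    "uid": "CqxM3e2nTWg0T7Kqj",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "93.184.216.34",
    "id.resp_p": 443,
    "proto": "tcp",
    "service": "ssl",
    "duration": 1.5,
    "orig_bytes": 1200,
    "resp_bytes": 8400,
    "conn_state": "SF",
})

# Illustrative subset of conn.log -> ECS renames. This table is an assumption made
# for the example, not the Filebeat Zeek module's own pipeline definition.
CONN_TO_ECS = {
    "id.orig_h": "source.ip",
    "id.orig_p": "source.port",
    "id.resp_h": "destination.ip",
    "id.resp_p": "destination.port",
    "proto": "network.transport",
    "service": "network.protocol",
    "orig_bytes": "source.bytes",
    "resp_bytes": "destination.bytes",
    "uid": "zeek.session_id",
    "conn_state": "zeek.connection.state",
}

# Fields a mapped conn document must carry; used as a post-ingest sanity check.
REQUIRED_ECS_FIELDS = [
    "@timestamp", "event.dataset", "source.ip", "source.port",
    "destination.ip", "destination.port", "network.transport",
    "network.bytes", "zeek.session_id",
]


def set_dotted(doc, dotted, value):
    """Store value at a dotted path, creating nested dicts (ECS documents are nested)."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def get_dotted(doc, dotted):
    """Read a dotted path from a nested dict; None when any segment is absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_conn_to_ecs(line):
    """Turn one JSON conn.log line into an ECS-shaped document."""
    rec = json.loads(line)
    doc = {}
    set_dotted(doc, "event.module", "zeek")
    set_dotted(doc, "event.dataset", "zeek.connection")
    set_dotted(doc, "event.category", ["network"])
    # Zeek's ts is epoch seconds as a float; ECS expects an ISO 8601 @timestamp.
    ts = rec.pop("ts", None)
    if ts is not None:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        doc["@timestamp"] = when.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    for zeek_field, value in rec.items():
        target = CONN_TO_ECS.get(zeek_field)
        if target is None:
            # No ECS equivalent: keep it, but under the zeek.* namespace so it
            # cannot collide with a real ECS field of the same name.
            target = "zeek.connection." + zeek_field.replace(".", "_")
        set_dotted(doc, target, value)
    # Derived ECS field: bytes in both directions, only when both counters exist.
    src_bytes = get_dotted(doc, "source.bytes")
    dst_bytes = get_dotted(doc, "destination.bytes")
    if src_bytes is not None and dst_bytes is not None:
        set_dotted(doc, "network.bytes", src_bytes + dst_bytes)
    return doc


def missing_ecs_fields(doc, required=REQUIRED_ECS_FIELDS):
    """Return the required ECS fields that a mapped document does not carry."""
    return [field for field in required if get_dotted(doc, field) is None]


if __name__ == "__main__":
    ecs_doc = map_conn_to_ecs(SAMPLE_CONN_LINE)
    print(json.dumps(ecs_doc, indent=2, sort_keys=True))
    print("missing:", missing_ecs_fields(ecs_doc))
```

To use the check against a live deployment, pull a few documents from the Filebeat index instead of SAMPLE_CONN_LINE and pass them to missing_ecs_fields; an empty list for every document is what "fields appear to be mapped properly" should mean, and a non-empty list names exactly which ECS field the pipeline did not populate.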



