[Question] "Does Mordor support ECS fields mapping" for winlogbeat 7.x?

Question

[Question] "Does Mordor support ECS fields mapping" for winlogbeat 7.x?

barvhaim opened this issue 4 years ago · 3 comments

addition following closed issue #26

Currently the recorded data is winlogbeat data of version 6.7 which does not follow the ECS field mappings of current version 7+ (7.8 to be specific..) is there a way to get the recorded datasets for winlogbeat 7+ mapping? or just raw windows logs events?

thanks 👍

Answer 1 · 2020-08-03T21:18:25.000Z

Hey @barvhaim , thats a great question! yes most of the datasets were collected with a previous version of Winlogbeat and hence the ECS field mapping constraints. unfortunately, I will not be using Winlogbeat for future datasets and record them again with a flat schema to make all datasets schema and product agnostic. I am in the process of doing that and adding new ones.

Thank you for the support :)

Answer 2 · 2020-08-14T10:45:53.000Z

@Cyb3rWard0g - I made a script to convert Mordor's large raw events to follow winlogbeat ECS schema 7.8, available here - https://github.com/barvhaim/mordor2ecs/tree/master

Answer 3 · 2020-08-18T15:07:44.000Z

That's awesome @barvhaim ! Thank you for doing that and sharing it with the community. Deff helpful!