minilabs


Metadata Fields

CIM          ECS
_time        @timestamp
tag          tags
_raw         message
sourcetype   labels

Note on the last row: ECS labels is a flat object of custom key/value strings [2], so a Splunk sourcetype does not map to labels itself but to a key under it, e.g. labels.sourcetype. ECS event.dataset is the field normally used to name the data source, and is the better target when the sourcetype is meant to drive ingest pipelines or detection rules.

Common Fields

CIM         ECS                 Description                                                   Name
src_ip      source.ip           IP address of the source (IPv4 or IPv6).                      Source address
dest_ip     destination.ip      IP address of the destination (IPv4 or IPv6).                 Destination address
id          event.id            The unique identifier of the alert event.                     Event ID
severity    event.severity      The severity of the alert event.                              Event severity
action      event.action        The action taken by the network device.                       Result
dvc_ip      observer.ip         The IP of the device that detected the intrusion event.       Device IP
dvc_name    observer.hostname   The hostname of the device that detected the intrusion event. Device name
dvc_type    observer.type       The type of the device that detected the intrusion event.     Device type
signature   rule.name           The human-readable event (signature) name.                    Alert name

Notes on the ECS column (checked against the ECS Field Reference [1]):
- The dvc_* rows map to observer.*, not device.*: ECS device.* has no ip, name or type fields, while observer.ip, observer.hostname and observer.type are defined exactly for the sensor, firewall or IDS that saw the event.
- signature maps to rule.name. ECS event.reason holds the source's explanation of why an event happened (free text), whereas the IDS signature name is the rule that fired.
- CIM severity is a name (critical, high, medium, low, informational); ECS event.severity is a number whose scale is left to the source, so a conversion table is needed and should be applied consistently across all sources feeding the same index.
- These alert rows should also carry the ECS categorization fields [3]: event.kind "alert" [4] and event.category "intrusion_detection" [5] for the Intrusion Detection model [12], event.category "network" for plain Network Traffic [11].
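The two tables above are enough to write the actual field mapping. The following is an added example, not code from the original page or from Elastic or Splunk: it converts a flat Splunk-style result dict into a nested ECS document, turning _time (assumed to be epoch seconds) into an ISO 8601 @timestamp, normalising the multivalue tag field into an array, converting the CIM severity name to a number (the numeric scale is an assumption of this example), and adding event.kind and event.category from the ECS categorization references. It uses observer.* for the dvc_* fields and rule.name for signature, since ECS has no device.ip, device.name or device.type; the sample event and the ecs.version value are constructed for the example.

```python
"""Convert a flat Splunk CIM-style event dict into a nested ECS document.

Added example, not code from the original page or from Elastic/Splunk.
Assumptions not on the page: _time is epoch seconds, the SEVERITY_NUM scale,
observer.* and rule.name as targets, and the ecs.version value.
"""
from datetime import datetime, timezone
import json

# CIM field -> ECS field (dotted path); metadata rows first, then common rows.
CIM_TO_ECS = {
    "_time": "@timestamp",
    "tag": "tags",
    "_raw": "message",
    "sourcetype": "labels.sourcetype",  # ECS labels is a flat key/value object
    "src_ip": "source.ip",
    "dest_ip": "destination.ip",
    "id": "event.id",
    "severity": "event.severity",
    "action": "event.action",
    "dvc_ip": "observer.ip",
    "dvc_name": "observer.hostname",
    "dvc_type": "observer.type",
    "signature": "rule.name",
}

# CIM severity is a name; ECS event.severity is a number whose scale is left
# to the source. This particular scale is an assumption of the example.
SEVERITY_NUM = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


def _set_path(doc, dotted, value):
    """Set doc['a']['b']['c'] = value for dotted == 'a.b.c'."""
    parts = dotted.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value


def ecs_get(doc, dotted, default=None):
    """Read a dotted ECS path back out of a nested document."""
    cur = doc
    for p in dotted.split("."):
        if not isinstance(cur, dict) or p not in cur:
            return default
        cur = cur[p]
    return cur


def _epoch_to_iso(value):
    """Splunk _time (epoch seconds as str or number) -> ISO 8601 UTC, ms precision."""
    ts = datetime.fromtimestamp(float(value), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def cim_to_ecs(event):
    """Map one flat CIM-style event to an ECS document.

    CIM fields absent from CIM_TO_ECS are dropped on purpose; extend the
    table rather than copying unknown keys into the ECS document.
    """
    doc = {"ecs": {"version": "8.11.0"}}  # assumed ECS version for the example
    for cim_name, ecs_path in CIM_TO_ECS.items():
        if cim_name not in event or event[cim_name] in (None, ""):
            continue
        value = event[cim_name]
        if ecs_path == "@timestamp":
            value = _epoch_to_iso(value)
        elif ecs_path == "tags":
            # Splunk multivalue fields arrive as lists, single values as str.
            value = list(value) if isinstance(value, (list, tuple)) else [value]
        elif ecs_path == "event.severity":
            sev = SEVERITY_NUM.get(str(value).lower())
            if sev is None:
                continue  # unknown severity name: emit nothing rather than a wrong number
            value = sev
        _set_path(doc, ecs_path, value)

    # ECS categorization: a rule/signature makes this an IDS alert,
    # otherwise treat it as a plain network traffic event.
    if "rule" in doc:
        _set_path(doc, "event.kind", "alert")
        _set_path(doc, "event.category", ["intrusion_detection"])
    else:
        _set_path(doc, "event.kind", "event")
        _set_path(doc, "event.category", ["network"])
    return doc


# Constructed sample (not real data), shaped like a Splunk IDS search result.
SAMPLE_IDS_EVENT = {
    "_time": "1714124000.250",
    "_raw": "Apr 26 09:33:20 ids01 snort[1234]: ET SCAN Nmap scripting engine",
    "sourcetype": "snort",
    "tag": ["ids", "attack"],
    "src_ip": "203.0.113.7",
    "dest_ip": "198.51.100.20",
    "id": "evt-0001",
    "severity": "high",
    "action": "blocked",
    "dvc_ip": "192.0.2.10",
    "dvc_name": "ids01",
    "dvc_type": "ids",
    "signature": "ET SCAN Nmap scripting engine",
}

if __name__ == "__main__":
    print(json.dumps(cim_to_ecs(SAMPLE_IDS_EVENT), indent=2, sort_keys=True))
```

The unknown-severity branch matters in practice: emitting a default number for a severity name the table does not know would silently rank every unrecognised source the same, so the field is left unset and the gap shows up in the index instead.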

References:
[1] ECS Field Reference
https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html

[2] Base Fields
https://www.elastic.co/guide/en/ecs/current/ecs-base.html

[3] ECS Categorization Fields
https://www.elastic.co/guide/en/ecs/current/ecs-category-field-values-reference.html

[4] ECS Categorization Field: event.kind
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-kind.html

[5] ECS Categorization Field: event.category
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html

[6] ECS Categorization Field: event.type
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html

[7] ECS Categorization Field: event.outcome
https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html

[8] Source Fields
https://www.elastic.co/guide/en/ecs/current/ecs-source.html

[9] Destination Fields
https://www.elastic.co/guide/en/ecs/current/ecs-destination.html

[10] Common Information Model Add-on Manual
https://docs.splunk.com/Documentation/CIM/5.3.2/User/Howtousethesereferencetables

[11] Network Traffic
https://docs.splunk.com/Documentation/CIM/5.3.2/User/NetworkTraffic

[12] Intrusion Detection
https://docs.splunk.com/Documentation/CIM/5.3.2/User/IntrusionDetection

posted on 2024-04-26 16:53 lanshiyun