Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5, 2.5, Ubuntu, Safari
Describe the issue:
I have the following question:
Is it correct that the mapping of the ECS fields takes place in the following yml file, such as for Linux?
github:
security-analytics/src/main/resources/OSMapping/linux/mappings.json
Is it correct that the mapping of the SIGMA rules to the ECS fields takes place in the following yml file, such as for Linux?
github:
security-analytics/src/main/resources/OSMapping/linux/fieldmappings.yml
If that’s the case, then I don’t think the ECS field mapping in the process exe is correct, for example.
"process-exe": {
    "path": "process.exe",
    "type": "alias"
},
Shouldn’t the path be “process.executable” here?
Best regards
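As an added example (not from the original post or from the security-analytics project), a small lint that walks a mappings.json fragment shaped like the "process-exe" entry quoted above and reports alias targets that are not ECS field names. The sample JSON and the ECS field subset are constructed assumptions; a real check would load the full ECS flat schema.

```python
"""Lint alias targets in a mappings.json-style document against ECS field names."""
import json

# Constructed fragment shaped like the "process-exe" entry quoted in the post;
# it is NOT copied from the real security-analytics repository.
SAMPLE_MAPPINGS_JSON = """
{
  "properties": {
    "process-exe":  { "path": "process.exe",  "type": "alias" },
    "process-name": { "path": "process.name", "type": "alias" },
    "user-name":    { "path": "user.name",    "type": "alias" }
  }
}
"""

# Partial, hand-picked subset of ECS field names (assumption: a real lint
# would load the complete ECS flat schema instead of this short set).
ECS_FIELDS = {
    "process.executable", "process.name", "process.pid",
    "process.command_line", "user.name", "host.name",
}


def iter_aliases(node, name=""):
    """Recursively yield (alias_name, target_path) for every alias mapping."""
    if not isinstance(node, dict):
        return
    if node.get("type") == "alias" and "path" in node:
        yield name, node["path"]
        return
    for key, child in node.items():
        yield from iter_aliases(child, key)


def find_non_ecs_targets(mappings_json, ecs_fields=ECS_FIELDS):
    """Return {alias_name: target_path} for targets that are not ECS fields."""
    mappings = json.loads(mappings_json)
    return {alias: target for alias, target in iter_aliases(mappings)
            if target not in ecs_fields}


if __name__ == "__main__":
    # With the sample above this reports only process-exe -> process.exe,
    # which is the entry the post suspects should point at process.executable.
    for alias, target in find_non_ecs_targets(SAMPLE_MAPPINGS_JSON).items():
        print(f"{alias}: alias target '{target}' is not an ECS field name")
```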