Description
This issue describes critical ECS field mapping updates for the Symantec Endpoint Security integration, including broad mapping improvements and proper handling of Windows event logs embedded within SES events. Customers have specifically requested these mappings to correlate SES events with their other security telemetry and leverage standard ECS fields.
Requested fields include:
- Windows event logs (critical for correlating with other Windows telemetry)
- Threat/attack field mapping (MITRE ATT&CK related fields)
- File and process hash mappings
- Network/URL field mappings
- Registry field mappings
See the Integrated Cyber Defense Schema documentation for full event type reference. Examples are available on request.
Enhancements
- Implement ECS-compliant field mappings for various event types
- Map Windows Event Logs (type_id 8015) to standard winlog ECS fields
- Populate the message field for multiple event types
1a. General mapping improvements
The following fields need proper ECS mappings:
| SES field | Requested ECS field | Event type (if specific) |
|---|---|---|
| ses.feature_name | event.module | |
| ses.file.sha2 | file.hash.sha256 | |
| ses.threat.risk_id | risk.calculated_score | |
| ses.threat.risk_value | risk.calculated_level | |
| ses.attacks.tactic_uids | threat.tactic.id | |
| ses.attacks.technique_uid | threat.technique.id | |
| ses.attacks.technique_name | threat.technique.name | |
| ses.attacks.sub_technique_uid | threat.technique.subtechnique.id | |
| ses.attacks.sub_technique_name | threat.technique.subtechnique.name | |
| ses.device_group | group.name | |
| ses.device_networks.mac | host.mac | |
| ses.device_networks.ipv4 | host.ip | |
| ses.actor.file.folder | file.path | |
| ses.actor.file.original_name | file.name | |
| ses.lineage | process.previous.* | |
| ses.process.file.original_name | process.name | |
| ses.cybox.files.folder | file.path | |
| ses.cybox.files.product_name | file.name | |
| ses.cybox.files.sha2 | file.hash.sha256 | |
| ses.actor.user.sid | user.id | |
| ses.file.folder | file.path | |
| ses.process.file.sha2 | process.hash.* | |
| ses.process.user.name | process.user | 8001, 8027, 8015 |
| ses.connection.dst_name | related.hosts | 8040 |
| ses.connection.url.domain_name | url.domain | 8040 |
| ses.connection.url.host | url.original | 8040, 8007 |
| ses.connection.url.scheme | url.scheme | 8040, 8007 |
| ses.reg_value.path | registry.path | 8006, 8005 |
| ses.reg_value.name | registry.value | 8006, 8005 |
| ses.reg_value_result.data | registry.data.strings | 8006, 8005 |
1b. Special handling for message fields:
- For type_id 8027 and 8031, extract bpe_description from the ses.product_data field (if present) and map it to threat.enrichments.indicator.description or message.
  Example value: "Suspicious PowerShell command line for downloading and executing a remote file detected - Method 180"
- For type_id 42, map ses.type to the message field.
  Example values: "URL_REPUTATION", "FILE_REPUTATION"
- For type_id 8003, 8002, 8006, 8018, 8001, 8007, 8005 and 8000: Linux events are already parsed and mapped correctly, but for events with ses.device_os_type_value: Windows, map ses.edr_enriched_data.rule_description to message.
  Example value: "Ps1 PowerShell script file created"
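The following is an added reference model of sections 1a and 1b, written for this issue and not taken from the integration's ingest pipeline: it applies a subset of the 1a table with the per-type_id scoping the third column expresses, then derives message by the three 1b rules. The sample events, the placeholder hash, and the assumptions that ses.attacks is an array of objects and that ses.product_data may arrive as a JSON-encoded string are all constructed for the example.

```python
import json

# Subset of the 1a table: (source under ses.*, ECS target, type_ids the row is scoped to; None = all).
GENERAL_MAPPINGS = [
    ("feature_name", "event.module", None),
    ("file.sha2", "file.hash.sha256", None),
    ("threat.risk_id", "risk.calculated_score", None),
    ("threat.risk_value", "risk.calculated_level", None),
    ("attacks.tactic_uids", "threat.tactic.id", None),
    ("attacks.technique_uid", "threat.technique.id", None),
    ("actor.user.sid", "user.id", None),
    ("connection.url.domain_name", "url.domain", {8040}),
    ("reg_value.path", "registry.path", {8006, 8005}),
    ("reg_value.name", "registry.value", {8006, 8005}),
]
# type_ids from 1b whose Windows events take message from edr_enriched_data.rule_description
RULE_DESCRIPTION_TYPE_IDS = {8003, 8002, 8006, 8018, 8001, 8007, 8005, 8000}


def get_path(obj, path):
    """Resolve a dotted path. Assumption: ses.attacks is an array of objects,
    so a list met mid-path yields the value from every element."""
    parts = path.split(".")
    cur = obj
    for i, key in enumerate(parts):
        if isinstance(cur, list):
            vals = []
            for el in cur:
                v = get_path(el, ".".join(parts[i:]))
                if isinstance(v, list):
                    vals.extend(v)
                elif v is not None:
                    vals.append(v)
            return vals or None
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc, path, value):
    parts = path.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})  # create nested ECS objects on the way down
    cur[parts[-1]] = value


def derive_message(ses):
    """The three 1b message rules, in the order the issue lists them."""
    type_id = ses.get("type_id")
    if type_id in (8027, 8031):
        product_data = ses.get("product_data")
        if isinstance(product_data, str):  # assumption: product_data may arrive JSON-encoded
            try:
                product_data = json.loads(product_data)
            except ValueError:
                product_data = None
        if isinstance(product_data, dict) and product_data.get("bpe_description"):
            return product_data["bpe_description"]
    if type_id == 42:
        return ses.get("type")
    if type_id in RULE_DESCRIPTION_TYPE_IDS and ses.get("device_os_type_value") == "Windows":
        return get_path(ses, "edr_enriched_data.rule_description")
    return None


def map_event(event):
    """Apply the type-scoped 1a mappings and the 1b message rule; ses.* is kept alongside."""
    ses = event.get("ses", {})
    type_id = ses.get("type_id")
    out = {"ses": ses}
    for src, dst, scope in GENERAL_MAPPINGS:
        if scope is not None and type_id not in scope:
            continue  # row applies only to other event types
        value = get_path(ses, src)
        if value is not None:
            set_path(out, dst, value)
    message = derive_message(ses)
    if message:
        out["message"] = message
    return out


# Constructed sample events (not real SES output), one per 1b rule.
SAMPLE_8027 = {"ses": {
    "type_id": 8027, "feature_name": "BEHAVIORAL_ANALYSIS", "device_os_type_value": "Windows",
    "product_data": json.dumps({"bpe_description": "Suspicious PowerShell command line for "
                                "downloading and executing a remote file detected - Method 180"}),
    "attacks": [{"tactic_uids": ["TA0002"], "technique_uid": "T1059"}],
    "file": {"sha2": "0" * 64},  # placeholder hash
    "reg_value": {"path": "HKLM\\Software\\Example"},  # must not map: row is scoped to 8005/8006
}}
SAMPLE_42 = {"ses": {"type_id": 42, "type": "URL_REPUTATION"}}
SAMPLE_8003 = {"ses": {"type_id": 8003, "device_os_type_value": "Windows",
                       "edr_enriched_data": {"rule_description": "Ps1 PowerShell script file created"}}}
SAMPLE_8006 = {"ses": {"type_id": 8006, "reg_value": {"path": "HKLM\\Software\\Example", "name": "Run"}}}
```

The scoping check is the part worth carrying into the real pipeline: a registry path present on an 8027 behavioural event must not populate registry.path, otherwise detections keyed on registry.* fire on events that never touched the registry.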
2a. Windows event log handling (type_id 8015)
For events with type_id 8015 (monitored source):
- Map ses.ref_event to winlog.event_id (contains the Windows Event ID)
- Map ses.data to the message field (currently empty). The ses.data field is a JSON string that needs to be parsed before mapping individual fields.
2b. Implement specific mappings for different Windows Event IDs as follows:
| SES field | Requested ECS field | Applicable Event IDs |
|---|---|---|
| CallerProcessId | winlog.event_data.CallerProcessId | 4798 |
| CallerProcessName | winlog.event_data.CallerProcessName | 4798 |
| ClientMachine | related.hosts | 11 |
| ClientProcessId | winlog.event_data.Client.ProcessId | 5379 |
| CountOfCredentialsReturned | winlog.event_data.CountOfCredentialsReturned | 5379 |
| FailureReason | winlog.event_data.FailureReason | 4624, 4625 |
| IPAddress | related.ip | 4624, 4625 |
| LogonType | winlog.event_data.LogonType | 4624, 4625 |
| ProcessName | winlog.event_data.LogonProcessName | 4624, 4625 |
| ReadOperation | winlog.event_data.ReadOperation | 5379 |
| ReturnCode | winlog.event_data.ReturnCode | 5379 |
| Status | winlog.event_data.Status | 4624, 4625 |
| SubjectDomain | winlog.event_data.SubjectDomainName | 5379 |
| SubjectDomainName | winlog.event_data.SubjectDomainName | 4624, 4625, 4798 |
| SubjectLogonId | winlog.event_data.SubjectLogonId | 4624, 4625 |
| SubjectUserName | winlog.event_data.SubjectUserName | 4798 |
| SubjectUserName | related.user | 5379 |
| SubjectUserSid | winlog.event_data.SubjectUserSid | 4798 |
| Substatus | winlog.event_data.SubStatus | 4624, 4625 |
| TargetDomainName | winlog.event_data.TargetDomainName | 4624, 4625, 4798 |
| TargetName | winlog.event_data.TargetName | 5379 |
| TargetUserName | winlog.event_data.TargetUserName | 4624, 4625, 4798 |
| TargetUserSid | winlog.event_data.TargetUserSid | 4798 |
| User | related.user | 11 |
| WorkstationName | related.hosts | 4624, 4625 |
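An added worked model of 2a and 2b, written for this issue rather than taken from the integration: it parses the JSON string in ses.data, copies ses.ref_event to winlog.event_id, keeps the raw payload as message, and applies the table above keyed by Windows Event ID, so the same source key (SubjectUserName) lands in different targets for 4798 and 5379. The ECS related.* fields are treated as de-duplicated arrays. The two sample events and their values are constructed, not captured SES output.

```python
import json

# Rows of the 2b table: (key inside parsed ses.data, target field, Windows Event IDs the row applies to).
WINLOG_MAPPINGS = [
    ("CallerProcessId", "winlog.event_data.CallerProcessId", {4798}),
    ("CallerProcessName", "winlog.event_data.CallerProcessName", {4798}),
    ("ClientMachine", "related.hosts", {11}),
    ("ClientProcessId", "winlog.event_data.Client.ProcessId", {5379}),
    ("CountOfCredentialsReturned", "winlog.event_data.CountOfCredentialsReturned", {5379}),
    ("FailureReason", "winlog.event_data.FailureReason", {4624, 4625}),
    ("IPAddress", "related.ip", {4624, 4625}),
    ("LogonType", "winlog.event_data.LogonType", {4624, 4625}),
    ("ProcessName", "winlog.event_data.LogonProcessName", {4624, 4625}),
    ("ReadOperation", "winlog.event_data.ReadOperation", {5379}),
    ("ReturnCode", "winlog.event_data.ReturnCode", {5379}),
    ("Status", "winlog.event_data.Status", {4624, 4625}),
    ("SubjectDomain", "winlog.event_data.SubjectDomainName", {5379}),
    ("SubjectDomainName", "winlog.event_data.SubjectDomainName", {4624, 4625, 4798}),
    ("SubjectLogonId", "winlog.event_data.SubjectLogonId", {4624, 4625}),
    ("SubjectUserName", "winlog.event_data.SubjectUserName", {4798}),
    ("SubjectUserName", "related.user", {5379}),  # same key, different target for 5379
    ("SubjectUserSid", "winlog.event_data.SubjectUserSid", {4798}),
    ("Substatus", "winlog.event_data.SubStatus", {4624, 4625}),
    ("TargetDomainName", "winlog.event_data.TargetDomainName", {4624, 4625, 4798}),
    ("TargetName", "winlog.event_data.TargetName", {5379}),
    ("TargetUserName", "winlog.event_data.TargetUserName", {4624, 4625, 4798}),
    ("TargetUserSid", "winlog.event_data.TargetUserSid", {4798}),
    ("User", "related.user", {11}),
    ("WorkstationName", "related.hosts", {4624, 4625}),
]


def set_field(doc, path, value):
    parts = path.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    leaf = parts[-1]
    if parts[0] == "related":
        # ECS related.* fields are keyword arrays: append without duplicates
        arr = cur.setdefault(leaf, [])
        if value not in arr:
            arr.append(value)
    else:
        cur[leaf] = value


def parse_ses_data(raw):
    """ses.data is a JSON string; return it as an object, or None when it cannot be parsed."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return None
    return parsed if isinstance(parsed, dict) else None


def map_8015(event):
    ses = event.get("ses", {})
    out = {"ses": ses}
    if ses.get("type_id") != 8015:
        return out  # not a monitored-source event
    try:
        event_id = int(ses.get("ref_event"))
    except (TypeError, ValueError):
        event_id = None
    if event_id is not None:
        set_field(out, "winlog.event_id", str(event_id))  # winlog.event_id is a keyword field
    raw = ses.get("data")
    if raw is not None:
        out["message"] = raw if isinstance(raw, str) else json.dumps(raw)
    data = parse_ses_data(raw)
    if data is None or event_id is None:
        return out  # keep event_id/message; an unparseable payload maps no event_data
    for key, dst, ids in WINLOG_MAPPINGS:
        if event_id in ids and key in data:
            set_field(out, dst, data[key])
    return out


# Constructed samples (not real SES output); ses.data is carried as a JSON string as the issue describes.
SAMPLE_4625 = {"ses": {"type_id": 8015, "ref_event": "4625", "data": json.dumps({
    "LogonType": "3", "IPAddress": "198.51.100.7", "WorkstationName": "WKS-01",
    "TargetUserName": "alice", "TargetDomainName": "CORP", "SubjectUserName": "-",
    "FailureReason": "Unknown user name or bad password.", "Status": "0xC000006D", "Substatus": "0xC000006A"})}}
SAMPLE_5379 = {"ses": {"type_id": 8015, "ref_event": "5379", "data": json.dumps({
    "SubjectUserName": "alice", "SubjectDomain": "CORP", "TargetName": "LegacyGeneric:target=example",
    "ReadOperation": "Enumerate Credentials", "CountOfCredentialsReturned": "2"})}}
```

Two behaviours are worth keeping when this is ported to the pipeline: a ses.data payload that fails to parse still yields winlog.event_id and message (the raw string is not lost), and keys with no row for the given Event ID are left out of winlog.event_data rather than copied wholesale, so the mapping stays exactly the one the table requests.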