Elastic Common Schema defines a field for storing the complete URL as
url.full, as documented here.
Packetbeat populates the
url.full field for http events (i.e., where
url.full is not populated in DNS or TLS events from Packetbeat, because the URL is either not present or not visible in those protocols.
Perhaps instead of using a "URL" threat list, you might consider a "DNS" or "Domain"-based threat list, which you will be able to match against your DNS events. You could then compare the
dns.question.name field in your events against the values in this list.
Here's an interesting example of such as list (https://feeds.alphasoc.net/ryuk.txt) that you might want to investigate.
I want to ensure that you are aware of Elastic Common Schema (ECS).
The Elastic SIEM/Security app, including its detection rules, signals, and detection alerts, requires your data to be indexed in an ECS-compliant format. ECS is an open source, community-developed schema that specifies field names and Elasticsearch data types for each field, and provides descriptions and example usage.
The easiest way to get your data in ECS-compliant format is to use an Elastic-supplied beat module, (e.g., filebeat or Elastic Agent integration), which will ingest and index your data in an ECS-compliant format. Elastic provides a growing list of these integrations that you can find on our Integrations page.
If you're using a custom data ingestion method (like your use of Logstash), or one provided by a third-party, then you may need to convert your data so that it is in an ECS-compliant format before you can use the SIEM/security app. This can be done by creating your own beat/module, or your own Logstash configuration for each data source, which will convert your data to ECS during the ingestion process.
General guidelines for creating ECS-compliant data:
- Each indexed document (e.g., your log, event, etc.) MUST have the
- Your index mapping template must specify the Elasticsearch field data type for each field as defined by ECS. For example, your
@timestamp field must be of the
date field data type, etc.. This ensures that there will not be any mapping conflicts in your indices.
- The original fields from your log/event SHOULD be copied/renamed/converted to the corresponding ECS-defined field name and data type.
- Additional ECS fields, such as the ECS Categorization fields SHOULD be populated for each log/event, to allow proper inclusion of your data into dashboards and detection rules.
A list of the specific ECS fields used by the SIEM/Security app is provided in this reference.