From e5abad4f912c7e5d604006e9e2adf74a45bf5d40 Mon Sep 17 00:00:00 2001
From: Carol Fenijn
Date: Thu, 5 Oct 2023 11:56:16 +0200
Subject: [PATCH] Addition of related.mac and related.port

---
 schemas/related.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/schemas/related.yml b/schemas/related.yml
index b052fa3c00..956a9a4a4f 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -70,3 +70,25 @@ identifiers include FQDNs, domain names, workstation names, or aliases.
     normalize:
       - array
+
+  - name: mac
+    level: extended
+    type: keyword
+    short: All the mac addresses seen on your event.
+    description: >
+      All the mac addresses seen on your event. The mac addresses should be standardized
+      before they populate this array. For this, The notation format from RFC 7042 is suggested:
+      Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving
+      the value of the octet as an unsigned integer. Successive octets are separated by a
+      hyphen.
+    normalize:
+      - array
+
+  - name: port
+    level: extended
+    type: long
+    short: All the port numbers seen on your event.
+    description: >
+      All the port numbers seen on your event, as specified by RFC 6335
+    normalize:
+      - array
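Review bot: The `related.port` description at the end of the hunk gives no guidance on which ports populate the array or what a valid value is, unlike the `mac` entry above it, so a `long` field will silently accept out-of-range or sentinel integers; suggest `All the port numbers seen on your event (source, destination, or otherwise), as specified by RFC 6335. Values are expected in the range 0-65535.` and end the sentence with a period. Because common ports such as 443 appear in almost every event, a short note that this field is a coarse pivot compared with `related.ip` or `related.hash` would help consumers set expectations before they build alerting or enrichment on it. In the `mac` entry, `For this, The notation format from RFC 7042 is suggested:` has a stray capital and `[uppercase]` in square brackets reads as an editorial note; consider `two uppercase hexadecimal digits` and spelling the acronym `MAC` throughout, which also keeps the wording consistent with the stated "should be standardized" requirement.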