
Field Mappings

Sigma rules use standardized field names. Your logs likely use different names. Field mappings translate between them.

Why Field Mappings?

Sigma rule:
detection:
  selection:
    CommandLine|contains: 'mimikatz'
Your logs:
{
  "process": {
    "command_line": "C:\\tools\\mimikatz.exe"
  }
}
Field mapping: CommandLine → process.command_line. Without mappings, the rule can’t find the field.

ECS (Elastic Common Schema)

CHAD uses ECS as its mapping framework. ECS provides standardized field names for common security data.

Common ECS Mappings

Sigma Field        ECS Field               Description
CommandLine        process.command_line    Process command line
User               user.name               Username
SourceIP           source.ip               Source IP address
DestinationIP      destination.ip          Destination IP
FileName           file.name               File name
FilePath           file.path               Full file path
ProcessId          process.pid             Process ID
ParentProcessId    process.parent.pid      Parent process ID
EventID            event.code              Windows Event ID
TargetFilename     file.path               Target file path

Configuring Mappings

Field mappings are configured per index pattern. Each log source can have its own mappings to match its schema.

Adding Mappings

  1. Navigate to Index Patterns
  2. Open the index pattern you want to configure
  3. Click Field Mappings tab
  4. Click Add Mapping
  5. Enter:
    • Sigma Field: The field name used in Sigma rules (e.g., CommandLine)
    • Target Field: Your actual log field (e.g., process.command_line)
  6. Save

Auto-Correction

CHAD automatically handles text field keyword suffixes:
  • If you map to a text field, CHAD adds .keyword automatically for exact matching
  • Field existence is validated against the actual OpenSearch index

Mapping Types

Direct Mapping

Simple one-to-one mapping:
CommandLine → process.command_line
User → user.name

Nested Fields

Use dot notation for nested JSON:
{
  "process": {
    "command_line": "...",
    "executable": "..."
  }
}
Mapping: CommandLine → process.command_line

Array Fields

If your field is an array, mappings still work:
{
  "tags": ["admin", "privileged"]
}
Sigma modifiers like |contains and |all handle arrays.
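The following is an added example, not part of this page or of CHAD's own code. It shows what a field mapping actually does at evaluation time for the three cases above (direct mapping, nested dot-notation fields, and array fields): a Sigma selection is translated through a mapping table and matched against a JSON event, with the |contains and |all modifiers applied the way Sigma defines them (values OR-ed by default, AND-ed under |all, string comparison case-insensitive). The mapping table, the sample event and the Sigma field name "Tags" are constructed for the example.

```python
from typing import Any, Dict, List

# Constructed mapping table (Sigma field -> field in the log schema). "Tags" is a
# hypothetical Sigma field added here to exercise the page's array example.
FIELD_MAPPINGS: Dict[str, str] = {
    "CommandLine": "process.command_line",
    "User": "user.name",
    "Tags": "tags",
}

# Constructed sample log event in the nested JSON shape the page shows.
SAMPLE_EVENT: Dict[str, Any] = {
    "process": {
        "command_line": "C:\\tools\\mimikatz.exe",
        "executable": "C:\\tools\\mimikatz.exe",
    },
    "user": {"name": "alice"},
    "tags": ["admin", "privileged"],
}


def get_nested(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dot-notation path such as 'process.command_line'.
    Returns None when any path segment is missing."""
    current: Any = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def parse_selector(selector: str):
    """Split 'CommandLine|contains|all' into ('CommandLine', ['contains', 'all'])."""
    field, *modifiers = selector.split("|")
    return field, modifiers


def value_matches(actual: Any, expected: Any, modifiers: List[str]) -> bool:
    """Compare one event value with one rule value. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def selector_matches(selector: str, rule_values: Any, event: Dict[str, Any],
                     mappings: Dict[str, str]) -> bool:
    """Evaluate one selection entry ('Field|mods': value or [values]).

    The Sigma field is translated through the mapping table first; an unmapped
    field is an error rather than a silent non-match. If the event field is an
    array, a rule value matches when any element matches. A list of rule values
    is OR-ed by default and AND-ed under the |all modifier."""
    field, modifiers = parse_selector(selector)
    if field not in mappings:
        raise KeyError(f"no field mapping for Sigma field {field!r}")
    actual = get_nested(event, mappings[field])
    actuals = actual if isinstance(actual, list) else [actual]
    values = rule_values if isinstance(rule_values, list) else [rule_values]
    per_value = [any(value_matches(a, v, modifiers) for a in actuals) for v in values]
    return all(per_value) if "all" in modifiers else any(per_value)


def selection_matches(selection: Dict[str, Any], event: Dict[str, Any],
                      mappings: Dict[str, str] = FIELD_MAPPINGS) -> bool:
    """Entries of one Sigma selection are AND-ed together."""
    return all(selector_matches(k, v, event, mappings) for k, v in selection.items())
```

Calling selection_matches({"CommandLine|contains": "mimikatz"}, SAMPLE_EVENT) returns True only because the mapping resolves CommandLine to the nested process.command_line path; remove the mapping entry and the same call raises KeyError, which is the failure mode the "Without mappings" sentence above describes. The same evaluator also makes the "Test with sample log" troubleshooting step concrete: feed it one real event and see which selector fails.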

AI-Assisted Mapping

CHAD can suggest mappings using AI:
  1. Go to Settings > AI Mapping
  2. Configure AI provider (Ollama, OpenAI, Anthropic)
  3. When adding mappings, click Suggest
  4. AI analyzes your index schema and suggests matches
AI suggestions require sending field names to the AI provider. Review your data privacy requirements.

Testing Mappings

Validate mappings work correctly:
  1. Create or edit a rule
  2. Click Validate
  3. CHAD checks all fields exist in the index
  4. Errors show which fields are unmapped

Validation Errors

Error                           Meaning                     Solution
Field not found                 No mapping exists           Add field mapping
Field type mismatch             Incompatible type           Check mapping target
Index pattern not configured    No index for logsource      Create index pattern
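The following is an added example, not part of this page or of CHAD's code; it is written from the two passages "Auto-Correction" and "Testing Mappings / Validation Errors" above. It walks the "properties" subtree of an OpenSearch index mapping (the shape returned by GET /<index>/_mapping) to check that each mapped target exists, appends .keyword to a text field that defines that subfield so exact matches hit the keyword field, and reports problems using the three error classes in the table. The index properties, the "winlogbeat-*" pattern name and the product-to-pattern table are constructed; the type-mismatch check (string modifiers applied to a numeric field) is an interpretation of the table's "Incompatible type" row, not CHAD's documented logic.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the "properties" subtree of an OpenSearch index mapping.
# process.command_line is a text field with a keyword subfield; message is a
# text field without one; process.pid is numeric.
SAMPLE_INDEX_PROPERTIES: Dict[str, Any] = {
    "process": {"properties": {
        "command_line": {"type": "text",
                         "fields": {"keyword": {"type": "keyword", "ignore_above": 1024}}},
        "pid": {"type": "long"},
    }},
    "user": {"properties": {"name": {"type": "keyword"}}},
    "message": {"type": "text"},
}

# Constructed (hypothetical pattern name): which index pattern serves each Sigma
# logsource product, and the index properties behind each pattern.
INDEX_PATTERNS: Dict[str, str] = {"windows": "winlogbeat-*"}
PROPERTIES_BY_PATTERN: Dict[str, Dict[str, Any]] = {"winlogbeat-*": SAMPLE_INDEX_PROPERTIES}

STRING_MODIFIERS = {"contains", "startswith", "endswith", "re"}
NUMERIC_TYPES = {"long", "integer", "short", "byte", "double", "float"}


def lookup_property(properties: Dict[str, Any], dotted: str) -> Optional[Dict[str, Any]]:
    """Walk 'process.command_line' through nested 'properties' blocks.
    Returns the field definition, or None when the field does not exist."""
    node: Dict[str, Any] = {"properties": properties}
    for part in dotted.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node


def resolve_target(properties: Dict[str, Any], target: str) -> Optional[Tuple[str, str]]:
    """Auto-correction: a 'text' target gains '.keyword' when the index defines that
    subfield, so exact-match queries hit the keyword field rather than the analysed
    text. Returns (resolved_field, type), or None when the target is absent."""
    prop = lookup_property(properties, target)
    if prop is None:
        return None
    field_type = prop.get("type", "object")
    if field_type == "text":
        keyword = prop.get("fields", {}).get("keyword")
        if keyword is not None:
            return f"{target}.keyword", keyword["type"]
    return target, field_type


def validate_rule(rule: Dict[str, Any], mappings: Dict[str, str],
                  index_patterns: Dict[str, str] = INDEX_PATTERNS,
                  properties_by_pattern: Dict[str, Dict[str, Any]] = PROPERTIES_BY_PATTERN
                  ) -> List[Dict[str, str]]:
    """Check every selection field of a rule against the index behind its logsource.
    Returns one record per problem, named after the page's three error classes;
    an empty list means every field resolved. The type check is an interpretation:
    string modifiers on a numeric field are reported as a mismatch."""
    product = rule.get("logsource", {}).get("product", "")
    pattern = index_patterns.get(product)
    if pattern is None:
        return [{"error": "Index pattern not configured", "field": product,
                 "solution": "Create index pattern"}]
    properties = properties_by_pattern[pattern]
    errors: List[Dict[str, str]] = []
    for selector in rule["detection"]["selection"]:
        field, *modifiers = selector.split("|")
        target = mappings.get(field)
        if target is None:  # no mapping row for this Sigma field
            errors.append({"error": "Field not found", "field": field,
                           "solution": "Add field mapping"})
            continue
        resolved = resolve_target(properties, target)
        if resolved is None:  # mapping exists but its target is not in the index
            errors.append({"error": "Field not found", "field": target,
                           "solution": "Check mapping target"})
            continue
        _, field_type = resolved
        if field_type in NUMERIC_TYPES and STRING_MODIFIERS.intersection(modifiers):
            errors.append({"error": "Field type mismatch", "field": target,
                           "solution": "Check mapping target"})
    return errors
```

Running validate_rule on a rule whose selection uses an unmapped field returns a "Field not found" record naming that field, which is the lookup the "Rule validation fails" troubleshooting steps describe; a rule whose logsource product has no index pattern stops at the "Index pattern not configured" record before any field is examined.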

Common Scenarios

Windows Event Logs (Winlogbeat)

EventID → winlog.event_id
Channel → winlog.channel
Computer → host.name
User → user.name
ProcessId → process.pid
CommandLine → process.command_line
ParentProcessId → process.parent.pid
Image → process.executable
TargetFilename → file.path

Sysmon

Image → process.executable
CommandLine → process.command_line
User → user.name
SourceIp → source.ip
DestinationIp → destination.ip
DestinationPort → destination.port
Hashes → process.hash.*

Linux Auditd

exe → process.executable
comm → process.name
uid → user.id
auid → user.audit.id
addr → source.ip

Network Logs (Zeek)

src → source.ip
dst → destination.ip
src_port → source.port
dst_port → destination.port
proto → network.transport

Bulk Import

Import mappings from a CSV:
  1. Go to Field Mappings
  2. Click Import
  3. Upload CSV with columns: sigma_field,your_field
  4. Review and confirm
Export existing mappings:
  1. Click Export
  2. Download CSV
  3. Edit externally
  4. Re-import
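The following is an added example, not part of this page or of CHAD's importer. It parses a CSV in the two-column layout named above (sigma_field,your_field), applies the checks a reviewer would want before confirming an import (header check, trimmed cells, blank targets rejected, a Sigma field listed twice reported rather than silently overwritten), and writes the mappings back out in the same layout so the export, edit, re-import cycle round-trips. The CSV content is constructed; the column names are the ones the page gives.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample CSV. Deliberately includes padded cells, a blank target and a
# duplicate Sigma field so the checks below have something to report.
SAMPLE_CSV = """sigma_field,your_field
CommandLine,process.command_line
User,user.name
 SourceIP ,source.ip
EventID,
CommandLine,process.args
"""

HEADER = ["sigma_field", "your_field"]


def import_mappings_csv(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a mapping CSV into {sigma_field: target_field}.

    Returns (mappings, problems). Cells are whitespace-trimmed but case is kept,
    because Sigma field names are matched case-sensitively. A row with an empty
    cell is skipped and reported; a repeated sigma_field keeps its first target
    and the later row is reported, so a bad edit cannot silently replace a
    working mapping."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADER:
        raise ValueError(f"expected header {HEADER}, got {reader.fieldnames}")
    mappings: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        sigma = (row["sigma_field"] or "").strip()
        target = (row["your_field"] or "").strip()
        if not sigma or not target:
            problems.append(f"line {lineno}: empty sigma_field or your_field")
            continue
        if sigma in mappings:
            problems.append(
                f"line {lineno}: duplicate sigma_field {sigma!r} (kept {mappings[sigma]!r})")
            continue
        mappings[sigma] = target
    return mappings, problems


def export_mappings_csv(mappings: Dict[str, str]) -> str:
    """Write mappings back in the import layout, sorted so exports diff cleanly."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for sigma in sorted(mappings):
        writer.writerow([sigma, mappings[sigma]])
    return buf.getvalue()
```

The problems list is what to look at during the "Review and confirm" step: on the constructed input it flags the blank EventID target and the second CommandLine row, while the three clean rows import. Re-importing the output of export_mappings_csv yields the same dictionary with no problems.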

Best Practices

If your logs use ECS already, you need fewer custom mappings.
Configure field mappings before importing SigmaHQ rules.
Validate rules against actual logs, not just schema.
Note why non-standard mappings exist.
If your log schema changes, update mappings.

Troubleshooting

Rule validation fails

  1. Check the field name in the error
  2. Add mapping for that field
  3. Re-validate

Rule matches nothing

  1. Verify mapping targets exist in your logs
  2. Check for typos in field names
  3. Test with sample log

Mapping not applied

  1. Verify the mapping exists on the correct index pattern
  2. Check the rule is deployed to that index pattern
  3. Ensure the Sigma field name matches exactly (case-sensitive)
