From ccfca01effd2413794555073db75bca9a0d1e85e Mon Sep 17 00:00:00 2001
From: Dennis Toepker <toepkerd@amazon.com>
Date: Tue, 29 Oct 2024 17:19:54 -0700
Subject: [PATCH] Adding various OCSF 1.1 fields to log type static mappings

Signed-off-by: Dennis Toepker <toepkerd@amazon.com>
---
 .../logtype/LogTypeService.java               |   9 +-
 .../mapper/MapperService.java                 |   8 ++
 .../securityanalytics/model/LogType.java      |  11 +-
 .../OSMapping/cloudtrail_logtype.json         |  19 ++--
 src/main/resources/OSMapping/dns_logtype.json |  15 ++-
 .../resources/OSMapping/network_logtype.json  | 101 ++++++++++++------
 .../resources/OSMapping/vpcflow_logtype.json  |   7 +-
 src/main/resources/OSMapping/waf_logtype.json |  40 ++++---
 .../resources/OSMapping/windows_logtype.json  |  51 ++++++---
 .../LogTypeServiceTests.java                  |   6 +-
 .../model/WriteableTests.java                 |   4 +-
 .../writable/LogTypeTests.java                |   4 +-
 12 files changed, 188 insertions(+), 87 deletions(-)

diff --git a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
index 9efe57402..cc950aac2 100644
--- a/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
+++ b/src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
@@ -563,6 +563,9 @@ private List<FieldMappingDoc> createFieldMappingDocs(List<LogType> logTypes) {
                         if (mapping.getOcsf() != null) {
                             schemaFields.put("ocsf", mapping.getOcsf());
                         }
+                        if (mapping.getOcsf11() != null) {
+                            schemaFields.put("ocsf11", mapping.getOcsf11());
+                        }
                         fieldMappingMap.put(
                                 key,
                                 new FieldMappingDoc(
@@ -574,6 +577,7 @@ private List<FieldMappingDoc> createFieldMappingDocs(List<LogType> logTypes) {
                     } else {
                         // merge with existing doc
                         existingDoc.getSchemaFields().put("ocsf", mapping.getOcsf());
+                        existingDoc.getSchemaFields().put("ocsf11", mapping.getOcsf11());
                         existingDoc.getLogTypes().add(logType.getName());
                     }
                 }));
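Review bot: The merge branch stores `mapping.getOcsf11()` into the existing doc's schema fields unconditionally, while the create branch in the preceding hunk only stores it when non-null; since most of the static mappings in this patch carry no ocsf11 entry, a later log type that shares the same raw field would overwrite an earlier non-null ocsf11 value with null (or throw, if the schema-fields map rejects null values, which is not visible here). Guard it the same way as the create branch: `if (mapping.getOcsf11() != null) { existingDoc.getSchemaFields().put("ocsf11", mapping.getOcsf11()); }`. The pre-existing `ocsf` line above it has the same shape, so the guard arguably belongs on both. The enclosing createFieldMappingDocs method starts and ends outside the hunk.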
@@ -702,7 +706,7 @@ public void getRuleFieldMappingsAllSchemas(String logType, ActionListener<List<L
                         (delegatedListener, fieldMappingDocs) -> {
                             List<LogType.Mapping> ruleFieldMappings = new ArrayList<>();
                             fieldMappingDocs.forEach( e -> {
-                                ruleFieldMappings.add(new LogType.Mapping(e.getRawField(), e.getSchemaFields().get("ecs"), e.getSchemaFields().get("ocsf")));
+                                ruleFieldMappings.add(new LogType.Mapping(e.getRawField(), e.getSchemaFields().get("ecs"), e.getSchemaFields().get("ocsf"), e.getSchemaFields().get("ocsf11")));
                             });
                             delegatedListener.onResponse(ruleFieldMappings);
                         }
@@ -725,7 +729,8 @@ public void getRequiredFields(String logType, ActionListener<List<LogType.Mappin
                                 LogType.Mapping requiredField = new LogType.Mapping(
                                         e.getRawField(),
                                         e.getSchemaFields().get(defaultSchemaField),
-                                        e.getSchemaFields().get("ocsf")
+                                        e.getSchemaFields().get("ocsf"),
+                                        e.getSchemaFields().get("ocsf11")
                                 );
                                 requiredFields.add(requiredField);
                             });
diff --git a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
index 42b374735..4ea64d1ef 100644
--- a/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
+++ b/src/main/java/org/opensearch/securityanalytics/mapper/MapperService.java
@@ -234,6 +234,8 @@ public void onResponse(List<LogType.Mapping> mappings) {
                                     aliasMappingFields.put(mapping.getEcs(), Map.of("type", "alias", "path", mapping.getRawField()));
                                 } else if (indexFields.contains(mapping.getOcsf())) {
                                     aliasMappingFields.put(mapping.getEcs(), Map.of("type", "alias", "path", mapping.getOcsf()));
+                                } else if (indexFields.contains(mapping.getOcsf11())) {
+                                    aliasMappingFields.put(mapping.getEcs(), Map.of("type", "alias", "path", mapping.getOcsf11()));
                                 }
                             }
                             aliasMappingsObj.field("properties", aliasMappingFields);
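Review bot: `indexFields.contains(mapping.getOcsf11())` is evaluated with a null argument for every mapping that has no ocsf11 entry, which per the JSON changes in this patch is the large majority, so it needs confirming that `indexFields` is a null-tolerant collection; a null-hostile set would throw NullPointerException here and abort alias creation for the whole index. A cheap guard is `} else if (mapping.getOcsf11() != null && indexFields.contains(mapping.getOcsf11())) {`. The same pattern is introduced in the two later hunks of this file (`allFieldsFromIndex.contains(ocsf11Path)` and `allFieldsFromIndex.contains(mapping.getOcsf11())`). The enclosing onResponse method starts and ends outside the hunk.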
@@ -483,6 +485,7 @@ public void onResponse(GetMappingsResponse getMappingsResponse) {
                             String alias = requiredField.getEcs();
                             String rawPath = requiredField.getRawField();
                             String ocsfPath = requiredField.getOcsf();
+                            String ocsf11Path = requiredField.getOcsf11();
                             if (allFieldsFromIndex.contains(rawPath)) {
                                 // if the alias was already added into applyable aliases, then skip to avoid duplicates
                                 if (!applyableAliases.contains(alias) && !applyableAliases.contains(rawPath)) {
@@ -497,6 +500,9 @@ public void onResponse(GetMappingsResponse getMappingsResponse) {
                             } else if (allFieldsFromIndex.contains(ocsfPath)) {
                                 applyableAliases.add(alias);
                                 pathsOfApplyableAliases.add(ocsfPath);
+                            } else if (allFieldsFromIndex.contains(ocsf11Path)) {
+                                applyableAliases.add(alias);
+                                pathsOfApplyableAliases.add(ocsf11Path);
                             } else if ((alias == null && allFieldsFromIndex.contains(rawPath) == false) || allFieldsFromIndex.contains(alias) == false) {
                                 if (alias != null) {
                                     // we don't want to send back aliases which have same name as existing field in index
@@ -520,6 +526,8 @@ public void onResponse(GetMappingsResponse getMappingsResponse) {
                         for (LogType.Mapping mapping : requiredFields) {
                             if (allFieldsFromIndex.contains(mapping.getOcsf())) {
                                 aliasMappingFields.put(mapping.getEcs(), Map.of("type", "alias", "path", mapping.getOcsf()));
+                            } else if (allFieldsFromIndex.contains(mapping.getOcsf11())) {
+                                aliasMappingFields.put(mapping.getEcs(), Map.of("type", "alias", "path", mapping.getOcsf11()));
                             } else if (mapping.getEcs() != null) {
                                 shouldUpdateEcsMappingAndMaybeUpdates(mapping, aliasMappingFields, pathsOfApplyableAliases);
                             } else if (mapping.getEcs() == null) {
diff --git a/src/main/java/org/opensearch/securityanalytics/model/LogType.java b/src/main/java/org/opensearch/securityanalytics/model/LogType.java
index f70a462e2..1901c7426 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/LogType.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/LogType.java
@@ -27,6 +27,7 @@ public class LogType implements Writeable {
     private static final String RAW_FIELD = "raw_field";
     public static final String ECS = "ecs";
     public static final String OCSF = "ocsf";
+    public static final String OCSF11 = "ocsf11";
     public static final String IOC_FIELDS = "ioc_fields";
     public static final String IOC = "ioc";
     public static final String FIELDS = "fields";
@@ -67,7 +68,7 @@ public LogType(Map<String, Object> logTypeAsMap) {
         if (mappings.size() > 0) {
             this.mappings = new ArrayList<>(mappings.size());
             this.mappings = mappings.stream().map(e ->
-                    new Mapping(e.get(RAW_FIELD), e.get(ECS), e.get(OCSF))
+                    new Mapping(e.get(RAW_FIELD), e.get(ECS), e.get(OCSF), e.get(OCSF11))
             ).collect(Collectors.toList());
         }
         if (logTypeAsMap.containsKey(IOC_FIELDS)) {
@@ -120,17 +121,20 @@ public static class Mapping implements Writeable {
         private String rawField;
         private String ecs;
         private String ocsf;
+        private String ocsf11;
 
         public Mapping(StreamInput sin) throws IOException {
             this.rawField = sin.readString();
             this.ecs = sin.readOptionalString();
             this.ocsf = sin.readOptionalString();
+            this.ocsf11 = sin.readOptionalString();
         }
 
-        public Mapping(String rawField, String ecs, String ocsf) {
+        public Mapping(String rawField, String ecs, String ocsf, String ocsf11) {
             this.rawField = rawField;
             this.ecs = ecs;
             this.ocsf = ocsf;
+            this.ocsf11 = ocsf11;
         }
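Review bot: The added `sin.readOptionalString()` changes the wire format of Mapping without any version gate, so during a rolling upgrade a node on the previous version that writes three strings would leave a node on this version reading a misaligned stream, and `writeTo` in the next hunk has the mirror-image problem. If Mapping is exchanged between nodes, both sides should be conditioned on the stream version, e.g. `if (sin.getVersion().onOrAfter(<VERSION_PLACEHOLDER>)) { this.ocsf11 = sin.readOptionalString(); }` with the matching check around `out.writeOptionalString(ocsf11)`. Separately, replacing the three-argument constructor forces every caller and three test classes to change; a delegating overload `public Mapping(String rawField, String ecs, String ocsf) { this(rawField, ecs, ocsf, null); }` would keep the change source-compatible. The enclosing Mapping class runs past the end of the hunk.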
 
         public String getRawField() {
@@ -145,11 +149,14 @@ public String getOcsf() {
             return ocsf;
         }
 
+        public String getOcsf11() { return ocsf11; }
+
         @Override
         public void writeTo(StreamOutput out) throws IOException {
             out.writeString(rawField);
             out.writeOptionalString(ecs);
             out.writeOptionalString(ocsf);
+            out.writeOptionalString(ocsf11);
         }
 
         public static Mapping readFrom(StreamInput sin) throws IOException {
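Review bot: `public String getOcsf11() { return ocsf11; }` is written on one line while the sibling getters immediately above it use the braced multi-line form; for consistency with the rest of Mapping it should be laid out the same way as `getOcsf()`. The enclosing Mapping class runs past the end of the hunk.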
diff --git a/src/main/resources/OSMapping/cloudtrail_logtype.json b/src/main/resources/OSMapping/cloudtrail_logtype.json
index 8c2ea3b3a..6bb9fc742 100644
--- a/src/main/resources/OSMapping/cloudtrail_logtype.json
+++ b/src/main/resources/OSMapping/cloudtrail_logtype.json
@@ -34,7 +34,7 @@
     {
       "raw_field":"eventType",
       "ecs":"aws.cloudtrail.event_type",
-      "ocsf": "unmapped.eventType"
+      "ocsf11": "metadata.event_code"
     },
     {
       "raw_field":"eventCategory",
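Review bot: The `eventType` entry loses its `ocsf` key instead of gaining an `ocsf11` key next to it, so an index normalised to OCSF 1.0 that carries `unmapped.eventType` will no longer receive the `aws.cloudtrail.event_type` alias; given the commit message only speaks of adding 1.1 fields, the removal looks unintentional. The same replacement happens in the `@@ -149,17 +150,18 @@` hunk for `userIdentity.principalId`, whose 1.0 value `actor.user.uid` is dropped and then reassigned to `userIdentity.arn`, and the `requestParameters.userName`/`roleArn` entries rewrite their 1.0 value rather than adding a 1.1 one. If these are deliberate corrections of the 1.0 column that is fine, but the commit description should say so; otherwise keep both keys, e.g. `"ocsf": "unmapped.eventType",` followed by `"ocsf11": "metadata.event_code"`. Minor: `"ocsf11":"actor.user.uid_alt"` lacks the space after the colon that the other added entries use.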
@@ -69,7 +69,8 @@
     {
       "raw_field":"additionalEventData.MFAUsed",
       "ecs":"aws.cloudtrail.additional_event_data.mfaUsed",
-      "ocsf": "mfa"
+      "ocsf": "mfa",
+      "ocsf11": "is_mfa"
     },
     {
       "raw_field":"responseElements",
@@ -124,12 +125,12 @@
     {
       "raw_field":"requestParameters.userName",
       "ecs":"aws.cloudtrail.request_parameters.username",
-      "ocsf": "unmapped.requestParameters.userName"
+      "ocsf": "user.name"
     },
     {
       "raw_field":"requestParameters.roleArn",
       "ecs":"aws.cloudtrail.request_parameters.roleArn",
-      "ocsf": "user.uuid"
+      "ocsf": "user.uid"
     },
     {
       "raw_field":"requestParameters.roleSessionName",
@@ -149,17 +150,18 @@
     {
       "raw_field":"userIdentity.principalId",
       "ecs":"aws.cloudtrail.user_identity.principalId",
-      "ocsf": "actor.user.uid"
+      "ocsf11":"actor.user.uid_alt"
     },
     {
       "raw_field":"userIdentity.arn",
       "ecs":"aws.cloudtrail.user_identity.arn",
-      "ocsf": "actor.user.uuid"
+      "ocsf": "actor.user.uid"
     },
     {
       "raw_field":"userIdentity.accountId",
       "ecs":"aws.cloudtrail.user_identity.accountId",
-      "ocsf": "actor.user.account_uid"
+      "ocsf": "actor.user.account_uid",
+      "ocsf11": "actor.user.account.uid"
     },
     {
       "raw_field":"userIdentity.accessKeyId",
@@ -199,7 +201,8 @@
     {
       "raw_field":"userIdentity.sessionContext.attributes.mfaAuthenticated",
       "ecs":"aws.cloudtrail.user_identity.session_context.attributes.mfaAuthenticated",
-      "ocsf": "actor.session.mfa"
+      "ocsf": "actor.session.mfa",
+      "ocsf11": "actor.session.is_mfa"
     },
     {
       "raw_field":"userIdentity.webIdFederationData.federatedProvider",
diff --git a/src/main/resources/OSMapping/dns_logtype.json b/src/main/resources/OSMapping/dns_logtype.json
index ef012407f..ca2551353 100644
--- a/src/main/resources/OSMapping/dns_logtype.json
+++ b/src/main/resources/OSMapping/dns_logtype.json
@@ -54,7 +54,8 @@
     {
       "raw_field":"account_id",
       "ecs":"aws.route53.account_id",
-      "ocsf": "cloud.account_uid"
+      "ocsf": "cloud.account_uid",
+      "ocsf11": "cloud.account.uid"
     },
     {
       "raw_field":"region",
@@ -114,12 +115,22 @@
     {
       "raw_field":"firewall_rule_action",
       "ecs":"aws.route53.srcids.firewall_rule_action",
-      "ocsf": "disposition_id"
+      "ocsf": "disposition"
     },
     {
       "raw_field":"creationTime",
       "ecs":"timestamp",
       "ocsf": "unmapped.creationTime"
+    },
+    {
+      "raw_field":"rcode",
+      "ecs":"aws.route53.rcode",
+      "ocsf":"rcode"
+    },
+    {
+      "raw_field":"firewall_rule_group_id",
+      "ecs":"aws.route53.srcids.firewall_rule_group_id",
+      "ocsf":"firewall_rule.uid"
     }
   ]
 }
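Review bot: `firewall_rule_action` changes its existing `ocsf` value from `disposition_id` to `disposition` instead of adding an `ocsf11` entry; as I read the OCSF schema `disposition_id` is the integer enum and `disposition` the string label, so this is a plausible correction for a raw field that carries string actions, but it silently drops the alias for any index already normalised with `disposition_id`. The same rewrite is applied to `netflow.action` in vpcflow_logtype.json, which additionally moves `traffic_path` from `boundary_id` to `connection_info.boundary_id`. Because detection rules are evaluated against these aliases, the commit description should call out the 1.0 changes, or the previous value should stay under `ocsf` with the new one under `ocsf11`.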
diff --git a/src/main/resources/OSMapping/network_logtype.json b/src/main/resources/OSMapping/network_logtype.json
index 2ca92a1ad..2a247840b 100644
--- a/src/main/resources/OSMapping/network_logtype.json
+++ b/src/main/resources/OSMapping/network_logtype.json
@@ -14,131 +14,168 @@
   "mappings":[
     {
       "raw_field":"action",
-      "ecs":"netflow.firewall_event"
+      "ecs":"netflow.firewall_event",
+      "ocsf": "unmapped.action"
     },
     {
       "raw_field":"certificate.serial",
-      "ecs":"zeek.x509.certificate.serial"
+      "ecs":"zeek.x509.certificate.serial",
+      "ocsf": "unmapped.certificate.serial"
     },
     {
       "raw_field":"name",
-      "ecs":"zeek.smb_files.name"
+      "ecs":"zeek.smb_files.name",
+      "ocsf": "unmapped.name"
     },
     {
       "raw_field":"path",
-      "ecs":"zeek.smb_files.path"
+      "ecs":"zeek.smb_files.path",
+      "ocsf": "unmapped.path"
     },
     {
       "raw_field":"dst_port",
-      "ecs":"destination.port"
+      "ecs":"destination.port",
+      "ocsf": "unmapped.dst_port"
     },
     {
       "raw_field":"qtype_name",
-      "ecs":"zeek.dns.qtype_name"
+      "ecs":"zeek.dns.qtype_name",
+      "ocsf": "query.type"
     },
     {
       "raw_field":"operation",
-      "ecs":"zeek.dce_rpc.operation"
+      "ecs":"zeek.dce_rpc.operation",
+      "ocsf": "unmapped.operation"
     },
     {
       "raw_field":"endpoint",
-      "ecs":"zeek.dce_rpc.endpoint"
+      "ecs":"zeek.dce_rpc.endpoint",
+      "ocsf": "unmapped.endpoint"
     },
     {
       "raw_field":"zeek.dce_rpc.endpoint",
-      "ecs":"zeek.dce_rpc.endpoint"
+      "ecs":"zeek.dce_rpc.endpoint",
+      "ocsf": "unmapped.zeek.dce_rpc.endpoint"
     },
     {
       "raw_field":"answers",
-      "ecs":"zeek.dns.answers"
+      "ecs":"zeek.dns.answers",
+      "ocsf": "answers.rdata"
     },
     {
       "raw_field":"query",
-      "ecs":"zeek.dns.query"
+      "ecs":"zeek.dns.query",
+      "ocsf": "query.hostname"
     },
     {
       "raw_field":"client_header_names",
-      "ecs":"zeek.http.client_header_names"
+      "ecs":"zeek.http.client_header_names",
+      "ocsf": "unmapped.client_header_names"
     },
     {
       "raw_field":"resp_mime_types",
-      "ecs":"zeek.http.resp_mime_types"
+      "ecs":"zeek.http.resp_mime_types",
+      "ocsf": "unmapped.resp_mime_types"
     },
     {
       "raw_field":"cipher",
-      "ecs":"zeek.kerberos.cipher"
+      "ecs":"zeek.kerberos.cipher",
+      "ocsf": "cipher"
     },
     {
       "raw_field":"request_type",
-      "ecs":"zeek.kerberos.request_type"
+      "ecs":"zeek.kerberos.request_type",
+      "ocsf": "unmapped.request_type"
     },
     {
       "raw_field":"creationTime",
-      "ecs":"timestamp"
+      "ecs":"timestamp",
+      "ocsf": "unmapped.creationTime"
     },
     {
       "raw_field":"method",
-      "ecs":"http.request.method"
+      "ecs":"http.request.method",
+      "ocsf": "unmapped.method"
     },
     {
       "raw_field":"id.resp_p",
-      "ecs":"id.resp_p"
+      "ecs":"id.resp_p",
+      "ocsf": "dst_endpoint.port"
     },
     {
       "raw_field":"blocked",
-      "ecs":"blocked-flag"
+      "ecs":"blocked-flag",
+      "ocsf": "unmapped.blocked"
+    },
+    {
+      "raw_field": "id.orig_p",
+      "ecs": "id.orig_p",
+      "ocsf": "src_endpoint.port"
     },
     {
       "raw_field":"id.orig_h",
-      "ecs":"id.orig_h"
+      "ecs":"id.orig_h",
+      "ocsf": "src_endpoint.ip"
     },
     {
       "raw_field":"Z",
-      "ecs":"Z-flag"
+      "ecs":"Z-flag",
+      "ocsf": "answers.flag_ids.99"
     },
     {
       "raw_field":"id.resp_h",
-      "ecs":"id.resp_h"
+      "ecs":"id.resp_h",
+      "ocsf": "dst_endpoint.ip"
     },
     {
       "raw_field":"uri",
-      "ecs":"url.path"
+      "ecs":"url.path",
+      "ocsf": "unmapped.uri"
     },
     {
       "raw_field":"c-uri",
-      "ecs":"url.path"
+      "ecs":"url.path",
+      "ocsf": "unmapped.c-uri"
     },
     {
       "raw_field":"c-useragent",
-      "ecs":"user_agent.name"
+      "ecs":"user_agent.name",
+      "ocsf": "unmapped.c-useragent"
     },
     {
       "raw_field":"status_code",
-      "ecs":"http.response.status_code"
+      "ecs":"http.response.status_code",
+      "ocsf": "unmapped.status_code"
     },
     {
       "raw_field":"rejected",
-      "ecs":"rejected"
+      "ecs":"rejected",
+      "ocsf": "unmapped.rejected"
     },
     {
       "raw_field":"dst_ip",
-      "ecs":"destination.ip"
+      "ecs":"destination.ip",
+      "ocsf": "unmapped.dst_ip"
     },
     {
       "raw_field":"src_ip",
-      "ecs":"source.ip"
+      "ecs":"source.ip",
+      "ocsf": "unmapped.src_ip"
     },
     {
       "raw_field":"user_agent",
-      "ecs":"user_agent.name"
+      "ecs":"user_agent.name",
+      "ocsf": "unmapped.user_agent"
     },
     {
       "raw_field":"request_body_len",
-      "ecs":"http.request.body.bytes"
+      "ecs":"http.request.body.bytes",
+      "ocsf": "unmapped.request_body_len"
     },
     {
       "raw_field":"service",
-      "ecs":"service"
+      "ecs":"service",
+      "ocsf": "unmapped.service"
     }
   ]
 }
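Review bot: `"ocsf": "answers.flag_ids.99"` for the Zeek `Z` flag is the only added path with a numeric segment; MapperService uses these values verbatim as the alias `path`, and an alias into an element of an array-valued `flag_ids` is unlikely to resolve to a mapped field, so confirm an index actually exposes a field by that name before relying on it. Also, `uri` and `c-uri` both map to ecs `url.path` (as do `c-useragent` and `user_agent` to `user_agent.name`) and now carry different `ocsf` paths; since MapperService keys `aliasMappingFields` by the ecs name, whichever entry is processed last wins, so the chosen path becomes order-dependent. A one-line comment in the commit message naming which entry is meant to take precedence, or consolidating the duplicates, would remove the ambiguity.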
diff --git a/src/main/resources/OSMapping/vpcflow_logtype.json b/src/main/resources/OSMapping/vpcflow_logtype.json
index 29d9f38c2..4e0c59272 100644
--- a/src/main/resources/OSMapping/vpcflow_logtype.json
+++ b/src/main/resources/OSMapping/vpcflow_logtype.json
@@ -20,7 +20,8 @@
     {
       "raw_field":"account_id",
       "ecs":"netflow.account_id",
-      "ocsf": "cloud.account_uid"
+      "ocsf": "cloud.account_uid",
+      "ocsf11":  "cloud.account.uid"
     },
     {
       "raw_field":"region",
@@ -90,12 +91,12 @@
     {
       "raw_field":"action",
       "ecs":"netflow.action",
-      "ocsf": "disposition_id"
+      "ocsf": "disposition"
     },
     {
       "raw_field":"traffic_path",
       "ecs":"netflow.traffic_path",
-      "ocsf": "boundary_id"
+      "ocsf": "connection_info.boundary_id"
     },
     {
       "raw_field":"flow_direction",
diff --git a/src/main/resources/OSMapping/waf_logtype.json b/src/main/resources/OSMapping/waf_logtype.json
index 3e5b1f4f1..c024ae55a 100644
--- a/src/main/resources/OSMapping/waf_logtype.json
+++ b/src/main/resources/OSMapping/waf_logtype.json
@@ -6,51 +6,63 @@
   "mappings":[
     {
       "raw_field":"cs-method",
-      "ecs":"waf.request.method"
+      "ecs":"waf.request.method",
+      "ocsf": "unmapped.cs-method"
     },
     {
       "raw_field":"httpRequest.httpMethod",
-      "ecs":"waf.request.method"
+      "ecs":"waf.request.method",
+      "ocsf": "http_request.http_method"
     },
     {
       "raw_field":"cs-uri-query",
-      "ecs":"waf.request.uri_query"
+      "ecs":"waf.request.uri_query",
+      "ocsf": "unmapped.cs-uri-query"
     },
     {
       "raw_field":"httpRequest.uri",
-      "ecs":"waf.request.uri_query"
+      "ecs":"waf.request.uri_query",
+      "ocsf": "http_request.url.path"
     },
     {
       "raw_field":"httpRequest.args",
-      "ecs":"waf.request.uri_query"
+      "ecs":"waf.request.uri_query",
+      "ocsf": "http_request.args"
     },
     {
       "raw_field":"cs-user-agent",
-      "ecs":"waf.request.headers.user_agent"
+      "ecs":"waf.request.headers.user_agent",
+      "ocsf": "unmapped.cs-user-agent"
     },
     {
       "raw_field":"httpRequest.headers",
-      "ecs":"waf.request.headers"
+      "ecs":"waf.request.headers",
+      "ocsf": "unmapped.httpRequest.headers"
     },
     {
       "raw_field":"sc-status",
-      "ecs":"waf.response.code"
+      "ecs":"waf.response.code",
+      "ocsf": "unmapped.sc-status"
     },
     {
       "raw_field":"responseCodeSent",
-      "ecs":"waf.response.code"
+      "ecs":"waf.response.code",
+      "ocsf": "status_code"
     },
     {
       "raw_field":"timestamp",
-      "ecs":"timestamp"
+      "ecs":"timestamp",
+      "ocsf": "unmapped.timestamp"
     },
     {
-      "raw_field":"httpRequest.headers.value",
-      "ecs":"waf.request.headers.value"
+      "raw_field":"httpRequest.headers[].value",
+      "ecs":"waf.request.headers.value",
+      "ocsf": "http_request.http_headers[].value"
     },
     {
-      "raw_field":"httpRequest.headers.name",
-      "ecs":"waf.request.headers.name"
+      "raw_field":"httpRequest.headers[].name",
+      "ecs":"waf.request.headers.name",
+      "ocsf": "http_request.http_headers[].name"
     }
   ]
 }
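Review bot: Changing `raw_field` to `httpRequest.headers[].value` and `httpRequest.headers[].name` introduces `[]` into a value that MapperService compares against index field names and uses as an alias `path`; OpenSearch field names carry no array markers (an array of header objects is mapped simply as `httpRequest.headers.value`), so unless an ingest step really emits a field literally named with `[]`, these two entries stop matching the raw field they matched before the patch. The same concern applies to the new `http_request.http_headers[].value` and `http_request.http_headers[].name` targets. If the brackets are meant to document the array shape, keep the dotted form in the data and describe the shape in the commit message instead.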
diff --git a/src/main/resources/OSMapping/windows_logtype.json b/src/main/resources/OSMapping/windows_logtype.json
index ec9b3ed1a..1f68cc160 100644
--- a/src/main/resources/OSMapping/windows_logtype.json
+++ b/src/main/resources/OSMapping/windows_logtype.json
@@ -15,7 +15,8 @@
     },
     {
       "raw_field":"AuthenticationPackageName",
-      "ecs":"winlog.event_data.AuthenticationPackageName"
+      "ecs":"winlog.event_data.AuthenticationPackageName",
+      "ocsf": "auth_protocol"
     },
     {
       "raw_field":"Channel",
@@ -27,7 +28,8 @@
     },
     {
       "raw_field":"ComputerName",
-      "ecs":"winlog.computer_name"
+      "ecs":"winlog.computer_name",
+      "ocsf": "device.name"
     },
     {
       "raw_field":"Description",
@@ -71,11 +73,13 @@
     },
     {
       "raw_field":"LogonProcessName",
-      "ecs":"winlog.event_data.LogonProcessName"
+      "ecs":"winlog.event_data.LogonProcessName",
+      "ocsf": "logon_process.name"
     },
     {
       "raw_field":"LogonType",
-      "ecs":"winlog.event_data.LogonType"
+      "ecs":"winlog.event_data.LogonType",
+      "ocsf": "logon_type_id"
     },
     {
       "raw_field":"OriginalFilename",
@@ -91,7 +95,8 @@
     },
     {
       "raw_field":"ProcessId",
-      "ecs":"winlog.event_data.ProcessId"
+      "ecs":"winlog.event_data.ProcessId",
+      "ocsf": "actor.process.pid"
     },
     {
       "raw_field":"Product",
@@ -127,11 +132,13 @@
     },
     {
       "raw_field":"Status",
-      "ecs":"winlog.event_data.Status"
+      "ecs":"winlog.event_data.Status",
+      "ocsf": "status"
     },
     {
       "raw_field":"SubjectDomainName",
-      "ecs":"winlog.event_data.SubjectDomainName"
+      "ecs":"winlog.event_data.SubjectDomainName",
+      "ocsf": "actor.user.domain"
     },
     {
       "raw_field":"SubjectLogonId",
@@ -139,11 +146,13 @@
     },
     {
       "raw_field":"SubjectUserName",
-      "ecs":"winlog.event_data.SubjectUserName"
+      "ecs":"winlog.event_data.SubjectUserName",
+      "ocsf": "actor.user.name"
     },
     {
       "raw_field":"SubjectUserSid",
-      "ecs":"winlog.event_data.SubjectUserSid"
+      "ecs":"winlog.event_data.SubjectUserSid",
+      "ocsf": "actor.user.uid"
     },
     {
       "raw_field":"TargetLogonId",
@@ -159,11 +168,13 @@
     },
     {
       "raw_field":"TargetUserName",
-      "ecs":"winlog.event_data.TargetUserName"
+      "ecs":"winlog.event_data.TargetUserName",
+      "ocsf": "process.user.domain"
     },
     {
       "raw_field":"TargetUserSid",
-      "ecs":"winlog.event_data.TargetUserSid"
+      "ecs":"winlog.event_data.TargetUserSid",
+      "ocsf": "process.user.uid"
     },
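Review bot: `TargetUserName` is aliased to `process.user.domain`, which names the domain rather than the user name; its sibling `TargetUserSid` goes to `process.user.uid`, and the subject pair in the earlier hunks goes to `actor.user.name`/`actor.user.domain`, so the intended value is presumably `"ocsf": "process.user.name"`. This is worth fixing before release, because a detection rule filtering on the target user name would be compared against the domain field once the alias is applied.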
     {
       "raw_field":"TaskName",
@@ -183,11 +194,13 @@
     },
     {
       "raw_field":"Workstation",
-      "ecs":"winlog.event_data.Workstation"
+      "ecs":"winlog.event_data.Workstation",
+      "ocsf": "src_endpoint.name"
     },
     {
       "raw_field":"WorkstationName",
-      "ecs":"winlog.event_data.Workstation"
+      "ecs":"winlog.event_data.Workstation",
+      "ocsf": "src_endpoint.name"
     },
     {
       "raw_field":"event_uid",
@@ -219,7 +232,8 @@
     },
     {
       "raw_field":"ProcessName",
-      "ecs":"winlog.event_data.ProcessName"
+      "ecs":"winlog.event_data.ProcessName",
+      "ocsf": "actor.process.file"
     },
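Review bot: `ProcessName` is aliased to `actor.process.file`, which in OCSF is the File object rather than a string leaf; OpenSearch aliases must target a concrete field, so an alias to an object path would presumably fail to apply and the intended target is a leaf such as `"ocsf": "actor.process.file.path"` (or `.name` if the raw value is a bare executable name). `CallerProcessName` in the `@@ -623,11 +638,13 @@` hunk uses the same target and needs the same adjustment. Confirm against the OCSF 1.0 Process object before merging.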
     {
       "raw_field":"ObjectName",
@@ -615,7 +629,8 @@
     },
     {
       "raw_field":"Message",
-      "ecs":"winlog.event_data.Message"
+      "ecs":"winlog.event_data.Message",
+      "ocsf": "message"
     },
     {
       "raw_field":"ShareName",
@@ -623,11 +638,13 @@
     },
     {
       "raw_field":"SourcePort",
-      "ecs":"source.port"
+      "ecs":"source.port",
+      "ocsf":"src_endpoint.port"
     },
     {
       "raw_field":"CallerProcessName",
-      "ecs":"winlog.event_data.CallerProcessName"
+      "ecs":"winlog.event_data.CallerProcessName",
+      "ocsf": "actor.process.file"
     },
     {
       "raw_field":"ServiceFileName",
diff --git a/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java b/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
index 217fa0a03..cd467313b 100644
--- a/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
@@ -47,9 +47,9 @@ protected void beforeTest() throws Exception {
             List<LogType> dummyLogTypes = List.of(
                 new LogType(null, "test_logtype", "", true,
                         List.of(
-                                new LogType.Mapping("rawFld1", "ecsFld1", "ocsfFld1"),
-                                new LogType.Mapping("rawFld2", "ecsFld2", "ocsfFld2"),
-                                new LogType.Mapping("rawFld3", "ecsFld3", "ocsfFld3")
+                                new LogType.Mapping("rawFld1", "ecsFld1", "ocsfFld1", "ocsf11Fld1"),
+                                new LogType.Mapping("rawFld2", "ecsFld2", "ocsfFld2", "ocsf11Fld2"),
+                                new LogType.Mapping("rawFld3", "ecsFld3", "ocsfFld3", "ocsf11Fld3")
                         ),
                         List.of(new LogType.IocFields("ip", List.of("dst.ip")))
                 )
diff --git a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
index 2c5639c95..d50317333 100644
--- a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
@@ -77,7 +77,7 @@ public void testEmptyUserAsStream() throws IOException {
     public void testLogTypeAsStreamRawFieldOnly() throws IOException {
         LogType logType = new LogType(
                 "1", "my_log_type", "description", false,
-                List.of(new LogType.Mapping("rawField", null, null)),
+                List.of(new LogType.Mapping("rawField", null, null, null)),
                 List.of(new LogType.IocFields("ip", List.of("dst.ip")))
         );
         BytesStreamOutput out = new BytesStreamOutput();
@@ -94,7 +94,7 @@ public void testLogTypeAsStreamRawFieldOnly() throws IOException {
     public void testLogTypeAsStreamFull() throws IOException {
         LogType logType = new LogType(
                 "1", "my_log_type", "description", false,
-                List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field")),
+                List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field", "some_ocsf11_field")),
                 List.of(new LogType.IocFields("ip", List.of("dst.ip")))
         );
         BytesStreamOutput out = new BytesStreamOutput();
diff --git a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
index d9d592641..626ec6ac3 100644
--- a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
@@ -21,7 +21,7 @@ public class LogTypeTests {
     public void testLogTypeAsStreamRawFieldOnly() throws IOException {
         LogType logType = new LogType(
                 "1", "my_log_type", "description", false,
-                List.of(new LogType.Mapping("rawField", null, null)),
+                List.of(new LogType.Mapping("rawField", null, null, null)),
                 List.of(new LogType.IocFields("ip", List.of("dst.ip")))
         );
         BytesStreamOutput out = new BytesStreamOutput();
@@ -41,7 +41,7 @@ public void testLogTypeAsStreamRawFieldOnly() throws IOException {
     public void testLogTypeAsStreamFull() throws IOException {
         LogType logType = new LogType(
                 "1", "my_log_type", "description", false,
-                List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field")),
+                List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field", "some_ocsf11_field")),
                 List.of(new LogType.IocFields("ip", List.of("dst.ip")))
         );
         BytesStreamOutput out = new BytesStreamOutput();