2020-02-21 21:31:14 +00:00
|
|
|
title: Splunk Zeek sourcetype mappings
|
|
|
|
order: 20
|
|
|
|
backends:
|
|
|
|
- splunk
|
|
|
|
- splunkxml
|
2020-05-02 11:23:11 +00:00
|
|
|
- corelight_splunk
|
2020-02-13 05:24:03 +00:00
|
|
|
logsources:
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-category-accounting:
|
|
|
|
category: accounting
|
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: syslog
|
|
|
|
zeek-category-firewall:
|
|
|
|
category: firewall
|
2020-05-19 09:02:45 +00:00
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: conn
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-category-dns:
|
|
|
|
category: dns
|
2020-05-19 09:02:45 +00:00
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: dns
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-category-proxy:
|
|
|
|
category: proxy
|
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: http
|
|
|
|
zeek-category-webserver:
|
|
|
|
category: webserver
|
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: http
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-conn:
|
|
|
|
product: zeek
|
|
|
|
service: conn
|
2020-05-19 09:02:45 +00:00
|
|
|
rewrite:
|
|
|
|
product: zeek
|
|
|
|
service: conn
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-conn_long:
|
|
|
|
product: zeek
|
|
|
|
service: conn_long
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:conn_long:json'
|
|
|
|
zeek-dce_rpc:
|
|
|
|
product: zeek
|
|
|
|
service: dce_rpc
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:dce_rpc:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-dns:
|
|
|
|
product: zeek
|
|
|
|
service: dns
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:dns:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-dnp3:
|
|
|
|
product: zeek
|
|
|
|
service: dnp3
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:dnp3:json'
|
|
|
|
zeek-dpd:
|
|
|
|
product: zeek
|
|
|
|
service: dpd
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:dpd:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-files:
|
|
|
|
product: zeek
|
|
|
|
service: files
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:files:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-ftp:
|
2020-02-13 05:24:03 +00:00
|
|
|
product: zeek
|
2020-05-02 11:23:11 +00:00
|
|
|
service: ftp
|
2020-02-13 05:24:03 +00:00
|
|
|
conditions:
|
2020-05-02 11:23:11 +00:00
|
|
|
sourcetype: 'bro:ftp:json'
|
|
|
|
zeek-gquic:
|
|
|
|
product: zeek
|
|
|
|
service: gquic
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:gquic:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-http:
|
|
|
|
product: zeek
|
|
|
|
service: http
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:http:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-http2:
|
|
|
|
product: zeek
|
|
|
|
service: http2
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:http2:json'
|
|
|
|
zeek-intel:
|
|
|
|
product: zeek
|
|
|
|
service: intel
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:intel:json'
|
|
|
|
zeek-irc:
|
|
|
|
product: zeek
|
|
|
|
service: irc
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:irc:json'
|
|
|
|
zeek-kerberos:
|
|
|
|
product: zeek
|
|
|
|
service: kerberos
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:kerberos:json'
|
|
|
|
zeek-known_certs:
|
|
|
|
product: zeek
|
|
|
|
service: known_certs
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:known_certs:json'
|
|
|
|
zeek-known_hosts:
|
|
|
|
product: zeek
|
|
|
|
service: known_hosts
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:known_hosts:json'
|
|
|
|
zeek-known_modbus:
|
|
|
|
product: zeek
|
|
|
|
service: known_modbus
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:known_modbus:json'
|
|
|
|
zeek-known_services:
|
|
|
|
product: zeek
|
|
|
|
service: known_services
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:known_services:json'
|
|
|
|
zeek-modbus:
|
|
|
|
product: zeek
|
|
|
|
service: modbus
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:modbus:json'
|
|
|
|
zeek-modbus_register_change:
|
|
|
|
product: zeek
|
|
|
|
service: modbus_register_change
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:modbus_register_change:json'
|
|
|
|
zeek-mqtt_connect:
|
|
|
|
product: zeek
|
|
|
|
service: mqtt_connect
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:mqtt_connect:json'
|
|
|
|
zeek-mqtt_publish:
|
|
|
|
product: zeek
|
|
|
|
service: mqtt_publish
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:mqtt_publish:json'
|
|
|
|
zeek-mqtt_subscribe:
|
|
|
|
product: zeek
|
|
|
|
service: mqtt_subscribe
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:mqtt_subscribe:json'
|
|
|
|
zeek-mysql:
|
|
|
|
product: zeek
|
|
|
|
service: mysql
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:mysql:json'
|
|
|
|
zeek-notice:
|
|
|
|
product: zeek
|
|
|
|
service: notice
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:notice:json'
|
|
|
|
zeek-ntlm:
|
|
|
|
product: zeek
|
|
|
|
service: ntlm
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ntlm:json'
|
|
|
|
zeek-ntp:
|
|
|
|
product: zeek
|
|
|
|
service: ntp
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ntp:json'
|
|
|
|
zeek-ocsp:
|
|
|
|
product: zeek
|
|
|
|
service: ntp
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ocsp:json'
|
|
|
|
zeek-pe:
|
|
|
|
product: zeek
|
|
|
|
service: pe
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:pe:json'
|
|
|
|
zeek-pop3:
|
|
|
|
product: zeek
|
|
|
|
service: pop3
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:pop3:json'
|
|
|
|
zeek-radius:
|
|
|
|
product: zeek
|
|
|
|
service: radius
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:radius:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-rdp:
|
|
|
|
product: zeek
|
|
|
|
service: rdp
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:rdp:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-rfb:
|
|
|
|
product: zeek
|
|
|
|
service: rfb
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:rfb:json'
|
|
|
|
zeek-sip:
|
|
|
|
product: zeek
|
|
|
|
service: sip
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:sip:json'
|
|
|
|
zeek-smb_files:
|
|
|
|
product: zeek
|
|
|
|
service: smb_files
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:smb_files:json'
|
|
|
|
zeek-smb_mapping:
|
|
|
|
product: zeek
|
|
|
|
service: smb_mapping
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:smb_mapping:json'
|
|
|
|
zeek-smtp:
|
|
|
|
product: zeek
|
|
|
|
service: smtp
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:smtp:json'
|
|
|
|
zeek-smtp_links:
|
|
|
|
product: zeek
|
|
|
|
service: smtp_links
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:smtp_links:json'
|
|
|
|
zeek-snmp:
|
|
|
|
product: zeek
|
|
|
|
service: snmp
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:snmp:json'
|
|
|
|
zeek-socks:
|
|
|
|
product: zeek
|
|
|
|
service: socks
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:socks:json'
|
|
|
|
zeek-software:
|
|
|
|
product: zeek
|
|
|
|
service: software
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:software:json'
|
|
|
|
zeek-ssh:
|
|
|
|
product: zeek
|
|
|
|
service: ssh
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ssh:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-ssl:
|
|
|
|
product: zeek
|
|
|
|
service: ssl
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ssl:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-tls: # In case people call it TLS even though log is called ssl
|
|
|
|
product: zeek
|
|
|
|
service: tls
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:ssl:json'
|
|
|
|
zeek-syslog:
|
|
|
|
product: zeek
|
|
|
|
service: syslog
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:syslog:json'
|
|
|
|
zeek-tunnel:
|
|
|
|
product: zeek
|
|
|
|
service: tunnel
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:tunnel:json'
|
|
|
|
zeek-traceroute:
|
|
|
|
product: zeek
|
|
|
|
service: traceroute
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:traceroute:json'
|
|
|
|
zeek-weird:
|
|
|
|
product: zeek
|
|
|
|
service: weird
|
|
|
|
conditions:
|
|
|
|
sourcetype: 'bro:weird:json'
|
2020-02-13 05:24:03 +00:00
|
|
|
zeek-x509:
|
|
|
|
product: zeek
|
|
|
|
service: x509
|
|
|
|
conditions:
|
2020-02-21 21:31:14 +00:00
|
|
|
sourcetype: 'bro:x509:json'
|
2020-05-02 11:23:11 +00:00
|
|
|
zeek-ip_search:
|
|
|
|
product: zeek
|
|
|
|
service: network
|
|
|
|
conditions:
|
|
|
|
sourcetype:
|
|
|
|
- 'bro:conn:json'
|
|
|
|
- 'bro:conn_long:json'
|
|
|
|
- 'bro:dce_rpc:json'
|
|
|
|
- 'bro:dhcp:json'
|
|
|
|
- 'bro:dnp3:json'
|
|
|
|
- 'bro:dns:json'
|
|
|
|
- 'bro:ftp:json'
|
|
|
|
- 'bro:gquic:json'
|
|
|
|
- 'bro:http:json'
|
|
|
|
- 'bro:irc:json'
|
|
|
|
- 'bro:kerberos:json'
|
|
|
|
- 'bro:modbus:json'
|
|
|
|
- 'bro:mqtt_connect:json'
|
|
|
|
- 'bro:mqtt_publish:json'
|
|
|
|
- 'bro:mqtt_subscribe:json'
|
|
|
|
- 'bro:mysql:json'
|
|
|
|
- 'bro:ntlm:json'
|
|
|
|
- 'bro:ntp:json'
|
|
|
|
- 'bro:radius:json'
|
|
|
|
- 'bro:rfb:json'
|
|
|
|
- 'bro:sip:json'
|
|
|
|
- 'bro:smb_files:json'
|
|
|
|
- 'bro:smb_mapping:json'
|
|
|
|
- 'bro:smtp:json'
|
|
|
|
- 'bro:smtp_links:json'
|
|
|
|
- 'bro:snmp:json'
|
|
|
|
- 'bro:socks:json'
|
|
|
|
- 'bro:ssh:json'
|
|
|
|
- 'bro:ssl:json'
|
|
|
|
- 'bro:tunnel:json'
|
|
|
|
- 'bro:weird:json'
|
|
|
|
fieldmappings:
|
|
|
|
# All Logs Applied Mapping & Taxonomy
|
|
|
|
dst_ip: id.resp_h
|
|
|
|
dst_port: id.resp_p
|
|
|
|
network_protocol: proto
|
|
|
|
src_ip: id.orig_h
|
|
|
|
src_port: id.orig_p
|
|
|
|
# DNS matching Taxonomy & DNS Category
|
|
|
|
answer: answers
|
|
|
|
#question_length: # Does not exist in open source version
|
|
|
|
record_type: qtype_name
|
|
|
|
#parent_domain: # Does not exist in open source version
|
|
|
|
# HTTP matching Taxonomy & Web/Proxy Category
|
|
|
|
cs-bytes: request_body_len
|
|
|
|
cs-cookie: cookie
|
|
|
|
r-dns: host
|
|
|
|
sc-bytes: response_body_len
|
|
|
|
sc-status: status_code
|
|
|
|
c-uri: uri
|
|
|
|
c-uri-extension: uri
|
|
|
|
c-uri-query: uri
|
|
|
|
c-uri-stem: uri
|
|
|
|
c-useragent: user_agent
|
|
|
|
cs-host: host
|
|
|
|
cs-method: method
|
|
|
|
cs-referrer: referrer
|
2020-05-19 09:02:45 +00:00
|
|
|
cs-version: version
|
|
|
|
# Few other variations of names from zeek source itself
|
|
|
|
id_orig_h: id.orig_h
|
|
|
|
id_orig_p: id.orig_p
|
|
|
|
id_resp_h: id.resp_h
|
2020-05-20 09:35:00 +00:00
|
|
|
id_resp_p: id.resp_p
|
2020-05-08 10:41:52 +00:00
|
|
|
# Temporary one off rule name fields
|
|
|
|
agent.version: version
|
|
|
|
c-cookie: cookie
|
|
|
|
c-ip: id.orig_h
|
|
|
|
cs-uri: uri
|
|
|
|
clientip: id.orig_h
|
|
|
|
clientIP: id.orig_h
|
|
|
|
dest_domain:
|
|
|
|
- query
|
|
|
|
- host
|
|
|
|
- server_name
|
|
|
|
dest_ip: id.resp_h
|
|
|
|
dest_port: id.resp_p
|
|
|
|
#TODO:WhatShouldThisBe?==dest:
|
|
|
|
#TODO:WhatShouldThisBe?==destination:
|
|
|
|
#TODO:WhatShouldThisBe?==Destination:
|
|
|
|
destination.hostname:
|
|
|
|
- query
|
|
|
|
- host
|
|
|
|
- server_name
|
2020-05-20 09:35:00 +00:00
|
|
|
DestinationAddress: id.resp_h
|
2020-05-08 10:41:52 +00:00
|
|
|
DestinationHostname:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
DestinationIp: id.resp_h
|
|
|
|
DestinationIP: id.resp_h
|
|
|
|
DestinationPort: id.resp_p
|
|
|
|
dst-ip: id.resp_h
|
|
|
|
dstip: id.resp_h
|
|
|
|
dstport: id.resp_p
|
|
|
|
Host:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
HostVersion: http.version
|
|
|
|
http_host:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
http_uri: uri
|
|
|
|
http_url: uri
|
|
|
|
http_user_agent: user_agent
|
|
|
|
http.request.url-query-params: uri
|
|
|
|
HttpMethod: method
|
|
|
|
in_url: uri
|
|
|
|
# parent_domain: # Not in open source zeek
|
|
|
|
post_url_parameter: uri
|
|
|
|
Request Url: uri
|
|
|
|
request_url: uri
|
|
|
|
request_URL: uri
|
|
|
|
RequestUrl: uri
|
|
|
|
#response: status_code
|
|
|
|
resource.url: uri
|
|
|
|
resource.URL: uri
|
|
|
|
sc_status: status_code
|
|
|
|
sender_domain:
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
service.response_code: status_code
|
|
|
|
source: id.orig_h
|
|
|
|
SourceAddr: id.orig_h
|
|
|
|
SourceAddress: id.orig_h
|
|
|
|
SourceIP: id.orig_h
|
|
|
|
SourceIp: id.orig_h
|
|
|
|
SourceNetworkAddress: id.orig_h
|
|
|
|
SourcePort: id.orig_p
|
|
|
|
srcip: id.orig_h
|
|
|
|
Status: status_code
|
|
|
|
status: status_code
|
|
|
|
url: uri
|
|
|
|
URL: uri
|
|
|
|
url_query: uri
|
|
|
|
url.query: uri
|
|
|
|
uri_path: uri
|
|
|
|
user_agent: user_agent
|
|
|
|
user_agent.name: user_agent
|
|
|
|
user-agent: user_agent
|
|
|
|
User-Agent: user_agent
|
|
|
|
useragent: user_agent
|
|
|
|
UserAgent: user_agent
|
|
|
|
User Agent: user_agent
|
|
|
|
web_dest:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
web.dest:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
Web.dest:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
web.host:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
Web.host:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
web_method: method
|
|
|
|
Web_method: method
|
|
|
|
web.method: method
|
|
|
|
Web.method: method
|
|
|
|
web_src: id.orig_h
|
|
|
|
web_status: status_code
|
|
|
|
Web_status: status_code
|
|
|
|
web.status: status_code
|
|
|
|
Web.status: status_code
|
|
|
|
web_uri: uri
|
|
|
|
web_url: uri
|
|
|
|
# Most are in ECS, but for things not using Elastic - these need renamed
|
|
|
|
destination.ip: id.resp_h
|
|
|
|
destination.port: id.resp_p
|
|
|
|
http.request.body.content: post_body
|
|
|
|
source.domain:
|
|
|
|
- host
|
|
|
|
- query
|
|
|
|
- server_name
|
|
|
|
source.ip: id.orig_h
|
2020-05-24 15:06:32 +00:00
|
|
|
source.port: id.orig_p
|