SigmaHQ/tools/config/splunk-zeek.yml

470 lines
10 KiB
YAML
Raw Normal View History

2020-02-21 21:31:14 +00:00
title: Splunk Zeek sourcetype mappings
order: 20
backends:
- splunk
- splunkxml
- corelight_splunk
logsources:
zeek-category-accounting:
category: accounting
rewrite:
product: zeek
service: syslog
zeek-category-firewall:
category: firewall
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-category-webserver:
category: webserver
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
rewrite:
product: zeek
service: conn
zeek-conn_long:
product: zeek
service: conn_long
conditions:
sourcetype: 'bro:conn_long:json'
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
sourcetype: 'bro:dce_rpc:json'
zeek-dns:
product: zeek
service: dns
conditions:
sourcetype: 'bro:dns:json'
zeek-dnp3:
product: zeek
service: dnp3
conditions:
sourcetype: 'bro:dnp3:json'
zeek-dpd:
product: zeek
service: dpd
conditions:
sourcetype: 'bro:dpd:json'
zeek-files:
product: zeek
service: files
conditions:
sourcetype: 'bro:files:json'
zeek-ftp:
product: zeek
service: ftp
conditions:
sourcetype: 'bro:ftp:json'
zeek-gquic:
product: zeek
service: gquic
conditions:
sourcetype: 'bro:gquic:json'
zeek-http:
product: zeek
service: http
conditions:
sourcetype: 'bro:http:json'
zeek-http2:
product: zeek
service: http2
conditions:
sourcetype: 'bro:http2:json'
zeek-intel:
product: zeek
service: intel
conditions:
sourcetype: 'bro:intel:json'
zeek-irc:
product: zeek
service: irc
conditions:
sourcetype: 'bro:irc:json'
zeek-kerberos:
product: zeek
service: kerberos
conditions:
sourcetype: 'bro:kerberos:json'
zeek-known_certs:
product: zeek
service: known_certs
conditions:
sourcetype: 'bro:known_certs:json'
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
sourcetype: 'bro:known_hosts:json'
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
sourcetype: 'bro:known_modbus:json'
zeek-known_services:
product: zeek
service: known_services
conditions:
sourcetype: 'bro:known_services:json'
zeek-modbus:
product: zeek
service: modbus
conditions:
sourcetype: 'bro:modbus:json'
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
sourcetype: 'bro:modbus_register_change:json'
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
sourcetype: 'bro:mqtt_connect:json'
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
sourcetype: 'bro:mqtt_publish:json'
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
sourcetype: 'bro:mqtt_subscribe:json'
zeek-mysql:
product: zeek
service: mysql
conditions:
sourcetype: 'bro:mysql:json'
zeek-notice:
product: zeek
service: notice
conditions:
sourcetype: 'bro:notice:json'
zeek-ntlm:
product: zeek
service: ntlm
conditions:
sourcetype: 'bro:ntlm:json'
zeek-ntp:
product: zeek
service: ntp
conditions:
sourcetype: 'bro:ntp:json'
zeek-ocsp:
product: zeek
service: ntp
conditions:
sourcetype: 'bro:ocsp:json'
zeek-pe:
product: zeek
service: pe
conditions:
sourcetype: 'bro:pe:json'
zeek-pop3:
product: zeek
service: pop3
conditions:
sourcetype: 'bro:pop3:json'
zeek-radius:
product: zeek
service: radius
conditions:
sourcetype: 'bro:radius:json'
zeek-rdp:
product: zeek
service: rdp
conditions:
sourcetype: 'bro:rdp:json'
zeek-rfb:
product: zeek
service: rfb
conditions:
sourcetype: 'bro:rfb:json'
zeek-sip:
product: zeek
service: sip
conditions:
sourcetype: 'bro:sip:json'
zeek-smb_files:
product: zeek
service: smb_files
conditions:
sourcetype: 'bro:smb_files:json'
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
sourcetype: 'bro:smb_mapping:json'
zeek-smtp:
product: zeek
service: smtp
conditions:
sourcetype: 'bro:smtp:json'
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
sourcetype: 'bro:smtp_links:json'
zeek-snmp:
product: zeek
service: snmp
conditions:
sourcetype: 'bro:snmp:json'
zeek-socks:
product: zeek
service: socks
conditions:
sourcetype: 'bro:socks:json'
zeek-software:
product: zeek
service: software
conditions:
sourcetype: 'bro:software:json'
zeek-ssh:
product: zeek
service: ssh
conditions:
sourcetype: 'bro:ssh:json'
zeek-ssl:
product: zeek
service: ssl
conditions:
sourcetype: 'bro:ssl:json'
zeek-tls: # In case people call it TLS even though log is called ssl
product: zeek
service: tls
conditions:
sourcetype: 'bro:ssl:json'
zeek-syslog:
product: zeek
service: syslog
conditions:
sourcetype: 'bro:syslog:json'
zeek-tunnel:
product: zeek
service: tunnel
conditions:
sourcetype: 'bro:tunnel:json'
zeek-traceroute:
product: zeek
service: traceroute
conditions:
sourcetype: 'bro:traceroute:json'
zeek-weird:
product: zeek
service: weird
conditions:
sourcetype: 'bro:weird:json'
zeek-x509:
product: zeek
service: x509
conditions:
2020-02-21 21:31:14 +00:00
sourcetype: 'bro:x509:json'
zeek-ip_search:
product: zeek
service: network
conditions:
sourcetype:
- 'bro:conn:json'
- 'bro:conn_long:json'
- 'bro:dce_rpc:json'
- 'bro:dhcp:json'
- 'bro:dnp3:json'
- 'bro:dns:json'
- 'bro:ftp:json'
- 'bro:gquic:json'
- 'bro:http:json'
- 'bro:irc:json'
- 'bro:kerberos:json'
- 'bro:modbus:json'
- 'bro:mqtt_connect:json'
- 'bro:mqtt_publish:json'
- 'bro:mqtt_subscribe:json'
- 'bro:mysql:json'
- 'bro:ntlm:json'
- 'bro:ntp:json'
- 'bro:radius:json'
- 'bro:rfb:json'
- 'bro:sip:json'
- 'bro:smb_files:json'
- 'bro:smb_mapping:json'
- 'bro:smtp:json'
- 'bro:smtp_links:json'
- 'bro:snmp:json'
- 'bro:socks:json'
- 'bro:ssh:json'
- 'bro:ssl:json'
- 'bro:tunnel:json'
- 'bro:weird:json'
fieldmappings:
# All Logs Applied Mapping & Taxonomy
dst_ip: id.resp_h
dst_port: id.resp_p
network_protocol: proto
src_ip: id.orig_h
src_port: id.orig_p
# DNS matching Taxonomy & DNS Category
answer: answers
#question_length: # Does not exist in open source version
record_type: qtype_name
#parent_domain: # Does not exist in open source version
# HTTP matching Taxonomy & Web/Proxy Category
cs-bytes: request_body_len
cs-cookie: cookie
r-dns: host
sc-bytes: response_body_len
sc-status: status_code
c-uri: uri
c-uri-extension: uri
c-uri-query: uri
c-uri-stem: uri
c-useragent: user_agent
cs-host: host
cs-method: method
cs-referrer: referrer
cs-version: version
# Few other variations of names from zeek source itself
id_orig_h: id.orig_h
id_orig_p: id.orig_p
id_resp_h: id.resp_h
2020-05-20 09:35:00 +00:00
id_resp_p: id.resp_p
2020-05-08 10:41:52 +00:00
# Temporary one off rule name fields
agent.version: version
c-cookie: cookie
c-ip: id.orig_h
cs-uri: uri
clientip: id.orig_h
clientIP: id.orig_h
dest_domain:
- query
- host
- server_name
dest_ip: id.resp_h
dest_port: id.resp_p
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname:
- query
- host
- server_name
2020-05-20 09:35:00 +00:00
DestinationAddress: id.resp_h
2020-05-08 10:41:52 +00:00
DestinationHostname:
- host
- query
- server_name
DestinationIp: id.resp_h
DestinationIP: id.resp_h
DestinationPort: id.resp_p
dst-ip: id.resp_h
dstip: id.resp_h
dstport: id.resp_p
Host:
- host
- query
- server_name
HostVersion: http.version
http_host:
- host
- query
- server_name
http_uri: uri
http_url: uri
http_user_agent: user_agent
http.request.url-query-params: uri
HttpMethod: method
in_url: uri
# parent_domain: # Not in open source zeek
post_url_parameter: uri
Request Url: uri
request_url: uri
request_URL: uri
RequestUrl: uri
#response: status_code
resource.url: uri
resource.URL: uri
sc_status: status_code
sender_domain:
- query
- server_name
service.response_code: status_code
source: id.orig_h
SourceAddr: id.orig_h
SourceAddress: id.orig_h
SourceIP: id.orig_h
SourceIp: id.orig_h
SourceNetworkAddress: id.orig_h
SourcePort: id.orig_p
srcip: id.orig_h
Status: status_code
status: status_code
url: uri
URL: uri
url_query: uri
url.query: uri
uri_path: uri
user_agent: user_agent
user_agent.name: user_agent
user-agent: user_agent
User-Agent: user_agent
useragent: user_agent
UserAgent: user_agent
User Agent: user_agent
web_dest:
- host
- query
- server_name
web.dest:
- host
- query
- server_name
Web.dest:
- host
- query
- server_name
web.host:
- host
- query
- server_name
Web.host:
- host
- query
- server_name
web_method: method
Web_method: method
web.method: method
Web.method: method
web_src: id.orig_h
web_status: status_code
Web_status: status_code
web.status: status_code
Web.status: status_code
web_uri: uri
web_url: uri
# Most are in ECS, but for things not using Elastic - these need renamed
destination.ip: id.resp_h
destination.port: id.resp_p
http.request.body.content: post_body
source.domain:
- host
- query
- server_name
source.ip: id.orig_h
source.port: id.orig_p