title: Corelight Zeek and Corelight Opensource Zeek Elastic Common Schema (ECS) implementation description: Uses the mappings as created by Corelight here https://github.com/corelight/ecs-mapping order: 20 backends: - es-qs - corelight_es-qs - es-dsl - elasticsearch-rule - corelight_elasticsearch-rule - kibana - corelight_kibana - xpack-watcher - corelight_xpack-watcher - elastalert - elastalert-dsl - ee-outliers logsources: zeek: product: zeek index: '*ecs-*' #'*ecs-corelight*' #'*ecs-zeek-* zeek-category-accounting: category: accounting rewrite: product: zeek service: syslog zeek-category-firewall: category: firewall rewrite: product: zeek service: conn zeek-category-dns: category: dns rewrite: product: zeek service: dns conditions: event.dataset: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-category-webserver: category: webserver rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: event.dataset: conn zeek-conn_long: product: zeek service: conn_long conditions: event.dataset: conn_long zeek-dce_rpc: product: zeek service: dce_rpc conditions: event.dataset: dce_rpc zeek-dns: product: zeek service: dns conditions: event.dataset: dns zeek-dnp3: product: zeek service: dnp3 conditions: event.dataset: dnp3 zeek-dpd: product: zeek service: dpd conditions: event.dataset: dpd zeek-files: product: zeek service: files conditions: event.dataset: files zeek-ftp: product: zeek service: ftp conditions: event.dataset: ftp zeek-gquic: product: zeek service: gquic conditions: event.dataset: gquic zeek-http: product: zeek service: http conditions: event.dataset: http zeek-http2: product: zeek service: http2 conditions: event.dataset: http2 zeek-intel: product: zeek service: intel conditions: event.dataset: intel zeek-irc: product: zeek service: irc conditions: event.dataset: irc zeek-kerberos: product: zeek service: kerberos conditions: event.dataset: kerberos zeek-known_certs: product: zeek service: known_certs conditions: event.dataset: known_certs zeek-known_hosts: product: zeek service: known_hosts conditions: event.dataset: known_hosts zeek-known_modbus: product: zeek service: known_modbus conditions: event.dataset: known_modbus zeek-known_services: product: zeek service: known_services conditions: event.dataset: known_services zeek-modbus: product: zeek service: modbus conditions: event.dataset: modbus zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: event.dataset: modbus_register_change zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: event.dataset: mqtt_connect zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: event.dataset: mqtt_publish zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: event.dataset: mqtt_subscribe zeek-mysql: product: zeek service: mysql conditions: event.dataset: mysql zeek-notice: product: zeek service: notice conditions: event.dataset: notice zeek-ntlm: product: zeek service: ntlm conditions: event.dataset: ntlm zeek-ntp: product: zeek service: ntp conditions: event.dataset: ntp zeek-ocsp: product: zeek service: ntp conditions: event.dataset: ocsp zeek-pe: product: zeek service: pe conditions: event.dataset: pe zeek-pop3: product: zeek service: pop3 conditions: event.dataset: pop3 zeek-radius: product: zeek service: radius conditions: event.dataset: radius zeek-rdp: product: zeek service: rdp conditions: event.dataset: rdp zeek-rfb: product: zeek service: rfb conditions: event.dataset: rfb zeek-sip: product: zeek service: sip conditions: event.dataset: sip zeek-smb_files: product: zeek service: smb_files conditions: event.dataset: smb_files zeek-smb_mapping: product: zeek service: smb_mapping conditions: event.dataset: smb_mapping zeek-smtp: product: zeek service: smtp conditions: event.dataset: smtp zeek-smtp_links: product: zeek service: smtp_links conditions: event.dataset: smtp_links zeek-snmp: product: zeek service: snmp conditions: event.dataset: snmp zeek-socks: product: zeek service: socks conditions: event.dataset: socks zeek-software: product: zeek service: software conditions: event.dataset: software zeek-ssh: product: zeek service: ssh conditions: event.dataset: ssh zeek-ssl: product: zeek service: ssl conditions: event.dataset: tls zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that product: zeek service: tls conditions: event.dataset: tls zeek-syslog: product: zeek service: syslog conditions: event.dataset: syslog zeek-tunnel: product: zeek service: tunnel conditions: event.dataset: tunnel zeek-traceroute: product: zeek service: traceroute conditions: event.dataset: traceroute zeek-weird: product: zeek service: weird conditions: event.dataset: weird zeek-x509: product: zeek service: x509 conditions: event.dataset: x509 zeek-ip_search: product: zeek service: network conditions: event.dataset: - conn - conn_long - dce_rpc - dhcp - dnp3 - dns - ftp - gquic - http - irc - kerberos - modbus - mqtt_connect - mqtt_publish - mqtt_subscribe - mysql - ntlm - ntp - radius - rfb - sip - smb_files - smb_mapping - smtp - smtp_links - snmp - socks - ssh - tls #SSL - tunnel - weird defaultindex: '*ecs-*' fieldmappings: # All Logs Applied Mapping & Taxonomy dst: destination.ip dst_ip: destination.ip dst_port: destination.port host: host.ip inner_vlan: network.vlan.inner.id mac: source.mac mime_type: file.mime_type network_application: network.protocol network_community_id: network.community_id network_protocol: network.transport password: source.user.password port_num: labels.known.port proto: network.transport result: event.outcome rtt: event.duration server_name: destination.domain src: source.ip src_ip: source.ip src_port: source.port success: event.outcome uri: url.original user: source.user.name username: source.user.name user_agent: user_agent.original vlan: network.vlan.id # DNS matching Taxonomy & DNS Category answer: dns.answers.name question_length: labels.dns.query_length record_type: dns.question.type parent_domain: dns.question.registered_domain # HTTP matching Taxonomy & Web/Proxy Category cs-bytes: http.request.body.bytes cs-cookie: http.cookie_vars r-dns: - url.domain - destination.domain sc-bytes: http.response.body.bytes sc-status: http.response.status_code c-uri: url.original c-uri-extension: url.extension c-uri-query: url.query c-uri-stem: url.original c-useragent: user_agent.original cs-host: - url.domain - destination.domain cs-method: http.request.method cs-referrer: http.request.referrer cs-version: http.version # All log UIDs cert_chain_fuids: log.id.cert_chain_fuids client_cert_chain_fuids: log.id.client_cert_chain_fuids client_cert_fuid: log.id.client_cert_fuid conn_uids: log.id.conn_uids fid: log.id.fid fuid: log.id.fuid fuids: log.id.fuids id: log.id.id orig_fuids: log.id.orig_fuids parent_fuid: log.id.parent_fuid related_fuids: log.id.related_fuids resp_fuids: log.id.resp_fuids server_cert_fuid: log.id.server_cert_fuid tunnel_parents: log.id.tunnel_parents uid: log.id.uid uids: log.id.uids uuid: log.id.uuid # Deep mappings / Overlapping fields/mappings (aka: shared fields) #_action action: #- '*.action' service=mqtt: mqtt.action service=smb_files: smb.action service=tunnel: tunnel.action mqtt_action: smb.action smb_action: smb.action tunnel_action: tunnel.action #_addl addl: #- '*.addl' service=dns: dns.addl service=weird: weird.addl dns_addl: dns.addl weird_addl: weird.addl #_analyzer analyzer: #- '*.analyzer' service=dpd: dpd.analyzer service=files: files.analyzer dpd_analyzer: dpd.analyzer files_analyzer: file.analyzer #_arg arg: #- '*.arg' service=ftp: ftp.arg service=msqyl: mysql.arg service=pop3: pop3.arg ftp_arg: ftp.arg mysql_arg: mysql.arg pop3_arg: pop3.arg #_auth auth: #- dns.auth service=dns: dns.auth service=rfb: rfb.auth dns_auth: dns.auth rfb_auth: rfb.auth #_cipher cipher: #- '*.client' service=kerberos: kerberos.cipher service=ssl: tls.cipher kerberos_cipher: kerberos.cipher ssl_cipher: tls.cipher tls_cipher: tls.cipher #_client client: #- '*.client' service=kerberos: kerberos.client service=ssh: ssh.client kerberos_client: kerberos.client ssh_client: ssh.client #_command command: #- '*.command' service=irc: irc.command service=ftp: ftp.command service=pop3: pop3.command ftp_command: ftp.command irc_command: irc.command pop3_command: pop3.command #_date date: #- '*.date' service=sip: sip.date service=smtp: smtp.date sip_date: sip.date smtp_date: smtp.date #_duration duration: #- event.duration service=conn: event.duration service=files: files.duration service=snmp: event.duration conn_duration: event.duration files_duration: files.duration snmp_duration: event.duration #_from from: #- '*.from' service=kerberos: kerberos.from service=smtp: smtp.from kerberos_from: kerberos.from smtp_from: smtp.from #_is_orig is_orig: #- '*.is_orig' service=file: file.is_orig service=pop3: pop3.is_orig files_is_orig: file.is_orig pop3_is_orig: pop3.is_orig #_local_orig local_orig: #- '*.local_orig' service=conn: conn.local_orig service=files: file.local_orig conn_local_orig: conn.local_orig files_local_orig: file.local_orig #_method method: #- http.request.method service=http: http.request.method service=sip: sip.method http_method: http.request.method sip_method: sip.method #_msg msg: #- notice.msg service=notice: notice.msg service=pop3: pop3.msg notice_msg: notice.msg pop3_msg: pop3.msg #_name name: #- file.name service=smb_files: file.name service=software: software.name service=weird: weird.name smb_files_name: file.name software_name: software.name weird_name: weird.name #_path path: #- file.path service=smb_files: file.path service=smb_mapping: file.path service=smtp: smtp.path smb_files_path: file.path smb_mapping_path: file.path smtp_path: smtp.path #_reply_msg reply_msg: #- '*.reply_msg' service=ftp: ftp.reply_msg service=radius: radius.reply_msg ftp_reply_msg: ftp.reply_msg radius_reply_msg: radius.reply_msg #_reply_to reply_to: #- '*.reply_to' service=sip: sip.reply_to service=smtp: smtp.reply_to sip_reply_to: sip.reply_to smtp_reply_to: smtp.reply_to #_response_body_len response_body_len: #- http.response.body.bytes service=http: http.response.body.bytes service=sip: sip.response_body_len http_response_body_len: http.response.body.bytes sip_response_body_len: sip.response_body_len #_request_body_len request_body_len: #- http.request.body.bytes service=http: http.response.body.bytes service=sip: sip.request_body_len http_request_body_len: http.response.body.bytes sip_request_body_len: sip.response_body_len #_rtt #rtt: #- event.duration #- 'zeek.*.rtt' #service=dns: event.duration #service=dce_rpc: event.duration dns_rtt: event.duration dce_rpc_rtt: event.duration #_service service: #- '*.service' service=kerberos: kerberos.service service=smb_mapping: smb.service kerberos_service: kerberos.service smb_mapping_kerberos: smb.service #_status status: #- '*.status' service=mqtt: mqtt.status service=pop3: pop3.status service=socks: socks.status mqtt_status: mqtt.status pop3_status: pop3.status socks_status: socks.status #_status_code status_code: #- 'http.response.status_code' service=http: http.response.status_code service=sip: sip.status_code http_status_code: http.response.status_code sip_status_code: sip.status_code #_status_msg status_msg: #- '*.status_msg' service=http: http.status_msg service=sip: sip.status_msg http_status_msg: http.status_msg sip_status_msg: sip.status_msg #_subject subject: #- '*.subject' service=known_certs: known_certs.subject service=sip: sip.subject service=smtp: smtp.subject service=ssl: tls.subject known_certs_subject: known_certs.subject sip_subject: sip.subject smtp_subject: smtp.subject ssl_subject: tls.subject #_service #_trans_depth trans_depth: #- '*.trans_depth' service=http: http.trans_depth service=sip: sip.trans_depth service=smtp: smtp.trans_depth http_trans_depth: http.trans_depth sip_trans_depth: sip.trans_depth smtp_trans_depth: smtp.trans_depth #_user_agent #user_agent: #already normalized http_user_agent: user_agent.original gquic_user_agent: user_agent.original sip_user_agent: user_agent.original smtp_user_agent: user_agent.original #_version version: #- '*.version' service=gquic: gquic.version service=http: http.version service=ntp: ntp.version service=socks: socks.version service=snmp: snmp.version service=ssh: ssh.version service=tls: tls.version gquic_version: gquic.version http_version: http.version ntp_version: ntp.version socks_version: socks.version snmp_version: snmp.version ssh_version: ssh.version ssl_version: tls.version tls_version: tls.version # Conn and Conn Long cache_add_rx_ev: conn.cache_add_rx_ev cache_add_rx_mpg: conn.cache_add_rx_mpg cache_add_rx_new: conn.cache_add_rx_new cache_add_tx_ev: conn.cache_add_tx_ev cache_add_tx_mpg: conn.cache_add_tx_mpg cache_del_mpg: conn.cache_del_mpg cache_entries: conn.cache_entries conn_state: conn.conn_state corelight_shunted: conn.corelight_shunted history: conn.history id.orig_h.name_src: conn.id.orig_h_name.src id.orig_h.names_vals: conn.id.orig_h_names.vals id.resp_h.name_src: conn.id.resp_h_name.src id.resp_h.name_vals: conn.id.resp_h_name.vals #local_orig: conn.local_orig local_resp: conn.local_resp missed_bytes: conn.missed_bytes orig_bytes: source.bytes orig_cc: source.geo.country_iso_code orig_ip_bytes: conn.orig_ip_bytes orig_l2_addr: source.mac orig_pkts: source.packets resp_bytes: destination.bytes resp_cc: destination.geo.country_iso_code resp_ip_bytes: conn.resp.ip_bytes resp_l2_addr: destination.mac resp_pkts: destination.packets # DCE-RPC Specific endpoint: dce_rpc.endpoint named_pipe: dce_rpc.named_pipe operation: dce_rpc.operation #rtt: dce_rpc.rtt # DHCP domain: source.domain host_name: source.hostname lease_time: dhcp.lease_time agent_remote_id: dhcp.agent_remote_id assigned_addr: dhcp.assigned_addr circuit_id: dhcp.circuit_id client_message: dhcp.client_message client_software: dhcp.client_software client_fqdn: source.fqdn #mac: source.mac msg_orig: dhcp.msg_orig msg_types: dhcp.msg_types requested_addr: dhcp.requested_addr server_addr: destination.ip server_message: dhcp.server_message server_software: dhcp.server_software subscriber_id: dhcp.subscriber_id # DNS AA: dns.AA #addl: dns.addl answers: dns.answers.name TTLs: dns.answers.ttl RA: dns.RA RD: dns.RD rejected: dns.rejected TC: dns.TC Z: dns.Z qclass: dns.qclass qclass_name: dns.question.class qtype: dns.qtype qtype_name: dns.question.type query: dns.question.name rcode_name: dns.response_code rcode: dns.rcode #rtt: dns.rtt trans_id: dns.id # DNP3 fc_reply: dnp3.fc_reply fc_request: dnp3.fc_request iin: dnp3.inn # DPD #analyzer: dpd.analyzer failure_reason: dpd.failure_reason packet_segment: dpd.packet_segment # Files rx_hosts: source.ip tx_hosts: destination.ip #analyzer: files.analyzer depth: files.depth #duration: files.duration extracted: files.extracted extracted_cutoff: files.extracted_cutoff extracted_size: files.extracted_size entropy: files.entropy md5: file.hash.md5 sha1: file.hash.sha1 sha256: file.hash.sha256 #is_orig: file.is_orig #local_orig: files.local_orig missing_bytes: files.missing_bytes filename: file.name overflow_bytes: files.overflow_bytes seen_bytes: files.seen_bytes source: network.protocol total_bytes: file.size timedout: files.timedout # GQUIC/QUIC cyu: gquic.cyu cyutags: gquic.cyutags #server_name: destination.domain tag_count: gquic.tag_count #user_agent: user_agent.original #version: gquic.version # FTP #arg: ftp.arg #command: ftp.command cwd: ftp.cwd data_channel.orig_h: ftp.data_channel.orig_h data_channel.passive: ftp.data_channel.passive data_channel.resp_h: ftp.data_channel.resp_h data_channel.resp_p: ftp.data_channel.resp_p passive: ftp.passive file_size: file.size #mime_type: file.mime_type #password: ftp.password reply_code: ftp.reply_code #reply_msg: ftp.reply_msg #user: source.user.name # HTTP client_header_names: http.client_header_names cookie_vars: http.cookie_vars flash_version: http.flash_version info_code: http.info_code info_msg: http.info_msg #method: http.request.method omniture: http.omniture orig_filenames: http.orig_filenames orig_mime_types: http.orig_mime_types origin: http.origin #password: source.user.password #response_body_len: http.response.body.bytes #request_body_len: http.request.body.bytes referrer: http.request.referrer post_body: http.post_body proxied: http.proxied resp_filenames: http.resp_filenames resp_mime_types: http.resp_mime_types server_header_names: http.server_header_names #status_code: http.response.status_code #status_msg: http.status_msg #trans_depth: http.trans_depth uri_vars: http.uri_vars #user_agent: user_agent.original #username: source.user.name #version: http.version # Intel file_mime_type: file.mime_type file_desc: intel.file_desc #host: host.ip matched: intel.matched indicator: intel.seen.indicator indicator_type: intel.seen.indicator_type node: intel.seen.node where: intel.seen.where sources: intel.seen.sources # IRC dcc_file_name: file.name dcc_file_size: file.size dcc_mime_type: file.mime_type #command: irc.command nick: irc.nick #user: source.user.name value: irc.command # Kerberos auth_ticket: kerberos.auth_ticket #cipher: kerberos.cipher #client: kerberos.client client_cert_subject: kerberos.client_cert_subject error_code: kerberos.error_code error_msg: kerberos.error_msg #from: kerberos.from forwardable: kerberos.forwardable new_ticket: kerberos.new_ticket renewable: kerberos.renewable request_type: kerberos.request_type server_cert_subject: kerberos.server_cert_subject #service: kerberos.service #success: event.outcome till: kerberos.till # Known_Certs #host: host.ip issuer_subject: known_certs.issuer_subject #port_num: labels.known.port serial: known_certs.serial #subject: known_certs.subject # Known_Modbus #host: host.ip device_type: known_modbus.device_type # Known_Services port_proto: network.transport #port_num: labels.known.port # Modbus All delta: modbus.delta new_val: modbus.new_val old_val: modbus.old_val register: modbus.register # Modbus func: modbus.func exception: modbus.exception track_address: modbus.track_address # ModBus_Register_Change #delta: modbus.delta #new_val: modbus.new_val #old_val: modbus.old_val #register: modbus.register # MQTT_Connect , MQTT_Publish, MQTT_Subscribe ack: mqtt.ack #action: mqtt.action client_id: mqtt.client_id connect_status: mqtt.connect_status from_client: mqtt.from_client granted_qos_level: mqtt.granted_qos_level payload: mqtt.payload payload_len: mqtt.payload_len proto_name: mqtt.proto_name proto_version: mqtt.proto_version qos: mqtt.qos qos_levels: mqtt.qos_levels retain: mqtt.retain #status: mqtt.status topic: mqtt.topic topics: mqtt.topics will_payload: mqtt.will_payload will_topic: mqtt.will_topic # MYSQL #arg: mysql.arg cmd: mysql.command response: mysql.response rows: mysql.rows #success: event.outcome # Notice actions: notice.actions dropped: notice.dropped #dst: destination.ip email_body_sections: notice.email_body_sections email_delay_tokens: notice.email_delay_tokens identifier: notice.identifier #msg: notice.msg n: notice.n note: notice.note p: destination.port peer_descr: notice.peer_descr peer_name: notice.peer_name #proto: network.transport #src: source.ip sub: notice.sub subpress_for: notice.subpress_for # NTLM domainname: ntlm.domainname hostname: ntlm.hostname #username: source.user.name server_nb_computer_name: ntlm.server_nb_computer_name server_tree_name: ntlm.server_tree_name #success: event.outcome server_dns_computer_name: ntlm.server_dns_computer_name # NTP mode: ntp.mode num_exts: ntp.num_exts org_time: ntp.org_time poll: ntp.poll precision: ntp.precision rec_time: ntp.rec_time ref_id: ntp.ref_id ref_time: ntp.ref_time root_delay: ntp.root_delay root_disp: ntp.root_disp stratum: ntp.stratum #version: ntp.version xmt_time: ntp.xmt_time # OCSP certStatus: oscp.certStatus hashAlgorithm: oscp.hashAlgorithm issuerKeyHash: oscp.issuerKeyHash issuerNameHash: oscp.issuerNameHash nextUpdate: oscp.nextUpdate revokereason: oscp.revokereason revoketime: oscp.revoketime serialNumber: oscp.serialNumber thisUpdate: oscp.thisUpdate # PE compile_ts: pe.compile_ts has_cert_table: pe.has_cert_table has_debug_data: pe.has_debug_data has_import_table: pe.has_import_table has_export_table: pe.has_export_table is_64bit: pe.is_64bit is_exe: pe.is_exe machine: pe.machine os: pe.os section_names: pe.section_names subsystem: pe.subsystem uses_aslr: pe.uses_aslr uses_code_integrity: pe.uses_code_integrity uses_dep: pe.uses_dep uses_seh: pe.uses_seh # POP3 #arg: pop3.arg #command: pop3.command current_request: pop3.current_request current_response: pop3.current_response data: pop3.data failed_commands: pop3.failed_commands has_client_activity: pop3.has_client_activity #is_orig: pop3.is_orig #msg: pop3.msg #password: source.user.password pending: pop3.pending #status: pop3.status successful_commands: pop3.successful_commands #username: source.user.name # Radius connect_info: radius.connect_info framed_addr: radius.framed_addr #mac: source.mac #reply_msg: radius.reply_msg #result: event.outcome ttl: event.duration tunnel_client: radius.tunnel_client #username: source.user.name # RDP cert_count: rdp.cert_count cert_permanent: rdp.cert_permanent cert_type: rdp.cert_type client_build: rdp.client_build client_dig_product_id: rdp.client_dig_product_id client_name: source.hostname cookie: rdp.cookie desktop_height: rdp.desktop_height desktop_width: rdp.desktop_width encryption_level: rdp.encryption_level encryption_method: rdp.encryption_method keyboard_layout: rdp.keyboard_layout requested_color_depth: rdp.requested_color_depth #result: event.outcome security_protocol: rdp.security_protocol ssl: rdp.ssl # RFB #auth: event.outcome authentication_method: rfb.authentication_method client_major_version: rfb.client_major_version client_minor_version: rfb.client_minor_version desktop_name: destination.hostname height: rfb.height server_major_version: rfb.server_major_version server_minor_version: rfb.server_minor_version share_flag: rfb.share_flag width: rfb.width # SIP call_id: sip.call_id content_type: sip.content_type #date: sip.date #method: sip.method #reply_to: sip.reply_to #request_body_len: sip.request_body_len request_from: sip.request_from request_path: sip.request_path request_to: sip.request_to #response_body_len: sip.response_body_len response_from: sip.response_from response_path: sip.response_path response_to: sip.response_to seq: sip.seq #status_code: sip.status_code #status_msg: sip.status_msg #subject: sip.subject #trans_depth: sip.trans_depth #uri: url.original warning: sip.warning #user_agent: user_agent.original # SMB_Files #action: smb.action #name: file.name #path: file.path prev_name: smb.prev_name size: file.size times_accessed: file.accessed times_changed: file.ctime times_created: file.created times_modified: file.mtime # SMB_Mapping native_file_system: smb.native_file_system #path: file.path share_type: smb.share_type #service: smb.service # SMTP cc: smtp.cc #date: smtp.date first_received: smtp.first_received #from: smtp.from helo: smtp.helo in_reply_to: smtp.in_reply_to is_webmail: smtp.is_webmail last_reply: smtp.last_reply mailfrom: smtp.mailfrom msg_id: smtp.msg_id #path: smtp.path rcptto: smtp.rcptto #reply_to: smtp.reply_to second_received: smtp.second_received #subject: smtp.subject tls: smtp.tls to: smtp.to #trans_depth: smtp.trans_depth x_originating_ip: smtp.x_originating_ip #user_agent: user_agent.original # SMTP_Links #cs-host: url.domain #c-uri: url.original # SNMP #duration: event.duration community: snmp.community display_string: snmp.display_string get_bulk_requests: snmp.get_bulk_requests get_requests: snmp.get_requests set_requests: snmp.set_requests up_since: snmp.up_since #version: snmp.version # Socks #password: source.user.password bound_host: socks.bound_host bound_name: socks.bound_name bound_p: socks.bound_p request_host: socks.request_host request_name: socks.request_name request_p: socks.request_p #status: socks.status #version: socks.version # Software #host: host.ip host_p: software.host_port version.major: software.version.major version.minor: software.version.minor version.minor2: software.version.minor2 version.minor3: software.version.minor3 #name: software.name unparsed_version: software.unparsed_version software_type: software.software_type #url: url.original # SSH auth_attempts: ssh.auth_attempts auth_success: event.outcome cipher_alg: ssh.cipher_alg #client: ssh.client compression_alg: ssh.compression_alg cshka: ssh.cshka direction: network.direction hassh: ssh.hassh hasshAlgorithms: ssh.hasshAlgorithms hasshServer: ssh.hasshServer hasshServerAlgorithms: ssh.hasshServerAlgorithms hasshVersion: ssh.hasshVersion host_key: ssh.host_key host_key_alg: ssh.host_key_alg kex_alg: ssh.kex_alg mac_alg: ssh.mac_alg server: ssh.server #version: ssh.version # SSL / TLS #cipher: tls.cipher client_issuer: tls.client.issuer client_subject: tls.client.subject curve: tls.curve established: tls.established issuer: tls.server.issuer ja3: tls.client.ja3 ja3s: tls.client.ja3s last_alert: ssl.last_alert next_protocol: tls.next_protocol notary: ssl.notary ocsp_status: ssl.oscp_status orig_certificate_sha1: tls.client.hash.sha1 resp_certificate_sha1: tls.server.hash.sha1 resumed: tls.resumed #server_name: tls.client.server_name #subject: tls.server.subject valid_ct_logs: ssl.valid_ct_logs valid_ct_operators: ssl.validct_operators valid_ct_operators_list: ssl.valid_ct_operators_list validation_status: ssl.validation_status #version: tls.version version_num: ssl.version_num # Syslog facility: log.syslog.facility.name severity: log.syslog.severity.name message: syslog.message # Traceroute #proto: network.transport #dst: destination.ip #src: source.ip # Tunnel #action: tunnel.action tunnel_type: tunnel.tunnel_type # Weird #addl: weird.addl #name: weird.name notice: weird.notice peer: weird.peer # X509 basic_constraints.ca: x509.certificate.basic_constraints_ca basic_constraints.path_len: x509.certificate.basic_constraints_path_length certificate.cn: x509.certificate.cn certificate.curve: x509.certificate.curve certificate.exponent: x509.certificate.exponent certificate.issuer: x509.certificate.issuer certificate.key_alg: x509.certificate.key_alg certificate.key_length: x509.certificate.key_length certificate.key_type: x509.certificate.key_type certificate.not_valid_after: x509.certificate.not_valid_after certificate.not_valid_before: x509.certificate.not_valid_before certificate.serial: x509.certificate.serial certificate.sig_alg: x509.certificate.sig_alg certificate.subject: x509.certificate.subject certificate.version: x509.certificate.version logcert: x509.logcert san.dns: x509.san.dns san.email: x509.san.email san.ip: x509.san.ip san.uri: x509.san.url # Few other variations of names from zeek source itself id_orig_h: source.ip id_orig_p: source.port id_resp_h: destination.ip id_resp_p: destination.port # Temporary one off rule name fields cs-uri: url.original # destination.domain: # destination.ip: # destination.port: # http.response.status_code # http.request.body.content # source.domain: # source.ip: # source.port: agent.version: http.version c-ip: source.ip clientip: source.ip clientIP: source.ip dest_domain: - destination.domain - url.domain dest_ip: destination.ip dest_port: destination.port #TODO:WhatShouldThisBe?==dest: #TODO:WhatShouldThisBe?==destination: #TODO:WhatShouldThisBe?==Destination: destination.hostname: - destination.domain - url.domain DestinationAddress: destination.ip DestinationHostname: - destination.domain - url.domain DestinationIp: destination.ip DestinationIP: destination.ip DestinationPort: destination.port dst-ip: destination.ip dstip: destination.ip dstport: destination.port Host: - destination.domain - url.domain #host: # - destination.domain # - url.domain HostVersion: http.version http_host: - destination.domain - url.domain http_uri: url.original http_url: url.original #http_user_agent: user_agent.original http.request.url-query-params: url.original HttpMethod: http.request.method in_url: url.original #parent_domain: # - url.registered_domain # - destination.registered_domain post_url_parameter: url.original Request Url: url.original request_url: url.original request_URL: url.original RequestUrl: url.original #response: http.response.status_code resource.url: url.original resource.URL: url.original sc_status: http.response.status_code sender_domain: - destination.domain - url.domain service.response_code: http.response.status_code SourceAddr: - source.address - source.ip SourceAddress: source.ip SourceIP: source.ip SourceIp: source.ip SourceNetworkAddress: - source.address - source.ip SourcePort: source.port srcip: source.ip Status: http.response.status_code #status: http.response.status_code url: url.original URL: url.original url_query: url.original url.query: url.original uri_path: url.original #user_agent: user_agent.original user_agent.name: user_agent.original user-agent: user_agent.original User-Agent: user_agent.original useragent: user_agent.original UserAgent: user_agent.original User Agent: user_agent.original web_dest: - url.domain - destination.domain web.dest: - url.domain - destination.domain Web.dest: - url.domain - destination.domain web.host: - url.domain - destination.domain Web.host: - url.domain - destination.domain web_method: http.request.method Web_method: http.request.method web.method: http.request.method Web.method: http.request.method web_src: source.ip web_status: http.response.status_code Web_status: http.response.status_code web.status: http.response.status_code Web.status: http.response.status_code web_uri: url.original web_url: url.original