title: Elastic Common Schema (ECS) implementation for Zeek using filebeat modules enabled based on version 7.6.1 order: 20 backends: - es-qs - es-dsl - es-rule - elasticsearch-rule - kibana - kibana-ndjson - xpack-watcher - elastalert - elastalert-dsl - ee-outliers logsources: zeek: product: zeek index: 'filebeat*' zeek-category-accounting: category: accounting rewrite: product: zeek service: syslog zeek-category-firewall: category: firewall rewrite: product: zeek service: conn zeek-category-dns: category: dns rewrite: product: zeek service: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-category-webserver: category: webserver rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: event.dataset: zeek.conn zeek-conn_long: product: zeek service: conn_long conditions: event.dataset: zeek.conn_long zeek-dce_rpc: product: zeek service: dce_rpc conditions: event.dataset: zeek.dce_rpc zeek-dns: product: zeek service: dns conditions: event.dataset: zeek.dns zeek-dnp3: product: zeek service: dnp3 conditions: event.dataset: zeek.dnp3 zeek-dpd: product: zeek service: dpd conditions: event.dataset: zeek.dpd zeek-files: product: zeek service: files conditions: event.dataset: zeek.files zeek-ftp: product: zeek service: ftp conditions: event.dataset: zeek.ftp zeek-gquic: product: zeek service: gquic conditions: event.dataset: zeek.gquic zeek-http: product: zeek service: http conditions: event.dataset: zeek.http zeek-http2: product: zeek service: http2 conditions: event.dataset: zeek.http2 zeek-intel: product: zeek service: intel conditions: event.dataset: zeek.intel zeek-irc: product: zeek service: irc conditions: event.dataset: zeek.irc zeek-kerberos: product: zeek service: kerberos conditions: event.dataset: zeek.kerberos zeek-known_certs: product: zeek service: known_certs conditions: event.dataset: zeek.known_certs zeek-known_hosts: product: zeek service: known_hosts conditions: event.dataset: zeek.known_hosts zeek-known_modbus: product: zeek service: known_modbus conditions: event.dataset: zeek.known_modbus zeek-known_services: product: zeek service: known_services conditions: event.dataset: zeek.known_services zeek-modbus: product: zeek service: modbus conditions: event.dataset: zeek.modbus zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: event.dataset: zeek.modbus_register_change zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: event.dataset: zeek.mqtt_connect zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: event.dataset: zeek.mqtt_publish zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: event.dataset: zeek.mqtt_subscribe zeek-mysql: product: zeek service: mysql conditions: event.dataset: zeek.mysql zeek-notice: product: zeek service: notice conditions: event.dataset: zeek.notice zeek-ntlm: product: zeek service: ntlm conditions: event.dataset: zeek.ntlm zeek-ntp: product: zeek service: ntp conditions: event.dataset: zeek.ntp zeek-ocsp: product: zeek service: ntp conditions: event.dataset: zeek.ocsp zeek-pe: product: zeek service: pe conditions: event.dataset: zeek.pe zeek-pop3: product: zeek service: pop3 conditions: event.dataset: zeek.pop3 zeek-radius: product: zeek service: radius conditions: event.dataset: zeek.radius zeek-rdp: product: zeek service: rdp conditions: event.dataset: zeek.rdp zeek-rfb: product: zeek service: rfb conditions: event.dataset: zeek.rfb zeek-sip: product: zeek service: sip conditions: event.dataset: zeek.sip zeek-smb_files: product: zeek service: smb_files conditions: event.dataset: zeek.smb_files zeek-smb_mapping: product: zeek service: smb_mapping conditions: event.dataset: zeek.smb_mapping zeek-smtp: product: zeek service: smtp conditions: event.dataset: zeek.smtp zeek-smtp_links: product: zeek service: smtp_links conditions: event.dataset: zeek.smtp_links zeek-snmp: product: zeek service: snmp conditions: event.dataset: zeek.snmp zeek-socks: product: zeek service: socks conditions: event.dataset: zeek.socks zeek-software: product: zeek service: software conditions: event.dataset: zeek.software zeek-ssh: product: zeek service: ssh conditions: event.dataset: zeek.ssh zeek-ssl: product: zeek service: ssl conditions: event.dataset: zeek.tls zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that product: zeek service: tls conditions: event.dataset: zeek.tls zeek-syslog: product: zeek service: syslog conditions: event.dataset: zeek.syslog zeek-tunnel: product: zeek service: tunnel conditions: event.dataset: zeek.tunnel zeek-traceroute: product: zeek service: traceroute conditions: event.dataset: zeek.traceroute zeek-weird: product: zeek service: weird conditions: event.dataset: zeek.weird zeek-x509: product: zeek service: x509 conditions: event.dataset: zeek.x509 zeek-ip_search: product: zeek service: network conditions: event.dataset: - connection #- conn_long - dce_rpc - dhcp - dnp3 - dns - ftp - gquic - http - irc - kerberos - modbus - mqtt_connect - mqtt_publish - mqtt_subscribe - mysql - ntlm - ntp - radius - rfb - sip - smb_files - smb_mapping - smtp - smtp_links - snmp - socks - ssh - tls #SSL - tunnel - weird defaultindex: 'filebeat*' fieldmappings: # All Logs Applied Mapping & Taxonomy dst: - destination.address - destination.ip dst_ip: - destination.address - destination.ip dst_port: destination.port #host: host.ip # Not implemented by Elastic (Beats) yet #inner_vlan: network.vlan.inner.id # Not implemented by Elastic (Beats) yet #mac: source.mac #mime_type: file.mime_type # Not implemented by Elastic (Beats) yet network_application: network.protocol network_community_id: network.community_id network_protocol: network.transport #password: source.user.password #port_num: labels.known.port proto: network.transport #result: event.outcome # Not implemented by Elastic (Beats) yet #rtt: event.duration # Not implemented by Elastic (Beats) yet #server_name: destination.domain src: - source.address - source.ip src_ip: source.ip src_port: source.port #success: event.outcome # Not implemented by Elastic (Beats) yet #uri: url.original #user: source.user.name #username: source.user.name # Not complete by Elastic (Beats) yet #user_agent: user_agent.original #vlan: network.vlan.id # Not implemented by Elastic (Beats) yet # Overlapping fields/mappings (aka: shared fields) action: 'zeek.smb_files.action' mqtt_action: smb.action smb_action: smb.action tunnel_action: tunnel.action addl: 'zeek.weird.additional_info' dns_addl: zeek.dns.addl weird_addl: zeek.weird.additional_info arg: 'zeek.*.arg' ftp_arg: zeek.ftp.arg mysql_arg: zeek.mysql.arg pop3_arg: zeek.pop3.arg auth: 'zeek.*.auth*' cipher: 'zeek.*.cipher' kerberos_cipher: zeek.kerberos.cipher ssl_cipher: zeek.ssl.cipher tls_cipher: zeek.ssl.cipher client: 'zeek.*.client*' command: 'zeek.*.command' ftp_command: zeek.irc.command irc_command: zeek.ftp.command pop3_command: zeek.pop3.command date: 'zeek.*.date' duration: event.duration from: 'zeek.*.from' kerberos_from: zeek.smtp.from smtp_from: zeek.kerberos.valid.from is_orig: 'zeek.*.is_orig' local_orig: 'zeek.*.local_orig' method: http.request.method http_method: http.request.method sip_method: zeek.sip.sequence.method name: 'zeek.smb_files.name' smb_files_name: zeek.smb_files.name software_name: zeek.software.name weird_name: zeek.weird.name path: 'zeek.*.path' smb_mapping_path: zeek.smb_mapping.path smb_files_path: zeek.smb_files.path smtp_files_path: zeek.smtp.path password: 'zeek.*.password' reply_msg: 'zeek.*.reply*msg' reply_to: 'zeek.*.reply_to' response_body_len: http.response.body.bytes request_body_len: http.request.body.bytes rtt: event.duration status_code: 'http.response.status_code' status_msg: 'zeek.*status*msg' #_service: service: 'zeek.*.service' kerberos_service: zeek.kerberos.service smb_mapping_kerberos: zeek.smb_mapping.service #_subject: subject: - 'zeek.*.subject' known_certs_subject: zeek.known_certs.subject sip_subject: zeek.sip.subject smtp_subject: zeek.smtp.subject ssl_subject: zeek.ssl.subject trans_depth: 'zeek.*.trans*depth' username: 'zeek.*.username' uri: 'url.original' user: 'zeek.*user*' #_user_agent user_agent: - 'zeek.*user_agent*' http_user_agent: user_agent.original gquic_user_agent: zeek.gquic.user_agent sip_user_agent: zeek.sip.user_agent smtp_user_agent: zeek.smtp.user_agent #_version version: 'zeek.*.version' gquic_version: zeek.gquic.version http_version: http.version ntp_version: zeek.ntp.version socks_version: zeek.socks.version snmp_version: zeek.snmp.version ssh_version: zeek.ssh.version tls_version: zeek.ssl.version # DNS matching Taxonomy & DNS Category answer: dns.answers.name question_length: labels.dns.query_length record_type: dns.question.type parent_domain: dns.question.registered_domain # HTTP matching Taxonomy & Web/Proxy Category cs-bytes: http.request.body.bytes cs-cookie: http.cookie_vars r-dns: - url.domain - destination.domain sc-bytes: http.response.body.bytes sc-status: http.response.status_code c-uri: url.original c-uri-extension: url.extension c-uri-query: url.query c-uri-stem: url.original c-useragent: user_agent.original cs-host: - url.domain - destination.domain cs-method: http.request.method cs-referrer: http.request.referrer cs-version: http.version uid: zeek.session_id # Conn cache_add_rx_ev: zeek.connection.cache_add_rx_ev cache_add_rx_mpg: zeek.connection.cache_add_rx_mpg cache_add_rx_new: zeek.connection.cache_add_rx_new cache_add_tx_ev: zeek.connection.cache_add_tx_ev cache_add_tx_mpg: zeek.connection.cache_add_tx_mpg cache_del_mpg: zeek.connection.cache_del_mpg cache_entries: zeek.connection.cache_entries conn_state: zeek.connection.conn_state conn_uids: zeek.files.session_ids corelight_shunted: zeek.connection.corelight_shunted history: zeek.connection.history id.orig_h.name_src: zeek.connection.id.orig_h_name.src id.orig_h.names_vals: zeek.connection.id.orig_h_names.vals id.resp_h.name_src: zeek.connection.id.resp_h_name.src id.resp_h.name_vals: zeek.connection.id.resp_h_name.vals #local_orig: zeek.connection.local_orig local_resp: zeek.connection.local_resp missed_bytes: zeek.connection.missed_bytes orig_bytes: source.bytes orig_cc: source.geo.country_iso_code orig_ip_bytes: zeek.connection.orig_ip_bytes orig_l2_addr: source.mac orig_pkts: source.packets resp_bytes: destination.bytes resp_cc: destination.geo.country_iso_code resp_ip_bytes: zeek.connection.resp.ip_bytes resp_l2_addr: destination.mac resp_pkts: destination.packets # DCE-RPC Specific endpoint: zeek.dce_rpc.endpoint named_pipe: zeek.dce_rpc.named_pipe operation: zeek.dce_rpc.operation #rtt: zeek.dce_rpc.rtt # DHCP domain: zeek.dhcp.domain host_name: zeek.dhcp.hostname lease_time: zeek.dhcp.lease_time agent_remote_id: zeek.dhcp.agent_remote_id assigned_addr: zeek.dhcp.assigned_addr circuit_id: zeek.dhcp.circuit_id client_message: zeek.dhcp.client_message client_software: zeek.dhcp.client_software client_fqdn: zeek.dhcp.client_fqdn #mac: source.mac msg_orig: zeek.dhcp.msg_orig msg_types: zeek.dhcp.msg_types requested_addr: zeek.dhcp.requested_addr server_addr: destination.ip server_message: zeek.dhcp.server_message server_software: zeek.dhcp.server_software subscriber_id: zeek.dhcp.subscriber_id #zeek.zeek.dhcp.client_port: Elastic has this, but is not actually a zeek log field for dhcp #zeek.zeek.dhcp.server_port: Elastic has this, but is not actually a zeek log field for dhcp # DNS AA: zeek.dns.AA #addl: zeek.dns.addl #auth: zeek.dns.auth answers: dns.answers.name TTLs: dns.answers.ttl RA: zeek.dns.RA RD: zeek.dns.RD rejected: zeek.dns.rejected TC: zeek.dns.TC Z: zeek.dns.Z qclass: zeek.dns.qclass qclass_name: dns.question.class qtype: zeek.dns.qtype qtype_name: dns.question.type query: dns.question.name rcode_name: dns.response_code rcode: zeek.dns.rcode #rtt: zeek.dns.rtt trans_id: dns.id # DNP3 fc_reply: dnp3.function.reply fc_request: dnp3.function.request iin: dnp3.inn # DPD #analyzer: dpd.analyzer failure_reason: dpd.failure_reason packet_segment: dpd.packet_segment # Files rx_hosts: zeek.files.rx_host tx_hosts: zeek.files.tx_host #analyzer: zeek.files.analyzer depth: zeek.files.depth #duration: zeek.files.duration extracted: zeek.files.extracted extracted_cutoff: zeek.files.extracted_cutoff extracted_size: zeek.files.extracted_size entropy: zeek.files.entropy md5: zeek.files.md5 sha1: zeek.files.sha1 sha256: zeek.files.sha256 #is_orig: zeek.files.is_orig #local_orig: zeek.files.local_orig missing_bytes: zeek.files.missing_bytes filename: zeek.files.filename overflow_bytes: zeek.files.overflow_bytes seen_bytes: zeek.files.seen_bytes total_bytes: zeek.files.total_bytes timedout: zeek.files.timedout # GQUIC/QUIC cyu: gquic.cyu cyutags: gquic.cyutags #server_name: destination.domain tag_count: gquic.tag_count #user_agent: user_agent.original #version: gquic.version # FTP #arg: zeek.ftp.arg #command: zeek.ftp.command cwd: zeek.ftp.cwd data_channel.passive: zeek.ftp.data_channel.passive data_channel.orig_h: zeek.ftp.data_channel.originating_host data_channel.resp_h: zeek.ftp.data_channel.response_host data_channel.resp_p: zeek.ftp.data_channel.response_port file_size: zeek.ftp.file.size passive: zeek.ftp.passive #password: zeek.ftp.password reply_code: zeek.ftp.reply.code #reply_msg: zeek.ftp.reply.msg #user: zeek.ftp.user.name # HTTP client_header_names: zeek.http.client_header_names cookie_vars: zeek.http.cookie_vars flash_version: zeek.http.flash_version info_code: zeek.http.info_code info_msg: zeek.http.info_msg #method: http.request.method omniture: zeek.http.omniture orig_filenames: zeek.http.orig_filenames orig_mime_types: zeek.http.orig_mime_types origin: zeek.http.origin #password: zeek.http.password #response_body_len: http.response.body.bytes #request_body_len: http.request.body.bytes referrer: http.request.referrer post_body: zeek.http.post_body proxied: zeek.http.proxied resp_filenames: zeek.http.resp_filenames resp_mime_types: zeek.http.resp_mime_types server_header_names: zeek.http.server_header_names #status_msg: zeek.http.status_msg #trans_depth: zeek.http.trans_depth #uri: url.original uri_vars: zeek.http.uri_vars #user_agent: user_agent.original #username: source.user.name #version: http.version # Intel file_mime_type: zeek.intel.mime_type file_desc: zeek.intel.file_desc host: zeek.intel.seen.host matched: zeek.intel.matched indicator: zeek.intel.seen.indicator indicator_type: zeek.intel.seen.indicator_type node: zeek.intel.seen.node where: zeek.intel.seen.where sources: zeek.intel.seen.sources # IRC dcc_file_name: zeek.irc.dcc.file.name dcc_file_size: zeek.irc.dcc.file.size dcc_mime_type: zeek.irc.dcc.mime_type #command: zeek.irc.command nick: zeek.irc.nick #user: zeek.irc.username value: zeek.irc.command # Kerberos auth_ticket: zeek.kerberos.ticket.auth #cipher: zeek.kerberos.cipher #client: zeek.kerberos.cert.client.value client_cert_subject: zeek.kerberos.cert.client.subject error_code: zeek.kerberos.error.code error_msg: zeek.kerberos.error.msg forwardable: zeek.kerberos.forwardable #from: zeek.kerberos.valid.from new_ticket: zeek.kerberos.ticket.new renewable: zeek.kerberos.renewable request_type: zeek.kerberos.request_type #service: zeek.kerberos.service success: zeek.kerberos.success server_cert_subject: zeek.kerberos.cert.server.subject till: zeek.kerberos.valid.until # Known_Certs #host: host.ip # known_services not in Elastic Beats at all #issuer_subject: known_certs.issuer_subject # known_services not in Elastic Beats at all #port_num: labels.known.port # known_services not in Elastic Beats at all #serial: known_certs.serial # known_services not in Elastic Beats at all #subject: known_certs.subject # known_services not in Elastic Beats at all # Known_Modbus #host: host.ip # known_services not in Elastic Beats at all #device_type: known_modbus.device_type # known_services not in Elastic Beats at all # Known_Services #port_proto: network.transport # known_services not in Elastic Beats at all #port_num: labels.known.port # known_services not in Elastic Beats at all # Modbus delta: zeek.modbus.delta new_val: zeek.modbus.new_val old_val: zeek.modbus.old_val register: zeek.modbus.register func: zeek.modbus.function exception: zeek.modbus.exception track_address: zeek.modbus.track_address # ModBus_Register_Change #delta: modbus.delta # modbus_register_change not in Elastic Beats at all #new_val: modbus.new_val # modbus_register_change not in Elastic Beats at all #old_val: modbus.old_val # modbus_register_change not in Elastic Beats at all #register: modbus.register # modbus_register_change not in Elastic Beats at all # MQTT_Connect , MQTT_Publish, MQTT_Subscribe #ack: mqtt.ack # mqtt logs not in Elastic Beats at all #action: mqtt.action # mqtt logs not in Elastic Beats at all #client_id: mqtt.client_id # mqtt logs not in Elastic Beats at all #connect_status: mqtt.connect_status # mqtt logs not in Elastic Beats at all #from_client: mqtt.from_client # mqtt logs not in Elastic Beats at all #granted_qos_level: mqtt.granted_qos_level # mqtt logs not in Elastic Beats at all #payload: mqtt.payload # mqtt logs not in Elastic Beats at all #payload_len: mqtt.payload_len # mqtt logs not in Elastic Beats at all #proto_name: mqtt.proto_name # mqtt logs not in Elastic Beats at all #proto_version: mqtt.proto_version # mqtt logs not in Elastic Beats at all #qos: mqtt.qos # mqtt logs not in Elastic Beats at all #qos_levels: mqtt.qos_levels # mqtt logs not in Elastic Beats at all #retain: mqtt.retain # mqtt logs not in Elastic Beats at all ##status: mqtt.status # mqtt logs not in Elastic Beats at all #topic: mqtt.topic # mqtt logs not in Elastic Beats at all #topics: mqtt.topics # mqtt logs not in Elastic Beats at all #will_payload: mqtt.will_payload # mqtt logs not in Elastic Beats at all #will_topic: mqtt.will_topic # mqtt logs not in Elastic Beats at all # MYSQL #arg: mysql.arg cmd: zeek.mysql.cmd response: zeek.mysql.response rows: zeek.mysql.rows #success: event.outcome # Notice actions: zeek.notice.actions #conn: # Not an actual field logged, but Beats has it #iconn: # Not an actual field logged, but Beats has it dropped: zeek.notice.dropped #dst: destination.ip email_body_sections: zeek.notice.email_body_sections email_delay_tokens: zeek.notice.email_delay_tokens identifier: zeek.notice.identifier msg: zeek.notice.msg n: zeek.notice.n note: zeek.notice.note p: destination.port peer_descr: zeek.notice.peer_descr peer_name: zeek.notice.peer_name #proto: network.transport #src: source.ip sub: zeek.notice.sub subpress_for: zeek.notice.subpress_for # NTLM domainname: zeek.ntlm.domain hostname: zeek.ntlm.hostname #username: notice.username server_nb_computer_name: zeek.ntlm.server.name.netbios server_tree_name: zeek.ntlm.server.name.tree #success: event.outcome server_dns_computer_name: zeek.ntlm.server.name.dns # NTP #mode: ntp.mode # ntp not in Elastic Beats at all #num_exts: ntp.num_exts # ntp not in Elastic Beats at all #org_time: ntp.org_time # ntp not in Elastic Beats at all #poll: ntp.poll # ntp not in Elastic Beats at all #precision: ntp.precision # ntp not in Elastic Beats at all #rec_time: ntp.rec_time # ntp not in Elastic Beats at all #ref_id: ntp.ref_id # ntp not in Elastic Beats at all #ref_time: ntp.ref_time # ntp not in Elastic Beats at all #root_delay: ntp.root_delay # ntp not in Elastic Beats at all #root_disp: ntp.root_disp # ntp not in Elastic Beats at all #stratum: ntp.stratum # ntp not in Elastic Beats at all ##version: ntp.version # ntp not in Elastic Beats at all #xmt_time: ntp.xmt_time # ntp not in Elastic Beats at all # OCSP certStatus: zeek.ocsp.status hashAlgorithm: zeek.ocsp.hash.algorithm issuerKeyHash: zeek.ocsp.hash.issuer.key issuerNameHash: zeek.ocsp.hash.issuer.name nextUpdate: zeek.ocsp.update.next revokereason: zeek.ocsp.revoke.reason revoketime: zeek.ocsp.revoke.date serialNumber: zeek.ocsp.serial_number thisUpdate: zeek.ocsp.update.this # PE compile_ts: zeek.pe.compile_time has_cert_table: zeek.pe.has_cert_table has_debug_data: zeek.pe.has_debug_data has_import_table: zeek.pe.has_import_table has_export_table: zeek.pe.has_export_table is_64bit: zeek.pe.is_64bit is_exe: zeek.pe.is_exe machine: zeek.pe.machine os: zeek.pe.os section_names: zeek.pe.section_names subsystem: zeek.pe.subsystem uses_aslr: zeek.pe.uses_aslr uses_code_integrity: zeek.pe.uses_code_integrity uses_dep: zeek.pe.uses_dep uses_seh: zeek.pe.uses_seh # POP3 #arg: pop3.arg # pop3 not in Elastic Beats at all #command: pop3.command # pop3 not in Elastic Beats at all #current_request: pop3.current_request # pop3 not in Elastic Beats at all #current_response: pop3.current_response # pop3 not in Elastic Beats at all #data: pop3.data # pop3 not in Elastic Beats at all #failed_commands: pop3.failed_commands # pop3 not in Elastic Beats at all #has_client_activity: pop3.has_client_activity # pop3 not in Elastic Beats at all #is_orig: pop3.is_orig # pop3 not in Elastic Beats at all #msg: pop3.msg # pop3 not in Elastic Beats at all #password: source.user.password # pop3 not in Elastic Beats at all #pending: pop3.pending # pop3 not in Elastic Beats at all #status: pop3.status # pop3 not in Elastic Beats at all #successful_commands: pop3.successful_commands # pop3 not in Elastic Beats at all #username: pop3.username # pop3 not in Elastic Beats at all # Radius connect_info: zeek.radius.connect_info framed_addr: zeek.radius.framed_addr mac: zeek.radius.mac #reply_msg: zeek.radius.reply_msg result: zeek.radius.result ttl: zeek.radius.ttl tunnel_client: zeek.radius.tunnel_client #username: zeek.radius.username # RDP #result: event.outcome cert_count: zeek.rdp.cert.count cert_permanent: zeek.rdp.cert.permanent cert_type: zeek.rdp.cert.type client_build: zeek.rdp.client.build client_dig_product_id: zeek.rdp.client.product_id client_name: zeek.rdp.client.name cookie: zeek.rdp.cookie desktop_height: zeek.rdp.desktop.height desktop_width: zeek.rdp.desktop.width encryption_level: zeek.rdp.encryption.level encryption_method: zeek.rdp.encryption.method keyboard_layout: zeek.rdp.keyboard_layout requested_color_depth: zeek.rdp.desktop.color_depth security_protocol: zeek.rdp.security_protocol ssl: zeek.rdp.ssl # RFB #auth: zeek.rfb.auth.success authentication_method: zeek.rfb.auth.method client_major_version: zeek.rfb.version.client.major client_minor_version: zeek.rfb.version.client.minor desktop_name: zeek.rfb.desktop_name height: zeek.rfb.height server_major_version: zeek.rfb.version.server.major server_minor_version: zeek.rfb.version.server.minor share_flag: zeek.rfb.share_flag width: zeek.rfb.width # SIP call_id: zeek.sip.call_id content_type: zeek.sip.content_type #date: zeek.sip.date #method: zeek.sip.sequence.method #reply_to: zeek.sip.reply_to #request_body_len: zeek.sip.response.body_length request_from: zeek.sip.request.from request_path: zeek.sip.request.path request_to: zeek.sip.request.to #response_body_len: zeek.sip.request.body_length response_from: zeek.sip.response.from response_path: zeek.sip.response.path response_to: zeek.sip.response.to seq: zeek.sip.seq #status_code: zeek.sip.status.code #status_msg: zeek.sip.status.msg #subject: zeek.sip.subject #trans_depth: zeek.sip.transaction_depth #uri: zeek.sip.uri warning: zeek.sip.warning #user_agent: zeek.sip.user_agent # SMB_Files #action: zeek.smb_files.action #name: zeek.smb_files.name #path: zeek.smb_files.path prev_name: zeek.smb_files.prev_name size: zeek.smb_files.size times_accessed: zeek.smb_files.accessed times_changed: zeek.smb_files.ctime times_created: zeek.smb_files.created times_modified: zeek.smb_files.mtime # SMB_Mapping native_file_system: zeek.smb_mapping.native_file_system #path: zeek.smb_mapping.path share_type: zeek.smb_mapping.share_type #service: zeek.smb_mapping.service # SMTP cc: zeek.smtp.cc #date: zeek.smtp.date first_received: zeek.smtp.first_received #from: zeek.smtp.from helo: zeek.smtp.helo in_reply_to: zeek.smtp.in_reply_to is_webmail: zeek.smtp.is_webmail last_reply: zeek.smtp.last_reply mailfrom: zeek.smtp.mail_from msg_id: zeek.smtp.msg_id #path: zeek.smtp.path rcptto: zeek.smtp.rcpt_to #reply_to: zeek.smtp.reply_to second_received: zeek.smtp.second_received #subject: zeek.smtp.subject tls: zeek.smtp.tls to: zeek.smtp.to #trans_depth: zeek.smtp.transaction_depth x_originating_ip: zeek.smtp.x_originating_ip #user_agent: zeek.smtp.user_agent # SMTP_Links #cs-host: url.domain # smtp_links not in Elastic Beats at all #c-uri: url.original # smtp_links not in Elastic Beats at all # SNMP #duration: zeek.snmp.duration community: zeek.snmp.community display_string: zeek.snmp.display_string get_bulk_requests: zeek.snmp.get.bulk_requests #get_responses: # this is in Elastic Beats, but not an actual zeek field for snmp get_requests: zeek.snmp.get.requests set_requests: zeek.snmp.set.requests up_since: zeek.snmp.up_since #version: zeek.snmp.version # Socks #password: zeek.socks.password bound_host: zeek.socks.bound_host bound_name: zeek.socks.bound_name bound_p: zeek.socks.bound.port request_host: zeek.socks.request_host request_name: zeek.socks.request.host request_p: zeek.socks.request.port status: zeek.socks.status #version: zeek.socks.version # Software ##host: host.ip # software not in Elastic Beats at all #host_p: software.host_port # software not in Elastic Beats at all #version.major: software.version.major # software not in Elastic Beats at all #version.minor: software.version.minor # software not in Elastic Beats at all #version.minor2: software.version.minor2 # software not in Elastic Beats at all #version.minor3: software.version.minor3 # software not in Elastic Beats at all ##name: software.name # software not in Elastic Beats at all #unparsed_version: software.unparsed_version # software not in Elastic Beats at all #software_type: software.software_type # software not in Elastic Beats at all ##url: url.original # software not in Elastic Beats at all # SSH auth_attempts: zeek.ssh.auth.attempts auth_success: zeek.ssh.auth.success cipher_alg: zeek.ssh.algorithm.cipher #client: zeek.ssh.client compression_alg: zeek.ssh.algorithm.compression cshka: zeek.ssh.cshka direction: zeek.ssh.direction hassh: zeek.ssh.hassh hasshAlgorithms: zeek.ssh.hasshAlgorithms hasshServer: zeek.ssh.hasshServer hasshServerAlgorithms: zeek.ssh.hasshServerAlgorithms hasshVersion: zeek.ssh.hasshVersion host_key: zeek.ssh.host_key host_key_alg: zeek.ssh.algorithm.host_key kex_alg: zeek.ssh.algorithm.key_exchange mac_alg: zeek.ssh.algorithm.mac server: zeek.ssh.server #version: zeek.ssh.version # SSL / TLS #cert_chain # Does not exist in ssl log but Elastic Beats has it #cipher: tls.cipher # Not implemented in Elastic Beats #cipher: zeek.ssl.cipher #client_issuer: tls.client.issuer # Not implemented in Elastic Beats client_issuer: zeek.ssl.client_issuer #client_subject: tls.client.subject # Not implemented in Elastic Beats client_subject: zeek.ssl.client_subject #curve: tls.curve # Not implemented in Elastic Beats curve: zeek.ssl.curve #established: tls.established # Not implemented in Elastic Beats established: zeek.ssl.established #issuer: tls.server.issuer # Not implemented in Elastic Beats issuer: zeek.ssl.issuer #ja3: tls.client.ja3 # Not implemented in Elastic Beats ja3: zeek.ssl.ja3 #ja3s: tls.client.ja3s # Not implemented in Elastic Beats ja3s: zeek.ssl.ja3s last_alert: zeek.ssl.last_alert #next_protocol: tls.next_protocol # Not implemented in Elastic Beats next_protocol: zeek.ssl.next_protocol notary: zeek.ssl.notary ocsp_status: zeek.ssl.oscp_status #orig_certificate_sha1: tls.client.hash.sha1 # Not implemented in Elastic Beats orig_certificate_sha1: zeek.ssl.orig_certificate_sha1 #resp_certificate_sha1: tls.server.hash.sha1 # Not implemented in Elastic Beats resp_certificate_sha1: zeek.ssl.resp_certificate_sha1 #resumed: tls.resumed # Not implemented in Elastic Beats resumed: zeek.ssl.resumed #server_name: tls.client.server_name # Not implemented in Elastic Beats server_name: zeek.ssl.server.name #subject: tls.server.subject # Not implemented in Elastic Beats #subject: zeek.ssl.subject valid_ct_logs: zeek.ssl.valid_ct_logs valid_ct_operators: zeek.ssl.validct_operators valid_ct_operators_list: zeek.ssl.valid_ct_operators_list #validation_code # Does not exist in ssl log but Elastic Beats has it validation_status: zeek.ssl.validation_status #version: tls.version # Not implemented in Elastic Beats #version: zeek.ssl.version version_num: zeek.ssl.version_num # Syslog #facility: log.syslog.facility.name # Not implemented in Elastic Beats facility: zeek.syslog.facility #severity: log.syslog.severity.name # Not implemented in Elastic Beats severity: zeek.syslog.severity #message: syslog.message # Not implemented in Elastic Beats message: zeek.syslog.msg # why did Elastic beats do this # Traceroute #proto: network.transport #dst: destination.ip #src: source.ip # Tunnel #action: zeek.tunnel.action tunnel_type: zeek.tunnel.type # Weird #addl: zeek.weird.additional_info #name: zeek.weird.name notice: zeek.weird.notice peer: zeek.weird.peer # X509 basic_constraints.ca: zeek.x509.certificate.basic_constraints.certificate_authority basic_constraints.path_len: zeek.x509.certificate.basic_constraints.path_length certificate.cn: zeek.x509.certificate.common_name certificate.curve: zeek.x509.certificate.curve certificate.exponent: zeek.x509.certificate.exponent certificate.issuer: zeek.x509.certificate.iss # why did Elastic beats do this certificate.key_alg: zeek.x509.certificate.key.algorithm certificate.key_length: zeek.x509.certificate.key.length certificate.key_type: zeek.x509.certificate.key.type certificate.not_valid_after: zeek.x509.certificate.valid.until certificate.not_valid_before: zeek.x509.certificate.valid.from certificate.serial: zeek.x509.certificate.serial certificate.sig_alg: zeek.x509.certificate.signature_algorithm certificate.subject: zeek.x509.certificate.sub # why did Elastic beats do this certificate.version: zeek.x509.certificate.version logcert: zeek.x509.logcert san.dns: zeek.x509.san.dns san.email: zeek.x509.san.email san.ip: zeek.x509.san.ip san.uri: zeek.x509.san.url # Temporary one off rule name's people have written agent.version: version c-cookie: http.cookie_vars c-ip: source.ip cs-uri: url.original clientip: source.ip clientIP: source.io dest_domain: - query - host - server_name dest_ip: destination.ip dest_port: destination.port