mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
1292 lines
33 KiB
YAML
1292 lines
33 KiB
YAML
title: Corelight Zeek and Corelight Opensource Zeek Elastic Common Schema (ECS) implementation
|
|
description: Uses the mappings as created by Corelight here https://github.com/corelight/ecs-mapping
|
|
order: 20
|
|
backends:
|
|
- es-qs
|
|
- corelight_es-qs
|
|
- es-dsl
|
|
- elasticsearch-rule
|
|
- corelight_elasticsearch-rule
|
|
- kibana
|
|
- kibana-ndjson
|
|
- corelight_kibana
|
|
- xpack-watcher
|
|
- corelight_xpack-watcher
|
|
- elastalert
|
|
- elastalert-dsl
|
|
- ee-outliers
|
|
logsources:
|
|
zeek:
|
|
product: zeek
|
|
index: '*ecs-*'
|
|
#'*ecs-corelight*'
|
|
#'*ecs-zeek-*
|
|
zeek-category-accounting:
|
|
category: accounting
|
|
rewrite:
|
|
product: zeek
|
|
service: syslog
|
|
zeek-category-firewall:
|
|
category: firewall
|
|
rewrite:
|
|
product: zeek
|
|
service: conn
|
|
zeek-category-dns:
|
|
category: dns
|
|
rewrite:
|
|
product: zeek
|
|
service: dns
|
|
conditions:
|
|
event.dataset: dns
|
|
zeek-category-proxy:
|
|
category: proxy
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-category-webserver:
|
|
category: webserver
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-conn:
|
|
product: zeek
|
|
service: conn
|
|
conditions:
|
|
event.dataset: conn
|
|
zeek-conn_long:
|
|
product: zeek
|
|
service: conn_long
|
|
conditions:
|
|
event.dataset: conn_long
|
|
zeek-dce_rpc:
|
|
product: zeek
|
|
service: dce_rpc
|
|
conditions:
|
|
event.dataset: dce_rpc
|
|
zeek-dns:
|
|
product: zeek
|
|
service: dns
|
|
conditions:
|
|
event.dataset: dns
|
|
zeek-dnp3:
|
|
product: zeek
|
|
service: dnp3
|
|
conditions:
|
|
event.dataset: dnp3
|
|
zeek-dpd:
|
|
product: zeek
|
|
service: dpd
|
|
conditions:
|
|
event.dataset: dpd
|
|
zeek-files:
|
|
product: zeek
|
|
service: files
|
|
conditions:
|
|
event.dataset: files
|
|
zeek-ftp:
|
|
product: zeek
|
|
service: ftp
|
|
conditions:
|
|
event.dataset: ftp
|
|
zeek-gquic:
|
|
product: zeek
|
|
service: gquic
|
|
conditions:
|
|
event.dataset: gquic
|
|
zeek-http:
|
|
product: zeek
|
|
service: http
|
|
conditions:
|
|
event.dataset: http
|
|
zeek-http2:
|
|
product: zeek
|
|
service: http2
|
|
conditions:
|
|
event.dataset: http2
|
|
zeek-intel:
|
|
product: zeek
|
|
service: intel
|
|
conditions:
|
|
event.dataset: intel
|
|
zeek-irc:
|
|
product: zeek
|
|
service: irc
|
|
conditions:
|
|
event.dataset: irc
|
|
zeek-kerberos:
|
|
product: zeek
|
|
service: kerberos
|
|
conditions:
|
|
event.dataset: kerberos
|
|
zeek-known_certs:
|
|
product: zeek
|
|
service: known_certs
|
|
conditions:
|
|
event.dataset: known_certs
|
|
zeek-known_hosts:
|
|
product: zeek
|
|
service: known_hosts
|
|
conditions:
|
|
event.dataset: known_hosts
|
|
zeek-known_modbus:
|
|
product: zeek
|
|
service: known_modbus
|
|
conditions:
|
|
event.dataset: known_modbus
|
|
zeek-known_services:
|
|
product: zeek
|
|
service: known_services
|
|
conditions:
|
|
event.dataset: known_services
|
|
zeek-modbus:
|
|
product: zeek
|
|
service: modbus
|
|
conditions:
|
|
event.dataset: modbus
|
|
zeek-modbus_register_change:
|
|
product: zeek
|
|
service: modbus_register_change
|
|
conditions:
|
|
event.dataset: modbus_register_change
|
|
zeek-mqtt_connect:
|
|
product: zeek
|
|
service: mqtt_connect
|
|
conditions:
|
|
event.dataset: mqtt_connect
|
|
zeek-mqtt_publish:
|
|
product: zeek
|
|
service: mqtt_publish
|
|
conditions:
|
|
event.dataset: mqtt_publish
|
|
zeek-mqtt_subscribe:
|
|
product: zeek
|
|
service: mqtt_subscribe
|
|
conditions:
|
|
event.dataset: mqtt_subscribe
|
|
zeek-mysql:
|
|
product: zeek
|
|
service: mysql
|
|
conditions:
|
|
event.dataset: mysql
|
|
zeek-notice:
|
|
product: zeek
|
|
service: notice
|
|
conditions:
|
|
event.dataset: notice
|
|
zeek-ntlm:
|
|
product: zeek
|
|
service: ntlm
|
|
conditions:
|
|
event.dataset: ntlm
|
|
zeek-ntp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
event.dataset: ntp
|
|
zeek-ocsp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
event.dataset: ocsp
|
|
zeek-pe:
|
|
product: zeek
|
|
service: pe
|
|
conditions:
|
|
event.dataset: pe
|
|
zeek-pop3:
|
|
product: zeek
|
|
service: pop3
|
|
conditions:
|
|
event.dataset: pop3
|
|
zeek-radius:
|
|
product: zeek
|
|
service: radius
|
|
conditions:
|
|
event.dataset: radius
|
|
zeek-rdp:
|
|
product: zeek
|
|
service: rdp
|
|
conditions:
|
|
event.dataset: rdp
|
|
zeek-rfb:
|
|
product: zeek
|
|
service: rfb
|
|
conditions:
|
|
event.dataset: rfb
|
|
zeek-sip:
|
|
product: zeek
|
|
service: sip
|
|
conditions:
|
|
event.dataset: sip
|
|
zeek-smb_files:
|
|
product: zeek
|
|
service: smb_files
|
|
conditions:
|
|
event.dataset: smb_files
|
|
zeek-smb_mapping:
|
|
product: zeek
|
|
service: smb_mapping
|
|
conditions:
|
|
event.dataset: smb_mapping
|
|
zeek-smtp:
|
|
product: zeek
|
|
service: smtp
|
|
conditions:
|
|
event.dataset: smtp
|
|
zeek-smtp_links:
|
|
product: zeek
|
|
service: smtp_links
|
|
conditions:
|
|
event.dataset: smtp_links
|
|
zeek-snmp:
|
|
product: zeek
|
|
service: snmp
|
|
conditions:
|
|
event.dataset: snmp
|
|
zeek-socks:
|
|
product: zeek
|
|
service: socks
|
|
conditions:
|
|
event.dataset: socks
|
|
zeek-software:
|
|
product: zeek
|
|
service: software
|
|
conditions:
|
|
event.dataset: software
|
|
zeek-ssh:
|
|
product: zeek
|
|
service: ssh
|
|
conditions:
|
|
event.dataset: ssh
|
|
zeek-ssl:
|
|
product: zeek
|
|
service: ssl
|
|
conditions:
|
|
event.dataset: tls
|
|
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
|
|
product: zeek
|
|
service: tls
|
|
conditions:
|
|
event.dataset: tls
|
|
zeek-syslog:
|
|
product: zeek
|
|
service: syslog
|
|
conditions:
|
|
event.dataset: syslog
|
|
zeek-tunnel:
|
|
product: zeek
|
|
service: tunnel
|
|
conditions:
|
|
event.dataset: tunnel
|
|
zeek-traceroute:
|
|
product: zeek
|
|
service: traceroute
|
|
conditions:
|
|
event.dataset: traceroute
|
|
zeek-weird:
|
|
product: zeek
|
|
service: weird
|
|
conditions:
|
|
event.dataset: weird
|
|
zeek-x509:
|
|
product: zeek
|
|
service: x509
|
|
conditions:
|
|
event.dataset: x509
|
|
zeek-ip_search:
|
|
product: zeek
|
|
service: network
|
|
conditions:
|
|
event.dataset:
|
|
- conn
|
|
- conn_long
|
|
- dce_rpc
|
|
- dhcp
|
|
- dnp3
|
|
- dns
|
|
- ftp
|
|
- gquic
|
|
- http
|
|
- irc
|
|
- kerberos
|
|
- modbus
|
|
- mqtt_connect
|
|
- mqtt_publish
|
|
- mqtt_subscribe
|
|
- mysql
|
|
- ntlm
|
|
- ntp
|
|
- radius
|
|
- rfb
|
|
- sip
|
|
- smb_files
|
|
- smb_mapping
|
|
- smtp
|
|
- smtp_links
|
|
- snmp
|
|
- socks
|
|
- ssh
|
|
- tls #SSL
|
|
- tunnel
|
|
- weird
|
|
defaultindex: '*ecs-*'
|
|
fieldmappings:
|
|
# All Logs Applied Mapping & Taxonomy
|
|
dst: destination.ip
|
|
dst_ip: destination.ip
|
|
dst_port: destination.port
|
|
host: host.ip
|
|
inner_vlan: network.vlan.inner.id
|
|
mac: source.mac
|
|
mime_type: file.mime_type
|
|
network_application: network.protocol
|
|
network_community_id: network.community_id
|
|
network_protocol: network.transport
|
|
password: source.user.password
|
|
port_num: labels.known.port
|
|
proto: network.transport
|
|
result: event.outcome
|
|
rtt: event.duration
|
|
server_name: destination.domain
|
|
src: source.ip
|
|
src_ip: source.ip
|
|
src_port: source.port
|
|
success: event.outcome
|
|
uri: url.original
|
|
user: source.user.name
|
|
username: source.user.name
|
|
user_agent: user_agent.original
|
|
vlan: network.vlan.id
|
|
# DNS matching Taxonomy & DNS Category
|
|
answer: dns.answers.name
|
|
question_length: labels.dns.query_length
|
|
record_type: dns.question.type
|
|
parent_domain: dns.question.registered_domain
|
|
# HTTP matching Taxonomy & Web/Proxy Category
|
|
cs-bytes: http.request.body.bytes
|
|
cs-cookie: http.cookie_vars
|
|
r-dns:
|
|
- url.domain
|
|
- destination.domain
|
|
sc-bytes: http.response.body.bytes
|
|
sc-status: http.response.status_code
|
|
c-uri: url.original
|
|
c-uri-extension: url.extension
|
|
c-uri-query: url.query
|
|
c-uri-stem: url.original
|
|
c-useragent: user_agent.original
|
|
cs-host:
|
|
- url.domain
|
|
- destination.domain
|
|
cs-method: http.request.method
|
|
cs-referrer: http.request.referrer
|
|
cs-version: http.version
|
|
# All log UIDs
|
|
cert_chain_fuids: log.id.cert_chain_fuids
|
|
client_cert_chain_fuids: log.id.client_cert_chain_fuids
|
|
client_cert_fuid: log.id.client_cert_fuid
|
|
conn_uids: log.id.conn_uids
|
|
fid: log.id.fid
|
|
fuid: log.id.fuid
|
|
fuids: log.id.fuids
|
|
id: log.id.id
|
|
orig_fuids: log.id.orig_fuids
|
|
parent_fuid: log.id.parent_fuid
|
|
related_fuids: log.id.related_fuids
|
|
resp_fuids: log.id.resp_fuids
|
|
server_cert_fuid: log.id.server_cert_fuid
|
|
tunnel_parents: log.id.tunnel_parents
|
|
uid: log.id.uid
|
|
uids: log.id.uids
|
|
uuid: log.id.uuid
|
|
# Deep mappings / Overlapping fields/mappings (aka: shared fields)
|
|
#_action
|
|
action:
|
|
#- '*.action'
|
|
service=mqtt: mqtt.action
|
|
service=smb_files: smb.action
|
|
service=tunnel: tunnel.action
|
|
mqtt_action: smb.action
|
|
smb_action: smb.action
|
|
tunnel_action: tunnel.action
|
|
#_addl
|
|
addl:
|
|
#- '*.addl'
|
|
service=dns: dns.addl
|
|
service=weird: weird.addl
|
|
dns_addl: dns.addl
|
|
weird_addl: weird.addl
|
|
#_analyzer
|
|
analyzer:
|
|
#- '*.analyzer'
|
|
service=dpd: dpd.analyzer
|
|
service=files: files.analyzer
|
|
dpd_analyzer: dpd.analyzer
|
|
files_analyzer: file.analyzer
|
|
#_arg
|
|
arg:
|
|
#- '*.arg'
|
|
service=ftp: ftp.arg
|
|
service=msqyl: mysql.arg
|
|
service=pop3: pop3.arg
|
|
ftp_arg: ftp.arg
|
|
mysql_arg: mysql.arg
|
|
pop3_arg: pop3.arg
|
|
#_auth
|
|
auth:
|
|
#- dns.auth
|
|
service=dns: dns.auth
|
|
service=rfb: rfb.auth
|
|
dns_auth: dns.auth
|
|
rfb_auth: rfb.auth
|
|
#_cipher
|
|
cipher:
|
|
#- '*.client'
|
|
service=kerberos: kerberos.cipher
|
|
service=ssl: tls.cipher
|
|
kerberos_cipher: kerberos.cipher
|
|
ssl_cipher: tls.cipher
|
|
tls_cipher: tls.cipher
|
|
#_client
|
|
client:
|
|
#- '*.client'
|
|
service=kerberos: kerberos.client
|
|
service=ssh: ssh.client
|
|
kerberos_client: kerberos.client
|
|
ssh_client: ssh.client
|
|
#_command
|
|
command:
|
|
#- '*.command'
|
|
service=irc: irc.command
|
|
service=ftp: ftp.command
|
|
service=pop3: pop3.command
|
|
ftp_command: ftp.command
|
|
irc_command: irc.command
|
|
pop3_command: pop3.command
|
|
#_date
|
|
date:
|
|
#- '*.date'
|
|
service=sip: sip.date
|
|
service=smtp: smtp.date
|
|
sip_date: sip.date
|
|
smtp_date: smtp.date
|
|
#_duration
|
|
duration:
|
|
#- event.duration
|
|
service=conn: event.duration
|
|
service=files: files.duration
|
|
service=snmp: event.duration
|
|
conn_duration: event.duration
|
|
files_duration: files.duration
|
|
snmp_duration: event.duration
|
|
#_from
|
|
from:
|
|
#- '*.from'
|
|
service=kerberos: kerberos.from
|
|
service=smtp: smtp.from
|
|
kerberos_from: kerberos.from
|
|
smtp_from: smtp.from
|
|
#_is_orig
|
|
is_orig:
|
|
#- '*.is_orig'
|
|
service=file: file.is_orig
|
|
service=pop3: pop3.is_orig
|
|
files_is_orig: file.is_orig
|
|
pop3_is_orig: pop3.is_orig
|
|
#_local_orig
|
|
local_orig:
|
|
#- '*.local_orig'
|
|
service=conn: conn.local_orig
|
|
service=files: file.local_orig
|
|
conn_local_orig: conn.local_orig
|
|
files_local_orig: file.local_orig
|
|
#_method
|
|
method:
|
|
#- http.request.method
|
|
service=http: http.request.method
|
|
service=sip: sip.method
|
|
http_method: http.request.method
|
|
sip_method: sip.method
|
|
#_msg
|
|
msg:
|
|
#- notice.msg
|
|
service=notice: notice.msg
|
|
service=pop3: pop3.msg
|
|
notice_msg: notice.msg
|
|
pop3_msg: pop3.msg
|
|
#_name
|
|
name:
|
|
#- file.name
|
|
service=smb_files: file.name
|
|
service=software: software.name
|
|
service=weird: weird.name
|
|
smb_files_name: file.name
|
|
software_name: software.name
|
|
weird_name: weird.name
|
|
#_path
|
|
path:
|
|
#- file.path
|
|
service=smb_files: file.path
|
|
service=smb_mapping: file.path
|
|
service=smtp: smtp.path
|
|
smb_files_path: file.path
|
|
smb_mapping_path: file.path
|
|
smtp_path: smtp.path
|
|
#_reply_msg
|
|
reply_msg:
|
|
#- '*.reply_msg'
|
|
service=ftp: ftp.reply_msg
|
|
service=radius: radius.reply_msg
|
|
ftp_reply_msg: ftp.reply_msg
|
|
radius_reply_msg: radius.reply_msg
|
|
#_reply_to
|
|
reply_to:
|
|
#- '*.reply_to'
|
|
service=sip: sip.reply_to
|
|
service=smtp: smtp.reply_to
|
|
sip_reply_to: sip.reply_to
|
|
smtp_reply_to: smtp.reply_to
|
|
#_response_body_len
|
|
response_body_len:
|
|
#- http.response.body.bytes
|
|
service=http: http.response.body.bytes
|
|
service=sip: sip.response_body_len
|
|
http_response_body_len: http.response.body.bytes
|
|
sip_response_body_len: sip.response_body_len
|
|
#_request_body_len
|
|
request_body_len:
|
|
#- http.request.body.bytes
|
|
service=http: http.response.body.bytes
|
|
service=sip: sip.request_body_len
|
|
http_request_body_len: http.response.body.bytes
|
|
sip_request_body_len: sip.response_body_len
|
|
#_rtt
|
|
#rtt:
|
|
#- event.duration
|
|
#- 'zeek.*.rtt'
|
|
#service=dns: event.duration
|
|
#service=dce_rpc: event.duration
|
|
dns_rtt: event.duration
|
|
dce_rpc_rtt: event.duration
|
|
#_service
|
|
service:
|
|
#- '*.service'
|
|
service=kerberos: kerberos.service
|
|
service=smb_mapping: smb.service
|
|
kerberos_service: kerberos.service
|
|
smb_mapping_kerberos: smb.service
|
|
#_status
|
|
status:
|
|
#- '*.status'
|
|
service=mqtt: mqtt.status
|
|
service=pop3: pop3.status
|
|
service=socks: socks.status
|
|
mqtt_status: mqtt.status
|
|
pop3_status: pop3.status
|
|
socks_status: socks.status
|
|
#_status_code
|
|
status_code:
|
|
#- 'http.response.status_code'
|
|
service=http: http.response.status_code
|
|
service=sip: sip.status_code
|
|
http_status_code: http.response.status_code
|
|
sip_status_code: sip.status_code
|
|
#_status_msg
|
|
status_msg:
|
|
#- '*.status_msg'
|
|
service=http: http.status_msg
|
|
service=sip: sip.status_msg
|
|
http_status_msg: http.status_msg
|
|
sip_status_msg: sip.status_msg
|
|
#_subject
|
|
subject:
|
|
#- '*.subject'
|
|
service=known_certs: known_certs.subject
|
|
service=sip: sip.subject
|
|
service=smtp: smtp.subject
|
|
service=ssl: tls.subject
|
|
known_certs_subject: known_certs.subject
|
|
sip_subject: sip.subject
|
|
smtp_subject: smtp.subject
|
|
ssl_subject: tls.subject
|
|
#_service
|
|
|
|
#_trans_depth
|
|
trans_depth:
|
|
#- '*.trans_depth'
|
|
service=http: http.trans_depth
|
|
service=sip: sip.trans_depth
|
|
service=smtp: smtp.trans_depth
|
|
http_trans_depth: http.trans_depth
|
|
sip_trans_depth: sip.trans_depth
|
|
smtp_trans_depth: smtp.trans_depth
|
|
#_user_agent
|
|
#user_agent: #already normalized
|
|
http_user_agent: user_agent.original
|
|
gquic_user_agent: user_agent.original
|
|
sip_user_agent: user_agent.original
|
|
smtp_user_agent: user_agent.original
|
|
#_version
|
|
version:
|
|
#- '*.version'
|
|
service=gquic: gquic.version
|
|
service=http: http.version
|
|
service=ntp: ntp.version
|
|
service=socks: socks.version
|
|
service=snmp: snmp.version
|
|
service=ssh: ssh.version
|
|
service=tls: tls.version
|
|
gquic_version: gquic.version
|
|
http_version: http.version
|
|
ntp_version: ntp.version
|
|
socks_version: socks.version
|
|
snmp_version: snmp.version
|
|
ssh_version: ssh.version
|
|
ssl_version: tls.version
|
|
tls_version: tls.version
|
|
# Conn and Conn Long
|
|
cache_add_rx_ev: conn.cache_add_rx_ev
|
|
cache_add_rx_mpg: conn.cache_add_rx_mpg
|
|
cache_add_rx_new: conn.cache_add_rx_new
|
|
cache_add_tx_ev: conn.cache_add_tx_ev
|
|
cache_add_tx_mpg: conn.cache_add_tx_mpg
|
|
cache_del_mpg: conn.cache_del_mpg
|
|
cache_entries: conn.cache_entries
|
|
conn_state: conn.conn_state
|
|
corelight_shunted: conn.corelight_shunted
|
|
history: conn.history
|
|
id.orig_h.name_src: conn.id.orig_h_name.src
|
|
id.orig_h.names_vals: conn.id.orig_h_names.vals
|
|
id.resp_h.name_src: conn.id.resp_h_name.src
|
|
id.resp_h.name_vals: conn.id.resp_h_name.vals
|
|
#local_orig: conn.local_orig
|
|
local_resp: conn.local_resp
|
|
missed_bytes: conn.missed_bytes
|
|
orig_bytes: source.bytes
|
|
orig_cc: source.geo.country_iso_code
|
|
orig_ip_bytes: conn.orig_ip_bytes
|
|
orig_l2_addr: source.mac
|
|
orig_pkts: source.packets
|
|
resp_bytes: destination.bytes
|
|
resp_cc: destination.geo.country_iso_code
|
|
resp_ip_bytes: conn.resp.ip_bytes
|
|
resp_l2_addr: destination.mac
|
|
resp_pkts: destination.packets
|
|
# DCE-RPC Specific
|
|
endpoint: dce_rpc.endpoint
|
|
named_pipe: dce_rpc.named_pipe
|
|
operation: dce_rpc.operation
|
|
#rtt: dce_rpc.rtt
|
|
# DHCP
|
|
domain: source.domain
|
|
host_name: source.hostname
|
|
lease_time: dhcp.lease_time
|
|
agent_remote_id: dhcp.agent_remote_id
|
|
assigned_addr: dhcp.assigned_addr
|
|
circuit_id: dhcp.circuit_id
|
|
client_message: dhcp.client_message
|
|
client_software: dhcp.client_software
|
|
client_fqdn: source.fqdn
|
|
#mac: source.mac
|
|
msg_orig: dhcp.msg_orig
|
|
msg_types: dhcp.msg_types
|
|
requested_addr: dhcp.requested_addr
|
|
server_addr: destination.ip
|
|
server_message: dhcp.server_message
|
|
server_software: dhcp.server_software
|
|
subscriber_id: dhcp.subscriber_id
|
|
# DNS
|
|
AA: dns.AA
|
|
#addl: dns.addl
|
|
answers: dns.answers.name
|
|
TTLs: dns.answers.ttl
|
|
RA: dns.RA
|
|
RD: dns.RD
|
|
rejected: dns.rejected
|
|
TC: dns.TC
|
|
Z: dns.Z
|
|
qclass: dns.qclass
|
|
qclass_name: dns.question.class
|
|
qtype: dns.qtype
|
|
qtype_name: dns.question.type
|
|
query: dns.question.name
|
|
rcode_name: dns.response_code
|
|
rcode: dns.rcode
|
|
#rtt: dns.rtt
|
|
trans_id: dns.id
|
|
# DNP3
|
|
fc_reply: dnp3.fc_reply
|
|
fc_request: dnp3.fc_request
|
|
iin: dnp3.inn
|
|
# DPD
|
|
#analyzer: dpd.analyzer
|
|
failure_reason: dpd.failure_reason
|
|
packet_segment: dpd.packet_segment
|
|
# Files
|
|
rx_hosts: source.ip
|
|
tx_hosts: destination.ip
|
|
#analyzer: files.analyzer
|
|
depth: files.depth
|
|
#duration: files.duration
|
|
extracted: files.extracted
|
|
extracted_cutoff: files.extracted_cutoff
|
|
extracted_size: files.extracted_size
|
|
entropy: files.entropy
|
|
md5: file.hash.md5
|
|
sha1: file.hash.sha1
|
|
sha256: file.hash.sha256
|
|
#is_orig: file.is_orig
|
|
#local_orig: files.local_orig
|
|
missing_bytes: files.missing_bytes
|
|
filename: file.name
|
|
overflow_bytes: files.overflow_bytes
|
|
seen_bytes: files.seen_bytes
|
|
source: network.protocol
|
|
total_bytes: file.size
|
|
timedout: files.timedout
|
|
# GQUIC/QUIC
|
|
cyu: gquic.cyu
|
|
cyutags: gquic.cyutags
|
|
#server_name: destination.domain
|
|
tag_count: gquic.tag_count
|
|
#user_agent: user_agent.original
|
|
#version: gquic.version
|
|
# FTP
|
|
#arg: ftp.arg
|
|
#command: ftp.command
|
|
cwd: ftp.cwd
|
|
data_channel.orig_h: ftp.data_channel.orig_h
|
|
data_channel.passive: ftp.data_channel.passive
|
|
data_channel.resp_h: ftp.data_channel.resp_h
|
|
data_channel.resp_p: ftp.data_channel.resp_p
|
|
passive: ftp.passive
|
|
file_size: file.size
|
|
#mime_type: file.mime_type
|
|
#password: ftp.password
|
|
reply_code: ftp.reply_code
|
|
#reply_msg: ftp.reply_msg
|
|
#user: source.user.name
|
|
# HTTP
|
|
client_header_names: http.client_header_names
|
|
cookie_vars: http.cookie_vars
|
|
flash_version: http.flash_version
|
|
info_code: http.info_code
|
|
info_msg: http.info_msg
|
|
#method: http.request.method
|
|
omniture: http.omniture
|
|
orig_filenames: http.orig_filenames
|
|
orig_mime_types: http.orig_mime_types
|
|
origin: http.origin
|
|
#password: source.user.password
|
|
#response_body_len: http.response.body.bytes
|
|
#request_body_len: http.request.body.bytes
|
|
referrer: http.request.referrer
|
|
post_body: http.post_body
|
|
proxied: http.proxied
|
|
resp_filenames: http.resp_filenames
|
|
resp_mime_types: http.resp_mime_types
|
|
server_header_names: http.server_header_names
|
|
#status_code: http.response.status_code
|
|
#status_msg: http.status_msg
|
|
#trans_depth: http.trans_depth
|
|
uri_vars: http.uri_vars
|
|
#user_agent: user_agent.original
|
|
#username: source.user.name
|
|
#version: http.version
|
|
# Intel
|
|
file_mime_type: file.mime_type
|
|
file_desc: intel.file_desc
|
|
#host: host.ip
|
|
matched: intel.matched
|
|
indicator: intel.seen.indicator
|
|
indicator_type: intel.seen.indicator_type
|
|
node: intel.seen.node
|
|
where: intel.seen.where
|
|
sources: intel.seen.sources
|
|
# IRC
|
|
dcc_file_name: file.name
|
|
dcc_file_size: file.size
|
|
dcc_mime_type: file.mime_type
|
|
#command: irc.command
|
|
nick: irc.nick
|
|
#user: source.user.name
|
|
value: irc.command
|
|
# Kerberos
|
|
auth_ticket: kerberos.auth_ticket
|
|
#cipher: kerberos.cipher
|
|
#client: kerberos.client
|
|
client_cert_subject: kerberos.client_cert_subject
|
|
error_code: kerberos.error_code
|
|
error_msg: kerberos.error_msg
|
|
#from: kerberos.from
|
|
forwardable: kerberos.forwardable
|
|
new_ticket: kerberos.new_ticket
|
|
renewable: kerberos.renewable
|
|
request_type: kerberos.request_type
|
|
server_cert_subject: kerberos.server_cert_subject
|
|
#service: kerberos.service
|
|
#success: event.outcome
|
|
till: kerberos.till
|
|
# Known_Certs
|
|
#host: host.ip
|
|
issuer_subject: known_certs.issuer_subject
|
|
#port_num: labels.known.port
|
|
serial: known_certs.serial
|
|
#subject: known_certs.subject
|
|
# Known_Modbus
|
|
#host: host.ip
|
|
device_type: known_modbus.device_type
|
|
# Known_Services
|
|
port_proto: network.transport
|
|
#port_num: labels.known.port
|
|
# Modbus All
|
|
delta: modbus.delta
|
|
new_val: modbus.new_val
|
|
old_val: modbus.old_val
|
|
register: modbus.register
|
|
# Modbus
|
|
func: modbus.func
|
|
exception: modbus.exception
|
|
track_address: modbus.track_address
|
|
# ModBus_Register_Change
|
|
#delta: modbus.delta
|
|
#new_val: modbus.new_val
|
|
#old_val: modbus.old_val
|
|
#register: modbus.register
|
|
# MQTT_Connect , MQTT_Publish, MQTT_Subscribe
|
|
ack: mqtt.ack
|
|
#action: mqtt.action
|
|
client_id: mqtt.client_id
|
|
connect_status: mqtt.connect_status
|
|
from_client: mqtt.from_client
|
|
granted_qos_level: mqtt.granted_qos_level
|
|
payload: mqtt.payload
|
|
payload_len: mqtt.payload_len
|
|
proto_name: mqtt.proto_name
|
|
proto_version: mqtt.proto_version
|
|
qos: mqtt.qos
|
|
qos_levels: mqtt.qos_levels
|
|
retain: mqtt.retain
|
|
#status: mqtt.status
|
|
topic: mqtt.topic
|
|
topics: mqtt.topics
|
|
will_payload: mqtt.will_payload
|
|
will_topic: mqtt.will_topic
|
|
# MYSQL
|
|
#arg: mysql.arg
|
|
cmd: mysql.command
|
|
response: mysql.response
|
|
rows: mysql.rows
|
|
#success: event.outcome
|
|
# Notice
|
|
actions: notice.actions
|
|
dropped: notice.dropped
|
|
#dst: destination.ip
|
|
email_body_sections: notice.email_body_sections
|
|
email_delay_tokens: notice.email_delay_tokens
|
|
identifier: notice.identifier
|
|
#msg: notice.msg
|
|
n: notice.n
|
|
note: notice.note
|
|
p: destination.port
|
|
peer_descr: notice.peer_descr
|
|
peer_name: notice.peer_name
|
|
#proto: network.transport
|
|
#src: source.ip
|
|
sub: notice.sub
|
|
subpress_for: notice.subpress_for
|
|
# NTLM
|
|
domainname: ntlm.domainname
|
|
hostname: ntlm.hostname
|
|
#username: source.user.name
|
|
server_nb_computer_name: ntlm.server_nb_computer_name
|
|
server_tree_name: ntlm.server_tree_name
|
|
#success: event.outcome
|
|
server_dns_computer_name: ntlm.server_dns_computer_name
|
|
# NTP
|
|
mode: ntp.mode
|
|
num_exts: ntp.num_exts
|
|
org_time: ntp.org_time
|
|
poll: ntp.poll
|
|
precision: ntp.precision
|
|
rec_time: ntp.rec_time
|
|
ref_id: ntp.ref_id
|
|
ref_time: ntp.ref_time
|
|
root_delay: ntp.root_delay
|
|
root_disp: ntp.root_disp
|
|
stratum: ntp.stratum
|
|
#version: ntp.version
|
|
xmt_time: ntp.xmt_time
|
|
# OCSP
|
|
certStatus: oscp.certStatus
|
|
hashAlgorithm: oscp.hashAlgorithm
|
|
issuerKeyHash: oscp.issuerKeyHash
|
|
issuerNameHash: oscp.issuerNameHash
|
|
nextUpdate: oscp.nextUpdate
|
|
revokereason: oscp.revokereason
|
|
revoketime: oscp.revoketime
|
|
serialNumber: oscp.serialNumber
|
|
thisUpdate: oscp.thisUpdate
|
|
# PE
|
|
compile_ts: pe.compile_ts
|
|
has_cert_table: pe.has_cert_table
|
|
has_debug_data: pe.has_debug_data
|
|
has_import_table: pe.has_import_table
|
|
has_export_table: pe.has_export_table
|
|
is_64bit: pe.is_64bit
|
|
is_exe: pe.is_exe
|
|
machine: pe.machine
|
|
os: pe.os
|
|
section_names: pe.section_names
|
|
subsystem: pe.subsystem
|
|
uses_aslr: pe.uses_aslr
|
|
uses_code_integrity: pe.uses_code_integrity
|
|
uses_dep: pe.uses_dep
|
|
uses_seh: pe.uses_seh
|
|
# POP3
|
|
#arg: pop3.arg
|
|
#command: pop3.command
|
|
current_request: pop3.current_request
|
|
current_response: pop3.current_response
|
|
data: pop3.data
|
|
failed_commands: pop3.failed_commands
|
|
has_client_activity: pop3.has_client_activity
|
|
#is_orig: pop3.is_orig
|
|
#msg: pop3.msg
|
|
#password: source.user.password
|
|
pending: pop3.pending
|
|
#status: pop3.status
|
|
successful_commands: pop3.successful_commands
|
|
#username: source.user.name
|
|
# Radius
|
|
connect_info: radius.connect_info
|
|
framed_addr: radius.framed_addr
|
|
#mac: source.mac
|
|
#reply_msg: radius.reply_msg
|
|
#result: event.outcome
|
|
ttl: event.duration
|
|
tunnel_client: radius.tunnel_client
|
|
#username: source.user.name
|
|
# RDP
|
|
cert_count: rdp.cert_count
|
|
cert_permanent: rdp.cert_permanent
|
|
cert_type: rdp.cert_type
|
|
client_build: rdp.client_build
|
|
client_dig_product_id: rdp.client_dig_product_id
|
|
client_name: source.hostname
|
|
cookie: rdp.cookie
|
|
desktop_height: rdp.desktop_height
|
|
desktop_width: rdp.desktop_width
|
|
encryption_level: rdp.encryption_level
|
|
encryption_method: rdp.encryption_method
|
|
keyboard_layout: rdp.keyboard_layout
|
|
requested_color_depth: rdp.requested_color_depth
|
|
#result: event.outcome
|
|
security_protocol: rdp.security_protocol
|
|
ssl: rdp.ssl
|
|
# RFB
|
|
#auth: event.outcome
|
|
authentication_method: rfb.authentication_method
|
|
client_major_version: rfb.client_major_version
|
|
client_minor_version: rfb.client_minor_version
|
|
desktop_name: destination.hostname
|
|
height: rfb.height
|
|
server_major_version: rfb.server_major_version
|
|
server_minor_version: rfb.server_minor_version
|
|
share_flag: rfb.share_flag
|
|
width: rfb.width
|
|
# SIP
|
|
call_id: sip.call_id
|
|
content_type: sip.content_type
|
|
#date: sip.date
|
|
#method: sip.method
|
|
#reply_to: sip.reply_to
|
|
#request_body_len: sip.request_body_len
|
|
request_from: sip.request_from
|
|
request_path: sip.request_path
|
|
request_to: sip.request_to
|
|
#response_body_len: sip.response_body_len
|
|
response_from: sip.response_from
|
|
response_path: sip.response_path
|
|
response_to: sip.response_to
|
|
seq: sip.seq
|
|
#status_code: sip.status_code
|
|
#status_msg: sip.status_msg
|
|
#subject: sip.subject
|
|
#trans_depth: sip.trans_depth
|
|
#uri: url.original
|
|
warning: sip.warning
|
|
#user_agent: user_agent.original
|
|
# SMB_Files
|
|
#action: smb.action
|
|
#name: file.name
|
|
#path: file.path
|
|
prev_name: smb.prev_name
|
|
size: file.size
|
|
times_accessed: file.accessed
|
|
times_changed: file.ctime
|
|
times_created: file.created
|
|
times_modified: file.mtime
|
|
# SMB_Mapping
|
|
native_file_system: smb.native_file_system
|
|
#path: file.path
|
|
share_type: smb.share_type
|
|
#service: smb.service
|
|
# SMTP
|
|
cc: smtp.cc
|
|
#date: smtp.date
|
|
first_received: smtp.first_received
|
|
#from: smtp.from
|
|
helo: smtp.helo
|
|
in_reply_to: smtp.in_reply_to
|
|
is_webmail: smtp.is_webmail
|
|
last_reply: smtp.last_reply
|
|
mailfrom: smtp.mailfrom
|
|
msg_id: smtp.msg_id
|
|
#path: smtp.path
|
|
rcptto: smtp.rcptto
|
|
#reply_to: smtp.reply_to
|
|
second_received: smtp.second_received
|
|
#subject: smtp.subject
|
|
tls: smtp.tls
|
|
to: smtp.to
|
|
#trans_depth: smtp.trans_depth
|
|
x_originating_ip: smtp.x_originating_ip
|
|
#user_agent: user_agent.original
|
|
# SMTP_Links
|
|
#cs-host: url.domain
|
|
#c-uri: url.original
|
|
# SNMP
|
|
#duration: event.duration
|
|
community: snmp.community
|
|
display_string: snmp.display_string
|
|
get_bulk_requests: snmp.get_bulk_requests
|
|
get_requests: snmp.get_requests
|
|
set_requests: snmp.set_requests
|
|
up_since: snmp.up_since
|
|
#version: snmp.version
|
|
# Socks
|
|
#password: source.user.password
|
|
bound_host: socks.bound_host
|
|
bound_name: socks.bound_name
|
|
bound_p: socks.bound_p
|
|
request_host: socks.request_host
|
|
request_name: socks.request_name
|
|
request_p: socks.request_p
|
|
#status: socks.status
|
|
#version: socks.version
|
|
# Software
|
|
#host: host.ip
|
|
host_p: software.host_port
|
|
version.major: software.version.major
|
|
version.minor: software.version.minor
|
|
version.minor2: software.version.minor2
|
|
version.minor3: software.version.minor3
|
|
#name: software.name
|
|
unparsed_version: software.unparsed_version
|
|
software_type: software.software_type
|
|
#url: url.original
|
|
# SSH
|
|
auth_attempts: ssh.auth_attempts
|
|
auth_success: event.outcome
|
|
cipher_alg: ssh.cipher_alg
|
|
#client: ssh.client
|
|
compression_alg: ssh.compression_alg
|
|
cshka: ssh.cshka
|
|
direction: network.direction
|
|
hassh: ssh.hassh
|
|
hasshAlgorithms: ssh.hasshAlgorithms
|
|
hasshServer: ssh.hasshServer
|
|
hasshServerAlgorithms: ssh.hasshServerAlgorithms
|
|
hasshVersion: ssh.hasshVersion
|
|
host_key: ssh.host_key
|
|
host_key_alg: ssh.host_key_alg
|
|
kex_alg: ssh.kex_alg
|
|
mac_alg: ssh.mac_alg
|
|
server: ssh.server
|
|
#version: ssh.version
|
|
# SSL / TLS
|
|
#cipher: tls.cipher
|
|
client_issuer: tls.client.issuer
|
|
client_subject: tls.client.subject
|
|
curve: tls.curve
|
|
established: tls.established
|
|
issuer: tls.server.issuer
|
|
ja3: tls.client.ja3
|
|
ja3s: tls.client.ja3s
|
|
last_alert: ssl.last_alert
|
|
next_protocol: tls.next_protocol
|
|
notary: ssl.notary
|
|
ocsp_status: ssl.oscp_status
|
|
orig_certificate_sha1: tls.client.hash.sha1
|
|
resp_certificate_sha1: tls.server.hash.sha1
|
|
resumed: tls.resumed
|
|
#server_name: tls.client.server_name
|
|
#subject: tls.server.subject
|
|
valid_ct_logs: ssl.valid_ct_logs
|
|
valid_ct_operators: ssl.validct_operators
|
|
valid_ct_operators_list: ssl.valid_ct_operators_list
|
|
validation_status: ssl.validation_status
|
|
#version: tls.version
|
|
version_num: ssl.version_num
|
|
# Syslog
|
|
facility: log.syslog.facility.name
|
|
severity: log.syslog.severity.name
|
|
message: syslog.message
|
|
# Traceroute
|
|
#proto: network.transport
|
|
#dst: destination.ip
|
|
#src: source.ip
|
|
# Tunnel
|
|
#action: tunnel.action
|
|
tunnel_type: tunnel.tunnel_type
|
|
# Weird
|
|
#addl: weird.addl
|
|
#name: weird.name
|
|
notice: weird.notice
|
|
peer: weird.peer
|
|
# X509
|
|
basic_constraints.ca: x509.certificate.basic_constraints_ca
|
|
basic_constraints.path_len: x509.certificate.basic_constraints_path_length
|
|
certificate.cn: x509.certificate.cn
|
|
certificate.curve: x509.certificate.curve
|
|
certificate.exponent: x509.certificate.exponent
|
|
certificate.issuer: x509.certificate.issuer
|
|
certificate.key_alg: x509.certificate.key_alg
|
|
certificate.key_length: x509.certificate.key_length
|
|
certificate.key_type: x509.certificate.key_type
|
|
certificate.not_valid_after: x509.certificate.not_valid_after
|
|
certificate.not_valid_before: x509.certificate.not_valid_before
|
|
certificate.serial: x509.certificate.serial
|
|
certificate.sig_alg: x509.certificate.sig_alg
|
|
certificate.subject: x509.certificate.subject
|
|
certificate.version: x509.certificate.version
|
|
logcert: x509.logcert
|
|
san.dns: x509.san.dns
|
|
san.email: x509.san.email
|
|
san.ip: x509.san.ip
|
|
san.uri: x509.san.url
|
|
# Few other variations of names from zeek source itself
|
|
id_orig_h: source.ip
|
|
id_orig_p: source.port
|
|
id_resp_h: destination.ip
|
|
id_resp_p: destination.port
|
|
# Temporary one off rule name fields
|
|
cs-uri: url.original
|
|
# destination.domain:
|
|
# destination.ip:
|
|
# destination.port:
|
|
# http.response.status_code
|
|
# http.request.body.content
|
|
# source.domain:
|
|
# source.ip:
|
|
# source.port:
|
|
agent.version: http.version
|
|
c-ip: source.ip
|
|
clientip: source.ip
|
|
clientIP: source.ip
|
|
dest_domain:
|
|
- destination.domain
|
|
- url.domain
|
|
dest_ip: destination.ip
|
|
dest_port: destination.port
|
|
#TODO:WhatShouldThisBe?==dest:
|
|
#TODO:WhatShouldThisBe?==destination:
|
|
#TODO:WhatShouldThisBe?==Destination:
|
|
destination.hostname:
|
|
- destination.domain
|
|
- url.domain
|
|
DestinationAddress: destination.ip
|
|
DestinationHostname:
|
|
- destination.domain
|
|
- url.domain
|
|
DestinationIp: destination.ip
|
|
DestinationIP: destination.ip
|
|
DestinationPort: destination.port
|
|
dst-ip: destination.ip
|
|
dstip: destination.ip
|
|
dstport: destination.port
|
|
Host:
|
|
- destination.domain
|
|
- url.domain
|
|
#host:
|
|
# - destination.domain
|
|
# - url.domain
|
|
HostVersion: http.version
|
|
http_host:
|
|
- destination.domain
|
|
- url.domain
|
|
http_uri: url.original
|
|
http_url: url.original
|
|
#http_user_agent: user_agent.original
|
|
http.request.url-query-params: url.original
|
|
HttpMethod: http.request.method
|
|
in_url: url.original
|
|
#parent_domain:
|
|
# - url.registered_domain
|
|
# - destination.registered_domain
|
|
post_url_parameter: url.original
|
|
Request Url: url.original
|
|
request_url: url.original
|
|
request_URL: url.original
|
|
RequestUrl: url.original
|
|
#response: http.response.status_code
|
|
resource.url: url.original
|
|
resource.URL: url.original
|
|
sc_status: http.response.status_code
|
|
sender_domain:
|
|
- destination.domain
|
|
- url.domain
|
|
service.response_code: http.response.status_code
|
|
SourceAddr:
|
|
- source.address
|
|
- source.ip
|
|
SourceAddress: source.ip
|
|
SourceIP: source.ip
|
|
SourceIp: source.ip
|
|
SourceNetworkAddress:
|
|
- source.address
|
|
- source.ip
|
|
SourcePort: source.port
|
|
srcip: source.ip
|
|
Status: http.response.status_code
|
|
#status: http.response.status_code
|
|
url: url.original
|
|
URL: url.original
|
|
url_query: url.original
|
|
url.query: url.original
|
|
uri_path: url.original
|
|
#user_agent: user_agent.original
|
|
user_agent.name: user_agent.original
|
|
user-agent: user_agent.original
|
|
User-Agent: user_agent.original
|
|
useragent: user_agent.original
|
|
UserAgent: user_agent.original
|
|
User Agent: user_agent.original
|
|
web_dest:
|
|
- url.domain
|
|
- destination.domain
|
|
web.dest:
|
|
- url.domain
|
|
- destination.domain
|
|
Web.dest:
|
|
- url.domain
|
|
- destination.domain
|
|
web.host:
|
|
- url.domain
|
|
- destination.domain
|
|
Web.host:
|
|
- url.domain
|
|
- destination.domain
|
|
web_method: http.request.method
|
|
Web_method: http.request.method
|
|
web.method: http.request.method
|
|
Web.method: http.request.method
|
|
web_src: source.ip
|
|
web_status: http.response.status_code
|
|
Web_status: http.response.status_code
|
|
web.status: http.response.status_code
|
|
Web.status: http.response.status_code
|
|
web_uri: url.original
|
|
web_url: url.original
|