---
# Sigma backend configuration for Zeek logs shipped by the Filebeat zeek module.
# It tells sigmac which index to search, how Sigma log sources map onto the
# module's event.dataset values, and how Sigma field names map onto ECS /
# module-specific fields (written against Filebeat 7.6.1).
title: Elastic Common Schema (ECS) implementation for Zeek using filebeat modules enabled based on version 7.6.1
order: 20

# Backends this configuration is valid for.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - elasticsearch-rule
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
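logsources:
  # Base source: every Zeek rule searches the Filebeat index pattern.
  zeek:
    product: zeek
    index: 'filebeat*'

  # Generic Sigma categories are rewritten onto the Zeek log that carries them.
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
      product: zeek
      service: http

  # One source per Zeek log: `service` is the Sigma selector, `conditions`
  # pins the query to the event.dataset the Filebeat module assigns.
  # NOTE(review): the conn fieldmappings in this file use zeek.connection.*,
  # which suggests the dataset is zeek.connection rather than zeek.conn —
  # confirm against the module before relying on zeek-conn.
  # NOTE(review): there is no zeek-dhcp source even though DHCP fieldmappings
  # exist further down and dhcp is listed under zeek-ip_search — possibly an
  # omission; confirm.
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      event.dataset: zeek.conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      event.dataset: zeek.conn_long
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      event.dataset: zeek.dce_rpc
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      event.dataset: zeek.dns
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      event.dataset: zeek.dnp3
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      event.dataset: zeek.dpd
  zeek-files:
    product: zeek
    service: files
    conditions:
      event.dataset: zeek.files
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      event.dataset: zeek.ftp
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      event.dataset: zeek.gquic
  zeek-http:
    product: zeek
    service: http
    conditions:
      event.dataset: zeek.http
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      event.dataset: zeek.http2
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      event.dataset: zeek.intel
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      event.dataset: zeek.irc
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      event.dataset: zeek.kerberos
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      event.dataset: zeek.known_certs
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      event.dataset: zeek.known_hosts
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      event.dataset: zeek.known_modbus
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      event.dataset: zeek.known_services
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      event.dataset: zeek.modbus
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      event.dataset: zeek.modbus_register_change
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      event.dataset: zeek.mqtt_connect
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      event.dataset: zeek.mqtt_publish
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      event.dataset: zeek.mqtt_subscribe
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      event.dataset: zeek.mysql
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      event.dataset: zeek.notice
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      event.dataset: zeek.ntlm
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      event.dataset: zeek.ntp
  zeek-ocsp:
    product: zeek
    # Fixed: this read `service: ntp`, so rules written with `service: ocsp`
    # could not select this source and rules with `service: ntp` matched two
    # sources with different datasets.
    service: ocsp
    conditions:
      event.dataset: zeek.ocsp
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      event.dataset: zeek.pe
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      event.dataset: zeek.pop3
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      event.dataset: zeek.radius
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      event.dataset: zeek.rdp
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      event.dataset: zeek.rfb
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      event.dataset: zeek.sip
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      event.dataset: zeek.smb_files
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      event.dataset: zeek.smb_mapping
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      event.dataset: zeek.smtp
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      event.dataset: zeek.smtp_links
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      event.dataset: zeek.snmp
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      event.dataset: zeek.socks
  zeek-software:
    product: zeek
    service: software
    conditions:
      event.dataset: zeek.software
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      event.dataset: zeek.ssh
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      event.dataset: zeek.tls
  # In case people call it TLS even though orig log is called ssl, but dataset
  # is tls so may cause confusion so cover that.
  zeek-tls:
    product: zeek
    service: tls
    conditions:
      event.dataset: zeek.tls
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      event.dataset: zeek.syslog
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      event.dataset: zeek.tunnel
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      event.dataset: zeek.traceroute
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      event.dataset: zeek.weird
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      event.dataset: zeek.x509

  # Cross-log IP search: one source covering every dataset that carries
  # source/destination addresses.
  # NOTE(review): every other conditions block above uses the zeek. prefix
  # (e.g. zeek.dns); these bare names only match if event.dataset is stored
  # without it — confirm against the module before relying on this source.
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      event.dataset:
        - connection
        # - conn_long
        - dce_rpc
        - dhcp
        - dnp3
        - dns
        - ftp
        - gquic
        - http
        - irc
        - kerberos
        - modbus
        - mqtt_connect
        - mqtt_publish
        - mqtt_subscribe
        - mysql
        - ntlm
        - ntp
        - radius
        - rfb
        - sip
        - smb_files
        - smb_mapping
        - smtp
        - smtp_links
        - snmp
        - socks
        - ssh
        - tls  # SSL
        - tunnel
        - weird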
# Index pattern used when the selected log source does not set its own.
defaultindex: 'filebeat*'

# Sigma field name -> field in the Filebeat zeek module / ECS. A list value
# lists alternative target fields. A wrong target here is not an error at
# conversion time: the rule converts cleanly and then never matches, so each
# entry is effectively a detection-coverage claim that should be checked
# against the module's field list.
fieldmappings:
# All Logs Applied Mapping & Taxonomy
|
|
dst:
|
|
- destination.address
|
|
- destination.ip
|
|
dst_ip:
|
|
- destination.address
|
|
- destination.ip
|
|
dst_port: destination.port
|
|
#host: host.ip # Not implemented by Elastic (Beats) yet
|
|
#inner_vlan: network.vlan.inner.id # Not implemented by Elastic (Beats) yet
|
|
#mac: source.mac
|
|
#mime_type: file.mime_type # Not implemented by Elastic (Beats) yet
|
|
network_application: network.protocol
|
|
network_community_id: network.community_id
|
|
network_protocol: network.transport
|
|
#password: source.user.password
|
|
#port_num: labels.known.port
|
|
proto: network.transport
|
|
#result: event.outcome # Not implemented by Elastic (Beats) yet
|
|
#rtt: event.duration # Not implemented by Elastic (Beats) yet
|
|
#server_name: destination.domain
|
|
src:
|
|
- source.address
|
|
- source.ip
|
|
src_ip: source.ip
|
|
src_port: source.port
|
|
#success: event.outcome # Not implemented by Elastic (Beats) yet
|
|
#uri: url.original
|
|
#user: source.user.name
|
|
#username: source.user.name # Not complete by Elastic (Beats) yet
|
|
#user_agent: user_agent.original
|
|
#vlan: network.vlan.id # Not implemented by Elastic (Beats) yet
|
|
# Overlapping fields/mappings (aka: shared fields)
|
|
action: 'zeek.smb_files.action'
|
|
mqtt_action: smb.action
|
|
smb_action: smb.action
|
|
tunnel_action: tunnel.action
|
|
addl: 'zeek.weird.additional_info'
|
|
dns_addl: zeek.dns.addl
|
|
weird_addl: zeek.weird.additional_info
|
|
arg: 'zeek.*.arg'
|
|
ftp_arg: zeek.ftp.arg
|
|
mysql_arg: zeek.mysql.arg
|
|
pop3_arg: zeek.pop3.arg
|
|
auth: 'zeek.*.auth*'
|
|
cipher: 'zeek.*.cipher'
|
|
kerberos_cipher: zeek.kerberos.cipher
|
|
ssl_cipher: zeek.ssl.cipher
|
|
tls_cipher: zeek.ssl.cipher
|
|
client: 'zeek.*.client*'
|
|
command: 'zeek.*.command'
|
|
ftp_command: zeek.irc.command
|
|
irc_command: zeek.ftp.command
|
|
pop3_command: zeek.pop3.command
|
|
date: 'zeek.*.date'
|
|
duration: event.duration
|
|
from: 'zeek.*.from'
|
|
kerberos_from: zeek.smtp.from
|
|
smtp_from: zeek.kerberos.valid.from
|
|
is_orig: 'zeek.*.is_orig'
|
|
local_orig: 'zeek.*.local_orig'
|
|
method: http.request.method
|
|
http_method: http.request.method
|
|
sip_method: zeek.sip.sequence.method
|
|
name: 'zeek.smb_files.name'
|
|
smb_files_name: zeek.smb_files.name
|
|
software_name: zeek.software.name
|
|
weird_name: zeek.weird.name
|
|
path: 'zeek.*.path'
|
|
smb_mapping_path: zeek.smb_mapping.path
|
|
smb_files_path: zeek.smb_files.path
|
|
smtp_files_path: zeek.smtp.path
|
|
password: 'zeek.*.password'
|
|
reply_msg: 'zeek.*.reply*msg'
|
|
reply_to: 'zeek.*.reply_to'
|
|
response_body_len: http.response.body.bytes
|
|
request_body_len: http.request.body.bytes
|
|
rtt: event.duration
|
|
status_code: 'http.response.status_code'
|
|
status_msg: 'zeek.*status*msg'
|
|
#_service:
|
|
service: 'zeek.*.service'
|
|
kerberos_service: zeek.kerberos.service
|
|
smb_mapping_kerberos: zeek.smb_mapping.service
|
|
#_subject:
|
|
subject:
|
|
- 'zeek.*.subject'
|
|
known_certs_subject: zeek.known_certs.subject
|
|
sip_subject: zeek.sip.subject
|
|
smtp_subject: zeek.smtp.subject
|
|
ssl_subject: zeek.ssl.subject
|
|
trans_depth: 'zeek.*.trans*depth'
|
|
username: 'zeek.*.username'
|
|
uri: 'url.original'
|
|
user: 'zeek.*user*'
|
|
#_user_agent
|
|
user_agent:
|
|
- 'zeek.*user_agent*'
|
|
http_user_agent: user_agent.original
|
|
gquic_user_agent: zeek.gquic.user_agent
|
|
sip_user_agent: zeek.sip.user_agent
|
|
smtp_user_agent: zeek.smtp.user_agent
|
|
#_version
|
|
version: 'zeek.*.version'
|
|
gquic_version: zeek.gquic.version
|
|
http_version: http.version
|
|
ntp_version: zeek.ntp.version
|
|
socks_version: zeek.socks.version
|
|
snmp_version: zeek.snmp.version
|
|
ssh_version: zeek.ssh.version
|
|
tls_version: zeek.ssl.version
|
|
# DNS matching Taxonomy & DNS Category
|
|
answer: dns.answers.name
|
|
question_length: labels.dns.query_length
|
|
record_type: dns.question.type
|
|
parent_domain: dns.question.registered_domain
|
|
# HTTP matching Taxonomy & Web/Proxy Category
|
|
cs-bytes: http.request.body.bytes
|
|
cs-cookie: http.cookie_vars
|
|
r-dns:
|
|
- url.domain
|
|
- destination.domain
|
|
sc-bytes: http.response.body.bytes
|
|
sc-status: http.response.status_code
|
|
c-uri: url.original
|
|
c-uri-extension: url.extension
|
|
c-uri-query: url.query
|
|
c-uri-stem: url.original
|
|
c-useragent: user_agent.original
|
|
cs-host:
|
|
- url.domain
|
|
- destination.domain
|
|
cs-method: http.request.method
|
|
cs-referrer: http.request.referrer
|
|
cs-version: http.version
|
|
uid: zeek.session_id
|
|
# Conn
|
|
cache_add_rx_ev: zeek.connection.cache_add_rx_ev
|
|
cache_add_rx_mpg: zeek.connection.cache_add_rx_mpg
|
|
cache_add_rx_new: zeek.connection.cache_add_rx_new
|
|
cache_add_tx_ev: zeek.connection.cache_add_tx_ev
|
|
cache_add_tx_mpg: zeek.connection.cache_add_tx_mpg
|
|
cache_del_mpg: zeek.connection.cache_del_mpg
|
|
cache_entries: zeek.connection.cache_entries
|
|
conn_state: zeek.connection.conn_state
|
|
conn_uids: zeek.files.session_ids
|
|
corelight_shunted: zeek.connection.corelight_shunted
|
|
history: zeek.connection.history
|
|
id.orig_h.name_src: zeek.connection.id.orig_h_name.src
|
|
id.orig_h.names_vals: zeek.connection.id.orig_h_names.vals
|
|
id.resp_h.name_src: zeek.connection.id.resp_h_name.src
|
|
id.resp_h.name_vals: zeek.connection.id.resp_h_name.vals
|
|
#local_orig: zeek.connection.local_orig
|
|
local_resp: zeek.connection.local_resp
|
|
missed_bytes: zeek.connection.missed_bytes
|
|
orig_bytes: source.bytes
|
|
orig_cc: source.geo.country_iso_code
|
|
orig_ip_bytes: zeek.connection.orig_ip_bytes
|
|
orig_l2_addr: source.mac
|
|
orig_pkts: source.packets
|
|
resp_bytes: destination.bytes
|
|
resp_cc: destination.geo.country_iso_code
|
|
resp_ip_bytes: zeek.connection.resp.ip_bytes
|
|
resp_l2_addr: destination.mac
|
|
resp_pkts: destination.packets
|
|
# DCE-RPC Specific
|
|
endpoint: zeek.dce_rpc.endpoint
|
|
named_pipe: zeek.dce_rpc.named_pipe
|
|
operation: zeek.dce_rpc.operation
|
|
#rtt: zeek.dce_rpc.rtt
|
|
# DHCP
|
|
domain: zeek.dhcp.domain
|
|
host_name: zeek.dhcp.hostname
|
|
lease_time: zeek.dhcp.lease_time
|
|
agent_remote_id: zeek.dhcp.agent_remote_id
|
|
assigned_addr: zeek.dhcp.assigned_addr
|
|
circuit_id: zeek.dhcp.circuit_id
|
|
client_message: zeek.dhcp.client_message
|
|
client_software: zeek.dhcp.client_software
|
|
client_fqdn: zeek.dhcp.client_fqdn
|
|
#mac: source.mac
|
|
msg_orig: zeek.dhcp.msg_orig
|
|
msg_types: zeek.dhcp.msg_types
|
|
requested_addr: zeek.dhcp.requested_addr
|
|
server_addr: destination.ip
|
|
server_message: zeek.dhcp.server_message
|
|
server_software: zeek.dhcp.server_software
|
|
subscriber_id: zeek.dhcp.subscriber_id
|
|
#zeek.zeek.dhcp.client_port: Elastic has this, but is not actually a zeek log field for dhcp
|
|
#zeek.zeek.dhcp.server_port: Elastic has this, but is not actually a zeek log field for dhcp
|
|
# DNS
|
|
AA: zeek.dns.AA
|
|
#addl: zeek.dns.addl
|
|
#auth: zeek.dns.auth
|
|
answers: dns.answers.name
|
|
TTLs: dns.answers.ttl
|
|
RA: zeek.dns.RA
|
|
RD: zeek.dns.RD
|
|
rejected: zeek.dns.rejected
|
|
TC: zeek.dns.TC
|
|
Z: zeek.dns.Z
|
|
qclass: zeek.dns.qclass
|
|
qclass_name: dns.question.class
|
|
qtype: zeek.dns.qtype
|
|
qtype_name: dns.question.type
|
|
query: dns.question.name
|
|
rcode_name: dns.response_code
|
|
rcode: zeek.dns.rcode
|
|
#rtt: zeek.dns.rtt
|
|
trans_id: dns.id
|
|
# DNP3
|
|
fc_reply: dnp3.function.reply
|
|
fc_request: dnp3.function.request
|
|
iin: dnp3.inn
|
|
# DPD
|
|
#analyzer: dpd.analyzer
|
|
failure_reason: dpd.failure_reason
|
|
packet_segment: dpd.packet_segment
|
|
# Files
|
|
rx_hosts: zeek.files.rx_host
|
|
tx_hosts: zeek.files.tx_host
|
|
#analyzer: zeek.files.analyzer
|
|
depth: zeek.files.depth
|
|
#duration: zeek.files.duration
|
|
extracted: zeek.files.extracted
|
|
extracted_cutoff: zeek.files.extracted_cutoff
|
|
extracted_size: zeek.files.extracted_size
|
|
entropy: zeek.files.entropy
|
|
md5: zeek.files.md5
|
|
sha1: zeek.files.sha1
|
|
sha256: zeek.files.sha256
|
|
#is_orig: zeek.files.is_orig
|
|
#local_orig: zeek.files.local_orig
|
|
missing_bytes: zeek.files.missing_bytes
|
|
filename: zeek.files.filename
|
|
overflow_bytes: zeek.files.overflow_bytes
|
|
seen_bytes: zeek.files.seen_bytes
|
|
total_bytes: zeek.files.total_bytes
|
|
timedout: zeek.files.timedout
|
|
# GQUIC/QUIC
|
|
cyu: gquic.cyu
|
|
cyutags: gquic.cyutags
|
|
#server_name: destination.domain
|
|
tag_count: gquic.tag_count
|
|
#user_agent: user_agent.original
|
|
#version: gquic.version
|
|
# FTP
|
|
#arg: zeek.ftp.arg
|
|
#command: zeek.ftp.command
|
|
cwd: zeek.ftp.cwd
|
|
data_channel.passive: zeek.ftp.data_channel.passive
|
|
data_channel.orig_h: zeek.ftp.data_channel.originating_host
|
|
data_channel.resp_h: zeek.ftp.data_channel.response_host
|
|
data_channel.resp_p: zeek.ftp.data_channel.response_port
|
|
file_size: zeek.ftp.file.size
|
|
passive: zeek.ftp.passive
|
|
#password: zeek.ftp.password
|
|
reply_code: zeek.ftp.reply.code
|
|
#reply_msg: zeek.ftp.reply.msg
|
|
#user: zeek.ftp.user.name
|
|
# HTTP
|
|
client_header_names: zeek.http.client_header_names
|
|
cookie_vars: zeek.http.cookie_vars
|
|
flash_version: zeek.http.flash_version
|
|
info_code: zeek.http.info_code
|
|
info_msg: zeek.http.info_msg
|
|
#method: http.request.method
|
|
omniture: zeek.http.omniture
|
|
orig_filenames: zeek.http.orig_filenames
|
|
orig_mime_types: zeek.http.orig_mime_types
|
|
origin: zeek.http.origin
|
|
#password: zeek.http.password
|
|
#response_body_len: http.response.body.bytes
|
|
#request_body_len: http.request.body.bytes
|
|
referrer: http.request.referrer
|
|
post_body: zeek.http.post_body
|
|
proxied: zeek.http.proxied
|
|
resp_filenames: zeek.http.resp_filenames
|
|
resp_mime_types: zeek.http.resp_mime_types
|
|
server_header_names: zeek.http.server_header_names
|
|
#status_msg: zeek.http.status_msg
|
|
#trans_depth: zeek.http.trans_depth
|
|
#uri: url.original
|
|
uri_vars: zeek.http.uri_vars
|
|
#user_agent: user_agent.original
|
|
#username: source.user.name
|
|
#version: http.version
|
|
# Intel
|
|
file_mime_type: zeek.intel.mime_type
|
|
file_desc: zeek.intel.file_desc
|
|
host: zeek.intel.seen.host
|
|
matched: zeek.intel.matched
|
|
indicator: zeek.intel.seen.indicator
|
|
indicator_type: zeek.intel.seen.indicator_type
|
|
node: zeek.intel.seen.node
|
|
where: zeek.intel.seen.where
|
|
sources: zeek.intel.seen.sources
|
|
# IRC
|
|
dcc_file_name: zeek.irc.dcc.file.name
|
|
dcc_file_size: zeek.irc.dcc.file.size
|
|
dcc_mime_type: zeek.irc.dcc.mime_type
|
|
#command: zeek.irc.command
|
|
nick: zeek.irc.nick
|
|
#user: zeek.irc.username
|
|
value: zeek.irc.command
|
|
# Kerberos
|
|
auth_ticket: zeek.kerberos.ticket.auth
|
|
#cipher: zeek.kerberos.cipher
|
|
#client: zeek.kerberos.cert.client.value
|
|
client_cert_subject: zeek.kerberos.cert.client.subject
|
|
error_code: zeek.kerberos.error.code
|
|
error_msg: zeek.kerberos.error.msg
|
|
forwardable: zeek.kerberos.forwardable
|
|
#from: zeek.kerberos.valid.from
|
|
new_ticket: zeek.kerberos.ticket.new
|
|
renewable: zeek.kerberos.renewable
|
|
request_type: zeek.kerberos.request_type
|
|
#service: zeek.kerberos.service
|
|
success: zeek.kerberos.success
|
|
server_cert_subject: zeek.kerberos.cert.server.subject
|
|
till: zeek.kerberos.valid.until
|
|
# Known_Certs
|
|
#host: host.ip # known_services not in Elastic Beats at all
|
|
#issuer_subject: known_certs.issuer_subject # known_services not in Elastic Beats at all
|
|
#port_num: labels.known.port # known_services not in Elastic Beats at all
|
|
#serial: known_certs.serial # known_services not in Elastic Beats at all
|
|
#subject: known_certs.subject # known_services not in Elastic Beats at all
|
|
# Known_Modbus
|
|
#host: host.ip # known_services not in Elastic Beats at all
|
|
#device_type: known_modbus.device_type # known_services not in Elastic Beats at all
|
|
# Known_Services
|
|
#port_proto: network.transport # known_services not in Elastic Beats at all
|
|
#port_num: labels.known.port # known_services not in Elastic Beats at all
|
|
# Modbus
|
|
delta: zeek.modbus.delta
|
|
new_val: zeek.modbus.new_val
|
|
old_val: zeek.modbus.old_val
|
|
register: zeek.modbus.register
|
|
func: zeek.modbus.function
|
|
exception: zeek.modbus.exception
|
|
track_address: zeek.modbus.track_address
|
|
# ModBus_Register_Change
|
|
#delta: modbus.delta # modbus_register_change not in Elastic Beats at all
|
|
#new_val: modbus.new_val # modbus_register_change not in Elastic Beats at all
|
|
#old_val: modbus.old_val # modbus_register_change not in Elastic Beats at all
|
|
#register: modbus.register # modbus_register_change not in Elastic Beats at all
|
|
# MQTT_Connect , MQTT_Publish, MQTT_Subscribe
|
|
#ack: mqtt.ack # mqtt logs not in Elastic Beats at all
|
|
#action: mqtt.action # mqtt logs not in Elastic Beats at all
|
|
#client_id: mqtt.client_id # mqtt logs not in Elastic Beats at all
|
|
#connect_status: mqtt.connect_status # mqtt logs not in Elastic Beats at all
|
|
#from_client: mqtt.from_client # mqtt logs not in Elastic Beats at all
|
|
#granted_qos_level: mqtt.granted_qos_level # mqtt logs not in Elastic Beats at all
|
|
#payload: mqtt.payload # mqtt logs not in Elastic Beats at all
|
|
#payload_len: mqtt.payload_len # mqtt logs not in Elastic Beats at all
|
|
#proto_name: mqtt.proto_name # mqtt logs not in Elastic Beats at all
|
|
#proto_version: mqtt.proto_version # mqtt logs not in Elastic Beats at all
|
|
#qos: mqtt.qos # mqtt logs not in Elastic Beats at all
|
|
#qos_levels: mqtt.qos_levels # mqtt logs not in Elastic Beats at all
|
|
#retain: mqtt.retain # mqtt logs not in Elastic Beats at all
|
|
##status: mqtt.status # mqtt logs not in Elastic Beats at all
|
|
#topic: mqtt.topic # mqtt logs not in Elastic Beats at all
|
|
#topics: mqtt.topics # mqtt logs not in Elastic Beats at all
|
|
#will_payload: mqtt.will_payload # mqtt logs not in Elastic Beats at all
|
|
#will_topic: mqtt.will_topic # mqtt logs not in Elastic Beats at all
|
|
# MYSQL
|
|
#arg: mysql.arg
|
|
cmd: zeek.mysql.cmd
|
|
response: zeek.mysql.response
|
|
rows: zeek.mysql.rows
|
|
#success: event.outcome
|
|
# Notice
|
|
actions: zeek.notice.actions
|
|
#conn: # Not an actual field logged, but Beats has it
|
|
#iconn: # Not an actual field logged, but Beats has it
|
|
dropped: zeek.notice.dropped
|
|
#dst: destination.ip
|
|
email_body_sections: zeek.notice.email_body_sections
|
|
email_delay_tokens: zeek.notice.email_delay_tokens
|
|
identifier: zeek.notice.identifier
|
|
msg: zeek.notice.msg
|
|
n: zeek.notice.n
|
|
note: zeek.notice.note
|
|
p: destination.port
|
|
peer_descr: zeek.notice.peer_descr
|
|
peer_name: zeek.notice.peer_name
|
|
#proto: network.transport
|
|
#src: source.ip
|
|
sub: zeek.notice.sub
|
|
subpress_for: zeek.notice.subpress_for
|
|
# NTLM
|
|
domainname: zeek.ntlm.domain
|
|
hostname: zeek.ntlm.hostname
|
|
#username: notice.username
|
|
server_nb_computer_name: zeek.ntlm.server.name.netbios
|
|
server_tree_name: zeek.ntlm.server.name.tree
|
|
#success: event.outcome
|
|
server_dns_computer_name: zeek.ntlm.server.name.dns
|
|
# NTP
|
|
#mode: ntp.mode # ntp not in Elastic Beats at all
|
|
#num_exts: ntp.num_exts # ntp not in Elastic Beats at all
|
|
#org_time: ntp.org_time # ntp not in Elastic Beats at all
|
|
#poll: ntp.poll # ntp not in Elastic Beats at all
|
|
#precision: ntp.precision # ntp not in Elastic Beats at all
|
|
#rec_time: ntp.rec_time # ntp not in Elastic Beats at all
|
|
#ref_id: ntp.ref_id # ntp not in Elastic Beats at all
|
|
#ref_time: ntp.ref_time # ntp not in Elastic Beats at all
|
|
#root_delay: ntp.root_delay # ntp not in Elastic Beats at all
|
|
#root_disp: ntp.root_disp # ntp not in Elastic Beats at all
|
|
#stratum: ntp.stratum # ntp not in Elastic Beats at all
|
|
##version: ntp.version # ntp not in Elastic Beats at all
|
|
#xmt_time: ntp.xmt_time # ntp not in Elastic Beats at all
|
|
# OCSP
|
|
certStatus: zeek.ocsp.status
|
|
hashAlgorithm: zeek.ocsp.hash.algorithm
|
|
issuerKeyHash: zeek.ocsp.hash.issuer.key
|
|
issuerNameHash: zeek.ocsp.hash.issuer.name
|
|
nextUpdate: zeek.ocsp.update.next
|
|
revokereason: zeek.ocsp.revoke.reason
|
|
revoketime: zeek.ocsp.revoke.date
|
|
serialNumber: zeek.ocsp.serial_number
|
|
thisUpdate: zeek.ocsp.update.this
|
|
# PE
|
|
compile_ts: zeek.pe.compile_time
|
|
has_cert_table: zeek.pe.has_cert_table
|
|
has_debug_data: zeek.pe.has_debug_data
|
|
has_import_table: zeek.pe.has_import_table
|
|
has_export_table: zeek.pe.has_export_table
|
|
is_64bit: zeek.pe.is_64bit
|
|
is_exe: zeek.pe.is_exe
|
|
machine: zeek.pe.machine
|
|
os: zeek.pe.os
|
|
section_names: zeek.pe.section_names
|
|
subsystem: zeek.pe.subsystem
|
|
uses_aslr: zeek.pe.uses_aslr
|
|
uses_code_integrity: zeek.pe.uses_code_integrity
|
|
uses_dep: zeek.pe.uses_dep
|
|
uses_seh: zeek.pe.uses_seh
|
|
# POP3
|
|
#arg: pop3.arg # pop3 not in Elastic Beats at all
|
|
#command: pop3.command # pop3 not in Elastic Beats at all
|
|
#current_request: pop3.current_request # pop3 not in Elastic Beats at all
|
|
#current_response: pop3.current_response # pop3 not in Elastic Beats at all
|
|
#data: pop3.data # pop3 not in Elastic Beats at all
|
|
#failed_commands: pop3.failed_commands # pop3 not in Elastic Beats at all
|
|
#has_client_activity: pop3.has_client_activity # pop3 not in Elastic Beats at all
|
|
#is_orig: pop3.is_orig # pop3 not in Elastic Beats at all
|
|
#msg: pop3.msg # pop3 not in Elastic Beats at all
|
|
#password: source.user.password # pop3 not in Elastic Beats at all
|
|
#pending: pop3.pending # pop3 not in Elastic Beats at all
|
|
#status: pop3.status # pop3 not in Elastic Beats at all
|
|
#successful_commands: pop3.successful_commands # pop3 not in Elastic Beats at all
|
|
#username: pop3.username # pop3 not in Elastic Beats at all
|
|
# Radius
|
|
connect_info: zeek.radius.connect_info
|
|
framed_addr: zeek.radius.framed_addr
|
|
mac: zeek.radius.mac
|
|
#reply_msg: zeek.radius.reply_msg
|
|
result: zeek.radius.result
|
|
ttl: zeek.radius.ttl
|
|
tunnel_client: zeek.radius.tunnel_client
|
|
#username: zeek.radius.username
|
|
# RDP
|
|
#result: event.outcome
|
|
cert_count: zeek.rdp.cert.count
|
|
cert_permanent: zeek.rdp.cert.permanent
|
|
cert_type: zeek.rdp.cert.type
|
|
client_build: zeek.rdp.client.build
|
|
client_dig_product_id: zeek.rdp.client.product_id
|
|
client_name: zeek.rdp.client.name
|
|
cookie: zeek.rdp.cookie
|
|
desktop_height: zeek.rdp.desktop.height
|
|
desktop_width: zeek.rdp.desktop.width
|
|
encryption_level: zeek.rdp.encryption.level
|
|
encryption_method: zeek.rdp.encryption.method
|
|
keyboard_layout: zeek.rdp.keyboard_layout
|
|
requested_color_depth: zeek.rdp.desktop.color_depth
|
|
security_protocol: zeek.rdp.security_protocol
|
|
ssl: zeek.rdp.ssl
|
|
# RFB
|
|
#auth: zeek.rfb.auth.success
|
|
authentication_method: zeek.rfb.auth.method
|
|
client_major_version: zeek.rfb.version.client.major
|
|
client_minor_version: zeek.rfb.version.client.minor
|
|
desktop_name: zeek.rfb.desktop_name
|
|
height: zeek.rfb.height
|
|
server_major_version: zeek.rfb.version.server.major
|
|
server_minor_version: zeek.rfb.version.server.minor
|
|
share_flag: zeek.rfb.share_flag
|
|
width: zeek.rfb.width
|
|
# SIP
|
|
call_id: zeek.sip.call_id
|
|
content_type: zeek.sip.content_type
|
|
#date: zeek.sip.date
|
|
#method: zeek.sip.sequence.method
|
|
#reply_to: zeek.sip.reply_to
|
|
#request_body_len: zeek.sip.response.body_length
|
|
request_from: zeek.sip.request.from
|
|
request_path: zeek.sip.request.path
|
|
request_to: zeek.sip.request.to
|
|
#response_body_len: zeek.sip.request.body_length
|
|
response_from: zeek.sip.response.from
|
|
response_path: zeek.sip.response.path
|
|
response_to: zeek.sip.response.to
|
|
seq: zeek.sip.seq
|
|
#status_code: zeek.sip.status.code
|
|
#status_msg: zeek.sip.status.msg
|
|
#subject: zeek.sip.subject
|
|
#trans_depth: zeek.sip.transaction_depth
|
|
#uri: zeek.sip.uri
|
|
warning: zeek.sip.warning
|
|
#user_agent: zeek.sip.user_agent
|
|
# SMB_Files
|
|
#action: zeek.smb_files.action
|
|
#name: zeek.smb_files.name
|
|
#path: zeek.smb_files.path
|
|
prev_name: zeek.smb_files.prev_name
|
|
size: zeek.smb_files.size
|
|
times_accessed: zeek.smb_files.accessed
|
|
times_changed: zeek.smb_files.ctime
|
|
times_created: zeek.smb_files.created
|
|
times_modified: zeek.smb_files.mtime
|
|
# SMB_Mapping
|
|
native_file_system: zeek.smb_mapping.native_file_system
|
|
#path: zeek.smb_mapping.path
|
|
share_type: zeek.smb_mapping.share_type
|
|
#service: zeek.smb_mapping.service
|
|
# SMTP
|
|
cc: zeek.smtp.cc
|
|
#date: zeek.smtp.date
|
|
first_received: zeek.smtp.first_received
|
|
#from: zeek.smtp.from
|
|
helo: zeek.smtp.helo
|
|
in_reply_to: zeek.smtp.in_reply_to
|
|
is_webmail: zeek.smtp.is_webmail
|
|
last_reply: zeek.smtp.last_reply
|
|
mailfrom: zeek.smtp.mail_from
|
|
msg_id: zeek.smtp.msg_id
|
|
#path: zeek.smtp.path
|
|
rcptto: zeek.smtp.rcpt_to
|
|
#reply_to: zeek.smtp.reply_to
|
|
second_received: zeek.smtp.second_received
|
|
#subject: zeek.smtp.subject
|
|
tls: zeek.smtp.tls
|
|
to: zeek.smtp.to
|
|
#trans_depth: zeek.smtp.transaction_depth
|
|
x_originating_ip: zeek.smtp.x_originating_ip
|
|
#user_agent: zeek.smtp.user_agent
|
|
# SMTP_Links
|
|
#cs-host: url.domain # smtp_links not in Elastic Beats at all
|
|
#c-uri: url.original # smtp_links not in Elastic Beats at all
|
|
# SNMP
|
|
#duration: zeek.snmp.duration
|
|
community: zeek.snmp.community
|
|
display_string: zeek.snmp.display_string
|
|
get_bulk_requests: zeek.snmp.get.bulk_requests
|
|
#get_responses: # this is in Elastic Beats, but not an actual zeek field for snmp
|
|
get_requests: zeek.snmp.get.requests
|
|
set_requests: zeek.snmp.set.requests
|
|
up_since: zeek.snmp.up_since
|
|
#version: zeek.snmp.version
|
|
# Socks
|
|
#password: zeek.socks.password
|
|
bound_host: zeek.socks.bound_host
|
|
bound_name: zeek.socks.bound_name
|
|
bound_p: zeek.socks.bound.port
|
|
request_host: zeek.socks.request_host
|
|
request_name: zeek.socks.request.host
|
|
request_p: zeek.socks.request.port
|
|
status: zeek.socks.status
|
|
#version: zeek.socks.version
|
|
# Software
|
|
##host: host.ip # software not in Elastic Beats at all
|
|
#host_p: software.host_port # software not in Elastic Beats at all
|
|
#version.major: software.version.major # software not in Elastic Beats at all
|
|
#version.minor: software.version.minor # software not in Elastic Beats at all
|
|
#version.minor2: software.version.minor2 # software not in Elastic Beats at all
|
|
#version.minor3: software.version.minor3 # software not in Elastic Beats at all
|
|
##name: software.name # software not in Elastic Beats at all
|
|
#unparsed_version: software.unparsed_version # software not in Elastic Beats at all
|
|
#software_type: software.software_type # software not in Elastic Beats at all
|
|
##url: url.original # software not in Elastic Beats at all
|
|
# SSH
|
|
auth_attempts: zeek.ssh.auth.attempts
|
|
auth_success: zeek.ssh.auth.success
|
|
cipher_alg: zeek.ssh.algorithm.cipher
|
|
#client: zeek.ssh.client
|
|
compression_alg: zeek.ssh.algorithm.compression
|
|
cshka: zeek.ssh.cshka
|
|
direction: zeek.ssh.direction
|
|
hassh: zeek.ssh.hassh
|
|
hasshAlgorithms: zeek.ssh.hasshAlgorithms
|
|
hasshServer: zeek.ssh.hasshServer
|
|
hasshServerAlgorithms: zeek.ssh.hasshServerAlgorithms
|
|
hasshVersion: zeek.ssh.hasshVersion
|
|
host_key: zeek.ssh.host_key
|
|
host_key_alg: zeek.ssh.algorithm.host_key
|
|
kex_alg: zeek.ssh.algorithm.key_exchange
|
|
mac_alg: zeek.ssh.algorithm.mac
|
|
server: zeek.ssh.server
|
|
#version: zeek.ssh.version
|
|
# SSL / TLS
|
|
#cert_chain # Does not exist in ssl log but Elastic Beats has it
|
|
#cipher: tls.cipher # Not implemented in Elastic Beats
|
|
#cipher: zeek.ssl.cipher
|
|
#client_issuer: tls.client.issuer # Not implemented in Elastic Beats
|
|
client_issuer: zeek.ssl.client_issuer
|
|
#client_subject: tls.client.subject # Not implemented in Elastic Beats
|
|
client_subject: zeek.ssl.client_subject
|
|
#curve: tls.curve # Not implemented in Elastic Beats
|
|
curve: zeek.ssl.curve
|
|
#established: tls.established # Not implemented in Elastic Beats
|
|
established: zeek.ssl.established
|
|
#issuer: tls.server.issuer # Not implemented in Elastic Beats
|
|
issuer: zeek.ssl.issuer
|
|
#ja3: tls.client.ja3 # Not implemented in Elastic Beats
|
|
ja3: zeek.ssl.ja3
|
|
#ja3s: tls.client.ja3s # Not implemented in Elastic Beats
|
|
ja3s: zeek.ssl.ja3s
|
|
last_alert: zeek.ssl.last_alert
|
|
#next_protocol: tls.next_protocol # Not implemented in Elastic Beats
|
|
next_protocol: zeek.ssl.next_protocol
|
|
notary: zeek.ssl.notary
|
|
ocsp_status: zeek.ssl.oscp_status
|
|
#orig_certificate_sha1: tls.client.hash.sha1 # Not implemented in Elastic Beats
|
|
orig_certificate_sha1: zeek.ssl.orig_certificate_sha1
|
|
#resp_certificate_sha1: tls.server.hash.sha1 # Not implemented in Elastic Beats
|
|
resp_certificate_sha1: zeek.ssl.resp_certificate_sha1
|
|
#resumed: tls.resumed # Not implemented in Elastic Beats
|
|
resumed: zeek.ssl.resumed
|
|
#server_name: tls.client.server_name # Not implemented in Elastic Beats
|
|
server_name: zeek.ssl.server.name
|
|
#subject: tls.server.subject # Not implemented in Elastic Beats
|
|
#subject: zeek.ssl.subject
|
|
valid_ct_logs: zeek.ssl.valid_ct_logs
|
|
valid_ct_operators: zeek.ssl.validct_operators
|
|
valid_ct_operators_list: zeek.ssl.valid_ct_operators_list
|
|
#validation_code # Does not exist in ssl log but Elastic Beats has it
|
|
validation_status: zeek.ssl.validation_status
|
|
#version: tls.version # Not implemented in Elastic Beats
|
|
#version: zeek.ssl.version
|
|
version_num: zeek.ssl.version_num
|
|
# Syslog
|
|
#facility: log.syslog.facility.name # Not implemented in Elastic Beats
|
|
facility: zeek.syslog.facility
|
|
#severity: log.syslog.severity.name # Not implemented in Elastic Beats
|
|
severity: zeek.syslog.severity
|
|
#message: syslog.message # Not implemented in Elastic Beats
|
|
message: zeek.syslog.msg # why did Elastic beats do this
|
|
# Traceroute
|
|
#proto: network.transport
|
|
#dst: destination.ip
|
|
#src: source.ip
|
|
# Tunnel
|
|
#action: zeek.tunnel.action
|
|
tunnel_type: zeek.tunnel.type
|
|
# Weird
|
|
#addl: zeek.weird.additional_info
|
|
#name: zeek.weird.name
|
|
notice: zeek.weird.notice
|
|
peer: zeek.weird.peer
|
|
# X509
|
|
basic_constraints.ca: zeek.x509.certificate.basic_constraints.certificate_authority
|
|
basic_constraints.path_len: zeek.x509.certificate.basic_constraints.path_length
|
|
certificate.cn: zeek.x509.certificate.common_name
|
|
certificate.curve: zeek.x509.certificate.curve
|
|
certificate.exponent: zeek.x509.certificate.exponent
|
|
certificate.issuer: zeek.x509.certificate.iss # why did Elastic beats do this
|
|
certificate.key_alg: zeek.x509.certificate.key.algorithm
|
|
certificate.key_length: zeek.x509.certificate.key.length
|
|
certificate.key_type: zeek.x509.certificate.key.type
|
|
certificate.not_valid_after: zeek.x509.certificate.valid.until
|
|
certificate.not_valid_before: zeek.x509.certificate.valid.from
|
|
certificate.serial: zeek.x509.certificate.serial
|
|
certificate.sig_alg: zeek.x509.certificate.signature_algorithm
|
|
certificate.subject: zeek.x509.certificate.sub # why did Elastic beats do this
|
|
certificate.version: zeek.x509.certificate.version
|
|
logcert: zeek.x509.logcert
|
|
san.dns: zeek.x509.san.dns
|
|
san.email: zeek.x509.san.email
|
|
san.ip: zeek.x509.san.ip
|
|
san.uri: zeek.x509.san.url
|
|
# Temporary one off rule name's people have written
|
|
agent.version: version
|
|
c-cookie: http.cookie_vars
|
|
c-ip: source.ip
|
|
cs-uri: url.original
|
|
clientip: source.ip
|
|
clientIP: source.io
|
|
dest_domain:
|
|
- query
|
|
- host
|
|
- server_name
|
|
dest_ip: destination.ip
|
|
dest_port: destination.port
|