mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
475 lines
9.3 KiB
YAML
475 lines
9.3 KiB
YAML
title: Zeek field mappings for default collection of JSON logs with no parsing/normalization done and sending into logstash-*index
|
|
order: 20
|
|
backends:
|
|
- es-qs
|
|
- es-dsl
|
|
- elasticsearch-rule
|
|
- kibana
|
|
- kibana-ndjson
|
|
- xpack-watcher
|
|
- elastalert
|
|
- elastalert-dsl
|
|
logsources:
|
|
zeek:
|
|
product: zeek
|
|
index: 'logstash*'
|
|
zeek-category-accounting:
|
|
category: accounting
|
|
rewrite:
|
|
product: zeek
|
|
service: syslog
|
|
zeek-category-firewall:
|
|
category: firewall
|
|
rewrite:
|
|
product: zeek
|
|
service: conn
|
|
zeek-category-dns:
|
|
category: dns
|
|
rewrite:
|
|
product: zeek
|
|
service: dns
|
|
zeek-category-proxy:
|
|
category: proxy
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-category-webserver:
|
|
category: webserver
|
|
rewrite:
|
|
product: zeek
|
|
service: http
|
|
zeek-conn:
|
|
product: zeek
|
|
service: conn
|
|
conditions:
|
|
'@stream': conn
|
|
zeek-conn_long:
|
|
product: zeek
|
|
service: conn_long
|
|
conditions:
|
|
'@stream': conn_long
|
|
zeek-dce_rpc:
|
|
product: zeek
|
|
service: dce_rpc
|
|
conditions:
|
|
'@stream': dce_rpc
|
|
zeek-dns:
|
|
product: zeek
|
|
service: dns
|
|
conditions:
|
|
'@stream': dns
|
|
zeek-dnp3:
|
|
product: zeek
|
|
service: dnp3
|
|
conditions:
|
|
'@stream': dnp3
|
|
zeek-dpd:
|
|
product: zeek
|
|
service: dpd
|
|
conditions:
|
|
'@stream': dpd
|
|
zeek-files:
|
|
product: zeek
|
|
service: files
|
|
conditions:
|
|
'@stream': files
|
|
zeek-ftp:
|
|
product: zeek
|
|
service: ftp
|
|
conditions:
|
|
'@stream': ftp
|
|
zeek-gquic:
|
|
product: zeek
|
|
service: gquic
|
|
conditions:
|
|
'@stream': gquic
|
|
zeek-http:
|
|
product: zeek
|
|
service: http
|
|
conditions:
|
|
'@stream': http
|
|
zeek-http2:
|
|
product: zeek
|
|
service: http2
|
|
conditions:
|
|
'@stream': http2
|
|
zeek-intel:
|
|
product: zeek
|
|
service: intel
|
|
conditions:
|
|
'@stream': intel
|
|
zeek-irc:
|
|
product: zeek
|
|
service: irc
|
|
conditions:
|
|
'@stream': irc
|
|
zeek-kerberos:
|
|
product: zeek
|
|
service: kerberos
|
|
conditions:
|
|
'@stream': kerberos
|
|
zeek-known_certs:
|
|
product: zeek
|
|
service: known_certs
|
|
conditions:
|
|
'@stream': known_certs
|
|
zeek-known_hosts:
|
|
product: zeek
|
|
service: known_hosts
|
|
conditions:
|
|
'@stream': known_hosts
|
|
zeek-known_modbus:
|
|
product: zeek
|
|
service: known_modbus
|
|
conditions:
|
|
'@stream': known_modbus
|
|
zeek-known_services:
|
|
product: zeek
|
|
service: known_services
|
|
conditions:
|
|
'@stream': known_services
|
|
zeek-modbus:
|
|
product: zeek
|
|
service: modbus
|
|
conditions:
|
|
'@stream': modbus
|
|
zeek-modbus_register_change:
|
|
product: zeek
|
|
service: modbus_register_change
|
|
conditions:
|
|
'@stream': modbus_register_change
|
|
zeek-mqtt_connect:
|
|
product: zeek
|
|
service: mqtt_connect
|
|
conditions:
|
|
'@stream': mqtt_connect
|
|
zeek-mqtt_publish:
|
|
product: zeek
|
|
service: mqtt_publish
|
|
conditions:
|
|
'@stream': mqtt_publish
|
|
zeek-mqtt_subscribe:
|
|
product: zeek
|
|
service: mqtt_subscribe
|
|
conditions:
|
|
'@stream': mqtt_subscribe
|
|
zeek-mysql:
|
|
product: zeek
|
|
service: mysql
|
|
conditions:
|
|
'@stream': mysql
|
|
zeek-notice:
|
|
product: zeek
|
|
service: notice
|
|
conditions:
|
|
'@stream': notice
|
|
zeek-ntlm:
|
|
product: zeek
|
|
service: ntlm
|
|
conditions:
|
|
'@stream': ntlm
|
|
zeek-ntp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
'@stream': ntp
|
|
zeek-ocsp:
|
|
product: zeek
|
|
service: ntp
|
|
conditions:
|
|
'@stream': ocsp
|
|
zeek-pe:
|
|
product: zeek
|
|
service: pe
|
|
conditions:
|
|
'@stream': pe
|
|
zeek-pop3:
|
|
product: zeek
|
|
service: pop3
|
|
conditions:
|
|
'@stream': pop3
|
|
zeek-radius:
|
|
product: zeek
|
|
service: radius
|
|
conditions:
|
|
'@stream': radius
|
|
zeek-rdp:
|
|
product: zeek
|
|
service: rdp
|
|
conditions:
|
|
'@stream': rdp
|
|
zeek-rfb:
|
|
product: zeek
|
|
service: rfb
|
|
conditions:
|
|
'@stream': rfb
|
|
zeek-sip:
|
|
product: zeek
|
|
service: sip
|
|
conditions:
|
|
'@stream': sip
|
|
zeek-smb_files:
|
|
product: zeek
|
|
service: smb_files
|
|
conditions:
|
|
'@stream': smb_files
|
|
zeek-smb_mapping:
|
|
product: zeek
|
|
service: smb_mapping
|
|
conditions:
|
|
'@stream': smb_mapping
|
|
zeek-smtp:
|
|
product: zeek
|
|
service: smtp
|
|
conditions:
|
|
'@stream': smtp
|
|
zeek-smtp_links:
|
|
product: zeek
|
|
service: smtp_links
|
|
conditions:
|
|
'@stream': smtp_links
|
|
zeek-snmp:
|
|
product: zeek
|
|
service: snmp
|
|
conditions:
|
|
'@stream': snmp
|
|
zeek-socks:
|
|
product: zeek
|
|
service: socks
|
|
conditions:
|
|
'@stream': socks
|
|
zeek-software:
|
|
product: zeek
|
|
service: software
|
|
conditions:
|
|
'@stream': software
|
|
zeek-ssh:
|
|
product: zeek
|
|
service: ssh
|
|
conditions:
|
|
'@stream': ssh
|
|
zeek-ssl:
|
|
product: zeek
|
|
service: ssl
|
|
conditions:
|
|
'@stream': ssl
|
|
zeek-tls: # In case people call it TLS even though orig log is called ssl
|
|
product: zeek
|
|
service: tls
|
|
conditions:
|
|
'@stream': ssl
|
|
zeek-syslog:
|
|
product: zeek
|
|
service: syslog
|
|
conditions:
|
|
'@stream': syslog
|
|
zeek-tunnel:
|
|
product: zeek
|
|
service: tunnel
|
|
conditions:
|
|
'@stream': tunnel
|
|
zeek-traceroute:
|
|
product: zeek
|
|
service: traceroute
|
|
conditions:
|
|
'@stream': traceroute
|
|
zeek-weird:
|
|
product: zeek
|
|
service: weird
|
|
conditions:
|
|
'@stream': weird
|
|
zeek-x509:
|
|
product: zeek
|
|
service: x509
|
|
conditions:
|
|
'@stream': x509
|
|
zeek-ip_search:
|
|
product: zeek
|
|
service: network
|
|
conditions:
|
|
'@stream':
|
|
- conn
|
|
- conn_long
|
|
- dce_rpc
|
|
- dhcp
|
|
- dnp3
|
|
- dns
|
|
- ftp
|
|
- gquic
|
|
- http
|
|
- irc
|
|
- kerberos
|
|
- modbus
|
|
- mqtt_connect
|
|
- mqtt_publish
|
|
- mqtt_subscribe
|
|
- mysql
|
|
- ntlm
|
|
- ntp
|
|
- radius
|
|
- rfb
|
|
- sip
|
|
- smb_files
|
|
- smb_mapping
|
|
- smtp
|
|
- smtp_links
|
|
- snmp
|
|
- socks
|
|
- ssh
|
|
- tls #SSL
|
|
- tunnel
|
|
- weird
|
|
defaultindex: 'logstash-*'
|
|
fieldmappings:
|
|
# All Logs Applied Mapping & Taxonomy
|
|
dst_ip: id.resp_h
|
|
dst_port: id.resp_p
|
|
network_protocol: proto
|
|
src_ip: id.orig_h
|
|
src_port: id.orig_p
|
|
# DNS matching Taxonomy & DNS Category
|
|
answer: answers
|
|
#question_length: # Does not exist in open source version
|
|
record_type: qtype_name
|
|
#parent_domain: # Does not exist in open source version
|
|
# HTTP matching Taxonomy & Web/Proxy Category
|
|
cs-bytes: request_body_len
|
|
cs-cookie: cookie
|
|
r-dns: host
|
|
sc-bytes: response_body_len
|
|
sc-status: status_code
|
|
c-uri: uri
|
|
c-uri-extension: uri
|
|
c-uri-query: uri
|
|
c-uri-stem: uri
|
|
c-useragent: user_agent
|
|
cs-host: host
|
|
cs-method: method
|
|
cs-referrer: referrer
|
|
cs-version: version
|
|
# Few other variations of names from zeek source itself
|
|
id_orig_h: id.orig_h
|
|
id_orig_p: id.orig_p
|
|
id_resp_h: id.resp_h
|
|
id_resp_p: id.resp_p
|
|
# Temporary one off rule name fields
|
|
agent.version: version
|
|
c-cookie: cookie
|
|
c-ip: id.orig_h
|
|
cs-uri: uri
|
|
clientip: id.orig_h
|
|
clientIP: id.orig_h
|
|
dest_domain:
|
|
- query
|
|
- host
|
|
- server_name
|
|
dest_ip: id.resp_h
|
|
dest_port: id.resp_p
|
|
#TODO:WhatShouldThisBe?==dest:
|
|
#TODO:WhatShouldThisBe?==destination:
|
|
#TODO:WhatShouldThisBe?==Destination:
|
|
destination.hostname:
|
|
- query
|
|
- host
|
|
- server_name
|
|
DestinationAddress: id.resp_h
|
|
DestinationHostname:
|
|
- host
|
|
- query
|
|
- server_name
|
|
DestinationIp: id.resp_h
|
|
DestinationIP: id.resp_h
|
|
DestinationPort: id.resp_p
|
|
dst-ip: id.resp_h
|
|
dstip: id.resp_h
|
|
dstport: id.resp_p
|
|
Host:
|
|
- host
|
|
- query
|
|
- server_name
|
|
HostVersion: http.version
|
|
http_host:
|
|
- host
|
|
- query
|
|
- server_name
|
|
http_uri: uri
|
|
http_url: uri
|
|
http_user_agent: user_agent
|
|
http.request.url-query-params: uri
|
|
HttpMethod: method
|
|
in_url: uri
|
|
# parent_domain: # Not in open source zeek
|
|
post_url_parameter: uri
|
|
Request Url: uri
|
|
request_url: uri
|
|
request_URL: uri
|
|
RequestUrl: uri
|
|
#response: status_code
|
|
resource.url: uri
|
|
resource.URL: uri
|
|
sc_status: status_code
|
|
sender_domain:
|
|
- query
|
|
- server_name
|
|
service.response_code: status_code
|
|
source: id.orig_h
|
|
SourceAddr: id.orig_h
|
|
SourceAddress: id.orig_h
|
|
SourceIP: id.orig_h
|
|
SourceIp: id.orig_h
|
|
SourceNetworkAddress: id.orig_h
|
|
SourcePort: id.orig_p
|
|
srcip: id.orig_h
|
|
Status: status_code
|
|
status: status_code
|
|
url: uri
|
|
URL: uri
|
|
url_query: uri
|
|
url.query: uri
|
|
uri_path: uri
|
|
user_agent: user_agent
|
|
user_agent.name: user_agent
|
|
user-agent: user_agent
|
|
User-Agent: user_agent
|
|
useragent: user_agent
|
|
UserAgent: user_agent
|
|
User Agent: user_agent
|
|
web_dest:
|
|
- host
|
|
- query
|
|
- server_name
|
|
web.dest:
|
|
- host
|
|
- query
|
|
- server_name
|
|
Web.dest:
|
|
- host
|
|
- query
|
|
- server_name
|
|
web.host:
|
|
- host
|
|
- query
|
|
- server_name
|
|
Web.host:
|
|
- host
|
|
- query
|
|
- server_name
|
|
web_method: method
|
|
Web_method: method
|
|
web.method: method
|
|
Web.method: method
|
|
web_src: id.orig_h
|
|
web_status: status_code
|
|
Web_status: status_code
|
|
web.status: status_code
|
|
Web.status: status_code
|
|
web_uri: uri
|
|
web_url: uri
|
|
# Most are in ECS, but for things not using Elastic - these need renamed
|
|
destination.ip: id.resp_h
|
|
destination.port: id.resp_p
|
|
http.request.body.content: post_body
|
|
#source.domain:
|
|
source.ip: id.orig_h
|
|
source.port: id.orig_p
|