# sigmac backend configuration for Zeek logs stored in Corelight's Elastic
# Common Schema (ECS) layout.  sigmac uses it to pick the index and the
# event.dataset filter for a rule's logsource and to rename rule fields to the
# ECS field names written by https://github.com/corelight/ecs-mapping.
title: Corelight Zeek and Corelight Opensource Zeek Elastic Common Schema (ECS) implementation
description: Uses the mappings as created by Corelight here https://github.com/corelight/ecs-mapping
# Precedence when several configs are passed to sigmac (lower is applied
# first) — presumably; confirm against the sigmac version in use.
order: 20
# Backends this config is written for; sigmac is expected to reject it for any
# other backend.  The corelight_* variants are the Corelight-specific forks.
backends:
  - es-qs
  - corelight_es-qs
  - es-dsl
  - elasticsearch-rule
  - corelight_elasticsearch-rule
  - kibana
  - kibana-ndjson
  - corelight_kibana
  - xpack-watcher
  - corelight_xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
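# Logsource resolution for rules with `product: zeek`.  A matched entry
# supplies the index pattern and the `conditions` sigmac adds to the query;
# the per-log entries pin `event.dataset` so a rule written for one Zeek log
# is not evaluated against every dataset in the `*ecs-*` indices.  The
# `zeek-category-*` entries rewrite generic Sigma categories onto the Zeek
# log that carries that data (proxy/webserver -> http, firewall -> conn).
logsources:
  zeek:
    product: zeek
    index: '*ecs-*'
    # Narrower patterns if only one index family is in use:
    #   '*ecs-corelight*'
    #   '*ecs-zeek-*'
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  # NOTE(review): only this category entry pins event.dataset itself.  If the
  # sigmac in use does not re-match logsources after a rewrite, the other
  # category entries run without a dataset filter — confirm, and add
  # `conditions` to them if so.
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
    conditions:
      event.dataset: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
      product: zeek
      service: http
  # One entry per Zeek log: service name == Zeek log name == event.dataset,
  # except ssl, whose dataset is `tls` (see zeek-ssl / zeek-tls).
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      event.dataset: conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      event.dataset: conn_long
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      event.dataset: dce_rpc
  # Added: dhcp has field mappings below and is part of zeek-ip_search, but
  # had no per-log entry, so `service: dhcp` rules ran with no dataset filter.
  zeek-dhcp:
    product: zeek
    service: dhcp
    conditions:
      event.dataset: dhcp
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      event.dataset: dns
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      event.dataset: dnp3
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      event.dataset: dpd
  zeek-files:
    product: zeek
    service: files
    conditions:
      event.dataset: files
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      event.dataset: ftp
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      event.dataset: gquic
  zeek-http:
    product: zeek
    service: http
    conditions:
      event.dataset: http
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      event.dataset: http2
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      event.dataset: intel
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      event.dataset: irc
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      event.dataset: kerberos
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      event.dataset: known_certs
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      event.dataset: known_hosts
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      event.dataset: known_modbus
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      event.dataset: known_services
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      event.dataset: modbus
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      event.dataset: modbus_register_change
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      event.dataset: mqtt_connect
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      event.dataset: mqtt_publish
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      event.dataset: mqtt_subscribe
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      event.dataset: mysql
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      event.dataset: notice
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      event.dataset: ntlm
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      event.dataset: ntp
  # Fixed: this entry carried `service: ntp`, so `service: ocsp` rules never
  # matched it while NTP rules matched both this and zeek-ntp.
  zeek-ocsp:
    product: zeek
    service: ocsp
    conditions:
      event.dataset: ocsp
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      event.dataset: pe
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      event.dataset: pop3
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      event.dataset: radius
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      event.dataset: rdp
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      event.dataset: rfb
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      event.dataset: sip
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      event.dataset: smb_files
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      event.dataset: smb_mapping
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      event.dataset: smtp
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      event.dataset: smtp_links
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      event.dataset: snmp
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      event.dataset: socks
  zeek-software:
    product: zeek
    service: software
    conditions:
      event.dataset: software
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      event.dataset: ssh
  # The Zeek log is ssl.log but the ECS dataset is `tls`; accept both service
  # spellings so rules written either way land on the same dataset.
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      event.dataset: tls
  zeek-tls:
    product: zeek
    service: tls
    conditions:
      event.dataset: tls
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      event.dataset: syslog
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      event.dataset: tunnel
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      event.dataset: traceroute
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      event.dataset: weird
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      event.dataset: x509
  # Address-only rules (`service: network`) are searched across every dataset
  # that carries endpoint addresses; extend this list when a new log is mapped.
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      event.dataset:
        - conn
        - conn_long
        - dce_rpc
        - dhcp
        - dnp3
        - dns
        - ftp
        - gquic
        - http
        - irc
        - kerberos
        - modbus
        - mqtt_connect
        - mqtt_publish
        - mqtt_subscribe
        - mysql
        - ntlm
        - ntp
        - radius
        - rfb
        - sip
        - smb_files
        - smb_mapping
        - smtp
        - smtp_links
        - snmp
        - socks
        - ssh
        - tls  # ssl.log
        - tunnel
        - weird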
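# Index pattern used when a rule's logsource matches no `logsources` entry.
defaultindex: '*ecs-*'
# Rule field name (key) -> ECS field queried (value).  Three forms appear:
#   plain        `src: source.ip`                 one field -> one ECS field
#   multi-target `cs-host: [url.domain, ...]`     one field -> several ECS fields (OR-ed)
#   conditional  `version: {service=http: ...}`   target picked by the rule's logsource
# Keys are case-sensitive, so `status`, `Status` and `sc_status` are distinct.
# NOTE(review): sigmac renames fields only and cannot rewrite values.  Boolean
# Zeek fields mapped onto event.outcome (result, success, auth_success) will
# not match rule values of true/false; ECS uses the strings success/failure.
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst: destination.ip
  dst_ip: destination.ip
  dst_port: destination.port
  host: host.ip
  inner_vlan: network.vlan.inner.id
  mac: source.mac
  mime_type: file.mime_type
  network_application: network.protocol
  network_community_id: network.community_id
  network_protocol: network.transport
  # Cleartext credentials Zeek extracts from FTP/HTTP/POP3/SOCKS (see the
  # commented `#password` lines in those sections).  The mapped field is
  # searchable, so the index holds secrets — restrict who can query it.
  password: source.user.password
  port_num: labels.known.port
  proto: network.transport
  result: event.outcome
  rtt: event.duration
  server_name: destination.domain
  src: source.ip
  src_ip: source.ip
  src_port: source.port
  success: event.outcome
  uri: url.original
  user: source.user.name
  username: source.user.name
  user_agent: user_agent.original
  vlan: network.vlan.id
  # DNS matching Taxonomy & DNS Category
  answer: dns.answers.name
  question_length: labels.dns.query_length
  record_type: dns.question.type
  parent_domain: dns.question.registered_domain
  # HTTP matching Taxonomy & Web/Proxy Category
  cs-bytes: http.request.body.bytes
  # NOTE(review): cookie_vars presumably holds cookie variable *names*, not
  # the Cookie header value; rules matching on cookie values will not hit.
  cs-cookie: http.cookie_vars
  r-dns:
    - url.domain
    - destination.domain
  sc-bytes: http.response.body.bytes
  sc-status: http.response.status_code
  c-uri: url.original
  c-uri-extension: url.extension
  c-uri-query: url.query
  # The stem is matched against the whole URL (query string included), so a
  # c-uri-stem rule may also hit on query content; use url.path if populated.
  c-uri-stem: url.original
  c-useragent: user_agent.original
  cs-host:
    - url.domain
    - destination.domain
  cs-method: http.request.method
  cs-referrer: http.request.referrer
  cs-version: http.version
  # All log UIDs
  cert_chain_fuids: log.id.cert_chain_fuids
  client_cert_chain_fuids: log.id.client_cert_chain_fuids
  client_cert_fuid: log.id.client_cert_fuid
  conn_uids: log.id.conn_uids
  fid: log.id.fid
  fuid: log.id.fuid
  fuids: log.id.fuids
  id: log.id.id
  orig_fuids: log.id.orig_fuids
  parent_fuid: log.id.parent_fuid
  related_fuids: log.id.related_fuids
  resp_fuids: log.id.resp_fuids
  server_cert_fuid: log.id.server_cert_fuid
  tunnel_parents: log.id.tunnel_parents
  uid: log.id.uid
  uids: log.id.uids
  uuid: log.id.uuid
  # Deep mappings / Overlapping fields/mappings (aka: shared fields)
  # A bare Zeek field name that exists in several logs is resolved by the
  # rule's `service`; the `<log>_<field>` aliases let a rule name the log
  # explicitly.  The service names must match the logsources above, which is
  # why the MQTT and SSL/TLS entries list every service spelling defined there
  # (there is no `mqtt` logsource — only mqtt_connect/publish/subscribe).
  #_action
  action:
    #- '*.action'
    service=mqtt: mqtt.action
    service=mqtt_connect: mqtt.action
    service=mqtt_publish: mqtt.action
    service=mqtt_subscribe: mqtt.action
    service=smb_files: smb.action
    service=tunnel: tunnel.action
  mqtt_action: mqtt.action  # was smb.action
  smb_action: smb.action
  tunnel_action: tunnel.action
  #_addl
  addl:
    #- '*.addl'
    service=dns: dns.addl
    service=weird: weird.addl
  dns_addl: dns.addl
  weird_addl: weird.addl
  #_analyzer
  analyzer:
    #- '*.analyzer'
    service=dpd: dpd.analyzer
    service=files: files.analyzer
  dpd_analyzer: dpd.analyzer
  files_analyzer: files.analyzer  # was file.analyzer; aligned with the conditional entry
  #_arg
  arg:
    #- '*.arg'
    service=ftp: ftp.arg
    service=mysql: mysql.arg  # was misspelled service=msqyl
    service=pop3: pop3.arg
  ftp_arg: ftp.arg
  mysql_arg: mysql.arg
  pop3_arg: pop3.arg
  #_auth
  auth:
    #- dns.auth
    service=dns: dns.auth
    service=rfb: rfb.auth
  dns_auth: dns.auth
  rfb_auth: rfb.auth
  #_cipher
  cipher:
    #- '*.cipher'
    service=kerberos: kerberos.cipher
    service=ssl: tls.cipher
    service=tls: tls.cipher
  kerberos_cipher: kerberos.cipher
  ssl_cipher: tls.cipher
  tls_cipher: tls.cipher
  #_client
  client:
    #- '*.client'
    service=kerberos: kerberos.client
    service=ssh: ssh.client
  kerberos_client: kerberos.client
  ssh_client: ssh.client
  #_command
  command:
    #- '*.command'
    service=irc: irc.command
    service=ftp: ftp.command
    service=pop3: pop3.command
  ftp_command: ftp.command
  irc_command: irc.command
  pop3_command: pop3.command
  #_date
  date:
    #- '*.date'
    service=sip: sip.date
    service=smtp: smtp.date
  sip_date: sip.date
  smtp_date: smtp.date
  #_duration
  duration:
    #- event.duration
    service=conn: event.duration
    service=files: files.duration
    service=snmp: event.duration
  conn_duration: event.duration
  files_duration: files.duration
  snmp_duration: event.duration
  #_from
  from:
    #- '*.from'
    service=kerberos: kerberos.from
    service=smtp: smtp.from
  kerberos_from: kerberos.from
  smtp_from: smtp.from
  #_is_orig
  is_orig:
    #- '*.is_orig'
    service=files: file.is_orig  # was service=file, which no logsource defines
    service=pop3: pop3.is_orig
  files_is_orig: file.is_orig
  pop3_is_orig: pop3.is_orig
  #_local_orig
  # NOTE(review): files maps to file.local_orig here but the commented Files
  # entry below says files.local_orig — confirm which field Corelight writes.
  local_orig:
    #- '*.local_orig'
    service=conn: conn.local_orig
    service=files: file.local_orig
  conn_local_orig: conn.local_orig
  files_local_orig: file.local_orig
  #_method
  method:
    #- http.request.method
    service=http: http.request.method
    service=sip: sip.method
  http_method: http.request.method
  sip_method: sip.method
  #_msg
  msg:
    #- notice.msg
    service=notice: notice.msg
    service=pop3: pop3.msg
  notice_msg: notice.msg
  pop3_msg: pop3.msg
  #_name
  name:
    #- file.name
    service=smb_files: file.name
    service=software: software.name
    service=weird: weird.name
  smb_files_name: file.name
  software_name: software.name
  weird_name: weird.name
  #_path
  path:
    #- file.path
    service=smb_files: file.path
    service=smb_mapping: file.path
    service=smtp: smtp.path
  smb_files_path: file.path
  smb_mapping_path: file.path
  smtp_path: smtp.path
  #_reply_msg
  reply_msg:
    #- '*.reply_msg'
    service=ftp: ftp.reply_msg
    service=radius: radius.reply_msg
  ftp_reply_msg: ftp.reply_msg
  radius_reply_msg: radius.reply_msg
  #_reply_to
  reply_to:
    #- '*.reply_to'
    service=sip: sip.reply_to
    service=smtp: smtp.reply_to
  sip_reply_to: sip.reply_to
  smtp_reply_to: smtp.reply_to
  #_response_body_len
  response_body_len:
    #- http.response.body.bytes
    service=http: http.response.body.bytes
    service=sip: sip.response_body_len
  http_response_body_len: http.response.body.bytes
  sip_response_body_len: sip.response_body_len
  #_request_body_len
  # Fixed: all four request-side targets pointed at the *response* fields, so
  # a rule on request body size was silently evaluated against response size.
  request_body_len:
    #- http.request.body.bytes
    service=http: http.request.body.bytes
    service=sip: sip.request_body_len
  http_request_body_len: http.request.body.bytes
  sip_request_body_len: sip.request_body_len
  #_rtt
  # rtt is already mapped unconditionally to event.duration above, so the
  # conditional form stays disabled; only the per-log aliases are kept.
  #rtt:
  #- event.duration
  #- 'zeek.*.rtt'
  #service=dns: event.duration
  #service=dce_rpc: event.duration
  dns_rtt: event.duration
  dce_rpc_rtt: event.duration
  #_service
  service:
    #- '*.service'
    service=kerberos: kerberos.service
    service=smb_mapping: smb.service
  kerberos_service: kerberos.service
  smb_mapping_service: smb.service  # was smb_mapping_kerberos
  #_status
  status:
    #- '*.status'
    service=mqtt: mqtt.status
    service=mqtt_connect: mqtt.status
    service=mqtt_publish: mqtt.status
    service=mqtt_subscribe: mqtt.status
    service=pop3: pop3.status
    service=socks: socks.status
  mqtt_status: mqtt.status
  pop3_status: pop3.status
  socks_status: socks.status
  #_status_code
  status_code:
    #- 'http.response.status_code'
    service=http: http.response.status_code
    service=sip: sip.status_code
  http_status_code: http.response.status_code
  sip_status_code: sip.status_code
  #_status_msg
  status_msg:
    #- '*.status_msg'
    service=http: http.status_msg
    service=sip: sip.status_msg
  http_status_msg: http.status_msg
  sip_status_msg: sip.status_msg
  #_subject
  subject:
    #- '*.subject'
    service=known_certs: known_certs.subject
    service=sip: sip.subject
    service=smtp: smtp.subject
    service=ssl: tls.subject
    service=tls: tls.subject
  known_certs_subject: known_certs.subject
  sip_subject: sip.subject
  smtp_subject: smtp.subject
  ssl_subject: tls.subject
  #_trans_depth
  trans_depth:
    #- '*.trans_depth'
    service=http: http.trans_depth
    service=sip: sip.trans_depth
    service=smtp: smtp.trans_depth
  http_trans_depth: http.trans_depth
  sip_trans_depth: sip.trans_depth
  smtp_trans_depth: smtp.trans_depth
  #_user_agent
  #user_agent: #already normalized
  http_user_agent: user_agent.original
  gquic_user_agent: user_agent.original
  sip_user_agent: user_agent.original
  smtp_user_agent: user_agent.original
  #_version
  version:
    #- '*.version'
    service=gquic: gquic.version
    service=http: http.version
    service=ntp: ntp.version
    service=socks: socks.version
    service=snmp: snmp.version
    service=ssh: ssh.version
    service=ssl: tls.version
    service=tls: tls.version
  gquic_version: gquic.version
  http_version: http.version
  ntp_version: ntp.version
  socks_version: socks.version
  snmp_version: snmp.version
  ssh_version: ssh.version
  ssl_version: tls.version
  tls_version: tls.version
  # Conn and Conn Long
  cache_add_rx_ev: conn.cache_add_rx_ev
  cache_add_rx_mpg: conn.cache_add_rx_mpg
  cache_add_rx_new: conn.cache_add_rx_new
  cache_add_tx_ev: conn.cache_add_tx_ev
  cache_add_tx_mpg: conn.cache_add_tx_mpg
  cache_del_mpg: conn.cache_del_mpg
  cache_entries: conn.cache_entries
  conn_state: conn.conn_state
  corelight_shunted: conn.corelight_shunted
  history: conn.history
  # NOTE(review): the orig side uses `names_vals` and the resp side `name_vals`
  # on both key and target — looks like a typo on one side; confirm.
  id.orig_h.name_src: conn.id.orig_h_name.src
  id.orig_h.names_vals: conn.id.orig_h_names.vals
  id.resp_h.name_src: conn.id.resp_h_name.src
  id.resp_h.name_vals: conn.id.resp_h_name.vals
  #local_orig: conn.local_orig
  local_resp: conn.local_resp
  missed_bytes: conn.missed_bytes
  orig_bytes: source.bytes
  orig_cc: source.geo.country_iso_code
  orig_ip_bytes: conn.orig_ip_bytes
  orig_l2_addr: source.mac
  orig_pkts: source.packets
  resp_bytes: destination.bytes
  resp_cc: destination.geo.country_iso_code
  # NOTE(review): asymmetric with conn.orig_ip_bytes above; verify the target.
  resp_ip_bytes: conn.resp.ip_bytes
  resp_l2_addr: destination.mac
  resp_pkts: destination.packets
  # DCE-RPC Specific
  endpoint: dce_rpc.endpoint
  named_pipe: dce_rpc.named_pipe
  operation: dce_rpc.operation
  #rtt: dce_rpc.rtt
  # DHCP
  domain: source.domain
  host_name: source.hostname
  lease_time: dhcp.lease_time
  agent_remote_id: dhcp.agent_remote_id
  assigned_addr: dhcp.assigned_addr
  circuit_id: dhcp.circuit_id
  client_message: dhcp.client_message
  client_software: dhcp.client_software
  client_fqdn: source.fqdn
  #mac: source.mac
  msg_orig: dhcp.msg_orig
  msg_types: dhcp.msg_types
  requested_addr: dhcp.requested_addr
  server_addr: destination.ip
  server_message: dhcp.server_message
  server_software: dhcp.server_software
  subscriber_id: dhcp.subscriber_id
  # DNS
  AA: dns.AA
  #addl: dns.addl
  answers: dns.answers.name
  TTLs: dns.answers.ttl
  RA: dns.RA
  RD: dns.RD
  rejected: dns.rejected
  TC: dns.TC
  Z: dns.Z
  qclass: dns.qclass
  qclass_name: dns.question.class
  qtype: dns.qtype
  qtype_name: dns.question.type
  query: dns.question.name
  rcode_name: dns.response_code
  rcode: dns.rcode
  #rtt: dns.rtt
  trans_id: dns.id
  # DNP3
  fc_reply: dnp3.fc_reply
  fc_request: dnp3.fc_request
  # NOTE(review): target `dnp3.inn` vs key `iin` — probable typo; confirm.
  iin: dnp3.inn
  # DPD
  #analyzer: dpd.analyzer
  failure_reason: dpd.failure_reason
  packet_segment: dpd.packet_segment
  # Files
  # NOTE(review): in files.log tx_hosts are the senders of the file and
  # rx_hosts the receivers; this mapping assigns rx -> source and tx ->
  # destination.  Confirm it matches what the Corelight mapping writes before
  # relying on direction in rules.
  rx_hosts: source.ip
  tx_hosts: destination.ip
  #analyzer: files.analyzer
  depth: files.depth
  #duration: files.duration
  extracted: files.extracted
  extracted_cutoff: files.extracted_cutoff
  extracted_size: files.extracted_size
  entropy: files.entropy
  md5: file.hash.md5
  sha1: file.hash.sha1
  sha256: file.hash.sha256
  #is_orig: file.is_orig
  #local_orig: files.local_orig
  missing_bytes: files.missing_bytes
  filename: file.name
  overflow_bytes: files.overflow_bytes
  seen_bytes: files.seen_bytes
  # files.log `source` is the carrying protocol; beware the generic key name.
  source: network.protocol
  total_bytes: file.size
  timedout: files.timedout
  # GQUIC/QUIC
  cyu: gquic.cyu
  cyutags: gquic.cyutags
  #server_name: destination.domain
  tag_count: gquic.tag_count
  #user_agent: user_agent.original
  #version: gquic.version
  # FTP
  #arg: ftp.arg
  #command: ftp.command
  cwd: ftp.cwd
  data_channel.orig_h: ftp.data_channel.orig_h
  data_channel.passive: ftp.data_channel.passive
  data_channel.resp_h: ftp.data_channel.resp_h
  data_channel.resp_p: ftp.data_channel.resp_p
  passive: ftp.passive
  file_size: file.size
  #mime_type: file.mime_type
  #password: ftp.password
  reply_code: ftp.reply_code
  #reply_msg: ftp.reply_msg
  #user: source.user.name
  # HTTP
  client_header_names: http.client_header_names
  cookie_vars: http.cookie_vars
  flash_version: http.flash_version
  info_code: http.info_code
  info_msg: http.info_msg
  #method: http.request.method
  omniture: http.omniture
  orig_filenames: http.orig_filenames
  orig_mime_types: http.orig_mime_types
  origin: http.origin
  #password: source.user.password
  #response_body_len: http.response.body.bytes
  #request_body_len: http.request.body.bytes
  referrer: http.request.referrer
  post_body: http.post_body
  proxied: http.proxied
  resp_filenames: http.resp_filenames
  resp_mime_types: http.resp_mime_types
  server_header_names: http.server_header_names
  #status_code: http.response.status_code
  #status_msg: http.status_msg
  #trans_depth: http.trans_depth
  uri_vars: http.uri_vars
  #user_agent: user_agent.original
  #username: source.user.name
  #version: http.version
  # Intel
  file_mime_type: file.mime_type
  file_desc: intel.file_desc
  #host: host.ip
  matched: intel.matched
  indicator: intel.seen.indicator
  indicator_type: intel.seen.indicator_type
  node: intel.seen.node
  where: intel.seen.where
  sources: intel.seen.sources
  # IRC
  dcc_file_name: file.name
  dcc_file_size: file.size
  dcc_mime_type: file.mime_type
  #command: irc.command
  nick: irc.nick
  #user: source.user.name
  # NOTE(review): irc.log `value` is the command argument, yet it is mapped
  # onto irc.command together with `command` — confirm the intended target.
  value: irc.command
  # Kerberos
  auth_ticket: kerberos.auth_ticket
  #cipher: kerberos.cipher
  #client: kerberos.client
  client_cert_subject: kerberos.client_cert_subject
  error_code: kerberos.error_code
  error_msg: kerberos.error_msg
  #from: kerberos.from
  forwardable: kerberos.forwardable
  new_ticket: kerberos.new_ticket
  renewable: kerberos.renewable
  request_type: kerberos.request_type
  server_cert_subject: kerberos.server_cert_subject
  #service: kerberos.service
  #success: event.outcome
  till: kerberos.till
  # Known_Certs
  #host: host.ip
  issuer_subject: known_certs.issuer_subject
  #port_num: labels.known.port
  serial: known_certs.serial
  #subject: known_certs.subject
  # Known_Modbus
  #host: host.ip
  device_type: known_modbus.device_type
  # Known_Services
  port_proto: network.transport
  #port_num: labels.known.port
  # Modbus All
  delta: modbus.delta
  new_val: modbus.new_val
  old_val: modbus.old_val
  register: modbus.register
  # Modbus
  func: modbus.func
  exception: modbus.exception
  track_address: modbus.track_address
  # ModBus_Register_Change
  #delta: modbus.delta
  #new_val: modbus.new_val
  #old_val: modbus.old_val
  #register: modbus.register
  # MQTT_Connect , MQTT_Publish, MQTT_Subscribe
  ack: mqtt.ack
  #action: mqtt.action
  client_id: mqtt.client_id
  connect_status: mqtt.connect_status
  from_client: mqtt.from_client
  granted_qos_level: mqtt.granted_qos_level
  payload: mqtt.payload
  payload_len: mqtt.payload_len
  proto_name: mqtt.proto_name
  proto_version: mqtt.proto_version
  qos: mqtt.qos
  qos_levels: mqtt.qos_levels
  retain: mqtt.retain
  #status: mqtt.status
  topic: mqtt.topic
  topics: mqtt.topics
  will_payload: mqtt.will_payload
  will_topic: mqtt.will_topic
  # MYSQL
  #arg: mysql.arg
  cmd: mysql.command
  response: mysql.response
  rows: mysql.rows
  #success: event.outcome
  # Notice
  actions: notice.actions
  dropped: notice.dropped
  #dst: destination.ip
  email_body_sections: notice.email_body_sections
  email_delay_tokens: notice.email_delay_tokens
  identifier: notice.identifier
  #msg: notice.msg
  # Quoted defensively: `n` is a YAML 1.1 boolean literal on some parsers.
  'n': notice.n
  note: notice.note
  p: destination.port
  peer_descr: notice.peer_descr
  peer_name: notice.peer_name
  #proto: network.transport
  #src: source.ip
  sub: notice.sub
  # NOTE(review): Zeek's notice.log field is `suppress_for`; both this key and
  # its target look misspelled — confirm against the Corelight mapping.
  subpress_for: notice.subpress_for
  # NTLM
  domainname: ntlm.domainname
  hostname: ntlm.hostname
  #username: source.user.name
  server_nb_computer_name: ntlm.server_nb_computer_name
  server_tree_name: ntlm.server_tree_name
  #success: event.outcome
  server_dns_computer_name: ntlm.server_dns_computer_name
  # NTP
  mode: ntp.mode
  num_exts: ntp.num_exts
  org_time: ntp.org_time
  poll: ntp.poll
  precision: ntp.precision
  rec_time: ntp.rec_time
  ref_id: ntp.ref_id
  ref_time: ntp.ref_time
  root_delay: ntp.root_delay
  root_disp: ntp.root_disp
  stratum: ntp.stratum
  #version: ntp.version
  xmt_time: ntp.xmt_time
  # OCSP
  # NOTE(review): targets are spelled `oscp.*` (and ssl.oscp_status below);
  # verify against the Corelight mapping before "correcting" to ocsp.*.
  certStatus: oscp.certStatus
  hashAlgorithm: oscp.hashAlgorithm
  issuerKeyHash: oscp.issuerKeyHash
  issuerNameHash: oscp.issuerNameHash
  nextUpdate: oscp.nextUpdate
  revokereason: oscp.revokereason
  revoketime: oscp.revoketime
  serialNumber: oscp.serialNumber
  thisUpdate: oscp.thisUpdate
  # PE
  compile_ts: pe.compile_ts
  has_cert_table: pe.has_cert_table
  has_debug_data: pe.has_debug_data
  has_import_table: pe.has_import_table
  has_export_table: pe.has_export_table
  is_64bit: pe.is_64bit
  is_exe: pe.is_exe
  machine: pe.machine
  os: pe.os
  section_names: pe.section_names
  subsystem: pe.subsystem
  uses_aslr: pe.uses_aslr
  uses_code_integrity: pe.uses_code_integrity
  uses_dep: pe.uses_dep
  uses_seh: pe.uses_seh
  # POP3
  #arg: pop3.arg
  #command: pop3.command
  current_request: pop3.current_request
  current_response: pop3.current_response
  data: pop3.data
  failed_commands: pop3.failed_commands
  has_client_activity: pop3.has_client_activity
  #is_orig: pop3.is_orig
  #msg: pop3.msg
  #password: source.user.password
  pending: pop3.pending
  #status: pop3.status
  successful_commands: pop3.successful_commands
  #username: source.user.name
  # Radius
  connect_info: radius.connect_info
  framed_addr: radius.framed_addr
  #mac: source.mac
  #reply_msg: radius.reply_msg
  #result: event.outcome
  ttl: event.duration
  tunnel_client: radius.tunnel_client
  #username: source.user.name
  # RDP
  cert_count: rdp.cert_count
  cert_permanent: rdp.cert_permanent
  cert_type: rdp.cert_type
  client_build: rdp.client_build
  client_dig_product_id: rdp.client_dig_product_id
  client_name: source.hostname
  # The RDP cookie typically carries the client username (mstshash); useful
  # for brute-force / lateral-movement rules.
  cookie: rdp.cookie
  desktop_height: rdp.desktop_height
  desktop_width: rdp.desktop_width
  encryption_level: rdp.encryption_level
  encryption_method: rdp.encryption_method
  keyboard_layout: rdp.keyboard_layout
  requested_color_depth: rdp.requested_color_depth
  #result: event.outcome
  security_protocol: rdp.security_protocol
  ssl: rdp.ssl
  # RFB
  #auth: event.outcome
  authentication_method: rfb.authentication_method
  client_major_version: rfb.client_major_version
  client_minor_version: rfb.client_minor_version
  desktop_name: destination.hostname
  height: rfb.height
  server_major_version: rfb.server_major_version
  server_minor_version: rfb.server_minor_version
  share_flag: rfb.share_flag
  width: rfb.width
  # SIP
  call_id: sip.call_id
  content_type: sip.content_type
  #date: sip.date
  #method: sip.method
  #reply_to: sip.reply_to
  #request_body_len: sip.request_body_len
  request_from: sip.request_from
  request_path: sip.request_path
  request_to: sip.request_to
  #response_body_len: sip.response_body_len
  response_from: sip.response_from
  response_path: sip.response_path
  response_to: sip.response_to
  seq: sip.seq
  #status_code: sip.status_code
  #status_msg: sip.status_msg
  #subject: sip.subject
  #trans_depth: sip.trans_depth
  #uri: url.original
  warning: sip.warning
  #user_agent: user_agent.original
  # SMB_Files
  #action: smb.action
  #name: file.name
  #path: file.path
  prev_name: smb.prev_name
  size: file.size
  times_accessed: file.accessed
  times_changed: file.ctime
  times_created: file.created
  times_modified: file.mtime
  # SMB_Mapping
  native_file_system: smb.native_file_system
  #path: file.path
  share_type: smb.share_type
  #service: smb.service
  # SMTP
  cc: smtp.cc
  #date: smtp.date
  first_received: smtp.first_received
  #from: smtp.from
  helo: smtp.helo
  in_reply_to: smtp.in_reply_to
  is_webmail: smtp.is_webmail
  last_reply: smtp.last_reply
  mailfrom: smtp.mailfrom
  msg_id: smtp.msg_id
  #path: smtp.path
  rcptto: smtp.rcptto
  #reply_to: smtp.reply_to
  second_received: smtp.second_received
  #subject: smtp.subject
  tls: smtp.tls
  to: smtp.to
  #trans_depth: smtp.trans_depth
  x_originating_ip: smtp.x_originating_ip
  #user_agent: user_agent.original
  # SMTP_Links
  #cs-host: url.domain
  #c-uri: url.original
  # SNMP
  #duration: event.duration
  # SNMP community strings are credentials; same handling caveat as password.
  community: snmp.community
  display_string: snmp.display_string
  get_bulk_requests: snmp.get_bulk_requests
  get_requests: snmp.get_requests
  set_requests: snmp.set_requests
  up_since: snmp.up_since
  #version: snmp.version
  # Socks
  #password: source.user.password
  bound_host: socks.bound_host
  bound_name: socks.bound_name
  bound_p: socks.bound_p
  request_host: socks.request_host
  request_name: socks.request_name
  request_p: socks.request_p
  #status: socks.status
  #version: socks.version
  # Software
  #host: host.ip
  host_p: software.host_port
  version.major: software.version.major
  version.minor: software.version.minor
  version.minor2: software.version.minor2
  version.minor3: software.version.minor3
  #name: software.name
  unparsed_version: software.unparsed_version
  software_type: software.software_type
  #url: url.original
  # SSH
  auth_attempts: ssh.auth_attempts
  # Boolean -> event.outcome; see the value-mismatch note at the top.
  auth_success: event.outcome
  cipher_alg: ssh.cipher_alg
  #client: ssh.client
  compression_alg: ssh.compression_alg
  cshka: ssh.cshka
  direction: network.direction
  hassh: ssh.hassh
  hasshAlgorithms: ssh.hasshAlgorithms
  hasshServer: ssh.hasshServer
  hasshServerAlgorithms: ssh.hasshServerAlgorithms
  hasshVersion: ssh.hasshVersion
  host_key: ssh.host_key
  host_key_alg: ssh.host_key_alg
  kex_alg: ssh.kex_alg
  mac_alg: ssh.mac_alg
  server: ssh.server
  #version: ssh.version
  # SSL / TLS
  #cipher: tls.cipher
  client_issuer: tls.client.issuer
  client_subject: tls.client.subject
  curve: tls.curve
  established: tls.established
  issuer: tls.server.issuer
  ja3: tls.client.ja3
  # NOTE(review): ja3s is the *server* fingerprint; every other server-side
  # value here lives under tls.server.* and ECS defines tls.server.ja3s.
  # Verify which field the Corelight mapping actually populates.
  ja3s: tls.client.ja3s
  last_alert: ssl.last_alert
  next_protocol: tls.next_protocol
  notary: ssl.notary
  ocsp_status: ssl.oscp_status
  orig_certificate_sha1: tls.client.hash.sha1
  resp_certificate_sha1: tls.server.hash.sha1
  resumed: tls.resumed
  #server_name: tls.client.server_name
  #subject: tls.server.subject
  valid_ct_logs: ssl.valid_ct_logs
  # NOTE(review): `validct_operators` vs `valid_ct_operators_list` — confirm.
  valid_ct_operators: ssl.validct_operators
  valid_ct_operators_list: ssl.valid_ct_operators_list
  validation_status: ssl.validation_status
  #version: tls.version
  version_num: ssl.version_num
  # Syslog
  facility: log.syslog.facility.name
  severity: log.syslog.severity.name
  message: syslog.message
  # Traceroute
  #proto: network.transport
  #dst: destination.ip
  #src: source.ip
  # Tunnel
  #action: tunnel.action
  tunnel_type: tunnel.tunnel_type
  # Weird
  #addl: weird.addl
  #name: weird.name
  notice: weird.notice
  peer: weird.peer
  # X509
  basic_constraints.ca: x509.certificate.basic_constraints_ca
  basic_constraints.path_len: x509.certificate.basic_constraints_path_length
  certificate.cn: x509.certificate.cn
  certificate.curve: x509.certificate.curve
  certificate.exponent: x509.certificate.exponent
  certificate.issuer: x509.certificate.issuer
  certificate.key_alg: x509.certificate.key_alg
  certificate.key_length: x509.certificate.key_length
  certificate.key_type: x509.certificate.key_type
  certificate.not_valid_after: x509.certificate.not_valid_after
  certificate.not_valid_before: x509.certificate.not_valid_before
  certificate.serial: x509.certificate.serial
  certificate.sig_alg: x509.certificate.sig_alg
  certificate.subject: x509.certificate.subject
  certificate.version: x509.certificate.version
  logcert: x509.logcert
  san.dns: x509.san.dns
  san.email: x509.san.email
  san.ip: x509.san.ip
  # NOTE(review): key `san.uri` -> target `x509.san.url`; confirm target name.
  san.uri: x509.san.url
  # Few other variations of names from zeek source itself
  id_orig_h: source.ip
  id_orig_p: source.port
  id_resp_h: destination.ip
  id_resp_p: destination.port
  # Temporary one off rule name fields
  # Aliases for field names used by individual upstream rules (other vendors'
  # naming, case variants, ECS names redirected to what Corelight populates).
  # Several of these widen a narrow field (url.query, uri_path, url_query) onto
  # url.original, so such rules match on the whole URL.
  cs-uri: url.original
  # destination.domain:
  # destination.ip:
  # destination.port:
  # http.response.status_code
  # http.request.body.content
  # source.domain:
  # source.ip:
  # source.port:
  # One-off: a rule (mis)uses the ECS agent field for an HTTP version.
  agent.version: http.version
  c-ip: source.ip
  clientip: source.ip
  clientIP: source.ip
  dest_domain:
    - destination.domain
    - url.domain
  dest_ip: destination.ip
  dest_port: destination.port
  #TODO:WhatShouldThisBe?==dest:
  #TODO:WhatShouldThisBe?==destination:
  #TODO:WhatShouldThisBe?==Destination:
  destination.hostname:
    - destination.domain
    - url.domain
  DestinationAddress: destination.ip
  DestinationHostname:
    - destination.domain
    - url.domain
  DestinationIp: destination.ip
  DestinationIP: destination.ip
  DestinationPort: destination.port
  dst-ip: destination.ip
  dstip: destination.ip
  dstport: destination.port
  Host:
    - destination.domain
    - url.domain
  # lowercase `host` is taken by the known_* logs (host.ip) above.
  #host:
  # - destination.domain
  # - url.domain
  HostVersion: http.version
  http_host:
    - destination.domain
    - url.domain
  http_uri: url.original
  http_url: url.original
  #http_user_agent: user_agent.original
  http.request.url-query-params: url.original
  HttpMethod: http.request.method
  in_url: url.original
  #parent_domain:
  # - url.registered_domain
  # - destination.registered_domain
  post_url_parameter: url.original
  'Request Url': url.original
  request_url: url.original
  request_URL: url.original
  RequestUrl: url.original
  #response: http.response.status_code
  resource.url: url.original
  resource.URL: url.original
  sc_status: http.response.status_code
  sender_domain:
    - destination.domain
    - url.domain
  service.response_code: http.response.status_code
  SourceAddr:
    - source.address
    - source.ip
  SourceAddress: source.ip
  SourceIP: source.ip
  SourceIp: source.ip
  SourceNetworkAddress:
    - source.address
    - source.ip
  SourcePort: source.port
  srcip: source.ip
  Status: http.response.status_code
  #status: http.response.status_code
  url: url.original
  URL: url.original
  url_query: url.original
  url.query: url.original
  uri_path: url.original
  #user_agent: user_agent.original
  user_agent.name: user_agent.original
  user-agent: user_agent.original
  User-Agent: user_agent.original
  useragent: user_agent.original
  UserAgent: user_agent.original
  'User Agent': user_agent.original
  web_dest:
    - url.domain
    - destination.domain
  web.dest:
    - url.domain
    - destination.domain
  Web.dest:
    - url.domain
    - destination.domain
  web.host:
    - url.domain
    - destination.domain
  Web.host:
    - url.domain
    - destination.domain
  web_method: http.request.method
  Web_method: http.request.method
  web.method: http.request.method
  Web.method: http.request.method
  web_src: source.ip
  web_status: http.response.status_code
  Web_status: http.response.status_code
  web.status: http.response.status_code
  Web.status: http.response.status_code
  web_uri: url.original
  web_url: url.original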