Collect Corelight Sensor logs

This document describes how you can collect Corelight Sensor logs by configuring the Corelight Sensor and a Google Security Operations forwarder. This document also lists the supported log types generated by the Corelight Sensor and supported Corelight versions.

For more information, see Data ingestion to Google Security Operations.

Before you begin

  • Verify the version of Corelight Sensor. The Corelight Google SecOps parser was designed for version 27.12 and earlier. Later versions of the Corelight Sensor might have additional logs that the parser won't recognize, and those logs might receive limited or no field parsing. However, the log content will still be available in the raw log format in Google SecOps.
  • Ensure that all systems in the deployment architecture are configured with the UTC time zone.
  • Ensure that you have the credentials for the Corelight documentation.

Deployment and Log Ingestion Methods

The following deployment architecture diagram illustrates how a Corelight Sensor is set up to send logs to Google Security Operations using two different ingestion architectures. It's important to note that each customer deployment may vary from this representation and could be more complex.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CORELIGHT ingestion label.

Ingesting Logs into Google SecOps using Corelight Exporters

Deployment architecture

The architecture diagram shows the following components:

  • Corelight Sensor: The system running the Corelight Sensor.

  • Corelight Sensor exporters: The Corelight Sensor exporter collects log data from the Sensor, and forwards it to Google Security Operations.

  • Google Security Operations: Google Security Operations retains and analyzes the logs from Corelight Sensor.

Configure the Corelight log Exporter for Google SecOps

  1. Sign in to Corelight Sensor as an administrator.

  2. Select the Exporters (Dynamic) tab and select Google SecOps.

  3. Configure the following input parameters:

    • Exporter Name: the name of the exporter.
    • Google SecOps Customer ID: the customer ID of your Google SecOps instance.
    • Google SecOps Namespace: the unique namespace associated with Google SecOps for organizing and managing data.
    • Google SecOps Labels: a set of key-value pairs representing the labels.
    • Region: the geographical region where Google SecOps is deployed.
    • Credentials: the authentication details required to securely connect and export data to Google SecOps.
    • Proxy URL: the URL of the proxy server used to route traffic between the exporter and Google SecOps.
    • Log Type Filter: specify whether to include or exclude certain log types.
    • Zeek Logs: select which log types to include or exclude by selecting all applicable options.
  4. Click Done.

Ingesting Logs into Google SecOps Using a Forwarder

Deployment architecture

The architecture diagram shows the following components:

  • Corelight Sensor: The system running the Corelight Sensor.

  • Corelight Sensor exporter: The Corelight Sensor exporter collects log data from the Sensor, and forwards it to the Google Security Operations forwarder.

  • Google Security Operations forwarder: The Google Security Operations forwarder is a lightweight software component, deployed in the customer's network, that supports syslog. The Google Security Operations forwarder forwards the logs to Google Security Operations.

  • Google Security Operations: Google Security Operations retains and analyzes the logs from Corelight Sensor.

Configure the Google Security Operations forwarder

To configure the Google Security Operations forwarder, do the following:

  1. Set up a Google Security Operations forwarder. See Install and configure the forwarder on Linux.

  2. Configure the Google Security Operations forwarder to send logs to Google Security Operations.

      collectors:
        - syslog:
            common:
              enabled: true
              data_type: CORELIGHT
              data_hint:
              batch_n_seconds: 10
              batch_n_bytes: 1048576
            tcp_address: <Chronicle forwarder listening IP:Port>
            tcp_buffer_size: 524288
            udp_address: <Chronicle forwarder listening IP:Port>
            connection_timeout_sec: 60

Configure the Corelight Sensor exporter

  1. Log in to Corelight Sensor as an administrator.
  2. Select the Export tab.
  3. Find and enable the EXPORT TO SYSLOG option.
  4. Under EXPORT TO SYSLOG, configure the following fields:
    • SYSLOG SERVER: Specify the IP address and port of the Google Security Operations forwarder syslog listener.
    • Navigate to Advanced Settings > SYSLOG FORMAT, and change the setting to Legacy.
  5. Click Apply Changes.
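Before pointing the sensor at the forwarder, it is useful to confirm that a newline-terminated legacy syslog line survives the TCP path intact. The following Python script is an added example, not Google's or Corelight's code: it starts a throwaway local TCP listener that stands in for the forwarder's syslog collector, sends one constructed Corelight-style record in legacy syslog framing, and parses what arrives. The hostname sensor-01, the timestamp, and the record contents are constructed; to exercise a real forwarder, send to the tcp_address from your forwarder configuration instead of the local stand-in.

```python
import json
import socket
import threading

# Constructed Corelight-style record; not captured from a real sensor.
SAMPLE_RECORD = {"_path": "dns", "_system_name": "sensor-01", "ts": 1700000000.0,
                 "uid": "CExample01", "id.orig_h": "10.0.0.7", "id.orig_p": 53211,
                 "id.resp_h": "10.0.0.53", "id.resp_p": 53, "proto": "udp",
                 "query": "example.com", "qtype_name": "A", "rcode_name": "NOERROR"}


def build_syslog_line(hostname, record, facility=1, severity=6):
    """Legacy syslog framing: <PRI>TIMESTAMP HOSTNAME MSG, newline-terminated,
    which is the delimiter a TCP syslog collector splits records on."""
    pri = facility * 8 + severity          # user-level facility, informational
    timestamp = "Nov 14 22:13:20"          # constructed; a sensor stamps its own clock
    body = json.dumps(record, separators=(",", ":"))
    return f"<{pri}>{timestamp} {hostname} {body}\n".encode()


def parse_syslog_line(raw):
    """Return (pri, hostname, json_body) from a line made by build_syslog_line."""
    text = raw.decode().rstrip("\n")
    pri = int(text[1:text.index(">")])
    rest = text[text.index(">") + 1:]
    header, body = rest.split(" {", 1)     # JSON body starts at the first " {"
    hostname = header.split(" ")[-1]
    return pri, hostname, json.loads("{" + body)


def _accept_one_line(listener, sink):
    """Stand-in collector: accept one connection and read up to the newline."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    sink.append(buf)


def syslog_roundtrip(record, host="127.0.0.1"):
    """Send one record to a throwaway local listener and return the parsed tuple.
    Swap the listener for your forwarder's tcp_address to test the real path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))               # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []
    worker = threading.Thread(target=_accept_one_line, args=(listener, received))
    worker.start()
    with socket.create_connection((host, port), timeout=5) as client:
        client.sendall(build_syslog_line("sensor-01", record))
    worker.join(timeout=5)
    listener.close()
    return parse_syslog_line(received[0])


if __name__ == "__main__":
    pri, host, body = syslog_roundtrip(SAMPLE_RECORD)
    print(pri, host, body["_path"], body["uid"])
```

If the body arrives truncated or without its trailing newline, check batch_n_bytes and tcp_buffer_size in the forwarder configuration and the SYSLOG FORMAT setting on the sensor (Legacy, as described above).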

Supported Corelight log types

The Corelight parser supports the following log types generated by Corelight Sensor.

Log Type

  • conn
  • conn_long
  • conn_red
  • dce_rpc
  • dns
  • dns_red
  • files
  • files_red
  • http
  • http2
  • http_red
  • intel
  • irc
  • notice
  • rdp
  • sip
  • smb_files
  • smb_mapping
  • smtp
  • smtp_links
  • ssh
  • ssl
  • ssl_red
  • suricata_corelight
  • bacnet
  • cip
  • corelight_burst
  • corelight_overall_capture_loss
  • corelight_profiling
  • datared
  • dga
  • dhcp
  • dnp3
  • dpd
  • encrypted_dns
  • enip
  • enip_debug
  • enip_list_identity
  • etc_viz
  • ftp
  • generic_dns_tunnels
  • generic_icmp_tunnels
  • icmp_specific_tunnels
  • ipsec
  • iso_cotp
  • kerberos
  • known_certs
  • known_devices
  • known_domains
  • known_hosts
  • known_names
  • known_remotes
  • known_services
  • known_users
  • ldap
  • ldap_search
  • local_subnets
  • local_subnets_dj
  • local_subnets_graphs
  • log4shell
  • modbus
  • mqtt_connect
  • mqtt_publish
  • mqtt_subscribe
  • mysql
  • napatech_shunting
  • ntlm
  • ntp
  • pe
  • profinet
  • profinet_dce_rpc
  • profinet_debug
  • radius
  • reporter
  • rfb
  • s7comm
  • smartpcap
  • snmp
  • socks
  • software
  • specific_dns_tunnels
  • stepping
  • stun
  • stun_nat
  • suricata_eve
  • suricata_stats
  • syslog
  • tds
  • tds_rpc
  • tds_sql_batch
  • traceroute
  • tunnel
  • unknown-smartpcap
  • vpn
  • weird
  • weird_red
  • wireguard
  • x509
  • x509_red

Field mapping reference

This section explains how the Google Security Operations parser maps Corelight fields to Google Security Operations Unified Data Model (UDM) fields.

Field mapping reference: CORELIGHT - Common Fields

The following table lists common fields of the CORELIGHT log and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Corelight.
_path (string) metadata.product_event_type
_system_name (string) observer.hostname
_write_ts metadata.collected_timestamp
id.orig_ep_cid (string) additional.fields [id_orig_ep_cid]
id.orig_ep_source (string) additional.fields [id_orig_ep_source]
id.orig_ep_status (string) additional.fields [id_orig_ep_status]
id.orig_ep_uid (string) additional.fields [id_orig_ep_uid]
id.orig_h (string - addr) principal.ip
id.orig_p (integer - port) principal.port
id.resp_ep_cid (string) additional.fields [id_resp_ep_cid]
id.resp_ep_source (string) additional.fields [id_resp_ep_source]
id.resp_ep_status (string) additional.fields [id_resp_ep_status]
id.resp_ep_uid (string) additional.fields [id_resp_ep_uid]
id.resp_h (string - addr) target.ip
id.resp_p (integer - port) target.port
id.vlan (integer - int) additional.fields [id_vlan]
id.vlan_inner (integer - int) additional.fields [id_vlan_inner]
ts (time) metadata.event_timestamp
uid (string) about.labels [uid]

Field mapping reference: CORELIGHT - conn, conn_red, conn_long

The following table lists the log fields of the conn, conn_red, conn_long log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
app (array[string] - vector of string) about.application
community_id (string) network.community_id
conn_state (string) metadata.description If the conn_state log field value is equal to S0, then the metadata.description UDM field is set to S0: Connection attempt seen, no reply.

Else, if the conn_state log field value is equal to S1, then the metadata.description UDM field is set to S1: Connection established, not terminated.

Else, if the conn_state log field value is equal to S2, then the metadata.description UDM field is set to S2: Connection established and close attempt by originator seen (but no reply from responder).

Else, if the conn_state log field value is equal to S3, then the metadata.description UDM field is set to S3: Connection established and close attempt by responder seen (but no reply from originator).

Else, if the conn_state log field value is equal to SF, then the metadata.description UDM field is set to SF: Normal SYN/FIN completion.

Else, if the conn_state log field value is equal to REJ, then the metadata.description UDM field is set to REJ: Connection attempt rejected.

Else, if the conn_state log field value is equal to RSTO, then the metadata.description UDM field is set to RSTO: Connection established, originator aborted (sent a RST).

Else, if the conn_state log field value is equal to RSTOS0, then the metadata.description UDM field is set to RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.

Else, if the conn_state log field value is equal to RSTOSH, then the metadata.description UDM field is set to RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.

Else, if the conn_state log field value is equal to RSTR, then the metadata.description UDM field is set to RSTR: Established, responder aborted.

Else, if the conn_state log field value is equal to SH, then the metadata.description UDM field is set to SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

Else, if the conn_state log field value is equal to SHR, then the metadata.description UDM field is set to SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.

Else, if the conn_state log field value is equal to OTH, then the metadata.description UDM field is set to OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed).
corelight_shunted (boolean - bool) about.labels [corelight_shunted]
duration (number - interval) network.session_duration
history (string) about.labels [history]
id_orig_h_n.src (string) principal.labels [id_orig_h_n_src]
id_orig_h_n.vals (array[string] - set[string]) principal.labels [id_orig_h_n_val]
id_resp_h_n.src (string) target.labels [id_resp_h_n_src]
id_resp_h_n.vals (array[string] - set[string]) target.labels [id_resp_h_n_val]
inner_vlan (integer - int) intermediary.labels [inner_vlan]
local_orig (boolean - bool) about.labels [local_orig]
local_resp (boolean - bool) about.labels [local_resp]
missed_bytes (integer - count) about.labels [missed_bytes]
orig_bytes (integer - count) network.sent_bytes
orig_cc (string) principal.ip_geo_artifact.location.country_or_region
orig_ep_cid (string) additional.fields [orig_ep_cid]
orig_ep_source (string) additional.fields [orig_ep_source]
orig_ep_status (string) additional.fields [orig_ep_status]
orig_ep_uid (string) additional.fields [orig_ep_uid]
orig_ip_bytes (integer - count) principal.labels [orig_ip_bytes]
orig_l2_addr (string) principal.mac
orig_pkts (integer - count) network.sent_packets
orig_shunted_bytes (integer - count) principal.labels [orig_shunted_bytes]
orig_shunted_pkts (integer - count) principal.labels [orig_shunted_pkts]
proto (string - enum) network.ip_protocol
resp_bytes (integer - count) network.received_bytes
resp_cc (string) target.ip_geo_artifact.location.country_or_region
resp_ep_cid (string) additional.fields [resp_ep_cid]
resp_ep_source (string) additional.fields [resp_ep_source]
resp_ep_status (string) additional.fields [resp_ep_status]
resp_ep_uid (string) additional.fields [resp_ep_uid]
resp_ip_bytes (integer - count) target.labels [resp_ip_bytes]
resp_l2_addr (string) target.mac
resp_pkts (integer - count) network.received_packets
resp_shunted_bytes (integer - count) target.labels [resp_shunted_bytes]
resp_shunted_pkts (integer - count) target.labels [resp_shunted_pkts]
service (string) network.application_protocol
service (string) about.labels [service]
spcap.rule (integer - count) security_result.rule_labels [spcap_rule]
spcap.trigger (string) security_result.detection_fields [spcap_trigger]
spcap.url (string) security_result.url_back_to_product
suri_ids (array[string] - set[string]) security_result.rule_id
tunnel_parents (array[string] - set[string]) intermediary.labels [tunnel_parent]
vlan (integer - int) intermediary.labels [vlan]

Field mapping reference: CORELIGHT - dce_rpc

The following table lists the log fields of the dce_rpc log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
intermediary.resource.resource_type If the named_pipe log field value is not empty, then the intermediary.resource.resource_type UDM field is set to PIPE.
network.application_protocol The network.application_protocol UDM field is set to DCERPC.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
endpoint (string) target.labels [endpoint]
named_pipe (string) intermediary.resource.name
operation (string) target.labels [operation]
operation, endpoint, named_pipe (string) metadata.description The metadata.description UDM field is set with operation, endpoint, named_pipe log fields as "operation operation on endpoint using named pipe named_pipe".
rtt (number - interval) network.session_duration

Field mapping reference: CORELIGHT - dns, dns_red

The following table lists the log fields of the dns, dns_red log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
network.application_protocol The network.application_protocol UDM field is set to DNS.
AA (boolean - bool) network.dns.authoritative
answers (array[string] - vector of string) network.dns.answers.name
icann_domain (string) network.dns_domain
icann_host_subdomain (string) about.labels [icann_host_subdomain]
icann_tld (string) about.labels [icann_tld]
is_trusted_domain (string) about.labels [is_trusted_domain]
num (integer - count) security_result.detection_fields [num]
proto (string - enum) network.ip_protocol
qclass (integer - count) network.dns.questions.class
qclass_name (string) about.labels [qclass_name]
qtype (integer - count) network.dns.questions.type
qtype_name (string) about.labels [qtype_name]
query (string) network.dns.questions.name
RA (boolean - bool) network.dns.recursion_available
rcode (integer - count) network.dns.response_code
rcode (integer - count) network.dns.response If the rcode log field value is not empty, then the network.dns.response UDM field is set to true.
rcode_name (string) about.labels [rcode_name]
RD (boolean - bool) network.dns.recursion_desired
rejected (boolean - bool) about.labels [rejected]
rtt (number - interval) network.session_duration
TC (boolean - bool) network.dns.truncated
trans_id (integer - count) network.dns.id
TTLs (array[number] - vector of interval) network.dns.answers.ttl
Z (integer - count) about.labels [Z]

Field mapping reference: CORELIGHT - http, http_red, http2

The following table lists the log fields of the http, http_red, http2 log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_HTTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
encoding (string) about.labels [encoding]
host (string) target.hostname
info_code (integer - count) about.labels [info_code]
info_msg (string) about.labels [info_msg]
method (string) network.http.method
orig_filenames (array[string] - vector of string) src.file.names The orig_filenames log field is mapped to src.file.names UDM field when index value in orig_filenames is equal to 0.

For every other index value, orig_filenames log field is mapped to the about.file.names.
orig_fuids (array[string] - vector of string) about.labels [orig_fuid]
orig_mime_types (array[string] - vector of string) src.file.mime_type The orig_mime_types log field is mapped to src.file.mime_type UDM field when index value in orig_mime_types is equal to 0.

For every other index value, orig_mime_types log field is mapped to the about.file.mime_type.
origin (string) principal.hostname
password (string) extensions.auth.auth_details
post_body (string) about.labels [post_body]
proxied (array[string] - set[string]) intermediary.hostname
push (boolean - bool) about.labels [push]
referrer (string) network.http.referral_url
request_body_len (integer - count) network.sent_bytes
resp_filenames (array[string] - vector of string) target.file.names The resp_filenames log field is mapped to target.file.names UDM field when index value in resp_filenames is equal to 0.

For every other index value, resp_filenames log field is mapped to the about.file.names.
resp_fuids (array[string] - vector of string) about.labels [resp_fuid]
resp_mime_types (array[string] - vector of string) target.file.mime_type The resp_mime_types log field is mapped to target.file.mime_type UDM field when index value in resp_mime_types is equal to 0.

For every other index value, resp_mime_types log field is mapped to the about.file.mime_type.
response_body_len (integer - count) network.received_bytes
status_code (integer - count) network.http.response_code
status_msg (string) about.labels [status_msg]
stream_id (integer - count) about.labels [stream_id]
tags (array[string] - set[enum]) about.labels [tags]
trans_depth (integer - count) about.labels [trans_depth]
uri (string) target.url
user_agent (string) network.http.user_agent
username (string) principal.user.user_display_name
version (string) network.application_protocol_version

Field mapping reference: CORELIGHT - smtp_links

The following table lists the log fields of the smtp_links log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMTP.
domain (string) about.domain.name
fuid (string) about.labels [fuid]
link (string) about.url

Field mapping reference: CORELIGHT - irc

The following table lists the log fields of the irc log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
command, value, addl principal.process.command_line
dcc_file_name (string) src.file.names
dcc_file_size (integer - count) src.file.size
dcc_mime_type (string) src.file.mime_type
fuid (string) about.labels [fuid]
nick (string) principal.user.user_display_name
user (string) principal.user.userid If the user log field value is less than or equal to 255, then the user log field is mapped to the principal.user.userid UDM field.

Else, the user log field is mapped to the about.labels UDM field.

Field mapping reference: CORELIGHT - files, files_red

The following table lists the log fields of the files, files_red log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
analyzers (array[string] - set[string]) about.labels [analyzer]
conn_uids (array[string] - set[string]) about.labels [conn_uid]
depth (integer - count) about.labels [depth]
duration (number - interval) about.labels [duration]
extracted (array[string] - set[string]) about.file.names
extracted_cutoff (boolean - bool) about.labels [extracted_cutoff]
extracted_size (integer - count) about.labels [extracted_size]
filename (string) about.file.names
fuid (string) about.labels [fuid]
is_orig (boolean - bool) about.labels [is_orig]
local_orig (boolean - bool) about.labels [local_orig]
md5 (string) about.file.md5
md5 (string) network.tls.client.certificate.md5 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.md5 UDM field is set to md5.
md5 (string) network.tls.server.certificate.md5 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.md5 UDM field is set to md5.
mime_type (string) about.file.mime_type
missing_bytes (integer - count) about.labels [missing_bytes]
num (integer - count) about.labels [num]
overflow_bytes (integer - count) about.labels [overflow_bytes]
parent_fuid (string) about.labels [parent_fuid]
rx_hosts (array[string] - set[addr]) target.ip
seen_bytes (integer - count) about.file.size
sha1 (string) about.file.sha1
sha1 (string) network.tls.client.certificate.sha1 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha1 UDM field is set to sha1.
sha1 (string) network.tls.server.certificate.sha1 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha1 UDM field is set to sha1.
sha256 (string) about.file.sha256
sha256 (string) network.tls.client.certificate.sha256 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha256 UDM field is set to sha256.
sha256 (string) network.tls.server.certificate.sha256 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha256 UDM field is set to sha256.
source (string) about.labels [source]
timedout (boolean - bool) about.labels [timedout]
total_bytes (integer - count) about.labels [total_bytes]
tx_hosts (array[string] - set[addr]) principal.ip
vlan (integer - int) additional.fields [vlan]
vlan_inner (integer - int) additional.fields [vlan_inner]
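The certificate-hash rows above are the one place in the files table where the destination depends on three other fields at once. The following Python function is an added example (not the Google SecOps parser) of that conditional: hashes always go to about.file.*, and are additionally copied to network.tls.client.* or network.tls.server.* only when source is ssl, mime_type is one of the two certificate types, and _path is files (so files_red records do not get the TLS copy). The sample records and the all-zero hash values are constructed.

```python
# mime_type -> which side of the TLS session the certificate belongs to, per the table.
CERT_MIME_TO_SIDE = {
    "application/x-x509-user-cert": "client",
    "application/x-x509-ca-cert": "server",
}
HASH_FIELDS = ("md5", "sha1", "sha256")


def cert_side(record):
    """Return 'client', 'server', or None depending on the table's three conditions."""
    side = CERT_MIME_TO_SIDE.get(record.get("mime_type"))
    if record.get("source") == "ssl" and side and record.get("_path") == "files":
        return side
    return None


def files_to_udm(record):
    """Map a files / files_red record to the UDM fields listed in the table."""
    udm = {"metadata.event_type": "NETWORK_UNCATEGORIZED", "metadata.product_name": "Zeek"}
    for h in HASH_FIELDS:
        if record.get(h):
            udm[f"about.file.{h}"] = record[h]
    if record.get("filename"):
        udm["about.file.names"] = [record["filename"]]
    if record.get("mime_type"):
        udm["about.file.mime_type"] = record["mime_type"]
    if "seen_bytes" in record:
        udm["about.file.size"] = record["seen_bytes"]
    if record.get("source"):
        udm.setdefault("about.labels", []).append({"key": "source", "value": record["source"]})
    side = cert_side(record)
    if side:
        # Only the hashes actually present are copied; no TLS field is invented.
        for h in HASH_FIELDS:
            if record.get(h):
                udm[f"network.tls.{side}.certificate.{h}"] = record[h]
    return udm


# Constructed samples (not captured from a real sensor); hashes are placeholders.
SAMPLE_CA_CERT = {"_path": "files", "source": "ssl", "fuid": "FExample01",
                  "mime_type": "application/x-x509-ca-cert", "seen_bytes": 1200,
                  "md5": "00" * 16, "sha256": "00" * 32}
SAMPLE_USER_CERT = dict(SAMPLE_CA_CERT, mime_type="application/x-x509-user-cert")
SAMPLE_RED = dict(SAMPLE_CA_CERT, _path="files_red")
SAMPLE_HTTP_FILE = {"_path": "files", "source": "HTTP", "filename": "report.pdf",
                    "mime_type": "application/pdf", "seen_bytes": 5000, "sha256": "11" * 32}

if __name__ == "__main__":
    for name, rec in (("ca", SAMPLE_CA_CERT), ("user", SAMPLE_USER_CERT),
                      ("red", SAMPLE_RED), ("http", SAMPLE_HTTP_FILE)):
        tls = {k: v for k, v in files_to_udm(rec).items() if k.startswith("network.tls")}
        print(name, tls or "no TLS certificate fields")
```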

Field mapping reference: CORELIGHT - notice

The following table lists the log fields of the notice log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
security_result.action The security_result.action UDM field is set to ALLOW.
security_result.severity
If the severity.level log field value is one of the following values
  • 0
  • 1
then the security_result.severity UDM field is set to HIGH.
Else, if the severity.level log field value is equal to 2, then the security_result.severity UDM field is set to CRITICAL.
Else, if the severity.level log field value is equal to 3, then the security_result.severity UDM field is set to ERROR.
Else, if the severity.level log field value is one of the following values
  • 4
  • 5
  • 6
then the security_result.severity UDM field is set to INFORMATIONAL.
Else, if the severity.level log field value is equal to 7, then the security_result.severity UDM field is set to LOW.
Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
actions (array[string] - set[enum]) security_result.action_details
dst (string - addr) target.ip
file_desc (string) about.labels [file_desc]
file_mime_type (string) target.file.mime_type
fuid (string) about.labels [fuid]
msg (string) metadata.description
n (integer - count) about.labels [n]
note (string - enum) security_result.description
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4 ", then the principal.asset.vulnerabilities.severity UDM field is set to CRITICAL.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3 ", then the principal.asset.vulnerabilities.severity UDM field is set to HIGH.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1 ", then the principal.asset.vulnerabilities.severity UDM field is set to LOW.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2 ", then the principal.asset.vulnerabilities.severity UDM field is set to MEDIUM.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0 ", then the principal.asset.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity_details
orig_vulnerable_host.cve (string) principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.host_uid (string) additional.fields [orig_vulnerable_host_uid]
orig_vulnerable_host.hostname (string) principal.asset.hostname
orig_vulnerable_host.machine_domain (string) principal.asset.network_domain
orig_vulnerable_host.os_version (string) principal.asset.platform_software.platform_version
orig_vulnerable_host.source (string) principal.asset.vulnerabilities.cve_description
p (integer - port) about.port
peer_descr (string) about.labels [peer_descr]
proto (string - enum) network.ip_protocol
remote_location.city (string) about.location.city
remote_location.country_code (string) about.location.country_or_region The about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.latitude (number - double) about.location.region_coordinates.latitude
remote_location.longitude (number - double) about.location.region_coordinates.longitude
remote_location.region (string) about.location.country_or_region The about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 ", then the target.asset.vulnerabilities.severity UDM field is set to CRITICAL.
Else, if the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 ", then the target.asset.vulnerabilities.severity UDM field is set to HIGH.
Else, if the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 ", then the target.asset.vulnerabilities.severity UDM field is set to LOW.
Else, if the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 ", then the target.asset.vulnerabilities.severity UDM field is set to MEDIUM.
Else, if the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 ", then the target.asset.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity_details
resp_vulnerable_host.cve (string) target.asset.vulnerabilities.cve_id
resp_vulnerable_host.host_uid (string) additional.fields [resp_vulnerable_host_uid]
resp_vulnerable_host.hostname (string) target.asset.hostname
resp_vulnerable_host.machine_domain (string) target.asset.network_domain
resp_vulnerable_host.os_version (string) target.asset.platform_software.platform_version
resp_vulnerable_host.source (string) target.asset.vulnerabilities.cve_description
severity.level security_result.detection_fields [severity_level]
severity.name security_result.severity_details
src (string - addr) principal.ip
sub (string) about.labels [sub]
suppress_for (number - interval) about.labels [suppress_for]
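The notice table carries two branching rules worth checking against real values: the severity.level ladder (note that level 2 maps to CRITICAL while 0 and 1 map to HIGH) and the criticality patterns for orig_vulnerable_host and resp_vulnerable_host, which are evaluated in the order Critical, High, Low, Medium, Unknown_Severity. The following Python is an added example, not the Google SecOps parser: it implements both rules and a handful of the direct mappings, including the "country_code: region" composition for about.location.country_or_region. The table compares criticality against "4 " and similar values with a trailing space; this example strips whitespace before the numeric comparison, which is an assumption. The sample notice record is constructed, and CVE-YYYY-NNNNN is a placeholder, not a real identifier.

```python
import re


def notice_severity(level):
    """severity.level -> security_result.severity, per the notice table."""
    try:
        n = int(level)
    except (TypeError, ValueError):
        return "UNKNOWN_SEVERITY"
    if n in (0, 1):
        return "HIGH"
    if n == 2:
        return "CRITICAL"
    if n == 3:
        return "ERROR"
    if n in (4, 5, 6):
        return "INFORMATIONAL"
    if n == 7:
        return "LOW"
    return "UNKNOWN_SEVERITY"


# (regex, numeric code, UDM severity) in the order the table evaluates them.
CRITICALITY_RULES = (
    (r"(?i)Critical", "4", "CRITICAL"),
    (r"(?i)High", "3", "HIGH"),
    (r"(?i)Low", "1", "LOW"),
    (r"(?i)Medium", "2", "MEDIUM"),
    (r"(?i)Unknown_Severity", "0", "UNKNOWN_SEVERITY"),
)


def vulnerable_host_severity(criticality):
    """*_vulnerable_host.criticality -> asset.vulnerabilities.severity, or None.
    Whitespace is stripped before comparing to the numeric code (assumption)."""
    if criticality is None:
        return None
    text = str(criticality)
    for pattern, code, severity in CRITICALITY_RULES:
        if re.search(pattern, text) or text.strip() == code:
            return severity
    return None


DIRECT = {
    "msg": "metadata.description",
    "note": "security_result.description",
    "src": "principal.ip",
    "dst": "target.ip",
    "p": "about.port",
    "proto": "network.ip_protocol",
    "orig_vulnerable_host.cve": "principal.asset.vulnerabilities.cve_id",
    "resp_vulnerable_host.cve": "target.asset.vulnerabilities.cve_id",
}


def notice_to_udm(record):
    """Map a notice record to a dict keyed by UDM path."""
    udm = {
        "metadata.event_type": "NETWORK_UNCATEGORIZED",
        "metadata.product_name": "Zeek",
        "security_result.action": "ALLOW",
        "security_result.severity": notice_severity(record.get("severity.level")),
    }
    for src, dst in DIRECT.items():
        if record.get(src) not in (None, ""):
            udm[dst] = record[src]
    for side, prefix in (("orig", "principal"), ("resp", "target")):
        sev = vulnerable_host_severity(record.get(f"{side}_vulnerable_host.criticality"))
        if sev:
            udm[f"{prefix}.asset.vulnerabilities.severity"] = sev
    cc = record.get("remote_location.country_code")
    region = record.get("remote_location.region")
    if cc or region:
        udm["about.location.country_or_region"] = f"{cc}: {region}"
    return udm


# Constructed sample notice (not captured from a real sensor).
SAMPLE_NOTICE = {
    "_path": "notice", "severity.level": 2, "severity.name": "constructed",
    "note": "Constructed::Example_Notice", "msg": "constructed example notice",
    "src": "10.0.0.5", "dst": "198.51.100.10", "p": 443, "proto": "tcp",
    "orig_vulnerable_host.criticality": "High",
    "orig_vulnerable_host.cve": "CVE-YYYY-NNNNN",  # placeholder, not a real CVE
    "remote_location.country_code": "US", "remote_location.region": "California",
}

if __name__ == "__main__":
    for k, v in sorted(notice_to_udm(SAMPLE_NOTICE).items()):
        print(f"{k}: {v}")
```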

Field mapping reference: CORELIGHT - smb_files

The following table lists the log fields of the smb_files log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type If the action log field value is equal to SMB::FILE_READ, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the action log field value is equal to SMB::FILE_WRITE, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the action log field value is equal to SMB::FILE_OPEN, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the action log field value is equal to SMB::FILE_CLOSE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, if the action log field value is equal to SMB::FILE_DELETE, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the action log field value is equal to SMB::FILE_RENAME, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the action log field value is equal to SMB::FILE_SET_ATTRIBUTE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMB.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
action (string - enum) target.labels [action]
action, name metadata.description The metadata.description UDM field is set with action, name log fields as "action: action on: name".
data_len_req (integer - count) target.labels [data_len_req]
data_len_rsp (integer - count) target.labels [data_len_rsp]
data_offset_req (integer - count) target.labels [data_offset_req]
fuid (string) about.labels [fuid]
name (string) target.file.names
path (string) target.file.full_path
prev_name (string) src.file.names
size (integer - count) target.file.size
times.accessed (time) target.file.last_seen_time
times.changed (time) target.labels [times_changed]
times.created (time) target.file.first_seen_time
times.modified (time) target.file.last_modification_time

Field mapping reference: CORELIGHT - smb_mapping

The following table lists the log fields of the smb_mapping log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMB.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
native_file_system (string) target.resource.attribute.labels [native_file_system]
path (string) target.resource.attribute.labels [path]
service (string) target.application
share_type (string) target.resource.resource_type If the share_type log field value is equal to DISK, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.

Else, if the share_type log field value is equal to PIPE, then the target.resource.resource_type UDM field is set to PIPE.

Else, the target.resource.resource_type UDM field is set to UNSPECIFIED.
share_type (string) target.resource.resource_subtype

Field mapping reference: CORELIGHT - ssl, ssl_red

The following table lists the log fields of the ssl, ssl_red log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to HTTPS.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
cert_chain_fps (array[string] - vector of string) target.labels [cert_chain_fps]
cipher (string) network.tls.cipher
client_cert_chain_fps (array[string] - vector of string) principal.labels [client_cert_chain_fps]
curve (string) network.tls.curve
established (boolean - bool) network.tls.established
ja3 (string) network.tls.client.ja3
ja3s (string) network.tls.server.ja3s
last_alert (string) security_result.description
next_protocol (string) network.tls.next_protocol
resumed (boolean - bool) network.tls.resumed
server_name (string) network.tls.client.server_name
sni_matches_cert (boolean - bool) about.labels [sni_matches_cert]
ssl_history (string) about.labels [ssl_history]
validation_status (string) security_result.detection_fields [validation_status]
version (string) network.tls.version

Field mapping reference: CORELIGHT - rdp

The following table lists the log fields of the rdp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
auth_success (boolean - bool) about.labels [auth_success]
cert_count (integer - count) about.labels [cert_count]
cert_permanent (boolean - bool) about.labels [cert_permanent]
cert_type (string) about.labels [cert_type]
channels_joined (integer - int) intermediary.labels [channels_joined]
client_build (string) principal.labels [client_build]
client_channels (array[string] - vector of string) intermediary.labels [client_channels]
client_dig_product_id (string) principal.labels [client_dig_product_id]
client_name (string) principal.hostname
cookie (string) about.labels [cookie]
desktop_height (integer - count) principal.labels [desktop_height]
desktop_width (integer - count) principal.labels [desktop_width]
encryption_level (string) about.labels [encryption_level]
encryption_method (string) about.labels [encryption_method]
inferences (array[string] - set[string]) about.labels [inferences]
keyboard_layout (string) principal.labels [keyboard_layout]
rdfp_hash (string) principal.labels [rdfp_hash]
rdfp_string (string) principal.labels [rdfp_string]
rdpeudp_uid (string) about.labels [rdpeudp_uid]
requested_color_depth (string) principal.labels [requested_color_depth]
result (string) about.labels [result]
result, security_protocol security_result.description The security_result.description UDM field is set with result, security_protocol log fields as "result connection with security protocol security_protocol".
security_protocol (string) target.labels [security_protocol]

Field mapping reference: CORELIGHT - sip

The following table lists the log fields of the sip log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SIP.
call_id (string) network.session_id
content_type (string) about.labels [content_type]
date (string) about.labels [date]
method (string) about.labels [method]
reply_to (string) about.labels [reply_to]
request_body_len (integer - count) network.sent_bytes
request_from (string) principal.labels [request_from]
request_path (array[string] - vector of string) about.labels [request_path]
request_to (string) target.labels [request_to]
response_body_len (integer - count) network.received_bytes
response_from (string) principal.labels [response_from]
response_path (array[string] - vector of string) about.labels [response_path]
response_to (string) target.labels [response_to]
seq (string) about.labels [seq]
status_code (integer - count) about.labels [status_code]
status_msg (string) security_result.description
subject (string) about.labels [subject]
trans_depth (integer - count) about.labels [trans_depth]
uri (string) target.url
user_agent (string) about.labels [user_agent]
warning (string) security_result.summary

Field mapping reference: CORELIGHT - intel

The following table lists the log fields of the intel log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
entity.resource.resource_type If the indicator.type log field value is equal to Intel::SUBNET, then the entity.resource.resource_type UDM field is set to VPC_NETWORK.
associated (array[string] - set[string]) entity.labels [associated]
campaigns (array[string] - set[string]) entity.labels [campaign]
category (array[string] - set[string]) ioc.categorization The first element of category (index 0) is mapped to the ioc.categorization UDM field.

For every remaining element, an entity.labels entry is added with key set to category and value set to that element.
category (array[string] - set[string]) about.labels [category]
confidence (array[number] - set[double]) ioc.confidence_score The first element of confidence (index 0) is mapped to the ioc.confidence_score UDM field.

For every remaining element, an entity.labels entry is added with key set to confidence and value set to that element.
confidence (array[number] - set[double]) about.labels [confidence]
desc (array[string] - set[string]) ioc.description The first element of desc (index 0) is mapped to the ioc.description UDM field.

For every remaining element, an entity.labels entry is added with key set to desc and value set to that element.
file_desc (string) metadata.threat.detection_fields [file_desc]
file_mime_type (string) entity.file.mime_type
firstseen (array[string] - set[string]) ioc.active_timerange.start The first element of firstseen (index 0) is mapped to the ioc.active_timerange.start UDM field.

For every remaining element, an entity.labels entry is added with key set to firstseen and value set to that element.
fuid (string) about.labels [fuid]
lastseen (array[string] - set[string]) ioc.active_timerange.end The first element of lastseen (index 0) is mapped to the ioc.active_timerange.end UDM field.

For every remaining element, an entity.labels entry is added with key set to lastseen and value set to that element.
matched (array[string] - set[enum]) entity.labels [matched]
reports (array[string] - set[string]) entity.labels [report]
seen.indicator (string) entity.ip If the indicator.type log field value is equal to Intel::ADDR, then the seen.indicator log field is mapped to the entity.ip UDM field.
seen.indicator (string) entity.url If the indicator.type log field value is equal to Intel::URL, then the seen.indicator log field is mapped to the entity.url UDM field.
seen.indicator (string) entity.domain.name If the indicator.type log field value is equal to Intel::DOMAIN, then the seen.indicator log field is mapped to the entity.domain.name UDM field.
seen.indicator (string) entity.user.email_address If the indicator.type log field value is equal to Intel::USER_NAME or Intel::EMAIL, then the seen.indicator log field is mapped to the entity.user.email_address UDM field.
seen.indicator (string) entity.file.names If the indicator.type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME, then the seen.indicator log field is mapped to the entity.file.full_path UDM field.
seen.indicator (string) entity.resource.name If the entity.metadata.entity_type UDM field is set to RESOURCE, then the seen.indicator log field is mapped to the entity.resource.name UDM field.
seen.indicator (string) about.labels [indicator]
seen.indicator_type (string - enum) entity.metadata.entity_type If the indicator.type log field value is equal to Intel::ADDR, then the metadata.entity_type UDM field is set to IP_ADDRESS.

Else, if the indicator.type log field value is equal to Intel::SUBNET or Intel::SOFTWARE or Intel::CERT_HASH or Intel::PUBKEY_HASH, then the metadata.entity_type UDM field is set to RESOURCE.

Else, if the indicator.type log field value is equal to Intel::URL, then the metadata.entity_type UDM field is set to URL.

Else, if the indicator.type log field value is equal to the Intel::EMAIL or Intel::USER_NAME, then the metadata.entity_type UDM field is set to USER.

Else, if the indicator.type log field value is equal to Intel::DOMAIN, then the metadata.entity_type UDM field is set to DOMAIN_NAME.

Else, if the indicator.type log field value is equal to the Intel::FILE_HASH or Intel::FILE_NAME, then the metadata.entity_type UDM field is set to FILE.

Else, the metadata.entity_type UDM field is set to RESOURCE.
seen.indicator_type (string - enum) entity.resource.resource_sub_type If the entity.metadata.entity_type UDM field is set to RESOURCE, then the seen.indicator_type log field is mapped to the entity.resource.resource_sub_type UDM field.
seen.indicator_type (string - enum) about.labels [indicator_type]
seen.where (string - enum) entity.metadata.source_labels [seen_where]
seen.where (string - enum) about.labels [where]
sources (array[string] - set[string]) entity.metadata.source_labels [source]
sources (array[string] - set[string]) about.labels [sources]
threat_score (array[number] - set[double]) entity.security_result.detection_fields[threat_score]
url (array[string] - set[string]) metadata.threat.url_back_to_product
verdict (array[string] - set[string]) entity.security_result.verdict_info.verdict_response Iterate through verdict.
If the verdict log field value matches the regular expression pattern "(?i)Malicious" or is equal to "1", then the entity.security_result.verdict_info.verdict_response UDM field is set to MALICIOUS.
Else, if the verdict log field value matches the regular expression pattern "(?i)Benign" or is equal to "2", then the entity.security_result.verdict_info.verdict_response UDM field is set to BENIGN.
Else, the entity.security_result.verdict_info.verdict_response UDM field is set to VERDICT_RESPONSE_UNSPECIFIED.
verdict_source (array[string] - set[string]) entity.security_result.verdict_info.source_provider Iterate through verdict_source.
Each verdict_source log field value is mapped to the entity.security_result.verdict_info.source_provider UDM field.
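The intel rules above have two behaviours that are easy to misread: the set-valued fields (category, confidence, desc, firstseen, lastseen) split their first element into an ioc.* field and every other element into entity.labels, and seen.indicator_type decides both the entity type and which entity field receives the indicator. The following Python is an added worked example, not Google SecOps or Corelight code; it applies those rules to two constructed intel records (the feed names, indicators and verdict strings are made up) and returns a flat dictionary keyed by UDM field path.

```python
import json
import re

# Constructed sample Corelight intel.log records (illustrative, not real data).
SAMPLE_INTEL_DOMAIN = json.dumps({
    "ts": 1700000000.0,
    "uid": "CAbc12XyZ",
    "seen": {"indicator": "bad.example", "indicator_type": "Intel::DOMAIN",
             "where": "DNS::IN_REQUEST"},
    "matched": ["Intel::DOMAIN"],
    "sources": ["feed-a", "feed-b"],
    "category": ["malware", "c2"],
    "confidence": [80.0, 55.0],
    "desc": ["Known C2 domain", "Secondary description"],
    "firstseen": ["2024-01-01T00:00:00Z"],
    "lastseen": ["2024-02-01T00:00:00Z", "2024-03-01T00:00:00Z"],
    "verdict": ["Malicious", "2", "suspicious"],
    "verdict_source": ["vendor-x", "vendor-y"],
})
SAMPLE_INTEL_SUBNET = json.dumps({
    "seen": {"indicator": "203.0.113.0/24", "indicator_type": "Intel::SUBNET",
             "where": "Conn::IN_RESP"},
    "sources": ["feed-a"],
})

# seen.indicator_type -> entity.metadata.entity_type; anything else is RESOURCE.
ENTITY_TYPE_BY_INDICATOR = {
    "Intel::ADDR": "IP_ADDRESS",
    "Intel::URL": "URL",
    "Intel::DOMAIN": "DOMAIN_NAME",
    "Intel::EMAIL": "USER",
    "Intel::USER_NAME": "USER",
    "Intel::FILE_HASH": "FILE",
    "Intel::FILE_NAME": "FILE",
}
# Which entity field receives seen.indicator, per entity type (from the table above).
INDICATOR_FIELD = {
    "IP_ADDRESS": "entity.ip",
    "URL": "entity.url",
    "DOMAIN_NAME": "entity.domain.name",
    "USER": "entity.user.email_address",
    "FILE": "entity.file.names",
    "RESOURCE": "entity.resource.name",
}


def normalize_verdict(value):
    """Apply the documented verdict rules: regex match or numeric code -> UDM enum."""
    if re.search(r"(?i)Malicious", value) or value == "1":
        return "MALICIOUS"
    if re.search(r"(?i)Benign", value) or value == "2":
        return "BENIGN"
    return "VERDICT_RESPONSE_UNSPECIFIED"


def split_first(values, ioc_field, label_key, udm, labels):
    """Element 0 goes to the ioc.* field; every later element becomes an entity.labels entry."""
    if not values:
        return
    udm[ioc_field] = values[0]
    for extra in values[1:]:
        labels.append({"key": label_key, "value": str(extra)})


def map_intel(raw_line):
    """Map one JSON intel record to a flat dict keyed by UDM field path."""
    log = json.loads(raw_line)
    seen = log.get("seen", {})
    udm = {"metadata.event_type": "SCAN_NETWORK", "metadata.product_name": "Zeek"}
    labels = []

    ind_type = seen.get("indicator_type", "")
    entity_type = ENTITY_TYPE_BY_INDICATOR.get(ind_type, "RESOURCE")
    udm["entity.metadata.entity_type"] = entity_type
    udm[INDICATOR_FIELD[entity_type]] = seen.get("indicator")
    if entity_type == "RESOURCE":
        # Resource indicators keep the Zeek type as sub type; SUBNET also gets a resource type.
        udm["entity.resource.resource_sub_type"] = ind_type
        if ind_type == "Intel::SUBNET":
            udm["entity.resource.resource_type"] = "VPC_NETWORK"

    split_first(log.get("category", []), "ioc.categorization", "category", udm, labels)
    split_first(log.get("confidence", []), "ioc.confidence_score", "confidence", udm, labels)
    split_first(log.get("desc", []), "ioc.description", "desc", udm, labels)
    split_first(log.get("firstseen", []), "ioc.active_timerange.start", "firstseen", udm, labels)
    split_first(log.get("lastseen", []), "ioc.active_timerange.end", "lastseen", udm, labels)

    udm["entity.security_result.verdict_info.verdict_response"] = [
        normalize_verdict(v) for v in log.get("verdict", [])]
    udm["entity.security_result.verdict_info.source_provider"] = list(log.get("verdict_source", []))
    source_labels = [{"key": "source", "value": s} for s in log.get("sources", [])]
    if "where" in seen:
        source_labels.append({"key": "seen_where", "value": seen["where"]})
    udm["entity.metadata.source_labels"] = source_labels
    udm["entity.labels"] = labels
    return udm


if __name__ == "__main__":
    print(json.dumps(map_intel(SAMPLE_INTEL_DOMAIN), indent=2))
    print(json.dumps(map_intel(SAMPLE_INTEL_SUBNET), indent=2))
```

Run it directly to print both mapped records. The point to check against your own feeds is the ordering of the set-valued fields: only the first element of confidence or category reaches the ioc.* field, so a feed that emits several values per indicator should put the one you want to search on first.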

Field mapping reference: CORELIGHT - smtp

The following table lists the log fields of the smtp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMTP.
cc (array[string] - set[string]) network.email.cc
date (string) about.labels [date]
domains (array[string] - set[string]) about.domain.name
first_received (string) about.labels [first_received]
from (string) network.email.from
fuids (array[string] - vector of string) about.labels [fuid]
helo (string) target.domain.name
in_reply_to (string) about.labels [in_reply_to]
is_webmail (boolean - bool) network.smtp.is_webmail
last_reply (string) network.smtp.server_response
mailfrom (string) network.smtp.mail_from
msg_id (string) network.email.mail_id
path (array[string] - vector of addr) intermediary.ip
rcptto (array[string] - set[string]) network.smtp.rcpt_to
reply_to (string) network.email.reply_to
second_received (string) about.labels [second_received]
subject (string) network.email.subject
tls (boolean - bool) network.smtp.is_tls
to (array[string] - set[string]) network.email.to
trans_depth (integer - count) about.labels [trans_depth]
urls (array[string] - set[string]) about.url
user_agent (string) about.labels [user_agent]
x_originating_ip (string - addr) principal.ip

Field mapping reference: CORELIGHT - ssh

The following table lists the log fields of the ssh log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SSH.
auth_attempts (integer - count) extensions.auth.auth_details The extensions.auth.auth_details UDM field is set with auth_attempts log field as "auth_attempts: auth_attempts".
auth_success (boolean - bool) security_result.action_details
auth_success (boolean - bool) security_result.action If the auth_success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to BLOCK.
cipher_alg (string) network.tls.cipher
client (string) principal.application
compression_alg (string) security_result.detection_fields [compression_alg]
cshka (string) about.labels [cshka]
direction (string - enum) network.direction If the direction log field value is equal to INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the direction log field value is equal to OUTBOUND, then the network.direction UDM field is set to OUTBOUND.
hassh (string) principal.labels [hassh]
hasshAlgorithms (string) about.labels [hassh_algorithms]
hasshServer (string) target.labels [hassh_server]
hasshServerAlgorithms (string) about.labels [hassh_server_algorithms]
hasshVersion (string) about.labels [hassh_version]
host_key (string) security_result.detection_fields [host_key]
host_key_alg (string) security_result.detection_fields [host_key_alg]
inferences (array[string] - set[string]) security_result.summary, security_result.description If the inferences log field value is equal to ABP, then the security_result.summary UDM field is set to Client Authentication Bypass and the security_result.description UDM field is set to A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.

If the inferences log field value is equal to AFR, then the security_result.summary UDM field is set to SSH Agent Forwarding Requested and the security_result.description UDM field is set to Agent Forwarding is requested by the Client.

If the inferences log field value is equal to APWA, then the security_result.summary UDM field is set to Automated Password Authentication and the security_result.description UDM field is set to The client authenticated with an automated password tool (like sshpass).

If the inferences log field value is equal to AUTO, then the security_result.summary UDM field is set to Automated Interaction and the security_result.description UDM field is set to The client is a script automated utility and not driven by a user.

If the inferences log field value is equal to BAN, then the security_result.summary UDM field is set to Server Banner and the security_result.description UDM field is set to The server sent the client a pre-authentication banner, likely for legal reasons.

If the inferences log field value is equal to BF, then the security_result.summary UDM field is set to Client Brute Force Guessing and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded a configured threshold.

If the inferences log field value is equal to BFS, then the security_result.summary UDM field is set to Client Brute Force Success and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded a configured threshold and then authenticated successfully.

If the inferences log field value is equal to CTS, then the security_result.summary UDM field is set to Client Trusted Server and the security_result.description UDM field is set to The client already has an entry in its known_hosts file for this server.

If the inferences log field value is equal to CUS, then the security_result.summary UDM field is set to Client Untrusted Server and the security_result.description UDM field is set to The client did not have an entry in its known_hosts file for this server.

If the inferences log field value is equal to IPWA, then the security_result.summary UDM field is set to Interactive Password Authentication and the security_result.description UDM field is set to The client interactively typed their password to authenticate.

If the inferences log field value is equal to KS, then the security_result.summary UDM field is set to Keystrokes and the security_result.description UDM field is set to An interactive session occurred in which the client sent user-driven keystrokes to the server.

If the inferences log field value is equal to LFD, then the security_result.summary UDM field is set to Large Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

If the inferences log field value is equal to LFU, then the security_result.summary UDM field is set to Large Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server. Large files are identified dynamically based on trains of MTU-sized packets.

If the inferences log field value is equal to MFA, then the security_result.summary UDM field is set to Multifactor Authentication and the security_result.description UDM field is set to The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it.

If the inferences log field value is equal to NA, then the security_result.summary UDM field is set to None Authentication and the security_result.description UDM field is set to The client successfully authenticated using the None method.

If the inferences log field value is equal to NRC, then the security_result.summary UDM field is set to No Remote Command and the security_result.description UDM field is set to The -N flag was used in SSH authentication.

If the inferences log field value is equal to PKA, then the security_result.summary UDM field is set to Public Key Authentication and the security_result.description UDM field is set to The client automatically authenticated using pubkey authentication.

If the inferences log field value is equal to RSI, then the security_result.summary UDM field is set to Reverse SSH Initiated and the security_result.description UDM field is set to The Reverse session is initiated from the server back to the client.

If the inferences log field value is equal to RSIA, then the security_result.summary UDM field is set to Reverse SSH Initiated Automated and the security_result.description UDM field is set to The initiation of the Reverse session happened very early in the packet stream, indicating automation.

If the inferences log field value is equal to RSK, then the security_result.summary UDM field is set to Reverse SSH Keystrokes and the security_result.description UDM field is set to Keystrokes are detected within the Reverse tunnel.

If the inferences log field value is equal to RSL, then the security_result.summary UDM field is set to Reverse SSH Logged In and the security_result.description UDM field is set to The Reverse Tunnel login has succeeded.

If the inferences log field value is equal to RSP, then the security_result.summary UDM field is set to Reverse SSH Provisioned and the security_result.description UDM field is set to The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time.

If the inferences log field value is equal to SA, then the security_result.summary UDM field is set to Authentication Scanning and the security_result.description UDM field is set to The client scanned authentication method with the server and then disconnected.

If the inferences log field value is equal to SC, then the security_result.summary UDM field is set to Capabilities Scanning and the security_result.description UDM field is set to The client exchanged capabilities with the server and then disconnected.

If the inferences log field value is equal to SFD, then the security_result.summary UDM field is set to Small Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

If the inferences log field value is equal to SFU, then the security_result.summary UDM field is set to Small Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server.

If the inferences log field value is equal to SP, then the security_result.summary UDM field is set to Other Scanning and the security_result.description UDM field is set to A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.

If the inferences log field value is equal to SV, then the security_result.summary UDM field is set to Version Scanning and the security_result.description UDM field is set to A client exchanged version strings with the server and then disconnected.

If the inferences log field value is equal to UA, then the security_result.summary UDM field is set to Unknown Authentication and the security_result.description UDM field is set to The authentication method is not determined or is unknown.
kex_alg (string) security_result.detection_fields [kex_alg]
mac_alg (string) security_result.detection_fields [mac_alg]
remote_location.city (string) target.location.city
remote_location.country_code (string) target.location.country_or_region
remote_location.latitude (number - double) target.location.region_coordinates.latitude
remote_location.longitude (number - double) target.location.region_coordinates.longitude
remote_location.region (string) target.location.country_or_region
server (string) target.application
sshka (string) about.labels [sshka]
version (integer - count) network.application_protocol_version The network.application_protocol_version UDM field is set with version log field as "SSH version".

Field mapping reference: CORELIGHT - suricata_corelight

The following table lists the log fields of the suricata_corelight log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Suricata.
idm.is_alert The idm.is_alert UDM field is set to true.
idm.is_significant The idm.is_significant UDM field is set to true.
alert.action (string) security_result.action_details
alert.category (string) security_result.category_details
alert.gid (integer - count) security_result.detection_fields [alert_gid]
alert.metadata (array[string] - vector of string) security_result.detection_fields [alert_metadata]
alert.references (array[string] - vector of string) security_result.detection_fields [alert_references] Iterate through alert.references.
Each alert.references log field value is mapped to the security_result.detection_fields [alert_references] UDM field.
alert.rev (integer - count) security_result.detection_fields [alert_rev]
alert.rule (string) security_result.description
alert.severity (integer - count) security_result.severity_details
alert.signature (string) security_result.summary
alert.signature (string) security_result.rule_name
alert.signature_id (integer - count) security_result.rule_id
attack_target security_result.detection_fields [alert_rule_attack_target] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; then the key-value pairs in rule_metadata are parsed with a kv filter, and the extracted attack_target value is mapped to the security_result.detection_fields [alert_rule_attack_target] UDM field.
community_id (string) network.community_id
created_at security_result.detection_fields [alert_rule_created_at] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; then the key-value pairs in rule_metadata are parsed with a kv filter, and the extracted created_at value is mapped to the security_result.detection_fields [alert_rule_created_at] UDM field.
deployment security_result.detection_fields [alert_rule_deployment] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; then the key-value pairs in rule_metadata are parsed with a kv filter, and the extracted deployment value is mapped to the security_result.detection_fields [alert_rule_deployment] UDM field.
flow_id (integer - count) network.session_id
hostname target.hostname If the payload_printable log field is not empty and its value matches the grok pattern ^Host: %{IPORHOST:hostname}, then the extracted hostname value is mapped to the target.hostname UDM field.

Else, if the payload log field is not empty and its value matches the grok pattern ^Host: %{IPORHOST:hostname}, then the extracted hostname value is mapped to the target.hostname UDM field.
http_method network.http.method If the payload_printable log field is not empty and its value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}, then the extracted http_method value is mapped to the network.http.method UDM field.

Else, if the payload log field is not empty and its value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}, then the extracted http_method value is mapped to the network.http.method UDM field.
icmp_code (integer - count) about.labels [icmp_code]
icmp_type (integer - count) about.labels [icmp_type]
id.vlan (integer - count) intermediary.labels [id_vlan]
id.vlan_inner (integer - count) intermediary.labels [id_vlan_inner]
meta (array[string] - vector of string) additional.fields [meta]
metadata (array[string] - vector of string) security_result.detection_fields [metadata]
orig_cve (string) extensions.vulns.vulnerabilities.cve_id
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or is equal to "4", then the principal.asset.vulnerabilities.severity UDM field is set to CRITICAL.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or is equal to "3", then the principal.asset.vulnerabilities.severity UDM field is set to HIGH.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or is equal to "1", then the principal.asset.vulnerabilities.severity UDM field is set to LOW.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or is equal to "2", then the principal.asset.vulnerabilities.severity UDM field is set to MEDIUM.
Else, if the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or is equal to "0", then the principal.asset.vulnerabilities.severity UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity_details
orig_vulnerable_host.cve (string) principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.host_uid (string) about.labels [orig_vulnerable_host_uid]
orig_vulnerable_host.hostname (string) principal.asset.hostname
orig_vulnerable_host.machine_domain (string) principal.asset.network_domain
orig_vulnerable_host.os_version (string) principal.asset.platform_software.platform_version
orig_vulnerable_host.source (string) principal.asset.vulnerabilities.cve_description
packet (string) about.labels [packet]
packet (string) about.labels [packet_decoded]
payload (string) about.labels [payload]
payload (string) about.labels [payload_decoded]
payload_printable (string) security_result.detection_fields[payload_printable]
pcap_cnt (integer - count) about.labels [pcap_cnt]
performance_impact security_result.detection_fields [alert_rule_performance_impact] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; then the key-value pairs in rule_metadata are parsed with a kv filter, and the extracted performance_impact value is mapped to the security_result.detection_fields [alert_rule_performance_impact] UDM field.
proto_version network.application_protocol_version If the payload_printable log field is not empty and its value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}, then the extracted proto_version value is mapped to the network.application_protocol_version UDM field.

Else, if the payload log field is not empty and its value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}, then the extracted proto_version value is mapped to the network.application_protocol_version UDM field.
reference_url security_result.detection_fields [alert_rule_reference_url] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}reference:url,%{DATA:reference_url}; then the extracted reference_url value is mapped to the security_result.detection_fields [alert_rule_reference_url] UDM field.
references (array[string] - vector of string) security_result.detection_fields [references] Iterate through references; each references log field value is mapped to the security_result.detection_fields.references UDM field.
resp_cve (string) extensions.vulns.vulnerabilities.cve_id
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 " then, the "target.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 " then, the "target.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 " then, the "target.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 " then, the "target.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 " then, the "target.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity_details
resp_vulnerable_host.cve (string) target.asset.vulnerabilities.cve_id
resp_vulnerable_host.host_uid (string) about.labels [resp_vulnerable_host_uid]
resp_vulnerable_host.hostname (string) target.asset.hostname
resp_vulnerable_host.machine_domain (string) target.asset.network_domain
resp_vulnerable_host.os_version (string) target.asset.platform_software.platform_version
resp_vulnerable_host.source (string) target.asset.vulnerabilities.cve_description
rule_classtype security_result.detection_fields [alert_rule_classtype] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}classtype:%{DATA:rule_classtype}; then, the rule_classtype extracted field is mapped to security_result.detection_fields [alert_rule_classtype] UDM field.
rule_content security_result.detection_fields[alert_rule_content] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}content:\\"%{GREEDYDATA:rule_content}\\" then, the rule_content extracted field is mapped to security_result.detection_fields [alert_rule_content] UDM field.
service (string) network.application_protocol
service (string) about.labels [service]
signature_severity security_result.severity If the alert.rule log field value matches the grok pattern signature_severity (?<signature_severity>Critical|Major|Minor|Informational) then
If the signature_severity extracted field value is equal to Critical then, the security_result.severity UDM field is set to CRITICAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Major then, the security_result.severity UDM field is set to MEDIUM and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Minor then, the security_result.severity UDM field is set to LOW and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Informational then, the security_result.severity UDM field is set to INFORMATIONAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
suri_id (string) metadata.product_log_id
tx_id (integer - count) about.labels [tx_id]
updated_at security_result.detection_fields [alert_rule_updated_at] If the alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and updated_at is extracted from rule_metadata using the kv filter, then the extracted updated_at field is mapped to the security_result.detection_fields [alert_rule_updated_at] UDM field.
uri target.url If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.
user_agent target.http.useragent If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.
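The rows above describe several extractions from alert.rule and from the HTTP payload in terms of grok patterns and a kv filter. The following Python is an added example, not code from this page or from the Google SecOps parser: it reproduces that logic with plain regular expressions standing in for the grok patterns (%{DATA} as a lazy .*?, %{GREEDYDATA} as a greedy .*, %{WORD} as \w+, %{NOTSPACE} as \S+) so that the behaviour can be checked against a sample record. The sample rule and payload are constructed. Two assumptions are labelled in the code: the page does not show the kv filter's options, so metadata is split as comma-separated "key value" pairs, which is how Suricata writes it; and because Logstash grok runs on Oniguruma, where ^ matches at every line start, the User-Agent pattern is compiled with re.MULTILINE.

```python
import re
from typing import Dict

# Constructed sample alert.rule value (not a real Corelight/Suricata record).
SAMPLE_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"EXAMPLE constructed test rule"; flow:established,to_server; '
    'content:"/example-path"; http_uri; classtype:web-application-attack; '
    'reference:url,example.com/constructed-reference; sid:9000001; rev:1; '
    'metadata:signature_severity Major, performance_impact Low, updated_at 2024_01_01;)'
)

# Constructed sample payload_printable value (an HTTP request as captured text).
SAMPLE_PAYLOAD_PRINTABLE = (
    "GET /example-path?id=1 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ConstructedAgent/1.0\r\n"
    "\r\n"
)

# Regex equivalents of the grok patterns listed in the table.
CLASSTYPE_RE = re.compile(r"classtype:(?P<rule_classtype>.*?);")
REFERENCE_URL_RE = re.compile(r"reference:url,(?P<reference_url>.*?);")
# GREEDYDATA on both sides: anchors on the last content:" and the last closing quote.
CONTENT_RE = re.compile(r'.*content:"(?P<rule_content>.*)"', re.DOTALL)
METADATA_RE = re.compile(r"metadata:(?P<rule_metadata>.*?);")
SIGNATURE_SEVERITY_RE = re.compile(
    r"signature_severity (?P<signature_severity>Critical|Major|Minor|Informational)"
)
REQUEST_LINE_RE = re.compile(r"(?P<http_method>\w+) (?P<uri>\S+) HTTP/(?P<proto_version>\S+)")
# Assumption: Oniguruma's ^ is a line anchor, so re.MULTILINE mirrors the grok behaviour.
USER_AGENT_RE = re.compile(r"^User-Agent: (?P<user_agent>.*)", re.MULTILINE)

# signature_severity value -> security_result.severity, exactly as the table states.
SIGNATURE_SEVERITY_TO_UDM = {
    "Critical": "CRITICAL",
    "Major": "MEDIUM",
    "Minor": "LOW",
    "Informational": "INFORMATIONAL",
}


def parse_rule_metadata(rule_metadata: str) -> Dict[str, str]:
    """Stand-in for the kv filter. Assumption: metadata is a comma-separated list of
    'key value' pairs (Suricata's format); the page does not show the filter options."""
    pairs: Dict[str, str] = {}
    for item in rule_metadata.split(","):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            pairs[parts[0]] = parts[1].strip()
    return pairs


def map_alert_rule(rule: str) -> Dict[str, str]:
    """Return the UDM fields derived from alert.rule, keyed by UDM path."""
    udm: Dict[str, str] = {}
    m = CLASSTYPE_RE.search(rule)
    if m:
        udm["security_result.detection_fields[alert_rule_classtype]"] = m.group("rule_classtype")
    m = REFERENCE_URL_RE.search(rule)
    if m:
        udm["security_result.detection_fields[alert_rule_reference_url]"] = m.group("reference_url")
    m = CONTENT_RE.search(rule)
    if m:
        udm["security_result.detection_fields[alert_rule_content]"] = m.group("rule_content")
    m = METADATA_RE.search(rule)
    if m:
        kv = parse_rule_metadata(m.group("rule_metadata"))
        for key in ("performance_impact", "updated_at"):
            if key in kv:
                udm[f"security_result.detection_fields[alert_rule_{key}]"] = kv[key]
    m = SIGNATURE_SEVERITY_RE.search(rule)
    if m:
        sev = m.group("signature_severity")
        udm["security_result.severity"] = SIGNATURE_SEVERITY_TO_UDM[sev]
        udm["security_result.severity_details"] = sev
    return udm


def map_payload(payload_printable: str, payload: str) -> Dict[str, str]:
    """payload_printable is tried first and payload is the fallback, as the table describes."""
    text = payload_printable or payload
    udm: Dict[str, str] = {}
    if not text:
        return udm
    m = REQUEST_LINE_RE.search(text)
    if m:
        udm["network.application_protocol_version"] = m.group("proto_version")
        udm["target.url"] = m.group("uri")
    m = USER_AGENT_RE.search(text)
    if m:
        # .* stops at \n but not at \r, so a CRLF payload leaves a trailing \r to trim.
        udm["target.http.useragent"] = m.group("user_agent").rstrip("\r")
    return udm


if __name__ == "__main__":
    for k, v in {**map_alert_rule(SAMPLE_RULE), **map_payload(SAMPLE_PAYLOAD_PRINTABLE, "")}.items():
        print(f"{k} = {v}")
```

Two behaviours worth noting when comparing parser output against raw events: because the content pattern is greedy at both ends, a rule with several content: keywords yields only the last one, spanning to the final quote in the rule; and the request-line pattern is unanchored, so it also fires on a payload that merely contains something shaped like a request line.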

Field mapping reference: CORELIGHT - bacnet

The following table lists the log fields of the bacnet log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
apdu_type (string) about.labels [apdu_type]
bvlc_function (string) about.labels [bvlc_function]
bvlc_len (integer - count) about.labels [bvlc_len]
data (array[string] - vector of string) about.labels [data]
invoke_id (integer - count) additional.fields [invoke_id]
is_orig (boolean - bool) additional.fields [is_orig]
pdu_service (string) additional.fields [pdu_service]
pdu_type (string) additional.fields [pdu_type]
result_code (string) additional.fields [result_code]
service_choice (string) about.labels [service_choice]

Field mapping reference: CORELIGHT - cip

The following table lists the log fields of the cip log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
attribute_id (string) additional.fields [attribute_id]
cip_extended_status (string) additional.fields [cip_extended_status]
cip_extended_status_code (string) additional.fields [cip_extended_status_code]
cip_sequence_count (integer - count) additional.fields [cip_sequence_count]
cip_service (string) additional.fields [cip_service]
cip_service_code (string) additional.fields [cip_service_code]
cip_status (string) additional.fields [cip_status]
cip_status_code (string) additional.fields [cip_status_code]
class_id (string) additional.fields [class_id]
class_name (string) additional.fields [class_name]
direction (string) additional.fields [direction]
instance_id (string) additional.fields [instance_id]
is_orig (boolean - bool) additional.fields [is_orig]
service (string) about.labels [service]
status (string) about.labels [status]
tags (string) about.labels [tag]

Field mapping reference: CORELIGHT - corelight_burst

The following table lists the log fields of the corelight_burst log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
age_of_conn (number - interval) about.labels [age_of_conn]
mbps (number - double) about.labels [mbps]
orig_size (integer - count) network.sent_bytes
proto (string - enum) network.ip_protocol
resp_size (integer - count) network.received_bytes

Field mapping reference: CORELIGHT - corelight_overall_capture_loss

The following table lists the log fields of the corelight_overall_capture_loss log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.description The metadata.description UDM field is set from the _system_name, percent_lost, and ts log fields as "node _system_name experienced percent_lost% packet loss at ts".
acks (number - double) security_result.detection_fields [acks]
gaps (number - double) security_result.detection_fields [gaps]
percent_lost (number - double) security_result.detection_fields [percent_lost]

Field mapping reference: CORELIGHT - corelight_profiling

The following table lists the log fields of the corelight_profiling log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
node (string) principal.hostname
prof.core_stack (string) about.labels [prof_core_stack]
prof.sched_wait_ns (integer - count) about.labels [prof_sched_wait_ns]
prof.script_stack (string) about.labels [prof_script_stack]

Field mapping reference: CORELIGHT - datared

The following table lists the log fields of the datared log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
conn_red (integer - count) about.labels [conn_red]
conn_total (integer - count) about.labels [conn_total]
dns_coal_miss (integer - count) about.labels [dns_coal_miss]
dns_red (integer - count) about.labels [dns_red]
dns_total (integer - count) about.labels [dns_total]
files_coal_miss (integer - count) about.labels [files_coal_miss]
files_red (integer - count) about.labels [files_red]
files_total (integer - count) about.labels [files_total]
http_red (integer - count) about.labels [http_red]
http_total (integer - count) about.labels [http_total]
ssl_coal_miss (integer - count) about.labels [ssl_coal_miss]
ssl_red (integer - count) about.labels [ssl_red]
ssl_total (integer - count) about.labels [ssl_total]
weird_red (integer - count) about.labels [weird_red]
weird_total (integer - count) about.labels [weird_total]
x509_coal_miss (integer - count) about.labels [x509_coal_miss]
x509_red (integer - count) about.labels [x509_red]
x509_total (integer - count) about.labels [x509_total]

Field mapping reference: CORELIGHT - dhcp

The following table lists the log fields of the dhcp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DHCP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DHCP.
assigned_addr (string - addr) network.dhcp.yiaddr
client_addr (string - addr) network.dhcp.ciaddr
client_fqdn (string) principal.domain.name
client_message (string) security_result.description
domain (string) target.domain.name
duration (number - interval) about.labels [duration]
host_name (string) network.dhcp.client_hostname
lease_time (number - interval) network.dhcp.lease_time_seconds
mac (string) network.dhcp.chaddr
msg_types (array[string] - vector of string) network.dhcp.type The element of msg_types at index 0 is mapped to the network.dhcp.type UDM field.

For every other index, the about.labels.key UDM field is set to msg_types and the msg_types element is mapped to the about.labels.value UDM field.
requested_addr (string - addr) network.dhcp.requested_address
server_addr (string - addr) network.dhcp.siaddr
server_message (string) security_result.description
uids (array[string] - set[string]) about.labels [uid]

Field mapping reference: CORELIGHT - dga

The following table lists the log fields of the dga log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
family (string) about.labels [family]
is_collision_heavy (boolean - bool) security_result.detection_fields [is_collision_heavy]
qtype_name (string) about.labels [qtype_name]
query (string) network.dns.questions.name
rcode (integer - count) network.dns.response_code
ruse (boolean - bool) about.labels [ruse]

Field mapping reference: CORELIGHT - dnp3

The following table lists the log fields of the dnp3 log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
fc_reply (string) about.labels [fc_reply]
fc_request (string) about.labels [fc_request]
iin (integer - count) about.labels [iin]

Field mapping reference: CORELIGHT - iso_cotp

The following table lists the log fields of the iso_cotp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
pdu_type (string) about.labels [pdu_type]

Field mapping reference: CORELIGHT - kerberos

The following table lists the log fields of the kerberos log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to KRB5.
cipher (string) about.labels [cipher]
client (string) principal.hostname
client_cert_fuid (string) about.labels [client_cert_fuid]
client_cert_subject (string) about.labels [client_cert_subject]
error_msg (string) security_result.action_details
forwardable (boolean - bool) about.labels [forwardable]
from (time) about.labels [from]
renewable (boolean - bool) about.labels [renewable]
request_type (string) principal.application
server_cert_fuid (string) about.labels [server_cert_fuid]
server_cert_subject (string) about.labels [server_cert_subject]
service (string) target.application
success (boolean - bool) security_result.action If the success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
till (time) about.labels [till]

Field mapping reference: CORELIGHT - ldap

The following table lists the log fields of the ldap log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to LDAP.
argument (array[string] - vector of string) about.labels [argument]
diagnostic_message (array[string] - vector of string) security_result.description
message_id (integer - int) about.labels [message_id]
object (array[string] - vector of string) about.labels [object]
opcode (array[string] - set[string]) security_result.detection_fields [opcode]
proto (string) about.labels [proto]
result (array[string] - set[string]) security_result.detection_fields [result]
version (integer - int) network.application_protocol_version

The following table lists the log fields of the ldap_search log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to LDAP.
attributes (array[string] - vector of string) about.labels [attributes]
base_object (array[string] - vector of string) about.labels [base_object]
deref (array[string] - set[string]) about.labels [deref]
diagnostic_message (array[string] - vector of string) security_result.description
filter (string) about.labels [filter]
message_id (integer - int) about.labels [message_id]
proto (string) about.labels [proto]
result (array[string] - set[string]) security_result.detection_fields [result]
result_count (integer - count) security_result.detection_fields [result_count]
scope (array[string] - set[string]) about.labels [scope]

Field mapping reference: CORELIGHT - local_subnets

The following table lists the log fields of the local_subnets log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
bipartite (boolean - bool) about.labels [bipartite]
component_ids (array[integer] - set[count]) about.labels [component_id]
inferred_site (boolean - bool) about.labels [inferred_site]
ip_version (integer - count) about.labels [ip_version]
other_ips (array[string] - set[addr]) about.ip
round (integer - count) about.labels [round]
size_of_component (integer - count) about.labels [size_of_component]
subnets (array[string] - set[subnet]) about.labels [subnet]

Field mapping reference: CORELIGHT - local_subnets_dj

The following table lists the log fields of the local_subnets_dj log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
component_id (integer - count) additional.fields [component_id]
ip_version (integer - count) about.labels [ip_version]
round (integer - count) additional.fields [round]
side (string) about.labels [side]
v (string - addr) about.ip

Field mapping reference: CORELIGHT - local_subnets_graphs

The following table lists the log fields of the local_subnets_graphs log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
ip_version (integer - count) about.labels [ip_version]
v1 (string - addr) about.ip
v2 (string - addr) about.ip

Field mapping reference: CORELIGHT - syslog

The following table lists the log fields of the syslog log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
facility (string) about.labels [facility]
message (string) metadata.description
proto (string - enum) network.ip_protocol
severity (string) about.labels [severity]

Field mapping reference: CORELIGHT - tds

The following table lists the log fields of the tds log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
command (string) principal.process.command_line

Field mapping reference: CORELIGHT - tds_rpc

The following table lists the log fields of the tds_rpc log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
parameters (array[string] - vector of string) about.labels [parameter]
procedure_name (string) about.labels [procedure_name]

Field mapping reference: CORELIGHT - tds_sql_batch

The following table lists the log fields of the tds_sql_batch log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
target.resource.resource_type The target.resource.resource_type UDM field is set to DATABASE.
header_type (string) target.resource.attribute.labels [header_type]
query (string) target.resource.attribute.labels [query]

Field mapping reference: CORELIGHT - traceroute

The following table lists the log fields of the traceroute log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
dst (string - addr) target.ip
proto (string) network.ip_protocol
src (string - addr) principal.ip

Field mapping reference: CORELIGHT - tunnel

The following table lists the log fields of the tunnel log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
security_result.description The security_result.description UDM field is set with action, tunnel_type log fields as "action action on tunnel type tunnel_type".
action (string - enum) security_result.action_details
tunnel_type (string - enum) intermediary.labels [tunnel_type]

Field mapping reference: CORELIGHT - weird, weird_red

The following table lists the log fields of the weird and weird_red log types and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
addl (string) about.labels [addl]
name (string) about.labels [name]
notice (boolean - bool) about.labels [notice]
peer (string) about.labels [peer]
source (string) about.labels [source]

Field mapping reference: CORELIGHT - wireguard

The following table lists the log fields of the wireguard log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
established (boolean - bool) about.labels [established]
initiations (integer - count) about.labels [initiations]
responses (integer - count) about.labels [responses]

Field mapping reference: CORELIGHT - vpn

The following table lists the log fields of the vpn log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
client_info (string) principal.labels [client_info]
duration (number - interval) network.session_duration
inferences (array[string] - set[string]) about.labels [inference]
issuer (string) network.tls.client.certificate.issuer
ja3 (string) network.tls.client.ja3
ja3s (string) network.tls.server.ja3s
orig_bytes (integer - count) network.sent_bytes
orig_cc (string) principal.location.country_or_region
orig_city (string) principal.location.city
orig_region (string) principal.location.country_or_region
proto (string - enum) network.ip_protocol
resp_bytes (integer - count) network.received_bytes
resp_cc (string) target.location.country_or_region
resp_city (string) target.location.city
resp_region (string) target.location.country_or_region
server_name (string) network.tls.client.server_name
service (string) target.application
subject (string) network.tls.client.certificate.subject
vpn_type (string - enum) about.labels [vpn_type]

Field mapping reference: CORELIGHT - x509, x509_red

The following table lists the log fields of the x509 and x509_red log types and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
basic_constraints.ca (boolean - bool) about.labels [basic_constraints_ca]
basic_constraints.path_len (integer - count) about.labels [basic_constraints_path_len]
certificate.curve (string) network.tls.curve
certificate.exponent (string) about.labels [certificate_exponent]
certificate.issuer (string) network.tls.server.certificate.issuer
certificate.key_alg (string) about.labels [certificate_key_alg]
certificate.key_length (integer - count) about.labels [certificate_key_length]
certificate.key_type (string) about.labels [certificate_key_type]
certificate.not_valid_after (time) network.tls.server.certificate.not_after
certificate.not_valid_before (time) network.tls.server.certificate.not_before
certificate.serial (string) network.tls.server.certificate.serial
certificate.sig_alg (string) about.labels [certificate_sig_alg]
certificate.subject (string) network.tls.server.certificate.subject
certificate.version (integer - count) network.tls.server.certificate.version
client_cert (boolean - bool) about.labels [client_cert]
fingerprint (string) about.labels [fingerprint]
host_cert (boolean - bool) about.labels [host_cert]
san.dns (array[string] - vector of string) about.labels [san_dns]
san.email (array[string] - vector of string) about.labels [san_email]
san.ip (array[string] - vector of addr) about.ip
san.uri (array[string] - vector of string) about.url
vlan (integer - int) additional.fields [vlan]
vlan_inner (integer - int) additional.fields [vlan_inner]

Field mapping reference: CORELIGHT - unknown-smartpcap

The following table lists the log fields of the unknown-smartpcap log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Smartpcap.
pkts (integer - count) about.labels [pkts]
tid (string) about.labels [tid]
url (string) security_result.url_back_to_product

Field mapping reference: CORELIGHT - mysql

The following table lists the log fields of the mysql log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
target.resource.resource_type The target.resource.resource_type UDM field is set to DATABASE.
arg (string) principal.process.command_line
cmd (string) target.resource.attribute.labels [cmd]
response (string) target.resource.attribute.labels [response]
rows (integer - count) target.resource.attribute.labels [rows]
success (boolean - bool) target.resource.attribute.labels [success]

Field mapping reference: CORELIGHT - napatech_shunting

The following table lists the log fields of the napatech_shunting log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
peer (string) about.labels [peer]
shunted_flows (integer - count) security_result.detection_fields [shunted_flows]
terminated_flows (integer - count) about.labels [terminated_flows]

Field mapping reference: CORELIGHT - ntlm

The following table lists the log fields of the ntlm log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
domainname (string) principal.domain.name
hostname (string) principal.hostname
server_dns_computer_name (string) target.domain.name
server_nb_computer_name (string) target.hostname
server_tree_name (string) target.labels [server_tree_name]
success (boolean - bool) extensions.auth.auth_details If the success log field value is equal to true, then the extensions.auth.auth_details UDM field is set to Authentication successful.

Else, the extensions.auth.auth_details UDM field is set to Authentication failed.
username (string) target.user.userid

Field mapping reference: CORELIGHT - pe

The following table lists the log fields of the pe log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
compile_ts (time) about.labels [compile_ts]
has_cert_table (boolean - bool) about.labels [has_cert_table]
has_debug_data (boolean - bool) about.labels [has_debug_data]
has_export_table (boolean - bool) about.labels [has_export_table]
has_import_table (boolean - bool) about.labels [has_import_table]
id (string) about.labels [id]
is_64bit (boolean - bool) about.labels [is_64bit]
is_exe (boolean - bool) about.file.file_type If the is_exe log field value is equal to true, then the about.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
machine (string) target.labels [machine]
os (string) target.platform If the os log field value is equal to windows, then the target.platform UDM field is set to WINDOWS.

Else, if the os log field value is equal to linux, then the target.platform UDM field is set to LINUX.

Else, if the os log field value is equal to mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.
section_names (array[string] - vector of string) about.labels [section_names]
subsystem (string) target.application
uses_aslr (boolean - bool) about.labels [uses_aslr]
uses_code_integrity (boolean - bool) about.labels [uses_code_integrity]
uses_dep (boolean - bool) about.labels [uses_dep]
uses_seh (boolean - bool) about.labels [uses_seh]

Field mapping reference: CORELIGHT - ntp

The following table lists the log fields of the ntp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to NTP.
network.ip_protocol The network.ip_protocol UDM field is set to UDP.
mode (integer - count) about.labels [mode]
num_exts (integer - count) about.labels [num_exts]
org_time (time) about.labels [org_time]
poll (number - interval) about.labels [poll]
precision (number - interval) about.labels [precision]
rec_time (time) about.labels [rec_time]
ref_id (string) target.ip If the ref_id log field value matches the regular expression for an IP address, then the ref_id log field is mapped to the target.ip UDM field.

Else, the ref_id log field is mapped to the target.labels UDM field.
ref_id (string) target.labels [ref_id] If the ref_id log field value matches the regular expression for an IP address, then the ref_id log field is mapped to the target.ip UDM field.

Else, the ref_id log field is mapped to the target.labels UDM field.
ref_time (time) about.labels [ref_time]
root_delay (number - interval) about.labels [root_delay]
root_disp (number - interval) about.labels [root_disp]
stratum (integer - count) about.labels [stratum]
version (integer - count) network.application_protocol_version
xmt_time (time) about.labels [rec_time]

Field mapping reference: CORELIGHT - radius

The following table lists the log fields of the radius log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
connect_info (string) about.labels [connect_info]
framed_addr (string - addr) intermediary.ip
mac (string) principal.mac
reply_msg (string) about.labels [reply_msg]
result (string) extensions.auth.auth_details
ttl (number - interval) network.session_duration
tunnel_client (string) intermediary.ip If the tunnel_client log field value matches the IP regex, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Otherwise, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
tunnel_client (string) intermediary.domain.name If the tunnel_client log field value matches the IP regex, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Otherwise, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
username (string) target.user.userid
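The IP-or-label branch described for ntp.ref_id and radius.tunnel_client, as an added Python example that is not the Google SecOps parser's own code: it builds the expected UDM fields for a constructed record so they can be compared with the event the parser actually produced. It assumes the parser's IP regex accepts exactly IPv4 and IPv6 literals (approximated here with the ipaddress module) and models only the fields listed in the two tables above, with nested UDM nouns as plain dicts.

```python
# Added example (not the Google SecOps parser's own code). The ipaddress check
# stands in for the parser's "regex of IP"; that equivalence is an assumption.
import ipaddress
from typing import Any, Callable, Optional


def looks_like_ip(value: str) -> bool:
    """True for any IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def _walk(udm: dict, dotted: str) -> tuple:
    """Return (parent dict, last key) for a dotted UDM path, creating parents."""
    node = udm
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def _set(udm: dict, dotted: str, value: Any) -> None:
    """Assign a scalar UDM field such as metadata.event_type."""
    parent, key = _walk(udm, dotted)
    parent[key] = value


def _append(udm: dict, dotted: str, value: Any) -> None:
    """Append to a repeated UDM field such as target.ip or intermediary.ip."""
    parent, key = _walk(udm, dotted)
    parent.setdefault(key, []).append(value)


def _label(udm: dict, noun: str, key: str, value: Any) -> None:
    """Append a {key, value} pair to <noun>.labels (about, target, ...)."""
    udm.setdefault(noun, {}).setdefault("labels", []).append(
        {"key": key, "value": str(value)})


def _ip_or(udm: dict, value: Optional[str], ip_path: str,
           fallback: Callable[[str], None]) -> None:
    """The documented branch: IP literal -> ip_path, anything else -> fallback."""
    if not value:
        return  # field absent or empty: nothing is mapped
    if looks_like_ip(value):
        _append(udm, ip_path, value)
    else:
        fallback(value)


def map_ntp(rec: dict) -> dict:
    """Expected UDM fields for one ntp record (only fields from the ntp table)."""
    udm: dict = {}
    _set(udm, "metadata.event_type", "NETWORK_UNCATEGORIZED")
    _set(udm, "metadata.product_name", "Zeek")
    _set(udm, "network.application_protocol", "NTP")
    _set(udm, "network.ip_protocol", "UDP")
    if "version" in rec:
        _set(udm, "network.application_protocol_version", str(rec["version"]))
    for key in ("mode", "stratum", "poll", "precision"):
        if key in rec:
            _label(udm, "about", key, rec[key])
    # ref_id is an IP when the server syncs to another server, but a short
    # reference-clock code (e.g. GPS, LOCL) when it is a stratum-1 server.
    _ip_or(udm, rec.get("ref_id"), "target.ip",
           lambda v: _label(udm, "target", "ref_id", v))
    return udm


def map_radius(rec: dict) -> dict:
    """Expected UDM fields for one radius record (only fields from the table)."""
    udm: dict = {}
    _set(udm, "metadata.event_type", "USER_LOGIN")
    _set(udm, "metadata.product_name", "Zeek")
    if "username" in rec:
        _set(udm, "target.user.userid", rec["username"])
    if "result" in rec:
        _set(udm, "extensions.auth.auth_details", rec["result"])
    if "framed_addr" in rec:
        _append(udm, "intermediary.ip", rec["framed_addr"])
    # tunnel_client: IP literal -> intermediary.ip, else intermediary.domain.name
    _ip_or(udm, rec.get("tunnel_client"), "intermediary.ip",
           lambda v: _set(udm, "intermediary.domain.name", v))
    return udm


# Constructed sample records, not captured from a real sensor.
SAMPLE_NTP_UPSTREAM = {"ref_id": "10.0.0.1", "stratum": 2, "version": 4}
SAMPLE_NTP_REFCLOCK = {"ref_id": "GPS", "stratum": 1, "version": 4}
SAMPLE_RADIUS_IP = {"username": "alice", "result": "success", "tunnel_client": "192.0.2.10"}
SAMPLE_RADIUS_NAME = {"username": "bob", "result": "failed",
                      "framed_addr": "10.8.0.5", "tunnel_client": "vpn.example.com"}

if __name__ == "__main__":
    print(map_ntp(SAMPLE_NTP_REFCLOCK))
    print(map_radius(SAMPLE_RADIUS_NAME))
```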

Field mapping reference: CORELIGHT - reporter

The following table lists the log fields of the reporter log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
level (string - enum) security_result.severity If the level log field value is one of CRITICAL, ERROR, HIGH, INFORMATIONAL, LOW, or MEDIUM, then the level log field is mapped to the security_result.severity UDM field.
level (string - enum) security_result.severity_details
location (string) about.labels [location]
message (string) security_result.description

Field mapping reference: CORELIGHT - log4shell

The following table lists the log fields of the log4shell log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
extensions.vulns.vulnerabilities.cve_id The extensions.vulns.vulnerabilities.cve_id UDM field is set to CVE-2021-44228.
http_uri (string) about.labels [http_uri]
is_orig (boolean - bool) about.labels [is_orig]
matched_name (boolean - bool) about.labels [matched_name]
matched_value (boolean - bool) about.labels [matched_value]
method (string) network.http.method
name (string) about.labels.key
stem (string) target.labels [stem]
target_host (string) target.hostname
target_port (string) target.port
uri (string) target.url
value (string) about.labels.value

Field mapping reference: CORELIGHT - modbus

The following table lists the log fields of the modbus log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MODBUS.
exception (string) security_result.description
func (string) about.labels [func]
pdu_type (string) additional.fields [pdu_type]
tid (integer - count) additional.fields [tid]
unit (integer - count) additional.fields [unit]

Field mapping reference: CORELIGHT - mqtt_connect

The following table lists the log fields of the mqtt_connect log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
client_id (string) principal.labels [client_id]
connect_status (string) security_result.description
proto_name (string) about.labels [proto_name]
proto_version (string) network.application_protocol_version
will_payload (string) about.labels [will_payload]
will_topic (string) about.labels [will_topic]

Field mapping reference: CORELIGHT - mqtt_publish

The following table lists the log fields of the mqtt_publish log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
from_client (boolean - bool) about.labels [from_client]
payload (string) about.labels [payload]
payload_len (integer - count) about.labels [payload_len]
qos (string) about.labels [qos]
retain (boolean - bool) target.labels [retain]
status (string) security_result.description
topic (string) about.labels [topic]

Field mapping reference: CORELIGHT - mqtt_subscribe

The following table lists the log fields of the mqtt_subscribe log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
ack (boolean - bool) security_result.detection_fields [ack]
action (string - enum) security_result.action_details
granted_qos_level (integer - count) about.labels [granted_qos_level]
qos_levels (array[integer] - vector of count) about.labels [qos_levels]
topics (array[string] - vector of string) about.labels [topics]

Field mapping reference: CORELIGHT - dpd

The following table lists the log fields of the dpd log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
analyzer (string) about.labels [analyzer]
failure_reason (string) about.labels [failure_reason]
proto (string - enum) network.ip_protocol

Field mapping reference: CORELIGHT - encrypted_dns

The following table lists the log fields of the encrypted_dns log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
cert.cn (string) about.labels [cert_cn]
cert.sans (array[string] - set[string]) about.labels [cert_sans]
match (string) about.labels [match]
resp_h (string - addr) target.ip
sni (string) network.tls.client.server_name

Field mapping reference: CORELIGHT - enip

The following table lists the log fields of the enip log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
command (string) principal.process.command_line
enip_command (string) additional.fields [enip_command]
enip_command_code (string) additional.fields [enip_command_code]
enip_status (string) additional.fields [enip_status]
is_orig (boolean - bool) additional.fields [is_orig]
length (integer - count) about.labels [length]
options (string) about.labels [options]
sender_context (string) about.labels [sender_context]
session_handle (string) network.session_id
status (string) about.labels [status]

Field mapping reference: CORELIGHT - enip_debug

The following table lists the log fields of the enip_debug log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
raw_data (string) about.labels [raw_data]

Field mapping reference: CORELIGHT - enip_list_identity

The following table lists the log fields of the enip_list_identity log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
device_ip (string - addr) target.asset.ip
device_type (string) target.asset.attribute.labels [device_type]
product_code (integer - count) target.asset.attribute.labels [product_code]
product_name (string) target.asset.attribute.labels [product_name]
revision (number - double) target.asset.attribute.labels [revision]
serial_number (string) target.asset.asset_id The target.asset.asset_id UDM field is set from the serial_number log field as "CORELIGHT: serial_number".
state (string) target.asset.attribute.labels [state]
status (string) about.labels [status]
vendor (string) target.asset.hardware.manufacturer

Field mapping reference: CORELIGHT - etc_viz

The following table lists the log fields of the etc_viz log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
c2s_viz.clr_ex (string) about.labels [c2s_viz_clr_ex]
c2s_viz.clr_frac (number - double) about.labels [c2s_viz_clr_frac]
c2s_viz.enc_dev (number - double) about.labels [c2s_viz_enc_dev]
c2s_viz.enc_frac (number - double) about.labels [c2s_viz_enc_frac]
c2s_viz.pdu1_enc (boolean - bool) about.labels [c2s_viz_pdu1_enc]
c2s_viz.size (integer - count) about.labels [c2s_viz_size]
s2c_viz.clr_ex (string) about.labels [s2c_viz_clr_ex]
s2c_viz.clr_frac (number - double) about.labels [s2c_viz_clr_frac]
s2c_viz.enc_dev (number - double) about.labels [s2c_viz_enc_dev]
s2c_viz.enc_frac (number - double) about.labels [s2c_viz_enc_frac]
s2c_viz.pdu1_enc (boolean - bool) about.labels [s2c_viz_pdu1_enc]
s2c_viz.size (integer - count) about.labels [s2c_viz_size]
server_a (string - addr) target.ip
server_p (integer - port) target.port
service (array[string] - set[string]) target.application The service log field value at index 0 is mapped to the target.application UDM field.

For every other index value, the target.labels.key UDM field is set to service and the service log field value is mapped to the target.labels.value UDM field.
viz_stat (string) about.labels [viz_stat]

Field mapping reference: CORELIGHT - ftp

The following table lists the log fields of the ftp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_FTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
command (string), arg (string) network.ftp.command The network.ftp.command UDM field is set from the command and arg log fields as "command arg".
data_channel.orig_h (string - addr) principal.ip
data_channel.passive (boolean - bool) about.labels [data_channel_passive]
data_channel.resp_h (string - addr) target.ip
data_channel.resp_p (integer - port) target.labels [data_channel_resp_p]
file_size (integer - count) target.file.size
fuid (string) about.labels [fuid]
mime_type (string) target.file.mime_type
password (string) extensions.auth.auth_details
reply_code (integer - count) about.labels [reply_code]
reply_msg (string) about.labels [reply_msg]
user (string) principal.user.user_display_name

Field mapping reference: CORELIGHT - generic_dns_tunnels

The following table lists the log fields of the generic_dns_tunnels log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
bytes (integer - int) about.labels [bytes]
capture_secs (number - interval) about.labels [capture_secs]
dns_client (string - addr) principal.ip
domain (string) network.dns_domain
domain (string) network.dns.questions.name

Field mapping reference: CORELIGHT - generic_icmp_tunnels

The following table lists the log fields of the generic_icmp_tunnels log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.ip_protocol The network.ip_protocol UDM field is set to ICMP.
bytes (integer - count) about.labels [bytes]
detection (string) security_result.detection_fields [detection]
id (integer - count) about.labels [id]
orig (string - addr) principal.ip
payload (string) about.labels [payload]
payload_len (integer - count) about.labels [payload_len]
resp (string - addr) target.ip
seq (integer - count) about.labels [seq]

Field mapping reference: CORELIGHT - icmp_specific_tunnels

The following table lists the log fields of the icmp_specific_tunnels log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.ip_protocol The network.ip_protocol UDM field is set to ICMP.
duration (number - interval) network.session_duration
icmp_id (integer - count) about.labels [icmp_id]
payload (string) about.labels [payload]
seq (integer - count) about.labels [seq]
start_time (time) about.labels [start_time]
tunnel (string) intermediary.labels [tunnel]

Field mapping reference: CORELIGHT - ipsec

The following table lists the log fields of the ipsec log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
certificates (array[string] - vector of string) about.labels [certificate]
doi (integer - count) about.labels [doi]
exchange_type (integer - count) about.labels [exchange_type]
flag_a (boolean - bool) about.labels [flag_a]
flag_c (boolean - bool) about.labels [flag_c]
flag_e (boolean - bool) about.labels [flag_e]
flag_i (boolean - bool) about.labels [flag_i]
flag_r (boolean - bool) about.labels [flag_r]
flag_v (boolean - bool) about.labels [flag_v]
hash (string) about.labels [hash]
initiator_spi (string) principal.labels [initiator_spi]
is_orig (boolean - bool) additional.fields [is_orig]
ke_dh_groups (array[integer] - vector of count) about.labels [ke_dh_group]
length (integer - count) about.labels [length]
maj_ver (integer - count) about.labels [maj_ver]
message_id (integer - count) about.labels [message_id]
min_ver (integer - count) about.labels [min_ver]
notify_messages (array[string] - vector of string) about.labels [notify_message]
proposals (array[integer] - vector of count) about.labels [proposal]
protocol_id (integer - count) about.labels [protocol_id]
responder_spi (string) target.labels [responder_spi]
situation (string) about.labels [situation]
transform_attributes (array[string] - vector of string) about.labels [transform_attribute]
transforms (array[string] - vector of string) about.labels [transform]
vendor_ids (array[string] - vector of string) about.labels [vendor_id]

Field mapping reference: CORELIGHT - profinet

The following table lists the log fields of the profinet log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
block_version (string) about.labels [block_version]
index (string) about.labels [index]
operation_type (string) about.labels [operation_type]
slot_number (integer - count) about.labels [slot_number]
subslot_number (integer - count) about.labels [subslot_number]

Field mapping reference: CORELIGHT - profinet_dce_rpc

The following table lists the log fields of the profinet_dce_rpc log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DCERPC.
activity_uuid (string) about.labels [activity_uuid]
interface_uuid (string) about.labels [interface_uuid]
object_uuid (string) about.labels [object_uuid]
operation (string) about.labels [operation]
packet_type (integer - count) about.labels [packet_type]
server_boot_time (integer - count) about.labels [server_boot_time]
version (integer - count) about.labels [version]

Field mapping reference: CORELIGHT - profinet_debug

The following table lists the log fields of the profinet_debug log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
raw_data (string) about.labels [raw_data]

Field mapping reference: CORELIGHT - rfb

The following table lists the log fields of the rfb log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
auth (boolean - bool) security_result.action If the auth log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
authentication_method (string) extensions.auth.mechanism If the authentication_method log field value is equal to VNC, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
authentication_method (string) extensions.auth.auth_details
client_major_version (string) principal.labels [client_major_version]
client_minor_version (string) principal.labels [client_minor_version]
desktop_name (string) principal.labels [desktop_name]
height (integer - count) principal.labels [height]
server_major_version (string) target.labels [server_major_version]
server_minor_version (string) target.labels [server_minor_version]
share_flag (boolean - bool) about.labels [share_flag]
width (integer - count) principal.labels [width]

Field mapping reference: CORELIGHT - known_certs

The following table lists the log fields of the known_certs log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
entity.resource.resource_subtype The entity.resource.resource_subtype UDM field is set to CERTIFICATE.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
duration (number - interval) entity.labels [duration]
hash (string) entity.resource.attribute.labels [hash]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
issuer_subject (string) entity.resource.attribute.labels [issuer_subject]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
port (integer - port) entity.port
port_num (integer - port) entity.port
protocol (string - enum) entity.labels [protocol]
serial (string) entity.resource.attribute.labels [serial]
subject (string) entity.resource.attribute.labels [subject]
ts (time) metadata.interval.start_time

Field mapping reference: CORELIGHT - known_devices

The following table lists the log fields of the known_devices log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.asset.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
mac (string) entity.asset.mac
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
protocols (array[string] - set[string]) entity.labels [protocol]
ts (time) metadata.interval.start_time
ts (time) entity.asset.first_seen_time
vendor_mac (string) entity.asset.hardware.manufacturer

Field mapping reference: CORELIGHT - known_domains

The following table lists the log fields of the known_domains log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to DOMAIN_NAME.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
domain (string) entity.domain.name
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
protocols (array[string] - set[string]) entity.labels [protocol]
ts (time) metadata.interval.start_time
ts (time) entity.domain.first_seen_time

Field mapping reference: CORELIGHT - known_hosts

The following table lists the log fields of the known_hosts log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to IP_ADDRESS.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
conns_closed (integer - count) metadata.threat.detection_fields [conns_closed]
conns_opened (integer - count) metadata.threat.detection_fields [conns_opened]
conns_pending (integer - count) metadata.threat.detection_fields [conns_pending]
duration (number - interval) entity.labels [duration]
ep.cid (string) additional.fields [ep_cid]
ep.criticality (string) entity.security_result.detection_fields [ep_criticality]
ep.desc (string) metadata.description
ep.os_version (string) entity.platform_version
ep.source (string) additional.fields [ep_source]
ep.status (string) additional.fields [ep_status]
ep.uid (string) additional.fields [ep_uid]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
ts (time) metadata.interval.start_time

Field mapping reference: CORELIGHT - known_names

The following table lists the log fields of the known_names log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
hostname (string) entity.hostname
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
protocols (array[string] - set[string]) entity.labels [protocol]
ts (time) metadata.interval.start_time

Field mapping reference: CORELIGHT - known_remotes

The following table lists the log fields of the known_remotes log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to IP_ADDRESS.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
ts (time) metadata.interval.start_time

Field mapping reference: CORELIGHT - known_services

The following table lists the log fields of the known_services log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
app (array[string] - set[string]) entity.application The app log field value at index 0 is mapped to the entity.application UDM field.

For every other index value, the entity.labels.key UDM field is set to app and the app log field value is mapped to the entity.labels.value UDM field.
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
num_conns_complete (integer - count) entity.security_result.detection_fields [num_conns_complete]
num_conns_pending (integer - int) entity.security_result.detection_fields [num_conns_pending]
port (integer - port) entity.port
port_num (integer - port) entity.port
protocol (string - enum) entity.labels [protocol]
service (array[string] - vector of string) entity.labels [service]
software (array[string] - set[string]) entity.asset.software.name
ts (time) metadata.interval.start_time

Field mapping reference: CORELIGHT - known_users

The following table lists the log fields of the known_users log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
duration (number - interval) entity.labels [duration]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_ip (string - addr) entity.ip
host_vlan (integer - int) additional.fields [host_vlan]
kuid (string) entity.labels [kuid]
last_active_interval (number - interval) entity.labels [last_active_interval]
last_active_session (string) entity.labels [last_active_session]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
protocol (string) entity.labels [protocol]
remote_inner_vlan (integer - int) additional.fields [remote_inner_vlan]
remote_ip (string - addr) entity.ip
remote_vlan (integer - int) additional.fields [remote_vlan]
ts (time) metadata.interval.start_time
user (string) entity.user.user_display_name

Field mapping reference: CORELIGHT - s7comm

The following table lists the log fields of the s7comm log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
data_info (array[string] - vector of string) about.labels [data_info]
error_class (string) additional.fields [error_class]
error_code (string) additional.fields [error_code]
function_code (string) additional.fields [function_code]
function_name (string) additional.fields [function_name]
is_orig (boolean - bool) additional.fields [is_orig]
item_count (integer - count) about.labels [item_count]
parameter (array[string] - vector of string) about.labels [parameter]
pdu_reference (integer - count) additional.fields [pdu_reference]
rosctr (string) about.labels [rosctr]
rosctr_code (integer - count) additional.fields [rosctr_code]
rosctr_name (string) additional.fields [rosctr_name]
subfunction_code (string) additional.fields [subfunction_code]
subfunction_name (string) additional.fields [subfunction_name]

Field mapping reference: CORELIGHT - smartpcap

The following table lists the log fields of the smartpcap log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Smartpcap.
logstr (string) metadata.description

Field mapping reference: CORELIGHT - snmp

The following table lists the log fields of the snmp log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to zeek.
community (string) about.labels [community]
display_string (string) about.labels [display_string]
duration (number - interval) network.session_duration
get_bulk_requests (integer - count) about.labels [get_bulk_requests]
get_requests (integer - count) about.labels [get_requests]
get_responses (integer - count) about.labels [get_responses]
set_requests (integer - count) about.labels [set_requests]
up_since (time) about.labels [up_since]
version (string) network.application_protocol_version

Field mapping reference: CORELIGHT - socks

The following table lists the log fields of the socks log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
bound_p (integer - port) intermediary.port
bound.host (string - addr) intermediary.ip
bound.name (string) intermediary.hostname
password (string) extensions.auth.auth_details
request_p (integer - port) target.labels [request_p]
request.host (string - addr) target.ip
request.name (string) target.hostname
status (string) about.labels [status]
user (string) principal.user.userid
version (integer - count) about.labels [version]

Field mapping reference: CORELIGHT - software

The following table lists the log fields of the software log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to zeek.
host (string - addr) target.asset.ip
host_p (integer - port) target.port
name (string) target.asset.software.name
software_type (string - enum) target.asset.software.description
unparsed_version (string) target.asset.attribute.labels [unparsed_version]
version.addl (string) target.asset.attribute.labels [version_addl]
version.major (integer - count) target.asset.software.version
version.minor (integer - count) target.asset.attribute.labels [version_minor]
version.minor2 (integer - count) target.asset.attribute.labels [version_minor2]
version.minor3 (integer - count) target.asset.attribute.labels [version_minor3]

Field mapping reference: CORELIGHT - specific_dns_tunnels

The following table lists the log fields of the specific_dns_tunnels log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
detection (string) security_result.detection_fields [detection]
dns_client (string - addr) principal.ip
program (string - enum) principal.application
query (string) network.dns.questions.name
resolver (string - addr) target.ip
session_id (integer - count) network.session_id
sods_id (integer - count) about.labels [sods_id]
trans_id (integer - count) network.dns.id

Field mapping reference: CORELIGHT - stepping

The following table lists the log fields of the stepping log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
client1_h (string - addr) principal.ip
client1_p (integer - port) principal.port
client2_h (string - addr) principal.ip
client2_p (integer - port) principal.labels [client2_p]
direct (boolean - bool) about.labels [direct]
dt (number - interval) about.labels [dt]
server1_h (string - addr) target.ip
server1_p (integer - port) target.port
server2_h (string - addr) target.labels [server2_h]
server2_p (integer - port) target.labels [server2_p]
uid1 (string) about.labels [uid1]
uid2 (string) about.labels [uid2]

Field mapping reference: CORELIGHT - stun

The following table lists the log fields of the stun log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
attr_types (array[string] - vector of string) about.labels.key
attr_vals (array[string] - vector of string) about.labels.value
class (string) about.labels [class]
is_orig (boolean - bool) about.labels [is_orig]
method (string) about.labels [method]
proto (string - enum) network.ip_protocol
trans_id (string) network.session_id

Field mapping reference: CORELIGHT - stun_nat

The following table lists the log fields of the stun_nat log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
is_orig (boolean - bool) about.labels [is_orig]
lan_addrs (array[string] - vector of addr) principal.ip
proto (string - enum) network.ip_protocol
wan_addrs (array[string] - vector of addr) principal.nat_ip
wan_ports (array[integer] - vector of count) principal.nat_port The wan_ports log field is mapped to the principal.nat_port UDM field when the index of the value in wan_ports is 0.
For every other index, the principal.labels.key UDM field is set to wan_port and the wan_ports value is mapped to the principal.labels.value UDM field.
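The two vector-to-label rules described in the stun and stun_nat tables above (attr_types/attr_vals paired positionally into about.labels, and wan_ports split by index between principal.nat_port and principal.labels) are easy to get wrong when checking parser output, so the following added example applies them to constructed sample records. This is illustration code, not part of the Google SecOps documentation or the Corelight parser; the flat dotted-key output shape, the helper names and the handling of mismatched vector lengths are assumptions.

```python
"""Added example, not part of the Google SecOps documentation or the Corelight
parser itself: it applies the two array-to-label rules stated on this page (the
stun attr_types/attr_vals pairing and the stun_nat wan_ports index rule) to
constructed sample records. The flat dotted-key output shape and the helper
names are assumptions made for illustration."""
import json
from itertools import zip_longest

# Constructed sample records (not real sensor output).
SAMPLE_STUN = json.dumps({
    "_path": "stun",
    "trans_id": "0x7a3b9c",
    "proto": "udp",
    "class": "request",
    "method": "binding",
    "is_orig": True,
    "attr_types": ["SOFTWARE", "FINGERPRINT"],
    "attr_vals": ["example-client/1.0", "0xdeadbeef"],
})

SAMPLE_STUN_NAT = json.dumps({
    "_path": "stun_nat",
    "proto": "udp",
    "is_orig": True,
    "lan_addrs": ["10.0.0.5"],
    "wan_addrs": ["203.0.113.7"],
    "wan_ports": [51000, 51001, 51002],
})


def _label(key, value):
    """UDM label entries are key/value string pairs."""
    return {"key": key, "value": str(value)}


def map_stun(raw: str) -> dict:
    """Map a stun record: attr_types become about.labels keys, attr_vals the values."""
    rec = json.loads(raw)
    udm = {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.product_name": "zeek",
        "about.labels": [],
    }
    for field in ("class", "method", "is_orig"):
        if field in rec:
            udm["about.labels"].append(_label(field, rec[field]))
    if "proto" in rec:
        udm["network.ip_protocol"] = rec["proto"]
    if "trans_id" in rec:
        udm["network.session_id"] = rec["trans_id"]
    # Pair the two parallel vectors positionally. A length mismatch is the edge
    # case here; zip_longest keeps the unmatched entries instead of dropping them
    # (an assumption about the desired behaviour, not a rule from the page).
    for attr_type, attr_val in zip_longest(
        rec.get("attr_types", []), rec.get("attr_vals", []), fillvalue=""
    ):
        udm["about.labels"].append(_label(attr_type, attr_val))
    return udm


def map_stun_nat(raw: str) -> dict:
    """Map a stun_nat record: wan_ports[0] -> principal.nat_port, the rest -> labels."""
    rec = json.loads(raw)
    udm = {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.product_name": "zeek",
        "principal.ip": list(rec.get("lan_addrs", [])),
        "principal.nat_ip": list(rec.get("wan_addrs", [])),
        "principal.labels": [],
        "about.labels": [],
    }
    if "proto" in rec:
        udm["network.ip_protocol"] = rec["proto"]
    if "is_orig" in rec:
        udm["about.labels"].append(_label("is_orig", rec["is_orig"]))
    # Index 0 is the NAT port; every other index becomes a wan_port label.
    for index, port in enumerate(rec.get("wan_ports", [])):
        if index == 0:
            udm["principal.nat_port"] = int(port)
        else:
            udm["principal.labels"].append(_label("wan_port", port))
    return udm


if __name__ == "__main__":
    print(json.dumps(map_stun(SAMPLE_STUN), indent=2))
    print(json.dumps(map_stun_nat(SAMPLE_STUN_NAT), indent=2))
```

Running the block prints the mapped shape for both sample records; an empty wan_ports vector yields no principal.nat_port at all, which is worth remembering when writing detection rules that filter on that field.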

Field mapping reference: CORELIGHT - suricata_stats

The following table lists the log fields of the suricata_stats log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Suricata.
event_type(string) about.labels [event_type]
raw_mgmt about.labels [raw_mgmt]
stats.app_layer.expectations(integer) about.labels [stats_app_layer_expectations]
stats.app_layer.flow.dcerpc_tcp(integer) about.labels [stats_app_layer_flow_dcerpc_tcp]
stats.app_layer.flow.dcerpc_udp(integer) about.labels [stats_app_layer_flow_dcerpc_udp]
stats.app_layer.flow.dhcp(integer) about.labels [stats_app_layer_flow_dhcp]
stats.app_layer.flow.dns_tcp(integer) about.labels [stats_app_layer_flow_dns_tcp]
stats.app_layer.flow.dns_udp(integer) about.labels [stats_app_layer_flow_dns_udp]
stats.app_layer.flow.failed_tcp(integer) about.labels [stats_app_layer_flow_failed_tcp]
stats.app_layer.flow.failed_udp(integer) about.labels [stats_app_layer_flow_failed_udp]
stats.app_layer.flow.ftp-data(integer) about.labels [stats_app_layer_flow_ftp-data]
stats.app_layer.flow.ftp(integer) about.labels [stats_app_layer_flow_ftp]
stats.app_layer.flow.http(integer) about.labels [stats_app_layer_flow_http]
stats.app_layer.flow.ikev2(integer) about.labels [stats_app_layer_flow_ikev2]
stats.app_layer.flow.imap(integer) about.labels [stats_app_layer_flow_imap]
stats.app_layer.flow.krb5_tcp(integer) about.labels [stats_app_layer_flow_krb5_tcp]
stats.app_layer.flow.krb5_udp(integer) about.labels [stats_app_layer_flow_krb5_udp]
stats.app_layer.flow.nfs_tcp(integer) about.labels [stats_app_layer_flow_nfs_tcp]
stats.app_layer.flow.nfs_udp(integer) about.labels [stats_app_layer_flow_nfs_udp]
stats.app_layer.flow.ntp(integer) about.labels [stats_app_layer_flow_ntp]
stats.app_layer.flow.rdp(integer) about.labels [stats_app_layer_flow_rdp]
stats.app_layer.flow.rfb(integer) about.labels [stats_app_layer_flow_rfb]
stats.app_layer.flow.smb(integer) about.labels [stats_app_layer_flow_smb]
stats.app_layer.flow.smtp(integer) about.labels [stats_app_layer_flow_smtp]
stats.app_layer.flow.ssh(integer) about.labels [stats_app_layer_flow_ssh]
stats.app_layer.flow.tftp(integer) about.labels [stats_app_layer_flow_tftp]
stats.app_layer.flow.tls(integer) about.labels [stats_app_layer_flow_tls]
stats.app_layer.tx.dcerpc_tcp(integer) about.labels [stats_app_layer_tx_dcerpc_tcp]
stats.app_layer.tx.dcerpc_udp(integer) about.labels [stats_app_layer_tx_dcerpc_udp]
stats.app_layer.tx.dhcp(integer) about.labels [stats_app_layer_tx_dhcp]
stats.app_layer.tx.dns_tcp(integer) about.labels [stats_app_layer_tx_dns_tcp]
stats.app_layer.tx.dns_udp(integer) about.labels [stats_app_layer_tx_dns_udp]
stats.app_layer.tx.ftp-data(integer) about.labels [stats_app_layer_tx_ftp-data]
stats.app_layer.tx.ftp(integer) about.labels [stats_app_layer_tx_ftp]
stats.app_layer.tx.http(integer) about.labels [stats_app_layer_tx_http]
stats.app_layer.tx.ikev2(integer) about.labels [stats_app_layer_tx_ikev2]
stats.app_layer.tx.imap(integer) about.labels [stats_app_layer_tx_imap]
stats.app_layer.tx.krb5_tcp(integer) about.labels [stats_app_layer_tx_krb5_tcp]
stats.app_layer.tx.krb5_udp(integer) about.labels [stats_app_layer_tx_krb5_udp]
stats.app_layer.tx.nfs_tcp(integer) about.labels [stats_app_layer_tx_nfs_tcp]
stats.app_layer.tx.nfs_udp(integer) about.labels [stats_app_layer_tx_nfs_udp]
stats.app_layer.tx.ntp(integer) about.labels [stats_app_layer_tx_ntp]
stats.app_layer.tx.rdp(integer) about.labels [stats_app_layer_tx_rdp]
stats.app_layer.tx.rfb(integer) about.labels [stats_app_layer_tx_rfb]
stats.app_layer.tx.smb(integer) about.labels [stats_app_layer_tx_smb]
stats.app_layer.tx.smtp(integer) about.labels [stats_app_layer_tx_smtp]
stats.app_layer.tx.ssh(integer) about.labels [stats_app_layer_tx_ssh]
stats.app_layer.tx.tftp(integer) about.labels [stats_app_layer_tx_tftp]
stats.app_layer.tx.tls(integer) about.labels [stats_app_layer_tx_tls]
stats.decoder.avg_pkt_size(integer) about.labels [stats_decoder_avg_pkt_size]
stats.decoder.bytes(integer) about.labels [stats_decoder_bytes]
stats.decoder.chdlc(integer) about.labels [stats_decoder_chdlc]
stats.decoder.erspan(integer) about.labels [stats_decoder_erspan]
stats.decoder.ethernet(integer) about.labels [stats_decoder_ethernet]
stats.decoder.event.chdlc.pkt_too_small(integer) about.labels [stats_decoder_event_chdlc_pkt_too_small]
stats.decoder.event.dce.pkt_too_small(integer) about.labels [stats_decoder_event_dce_pkt_too_small]
stats.decoder.event.erspan.header_too_small(integer) about.labels [stats_decoder_event_erspan_header_too_small]
stats.decoder.event.erspan.too_many_vlan_layers(integer) about.labels [stats_decoder_event_erspan_too_many_vlan_layers]
stats.decoder.event.erspan.unsupported_version(integer) about.labels [stats_decoder_event_erspan_unsupported_version]
stats.decoder.event.ethernet.pkt_too_small(integer) about.labels [stats_decoder_event_ethernet_pkt_too_small]
stats.decoder.event.geneve.unknown_payload_type(integer) about.labels [stats_decoder_event_geneve_unknown_payload_type]
stats.decoder.event.gre.pkt_too_small(integer) about.labels [stats_decoder_event_gre_pkt_too_small]
stats.decoder.event.gre.version0_flags(integer) about.labels [stats_decoder_event_gre_version0_flags]
stats.decoder.event.gre.version0_hdr_too_big(integer) about.labels [stats_decoder_event_gre_version0_hdr_too_big]
stats.decoder.event.gre.version0_malformed_sre_hdr(integer) about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]
stats.decoder.event.gre.version0_recur(integer) about.labels [stats_decoder_event_gre_version0_recur]
stats.decoder.event.gre.version1_chksum(integer) about.labels [stats_decoder_event_gre_version1_chksum]
stats.decoder.event.gre.version1_flags(integer) about.labels [stats_decoder_event_gre_version1_flags]
stats.decoder.event.gre.version1_hdr_too_big(integer) about.labels [stats_decoder_event_gre_version1_hdr_too_big]
stats.decoder.event.gre.version1_malformed_sre_hdr(integer) about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]
stats.decoder.event.gre.version1_no_key(integer) about.labels [stats_decoder_event_gre_version1_no_key]
stats.decoder.event.gre.version1_recur(integer) about.labels [stats_decoder_event_gre_version1_recur]
stats.decoder.event.gre.version1_route(integer) about.labels [stats_decoder_event_gre_version1_route]
stats.decoder.event.gre.version1_ssr(integer) about.labels [stats_decoder_event_gre_version1_ssr]
stats.decoder.event.gre.version1_wrong_protocol(integer) about.labels [stats_decoder_event_gre_version1_wrong_protocol]
stats.decoder.event.gre.wrong_version(integer) about.labels [stats_decoder_event_gre_wrong_version]
stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer) about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]
stats.decoder.event.icmpv4.ipv4_unknown_ver(integer) about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]
stats.decoder.event.icmpv4.pkt_too_small(integer) about.labels [stats_decoder_event_icmpv4_pkt_too_small]
stats.decoder.event.icmpv4.unknown_code(integer) about.labels [stats_decoder_event_icmpv4_unknown_code]
stats.decoder.event.icmpv4.unknown_type(integer) about.labels [stats_decoder_event_icmpv4_unknown_type]
stats.decoder.event.icmpv6.experimentation_type(integer) about.labels [stats_decoder_event_icmpv6_experimentation_type]
stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer) about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]
stats.decoder.event.icmpv6.ipv6_unknown_version(integer) about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]
stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer) about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]
stats.decoder.event.icmpv6.pkt_too_small(integer) about.labels [stats_decoder_event_icmpv6_pkt_too_small]
stats.decoder.event.icmpv6.unassigned_type(integer) about.labels [stats_decoder_event_icmpv6_unassigned_type]
stats.decoder.event.icmpv6.unknown_code(integer) about.labels [stats_decoder_event_icmpv6_unknown_code]
stats.decoder.event.icmpv6.unknown_type(integer) about.labels [stats_decoder_event_icmpv6_unknown_type]
stats.decoder.event.ieee8021ah.header_too_small(integer) about.labels [stats_decoder_event_ieee8021ah_header_too_small]
stats.decoder.event.ipraw.invalid_ip_version(integer) about.labels [stats_decoder_event_ipraw_invalid_ip_version]
stats.decoder.event.ipv4.frag_ignored(integer) about.labels [stats_decoder_event_ipv4_frag_ignored]
stats.decoder.event.ipv4.frag_overlap(integer) about.labels [stats_decoder_event_ipv4_frag_overlap]
stats.decoder.event.ipv4.frag_pkt_too_large(integer) about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]
stats.decoder.event.ipv4.hlen_too_small(integer) about.labels [stats_decoder_event_ipv4_hlen_too_small]
stats.decoder.event.ipv4.icmpv6(integer) about.labels [stats_decoder_event_ipv4_icmpv6]
stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer) about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]
stats.decoder.event.ipv4.opt_duplicate(integer) about.labels [stats_decoder_event_ipv4_opt_duplicate]
stats.decoder.event.ipv4.opt_eol_required(integer) about.labels [stats_decoder_event_ipv4_opt_eol_required]
stats.decoder.event.ipv4.opt_invalid_len(integer) about.labels [stats_decoder_event_ipv4_opt_invalid_len]
stats.decoder.event.ipv4.opt_invalid(integer) about.labels [stats_decoder_event_ipv4_opt_invalid]
stats.decoder.event.ipv4.opt_malformed(integer) about.labels [stats_decoder_event_ipv4_opt_malformed]
stats.decoder.event.ipv4.opt_pad_required(integer) about.labels [stats_decoder_event_ipv4_opt_pad_required]
stats.decoder.event.ipv4.opt_unknown(integer) about.labels [stats_decoder_event_ipv4_opt_unknown]
stats.decoder.event.ipv4.pkt_too_small(integer) about.labels [stats_decoder_event_ipv4_pkt_too_small]
stats.decoder.event.ipv4.trunc_pkt(integer) about.labels [stats_decoder_event_ipv4_trunc_pkt]
stats.decoder.event.ipv4.wrong_ip_version(integer) about.labels [stats_decoder_event_ipv4_wrong_ip_version]
stats.decoder.event.ipv6.data_after_none_header(integer) about.labels [stats_decoder_event_ipv6_data_after_none_header]
stats.decoder.event.ipv6.dstopts_only_padding(integer) about.labels [stats_decoder_event_ipv6_dstopts_only_padding]
stats.decoder.event.ipv6.dstopts_unknown_opt(integer) about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]
stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer) about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]
stats.decoder.event.ipv6.exthdr_dupl_ah(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]
stats.decoder.event.ipv6.exthdr_dupl_dh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]
stats.decoder.event.ipv6.exthdr_dupl_eh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]
stats.decoder.event.ipv6.exthdr_dupl_fh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]
stats.decoder.event.ipv6.exthdr_dupl_hh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]
stats.decoder.event.ipv6.exthdr_dupl_rh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]
stats.decoder.event.ipv6.exthdr_invalid_optlen(integer) about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]
stats.decoder.event.ipv6.exthdr_useless_fh(integer) about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]
stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer) about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]
stats.decoder.event.ipv6.frag_ignored(integer) about.labels [stats_decoder_event_ipv6_frag_ignored]
stats.decoder.event.ipv6.frag_invalid_length(integer) about.labels [stats_decoder_event_ipv6_frag_invalid_length]
stats.decoder.event.ipv6.frag_overlap(integer) about.labels [stats_decoder_event_ipv6_frag_overlap]
stats.decoder.event.ipv6.frag_pkt_too_large(integer) about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]
stats.decoder.event.ipv6.hopopts_only_padding(integer) about.labels [stats_decoder_event_ipv6_hopopts_only_padding]
stats.decoder.event.ipv6.hopopts_unknown_opt(integer) about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]
stats.decoder.event.ipv6.icmpv4(integer) about.labels [stats_decoder_event_ipv6_icmpv4]
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer) about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer) about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer) about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer) about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]
stats.decoder.event.ipv6.pkt_too_small(integer) about.labels [stats_decoder_event_ipv6_pkt_too_small]
stats.decoder.event.ipv6.rh_type_0(integer) about.labels [stats_decoder_event_ipv6_rh_type_0]
stats.decoder.event.ipv6.trunc_exthdr(integer) about.labels [stats_decoder_event_ipv6_trunc_exthdr]
stats.decoder.event.ipv6.trunc_pkt(integer) about.labels [stats_decoder_event_ipv6_trunc_pkt]
stats.decoder.event.ipv6.unknown_next_header(integer) about.labels [stats_decoder_event_ipv6_unknown_next_header]
stats.decoder.event.ipv6.wrong_ip_version(integer) about.labels [stats_decoder_event_ipv6_wrong_ip_version]
stats.decoder.event.ipv6.zero_len_padn(integer) about.labels [stats_decoder_event_ipv6_zero_len_padn]
stats.decoder.event.ltnull.pkt_too_small(integer) about.labels [stats_decoder_event_ltnull_pkt_too_small]
stats.decoder.event.ltnull.unsupported_type(integer) about.labels [stats_decoder_event_ltnull_unsupported_type]
stats.decoder.event.mpls.bad_label_implicit_null(integer) about.labels [stats_decoder_event_mpls_bad_label_implicit_null]
stats.decoder.event.mpls.bad_label_reserved(integer) about.labels [stats_decoder_event_mpls_bad_label_reserved]
stats.decoder.event.mpls.bad_label_router_alert(integer) about.labels [stats_decoder_event_mpls_bad_label_router_alert]
stats.decoder.event.mpls.header_too_small(integer) about.labels [stats_decoder_event_mpls_header_too_small]
stats.decoder.event.mpls.pkt_too_small(integer) about.labels [stats_decoder_event_mpls_pkt_too_small]
stats.decoder.event.mpls.unknown_payload_type(integer) about.labels [stats_decoder_event_mpls_unknown_payload_type]
stats.decoder.event.ppp.ip4_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]
stats.decoder.event.ppp.ip6_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]
stats.decoder.event.ppp.pkt_too_small(integer) about.labels [stats_decoder_event_ppp_pkt_too_small]
stats.decoder.event.ppp.unsup_proto(integer) about.labels [stats_decoder_event_ppp_unsup_proto]
stats.decoder.event.ppp.vju_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_vju_pkt_too_small]
stats.decoder.event.ppp.wrong_type(integer) about.labels [stats_decoder_event_ppp_wrong_type]
stats.decoder.event.pppoe.malformed_tags(integer) about.labels [stats_decoder_event_pppoe_malformed_tags]
stats.decoder.event.pppoe.pkt_too_small(integer) about.labels [stats_decoder_event_pppoe_pkt_too_small]
stats.decoder.event.pppoe.wrong_code(integer) about.labels [stats_decoder_event_pppoe_wrong_code]
stats.decoder.event.sctp.pkt_too_small(integer) about.labels [stats_decoder_event_sctp_pkt_too_small]
stats.decoder.event.sll.pkt_too_small(integer) about.labels [stats_decoder_event_sll_pkt_too_small]
stats.decoder.event.tcp.hlen_too_small(integer) about.labels [stats_decoder_event_tcp_hlen_too_small]
stats.decoder.event.tcp.invalid_optlen(integer) about.labels [stats_decoder_event_tcp_invalid_optlen]
stats.decoder.event.tcp.opt_duplicate(integer) about.labels [stats_decoder_event_tcp_opt_duplicate]
stats.decoder.event.tcp.opt_invalid_len(integer) about.labels [stats_decoder_event_tcp_opt_invalid_len]
stats.decoder.event.tcp.pkt_too_small(integer) about.labels [stats_decoder_event_tcp_pkt_too_small]
stats.decoder.event.udp.hlen_invalid(integer) about.labels [stats_decoder_event_udp_hlen_invalid]
stats.decoder.event.udp.hlen_too_small(integer) about.labels [stats_decoder_event_udp_hlen_too_small]
stats.decoder.event.udp.len_invalid(integer) about.labels [stats_decoder_event_udp_len_invalid]
stats.decoder.event.udp.pkt_too_small(integer) about.labels [stats_decoder_event_udp_pkt_too_small]
stats.decoder.event.vlan.header_too_small(integer) about.labels [stats_decoder_event_vlan_header_too_small]
stats.decoder.event.vlan.too_many_layers(integer) about.labels [stats_decoder_event_vlan_too_many_layers]
stats.decoder.event.vlan.unknown_type(integer) about.labels [stats_decoder_event_vlan_unknown_type]
stats.decoder.event.vntag.header_too_small(integer) about.labels [stats_decoder_event_vntag_header_too_small]
stats.decoder.event.vntag.unknown_type(integer) about.labels [stats_decoder_event_vntag_unknown_type]
stats.decoder.event.vxlan.unknown_payload_type(integer) about.labels [stats_decoder_event_vxlan_unknown_payload_type]
stats.decoder.geneve(integer) about.labels [stats_decoder_geneve]
stats.decoder.gre(integer) about.labels [stats_decoder_gre]
stats.decoder.icmpv4(integer) about.labels [stats_decoder_icmpv4]
stats.decoder.icmpv6(integer) about.labels [stats_decoder_icmpv6]
stats.decoder.ieee8021ah(integer) about.labels [stats_decoder_ieee8021ah]
stats.decoder.invalid(integer) about.labels [stats_decoder_invalid]
stats.decoder.ipv4_in_ipv6(integer) about.labels [stats_decoder_ipv4_in_ipv6]
stats.decoder.ipv4(integer) about.labels [stats_decoder_ipv4]
stats.decoder.ipv6_in_ipv6(integer) about.labels [stats_decoder_ipv6_in_ipv6]
stats.decoder.ipv6(integer) about.labels [stats_decoder_ipv6]
stats.decoder.max_mac_addrs_dst(integer) about.labels [stats_decoder_max_mac_addrs_dst]
stats.decoder.max_mac_addrs_src(integer) about.labels [stats_decoder_max_mac_addrs_src]
stats.decoder.max_pkt_size(integer) about.labels [stats_decoder_max_pkt_size]
stats.decoder.mpls(integer) about.labels [stats_decoder_mpls]
stats.decoder.null(integer) about.labels [stats_decoder_null]
stats.decoder.pkts(integer) about.labels [stats_decoder_pkts]
stats.decoder.ppp(integer) about.labels [stats_decoder_ppp]
stats.decoder.pppoe(integer) about.labels [stats_decoder_pppoe]
stats.decoder.raw(integer) about.labels [stats_decoder_raw]
stats.decoder.sctp(integer) about.labels [stats_decoder_sctp]
stats.decoder.sll(integer) about.labels [stats_decoder_sll]
stats.decoder.tcp(integer) about.labels [stats_decoder_tcp]
stats.decoder.teredo(integer) about.labels [stats_decoder_teredo]
stats.decoder.too_many_layers(integer) about.labels [stats_decoder_too_many_layers]
stats.decoder.udp(integer) about.labels [stats_decoder_udp]
stats.decoder.vlan_qinq(integer) about.labels [stats_decoder_vlan_qinq]
stats.decoder.vlan(integer) about.labels [stats_decoder_vlan]
stats.decoder.vntag(integer) about.labels [stats_decoder_vntag]
stats.decoder.vxlan(integer) about.labels [stats_decoder_vxlan]
stats.defrag.ipv4.fragments(integer) about.labels [stats_defrag_ipv4_fragments]
stats.defrag.ipv4.reassembled(integer) about.labels [stats_defrag_ipv4_reassembled]
stats.defrag.ipv4.timeouts(integer) about.labels [stats_defrag_ipv4_timeouts]
stats.defrag.ipv6.fragments(integer) about.labels [stats_defrag_ipv6_fragments]
stats.defrag.ipv6.reassembled(integer) about.labels [stats_defrag_ipv6_reassembled]
stats.defrag.ipv6.timeouts(integer) about.labels [stats_defrag_ipv6_timeouts]
stats.defrag.max_frag_hits(integer) about.labels [stats_defrag_max_frag_hits]
stats.detect.alert_queue_overflow(integer) about.labels [stats_detect_alert_queue_overflow]
stats.detect.alert(integer) about.labels [stats_detect_alert]
stats.detect.alerts_suppressed(integer) about.labels [stats_detect_alerts_suppressed]
stats.detect.engines.id(array) about.labels [stats_detect_engines_id]
stats.detect.engines.last_reload(array) about.labels [stats_detect_engines_last_reload]
stats.detect.engines.rules_failed(array) about.labels [stats_detect_engines_rules_failed]
stats.detect.engines.rules_loaded(array) about.labels [stats_detect_engines_rules_loaded]
stats.flow_bypassed.bytes(integer) about.labels [stats_flow_bypassed_bytes]
stats.flow_bypassed.closed(integer) about.labels [stats_flow_bypassed_closed]
stats.flow_bypassed.local_bytes(integer) about.labels [stats_flow_bypassed_local_bytes]
stats.flow_bypassed.local_capture_bytes(integer) about.labels [stats_flow_bypassed_local_capture_bytes]
stats.flow_bypassed.local_capture_pkts(integer) about.labels [stats_flow_bypassed_local_capture_pkts]
stats.flow_bypassed.local_pkts(integer) about.labels [stats_flow_bypassed_local_pkts]
stats.flow_bypassed.pkts(integer) about.labels [stats_flow_bypassed_pkts]
stats.flow.emerg_mode_entered(integer) about.labels [stats_flow_emerg_mode_entered]
stats.flow.emerg_mode_over(integer) about.labels [stats_flow_emerg_mode_over]
stats.flow.get_used_eval_busy(integer) about.labels [stats_flow_get_used_eval_busy]
stats.flow.get_used_eval_reject(integer) about.labels [stats_flow_get_used_eval_reject]
stats.flow.get_used_eval(integer) about.labels [stats_flow_get_used_eval]
stats.flow.get_used_failed(integer) about.labels [stats_flow_get_used_failed]
stats.flow.get_used(integer) about.labels [stats_flow_get_used]
stats.flow.icmpv4(integer) about.labels [stats_flow_icmpv4]
stats.flow.icmpv6(integer) about.labels [stats_flow_icmpv6]
stats.flow.memcap(integer) about.labels [stats_flow_memcap]
stats.flow.memuse(integer) about.labels [stats_flow_memuse]
stats.flow.mgr.bypassed_pruned(integer) about.labels [stats_flow_mgr_bypassed_pruned]
stats.flow.mgr.closed_pruned(integer) about.labels [stats_flow_mgr_closed_pruned]
stats.flow.mgr.est_pruned(integer) about.labels [stats_flow_mgr_est_pruned]
stats.flow.mgr.flows_checked(integer) about.labels [stats_flow_mgr_flows_checked]
stats.flow.mgr.flows_evicted_needs_work(integer) about.labels [stats_flow_mgr_flows_evicted_needs_work]
stats.flow.mgr.flows_evicted(integer) about.labels [stats_flow_mgr_flows_evicted]
stats.flow.mgr.flows_notimeout(integer) about.labels [stats_flow_mgr_flows_notimeout]
stats.flow.mgr.flows_timeout_inuse(integer) about.labels [stats_flow_mgr_flows_timeout_inuse]
stats.flow.mgr.flows_timeout(integer) about.labels [stats_flow_mgr_flows_timeout]
stats.flow.mgr.full_hash_pass(integer) about.labels [stats_flow_mgr_full_hash_pass]
stats.flow.mgr.new_pruned(integer) about.labels [stats_flow_mgr_new_pruned]
stats.flow.mgr.rows_maxlen(integer) about.labels [stats_flow_mgr_rows_maxlen]
stats.flow.spare(integer) about.labels [stats_flow_spare]
stats.flow.tcp_reuse(integer) about.labels [stats_flow_tcp_reuse]
stats.flow.tcp(integer) about.labels [stats_flow_tcp]
stats.flow.udp(integer) about.labels [stats_flow_udp]
stats.flow.wrk.flows_evicted_needs_work(integer) about.labels [stats_flow_wrk_flows_evicted_needs_work]
stats.flow.wrk.flows_evicted_pkt_inject(integer) about.labels [stats_flow_wrk_flows_evicted_pkt_inject]
stats.flow.wrk.flows_evicted(integer) about.labels [stats_flow_wrk_flows_evicted]
stats.flow.wrk.flows_injected(integer) about.labels [stats_flow_wrk_flows_injected]
stats.flow.wrk.spare_sync_avg(integer) about.labels [stats_flow_wrk_spare_sync_avg]
stats.flow.wrk.spare_sync_empty(integer) about.labels [stats_flow_wrk_spare_sync_empty]
stats.flow.wrk.spare_sync_incomplete(integer) about.labels [stats_flow_wrk_spare_sync_incomplete]
stats.flow.wrk.spare_sync(integer) about.labels [stats_flow_wrk_spare_sync]
stats.ftp.memcap(integer) about.labels [stats_ftp_memcap]
stats.ftp.memuse(integer) about.labels [stats_ftp_memuse]
stats.http.memcap(integer) about.labels [stats_http_memcap]
stats.http.memuse(integer) about.labels [stats_http_memuse]
stats.napa_dispatch_drop.byte(integer) about.labels [stats_napa_dispatch_drop_byte]
stats.napa_dispatch_drop.pkts(integer) about.labels [stats_napa_dispatch_drop_pkts]
stats.napa_dispatch_host.byte(integer) about.labels [stats_napa_dispatch_host_byte]
stats.napa_dispatch_host.pkts(integer) about.labels [stats_napa_dispatch_host_pkts]
stats.napa_total.byte(integer) about.labels [stats_napa_total_byte]
stats.napa_total.overflow_drop_byte(integer) about.labels [stats_napa_total_overflow_drop_byte]
stats.napa_total.overflow_drop_pkts(integer) about.labels [stats_napa_total_overflow_drop_pkts]
stats.napa_total.pkts(integer) about.labels [stats_napa_total_pkts]
stats.tcp.insert_data_normal_fail(integer) about.labels [stats_tcp_insert_data_normal_fail]
stats.tcp.insert_data_overlap_fail(integer) about.labels [stats_tcp_insert_data_overlap_fail]
stats.tcp.insert_list_fail(integer) about.labels [stats_tcp_insert_list_fail]
stats.tcp.invalid_checksum(integer) about.labels [stats_tcp_invalid_checksum]
stats.tcp.memuse(integer) about.labels [stats_tcp_memuse]
stats.tcp.midstream_pickups(integer) about.labels [stats_tcp_midstream_pickups]
stats.tcp.no_flow(integer) about.labels [stats_tcp_no_flow]
stats.tcp.overlap_diff_data(integer) about.labels [stats_tcp_overlap_diff_data]
stats.tcp.overlap(integer) about.labels [stats_tcp_overlap]
stats.tcp.pkt_on_wrong_thread(integer) about.labels [stats_tcp_pkt_on_wrong_thread]
stats.tcp.pseudo_failed(integer) about.labels [stats_tcp_pseudo_failed]
stats.tcp.pseudo(integer) about.labels [stats_tcp_pseudo]
stats.tcp.reassembly_gap(integer) about.labels [stats_tcp_reassembly_gap]
stats.tcp.reassembly_memuse(integer) about.labels [stats_tcp_reassembly_memuse]
stats.tcp.rst(integer) about.labels [stats_tcp_rst]
stats.tcp.segment_memcap_drop(integer) about.labels [stats_tcp_segment_memcap_drop]
stats.tcp.sessions(integer) about.labels [stats_tcp_sessions]
stats.tcp.ssn_memcap_drop(integer) about.labels [stats_tcp_ssn_memcap_drop]
stats.tcp.stream_depth_reached(integer) about.labels [stats_tcp_stream_depth_reached]
stats.tcp.syn(integer) about.labels [stats_tcp_syn]
stats.tcp.synack(integer) about.labels [stats_tcp_synack]
stats.uptime(integer) about.labels [stats_uptime]
timestamp(time) metadata.event_timestamp

Field mapping reference: CORELIGHT - logschema

The following table lists the log fields of the logschema log type and their corresponding UDM fields.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
avro(string) about.labels [avro]
name(string) about.labels [name]
schema(string) about.labels [schema]
text(string) about.labels [text]
