Corelight 센서 로그 수집
이 문서에서는 Corelight 센서 및 Google Security Operations 전달자를 구성하여 Corelight 센서 로그를 수집하는 방법을 설명합니다. 이 문서에는 Corelight 센서에서 생성되는 지원되는 로그 유형과 지원되는 Corelight 버전도 나와 있습니다.
자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.
다음 배포 아키텍처 다이어그램은 Google Security Operations로 로그를 보내도록 Corelight 센서를 구성하는 방법을 보여줍니다. 각 고객 배포는 이 표현과 다를 수 있고 더 복잡할 수 있습니다.
이 아키텍처 다이어그램은 다음 구성요소를 보여줍니다.
Corelight 센서: Corelight 센서를 실행하는 시스템입니다.
Corelight 센서 내보내기: Corelight 센서 내보내기는 센서에서 로그 데이터를 수집하여 Google Security Operations 전달자에게 전달합니다.
Google Security Operations 전달자: Google Security Operations 전달자는 syslog를 지원하는 고객의 네트워크에 배포된 경량형 소프트웨어 구성요소입니다. Google Security Operations 전달자는 로그를 Google Security Operations로 전달합니다.
Google Security Operations: Google Security Operations는 Corelight 센서의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 CORELIGHT
수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
- Corelight 센서의 버전을 확인합니다. Corelight Google SecOps 파서는 버전 27.4 이하용으로 설계되었습니다. 이후 버전의 Corelight 센서에는 파서가 인식하지 못하는 추가 로그가 있을 수 있으며, 이러한 로그는 필드 파싱이 제한되거나 받지 못할 수 있습니다. 하지만 로그 콘텐츠는 Google SecOps에서 원시 로그 형식으로 계속 사용할 수 있습니다.
- 배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
지원되는 Corelight 로그 유형
Corelight 파서는 Corelight 센서에서 생성된 다음 로그 유형을 지원합니다.
Log Type
- conn
- conn_long
- conn_red
- dce_rpc
- dns
- dns_red
- files
- files_red
- http
- http2
- http_red
- intel
- irc
- notice
- rdp
- sip
- smb_files
- smb_mapping
- smtp
- smtp_links
- ssh
- ssl
- ssl_red
- suricata_corelight
- bacnet
- cip
- corelight_burst
- corelight_overall_capture_loss
- corelight_profiling
- datared
- dga
- dhcp
- dnp3
- dpd
- encrypted_dns
- enip
- enip_debug
- enip_list_identity
- etc_viz
- ftp
- generic_dns_tunnels
- generic_icmp_tunnels
- icmp_specific_tunnels
- ipsec
- iso_cotp
- kerberos
- known_certs
- known_devices
- known_domains
- known_hosts
- known_names
- known_remotes
- known_services
- known_users
- ldap
- ldap_search
- local_subnets
- local_subnets_dj
- local_subnets_graphs
- log4shell
- modbus
- mqtt_connect
- mqtt_publish
- mqtt_subscribe
- mysql
- napatech_shunting
- ntlm
- ntp
- pe
- profinet
- profinet_dce_rpc
- profinet_debug
- radius
- reporter
- rfb
- s7comm
- smartpcap
- snmp
- socks
- software
- specific_dns_tunnels
- stepping
- stun
- stun_nat
- suricata_eve
- suricata_stats
- syslog
- tds
- tds_rpc
- tds_sql_batch
- traceroute
- tunnel
- unknown-smartpcap
- vpn
- weird
- weird_red
- wireguard
- x509
- x509_red
Google Security Operations 전달자 구성
Google Security Operations 전달자를 구성하려면 다음을 수행합니다.
Google Security Operations 전달자를 설정합니다. Linux에서 전달자 설치 및 구성을 참조하세요.
Google Security Operations 전달자를 구성하여 로그를 Google Security Operations에 전송합니다.
collectors: - syslog: common: enabled: true data_type: CORELIGHT data_hint: batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: <Chronicle forwarder listening IP:Port> tcp_buffer_size: 524288 udp_address: <Chronicle forwarder listening IP:Port> connection_timeout_sec: 60
Corelight 센서 내보내기 도구 구성
- Corelight Sensor에 관리자로 로그인합니다.
- Export 탭을 선택합니다.
- EXPORT TO SYSLOG 옵션을 찾아 사용 설정합니다.
EXPORT TO SYSLOG에서 다음 필드를 구성합니다.
- SYSLOG SERVER: Google Security Operations 전달자 syslog 리스너의 IP 주소와 포트를 지정합니다.
- Advanced Settings > SYSLOG FORMAT으로 이동하고 설정을 Legacy로 변경합니다.
Apply Changes를 클릭합니다.
필드 매핑 참조
이 섹션에서는 Google Security Operations 파서에서 Corelight 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
필드 매핑 참조: CORELIGHT - 공통 필드
다음 표에는 CORELIGHT
로그의 공통 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Corelight . |
|
_path (string) |
metadata.product_event_type |
|
_system_name (string) |
observer.hostname |
|
ts (time) |
metadata.event_timestamp |
|
uid (string) |
about.labels [uid] |
|
id.orig_h (string - addr) |
principal.ip |
|
id.orig_p (integer - port) |
principal.port |
|
id.resp_h (string - addr) |
target.ip |
|
id.resp_p (integer - port) |
target.port |
필드 매핑 참조: CORELIGHT - conn, conn_red, conn_long
다음 표에는 conn, conn_red, conn_long
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
service (string) |
network.application_protocol |
|
duration (number - interval) |
network.session_duration |
|
orig_bytes (integer - count) |
network.sent_bytes |
|
resp_bytes (integer - count) |
network.received_bytes |
|
conn_state (string) |
metadata.description |
If the conn_state log field value is equal to S0 , then the metadata.description UDM field is set to S0: Connection attempt seen, no reply .Else, if the conn_state log field value is equal to S1 , then the metadata.description UDM field is set to S1: Connection established, not terminated .Else, if the conn_state log field value is equal to S2 , then the metadata.description UDM field is set to S2: Connection established and close attempt by originator seen (but no reply from responder) .Else, if the conn_state log field value is equal to S3 , then the metadata.description UDM field is set to S3: Connection established and close attempt by responder seen (but no reply from originator) .Else, if the conn_state log field value is equal to SF , then the metadata.description UDM field is set to SF: Normal SYN/FIN completion .Else, if the conn_state log field value is equal to REJ , then the metadata.description UDM field is set to REJ: Connection attempt rejected .Else, if the conn_state log field value is equal to RSTO , then the metadata.description UDM field is set to RSTO: Connection established, originator aborted (sent a RST) .Else, if the conn_state log field value is equal to RSTOS0 , then the metadata.description UDM field is set to RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder .Else, if the conn_state log field value is equal to RSTOSH , then the metadata.description UDM field is set to RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator .Else, if the conn_state log field value is equal to RSTR , then the metadata.description UDM field is set to RSTR: Established, responder aborted .Else, if the conn_state log field value is equal to SH , then the metadata.description UDM field is set to SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open) .Else, if the conn_state log field value is equal to SHR , then the metadata.description UDM field is set to SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator .Else, if the conn_state log field value is equal to OTH , then the metadata.description UDM field is set to OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed) . |
local_orig (boolean - bool) |
about.labels [local_orig] |
|
local_resp (boolean - bool) |
about.labels [local_resp] |
|
missed_bytes (integer - count) |
about.labels [missed_bytes] |
|
history (string) |
about.labels [history] |
|
orig_pkts (integer - count) |
network.sent_packets |
|
orig_ip_bytes (integer - count) |
principal.labels [orig_ip_bytes] |
|
resp_pkts (integer - count) |
network.received_packets |
|
resp_ip_bytes (integer - count) |
target.labels [resp_ip_bytes] |
|
tunnel_parents (array[string] - set[string]) |
intermediary.labels [tunnel_parent] |
|
orig_cc (string) |
principal.ip_geo_artifact.location.country_or_region |
|
resp_cc (string) |
target.ip_geo_artifact.location.country_or_region |
|
suri_ids (array[string] - set[string]) |
security_result.rule_id |
|
spcap.url (string) |
security_result.url_back_to_product |
|
spcap.rule (integer - count) |
security_result.rule_labels [spcap_rule] |
|
spcap.trigger (string) |
security_result.detection_fields [spcap_trigger] |
|
app (array[string] - vector of string) |
about.application |
|
corelight_shunted (boolean - bool) |
about.labels [corelight_shunted] |
|
orig_shunted_pkts (integer - count) |
principal.labels [orig_shunted_pkts] |
|
orig_shunted_bytes (integer - count) |
principal.labels [orig_shunted_bytes] |
|
resp_shunted_pkts (integer - count) |
target.labels [resp_shunted_pkts] |
|
resp_shunted_bytes (integer - count) |
target.labels [resp_shunted_bytes] |
|
orig_l2_addr (string) |
principal.mac |
|
resp_l2_addr (string) |
target.mac |
|
id_orig_h_n.src (string) |
principal.labels [id_orig_h_n_src] |
|
id_orig_h_n.vals (array[string] - set[string]) |
principal.labels [id_orig_h_n_val] |
|
id_resp_h_n.src (string) |
target.labels [id_resp_h_n_src] |
|
id_resp_h_n.vals (array[string] - set[string]) |
target.labels [id_resp_h_n_val] |
|
vlan (integer - int) |
intermediary.labels [vlan] |
|
inner_vlan (integer - int) |
intermediary.labels [inner_vlan] |
|
community_id (string) |
network.community_id |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
필드 매핑 참조: CORELIGHT - dce_rpc
다음 표에는 dce_rpc
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
rtt (number - interval) |
network.session_duration |
|
named_pipe (string) |
intermediary.resource.name |
|
intermediary.resource.resource_type |
If the named_pipe log field value is not empty, then the intermediary.resource.resource_type UDM field is set to PIPE . |
|
endpoint (string) |
target.labels [endpoint] |
|
operation (string) |
target.labels [operation] |
|
network.application_protocol |
The network.application_protocol UDM field is set to DCERPC . |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
|
operation, endpoint, named_pipe (string) |
metadata.description |
The metadata.description UDM field is set with operation , endpoint , named_pipe log fields as "operation operation on endpoint using named pipe named_pipe ". |
network.ip_protocol |
The network.ip_protocol UDM field is set to TCP . |
필드 매핑 참조: CORELIGHT - dns, dns_red
다음 표에는 dns, dns_red
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS . |
|
proto (string - enum) |
network.ip_protocol |
|
trans_id (integer - count) |
network.dns.id |
|
rtt (number - interval) |
network.session_duration |
|
query (string) |
network.dns.questions.name |
|
qclass (integer - count) |
network.dns.questions.class |
|
qclass_name (string) |
about.labels [qclass_name] |
|
qtype (integer - count) |
network.dns.questions.type |
|
qtype_name (string) |
about.labels [qtype_name] |
|
rcode (integer - count) |
network.dns.response_code |
|
rcode (integer - count) |
network.dns.response |
If the rcode log field value is not empty, then the network.dns.response UDM field is set to true . |
rcode_name (string) |
about.labels [rcode_name] |
|
AA (boolean - bool) |
network.dns.authoritative |
|
TC (boolean - bool) |
network.dns.truncated |
|
RD (boolean - bool) |
network.dns.recursion_desired |
|
RA (boolean - bool) |
network.dns.recursion_available |
|
Z (integer - count) |
about.labels [Z] |
|
answers (array[string] - vector of string) |
network.dns.answers.name |
|
TTLs (array[number] - vector of interval) |
network.dns.answers.ttl |
|
rejected (boolean - bool) |
about.labels [rejected] |
|
is_trusted_domain (string) |
about.labels [is_trusted_domain] |
|
icann_host_subdomain (string) |
about.labels [icann_host_subdomain] |
|
icann_domain (string) |
network.dns_domain |
|
icann_tld (string) |
about.labels [icann_tld] |
|
num (integer - count) |
security_result.detection_fields [num] |
필드 매핑 참조: CORELIGHT - http, http_red, http2
다음 표에는 http, http_red, http2
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_HTTP . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
trans_depth (integer - count) |
about.labels [trans_depth] |
|
method (string) |
network.http.method |
|
host (string) |
target.hostname |
|
uri (string) |
target.url |
|
referrer (string) |
network.http.referral_url |
|
version (string) |
network.application_protocol_version |
|
user_agent (string) |
network.http.user_agent |
|
origin (string) |
principal.hostname |
|
request_body_len (integer - count) |
network.sent_bytes |
|
response_body_len (integer - count) |
network.received_bytes |
|
status_code (integer - count) |
network.http.response_code |
|
status_msg (string) |
about.labels [status_msg] |
|
info_code (integer - count) |
about.labels [info_code] |
|
info_msg (string) |
about.labels [info_msg] |
|
tags (array[string] - set[enum]) |
about.labels [tags] |
|
username (string) |
principal.user.user_display_name |
|
password (string) |
extensions.auth.auth_details |
|
proxied (array[string] - set[string]) |
intermediary.hostname |
|
orig_fuids (array[string] - vector of string) |
about.labels [orig_fuid] |
|
orig_filenames (array[string] - vector of string) |
src.file.names |
The orig_filenames log field is mapped to src.file.names UDM field when index value in orig_filenames is equal to 0 . For every other index value, orig_filenames log field is mapped to the about.file.names .
|
orig_mime_types (array[string] - vector of string) |
src.file.mime_type |
The orig_mime_types log field is mapped to src.file.mime_type UDM field when index value in orig_mime_types is equal to 0 . For every other index value, orig_mime_types log field is mapped to the about.file.mime_type .
|
resp_fuids (array[string] - vector of string) |
about.labels [resp_fuid] |
|
resp_filenames (array[string] - vector of string) |
target.file.names |
The resp_filenames log field is mapped to target.file.names UDM field when index value in resp_filenames is equal to 0 . For every other index value, resp_filenames log field is mapped to the about.file.names .
|
resp_mime_types (array[string] - vector of string) |
target.file.mime_type |
The resp_mime_types log field is mapped to target.file.mime_type UDM field when index value in resp_mime_types is equal to 0 . For every other index value, resp_mime_types log field is mapped to the about.file.mime_type .
|
post_body (string) |
about.labels [post_body] |
|
stream_id (integer - count) |
about.labels [stream_id] |
|
encoding (string) |
about.labels [encoding] |
|
push (boolean - bool) |
about.labels [push] |
필드 매핑 참조: CORELIGHT - smtp_links
다음 표에는 smtp_links
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_SMTP . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SMTP . |
|
fuid (string) |
about.labels [fuid] |
|
link (string) |
about.url |
|
domain (string) |
about.domain.name |
필드 매핑 참조: CORELIGHT - irc
다음 표에는 irc
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
nick (string) |
principal.user.user_display_name |
|
user (string) |
principal.user.userid |
If the user log field value is less than or equal to 255, then the user log field is mapped to the principal.user.userid UDM field.Else, the user log field is mapped to the about.labels UDM field. |
command, value, addl |
principal.process.command_line |
|
dcc_file_name (string) |
src.file.names |
|
dcc_file_size (integer - count) |
src.file.size |
|
dcc_mime_type (string) |
src.file.mime_type |
|
fuid (string) |
about.labels [fuid] |
필드 매핑 참조: CORELIGHT - files, files_red
다음 표에는 files, files_red
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
fuid (string) |
about.labels [fuid] |
|
tx_hosts (array[string] - set[addr]) |
principal.ip |
|
rx_hosts (array[string] - set[addr]) |
target.ip |
|
conn_uids (array[string] - set[string]) |
about.labels [conn_uid] |
|
source (string) |
about.labels [source] |
|
depth (integer - count) |
about.labels [depth] |
|
analyzers (array[string] - set[string]) |
about.labels [analyzer] |
|
mime_type (string) |
about.file.mime_type |
|
filename (string) |
about.file.names |
|
duration (number - interval) |
about.labels [duration] |
|
local_orig (boolean - bool) |
about.labels [local_orig] |
|
is_orig (boolean - bool) |
about.labels [is_orig] |
|
seen_bytes (integer - count) |
about.file.size |
|
total_bytes (integer - count) |
about.labels [total_bytes] |
|
missing_bytes (integer - count) |
about.labels [missing_bytes] |
|
overflow_bytes (integer - count) |
about.labels [overflow_bytes] |
|
timedout (boolean - bool) |
about.labels [timedout] |
|
parent_fuid (string) |
about.labels [parent_fuid] |
|
md5 (string) |
about.file.md5 |
|
sha1 (string) |
about.file.sha1 |
|
sha256 (string) |
about.file.sha256 |
|
md5 (string) |
network.tls.client.certificate.md5 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files , then the network.tls.client.certificate.md5 UDM field is set to md5 . |
sha1 (string) |
network.tls.client.certificate.sha1 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files , then the network.tls.client.certificate.sha1 UDM field is set to sha1 . |
sha256 (string) |
network.tls.client.certificate.sha256 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files , then the network.tls.client.certificate.sha256 UDM field is set to sha256 . |
md5 (string) |
network.tls.server.certificate.md5 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files , then the network.tls.server.certificate.md5 UDM field is set to md5 . |
sha1 (string) |
network.tls.server.certificate.sha1 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files , then the network.tls.server.certificate.sha1 UDM field is set to sha1 . |
sha256 (string) |
network.tls.server.certificate.sha256 |
If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files , then the network.tls.server.certificate.sha256 UDM field is set to sha256 . |
extracted (array[string] - set[string]) |
about.file.names |
|
extracted_cutoff (boolean - bool) |
about.labels [extracted_cutoff] |
|
extracted_size (integer - count) |
about.labels [extracted_size] |
|
num (integer - count) |
about.labels [num] |
필드 매핑 참조: CORELIGHT - notice
다음 표에는 notice
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
fuid (string) |
about.labels [fuid] |
|
file_mime_type (string) |
target.file.mime_type |
|
file_desc (string) |
about.labels [file_desc] |
|
proto (string - enum) |
network.ip_protocol |
|
note (string - enum) |
security_result.description |
|
msg (string) |
metadata.description |
|
sub (string) |
about.labels [sub] |
|
src (string - addr) |
principal.ip |
|
dst (string - addr) |
target.ip |
|
p (integer - port) |
about.port |
|
n (integer - count) |
about.labels [n] |
|
peer_descr (string) |
about.labels [peer_descr] |
|
security_result.action |
The security_result.action UDM field is set to ALLOW . |
|
actions (array[string] - set[enum]) |
security_result.action_details |
|
suppress_for (number - interval) |
about.labels [suppress_for] |
|
remote_location.country_code (string) |
about.location.country_or_region |
The about.location.country_or_region UDM field is set with remote_location.country_code , remote_location.region log fields as "remote_location.country_code : remote_location.region ". |
remote_location.region (string) |
about.location.country_or_region |
The about.location.country_or_region UDM field is set with remote_location.country_code , remote_location.region log fields as "remote_location.country_code : remote_location.region ". |
remote_location.city (string) |
about.location.city |
|
remote_location.latitude (number - double) |
about.location.region_coordinates.latitude |
|
remote_location.longitude (number - double) |
about.location.region_coordinates.longitude |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
필드 매핑 참조: CORELIGHT - smb_files
다음 표에는 smb_files
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
If the action log field value is equal to SMB::FILE_READ , then the metadata.event_type UDM field is set to FILE_READ .Else, if the action log field value is equal to SMB::FILE_WRITE , then the metadata.event_type UDM field is set to FILE_MODIFICATION .Else, if the action log field value is equal to SMB::FILE_OPEN , then the metadata.event_type UDM field is set to FILE_OPEN .Else, if the action log field value is equal to SMB::FILE_CLOSE , then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED .Else, if the action log field value is equal to SMB::FILE_DELETE , then the metadata.event_type UDM field is set to FILE_DELETION .Else, if the action log field value is equal to SMB::FILE_RENAME , then the metadata.event_type UDM field is set to FILE_MOVE .Else, if the action log field value is equal to SMB::FILE_SET_ATTRIBUTE , then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED .Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SMB . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to TCP . |
|
action, name |
metadata.description |
The metadata.description UDM field is set with action , name log fields as "action: action on: name ". |
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
|
security_result.action |
The security_result.action UDM field is set to ALLOW . |
|
fuid (string) |
about.labels [fuid] |
|
action (string - enum) |
target.labels [action] |
|
path (string) |
target.file.full_path |
|
name (string) |
target.file.names |
|
size (integer - count) |
target.file.size |
|
prev_name (string) |
src.file.names |
|
times.modified (time) |
target.file.last_modification_time |
|
times.accessed (time) |
target.file.last_seen_time |
|
times.created (time) |
target.file.first_seen_time |
|
times.changed (time) |
target.labels [times_changed] |
|
data_offset_req (integer - count) |
target.labels [data_offset_req] |
|
data_len_req (integer - count) |
target.labels [data_len_req] |
|
data_len_rsp (integer - count) |
target.labels [data_len_rsp] |
필드 매핑 참조: CORELIGHT - smb_mapping
다음 표에는 smb_mapping
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SMB . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to TCP . |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
|
security_result.action |
The security_result.action UDM field is set to ALLOW . |
|
path (string) |
target.resource.attribute.labels [path] |
|
service (string) |
target.application |
|
native_file_system (string) |
target.resource.attribute.labels [native_file_system] |
|
share_type (string) |
target.resource.resource_type |
If the share_type log field value is equal to DISK , then the target.resource.resource_type UDM field is set to STORAGE_OBJECT .Else, if the share_type log field value is equal to PIPE , then the target.resource.resource_type UDM field is set to PIPE .Else, the target.resource.resource_type UDM field is set to UNSPECIFIED . |
share_type (string) |
target.resource.resource_subtype |
필드 매핑 참조: CORELIGHT - ssl, ssl_red
다음 표에는 ssl, ssl_red
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to HTTPS . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to TCP . |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
|
security_result.action |
The security_result.action UDM field is set to ALLOW . |
|
version (string) |
network.tls.version |
|
cipher (string) |
network.tls.cipher |
|
curve (string) |
network.tls.curve |
|
server_name (string) |
network.tls.client.server_name |
|
resumed (boolean - bool) |
network.tls.resumed |
|
last_alert (string) |
security_result.description |
|
next_protocol (string) |
network.tls.next_protocol |
|
established (boolean - bool) |
network.tls.established |
|
ssl_history (string) |
about.labels [ssl_history] |
|
cert_chain_fps (array[string] - vector of string) |
target.labels [cert_chain_fps] |
|
client_cert_chain_fps (array[string] - vector of string) |
principal.labels [client_cert_chain_fps] |
|
sni_matches_cert (boolean - bool) |
about.labels [sni_matches_cert] |
|
validation_status (string) |
security_result.detection_fields [validation_status] |
|
ja3 (string) |
network.tls.client.ja3 |
|
ja3s (string) |
network.tls.server.ja3s |
필드 매핑 참조: CORELIGHT - rdp
다음 표에는 rdp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
cookie (string) |
about.labels [cookie] |
|
result (string) |
about.labels [result] |
|
security_protocol (string) |
target.labels [security_protocol] |
|
client_channels (array[string] - vector of string) |
intermediary.labels [client_channels] |
|
keyboard_layout (string) |
principal.labels [keyboard_layout] |
|
client_build (string) |
principal.labels [client_build] |
|
client_name (string) |
principal.hostname |
|
client_dig_product_id (string) |
principal.labels [client_dig_product_id ] |
|
desktop_width (integer - count) |
principal.labels [desktop_width] |
|
desktop_height (integer - count) |
principal.labels [desktop_height] |
|
requested_color_depth (string) |
principal.labels [requested_color_depth] |
|
cert_type (string) |
about.labels [cert_type] |
|
cert_count (integer - count) |
about.labels [cert_count] |
|
cert_permanent (boolean - bool) |
about.labels [cert_permanent ] |
|
encryption_level (string) |
about.labels [encryption_level] |
|
encryption_method (string) |
about.labels [encryption_method] |
|
auth_success (boolean - bool) |
about.labels [auth_success] |
|
channels_joined (integer - int) |
intermediary.labels [channels_joined] |
|
inferences (array[string] - set[string]) |
about.labels [inferences] |
|
rdpeudp_uid (string) |
about.labels [rdpeudp_uid] |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to TCP . |
|
rdfp_string (string) |
principal.labels [rdfp_string] |
|
rdfp_hash (string) |
principal.labels [rdfp_hash] |
|
result, security_protocol |
security_result.description |
The security_result.description UDM field is set with result , security_protocol log fields as "result connection with security protocol security_protocol ". |
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
필드 매핑 참조: CORELIGHT - sip
다음 표에는 sip
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SIP . |
|
trans_depth (integer - count) |
about.labels [trans_depth] |
|
method (string) |
about.labels [method] |
|
uri (string) |
target.url |
|
date (string) |
about.labels [date] |
|
request_from (string) |
principal.labels [request_from] |
|
request_to (string) |
target.labels [request_to] |
|
response_from |
principal.labels [response_from] |
|
response_to (string) |
target.labels [response_to] |
|
reply_to (string) |
about.labels [reply_to] |
|
call_id (string) |
network.session_id |
|
seq (string) |
about.labels [seq] |
|
subject (string) |
about.labels [subject] |
|
request_path (array[string] - vector of string) |
about.labels [request_path] |
|
response_path (array[string] - vector of string) |
about.labels [response_path] |
|
user_agent (string) |
about.labels [user_agent] |
|
status_code (integer - count) |
about.labels [status_code] |
|
status_msg (string) |
security_result.description |
|
warning (string) |
security_result.summary |
|
request_body_len (integer - count) |
network.sent_bytes |
|
response_body_len (integer - count) |
network.received_bytes |
|
content_type (string) |
about.labels [content_type] |
필드 매핑 참조: CORELIGHT - intel
다음 표에는 intel
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_NETWORK . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
seen.indicator_type (string - enum) |
entity.metadata.entity_type |
If the indicator.type log field value is equal to Intel::ADDR , then the metadata.entity_type UDM field is set to IP_ADDRESS .Else, if the indicator.type log field value is equal to Intel::SUBNET or Intel::SOFTWARE or Intel::CERT_HASH or Intel::PUBKEY_HASH , then the metadata.entity_type UDM field is set to RESOURCE .Else, if the indicator.type log field value is equal to Intel::URL , then the metadata.entity_type UDM field is set to URL .Else, if the indicator.type log field value is equal to the Intel::EMAIL or Intel::USER_NAME , then the metadata.entity_type UDM field is set to USER .Else, if the indicator.type log field value is equal to Intel::DOMAIN , then the metadata.entity_type UDM field is set to DOMAIN_NAME .Else, if the indicator.type log field value is equal to the Intel::FILE_HASH or Intel::FILE_NAME , then the metadata.entity_type UDM field is set to FILE .Else, the metadata.entity_type UDM field is set to RESOURCE . |
seen.indicator (string) |
entity.ip |
If the indicator.type log field value is equal to Intel::ADDR , then the seen.indicator log field is mapped to the entity.ip UDM field. |
seen.indicator (string) |
entity.url |
If the indicator.type log field value is equal to Intel::URL , then the seen.indicator log field is mapped to the entity.url UDM field. |
seen.indicator (string) |
entity.domain.name |
If the indicator.type log field value is equal to Intel::DOMAIN , then the seen.indicator log field is mapped to the entity.domain.name UDM field. |
seen.indicator (string) |
entity.user.email_address |
If the indicator.type log field value is equal to Intel::USER_NAME or Intel::EMAIL , then the seen.indicator log field is mapped to the entity.user.email_address UDM field. |
seen.indicator (string) |
entity.file.names |
If the indicator.type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME , then the seen.indicator log field is mapped to the entity.file.full_path UDM field. |
seen.indicator (string) |
entity.resource.name |
If the metadata.entity_type log field value is equal to RESOURCE , then the seen.indicatior log field is mapped to the entity.resource.name UDM field. |
entity.resource.resource_type |
If the indicator.type log field value is equal to Intel::SUBNET , then the entity.resource.resource_name UDM field is set to VPC_NETWORK . |
|
seen.indicator_type (string - enum) |
entity.resource.resource_sub_type |
If the metadata.entity_type log field value is equal to RESOURCE , then the seen.indicatior_type log field is mapped to the entity.resource.resource_sub_type UDM field. |
seen.where (string - enum) |
entity.metadata.source_labels [seen_where] |
|
matched (array[string] - set[enum]) |
entity.labels [matched] |
|
sources (array[string] - set[string]) |
entity.metadata.source_labels [source] |
|
fuid (string) |
about.labels [fuid] |
|
file_mime_type (string) |
entity.file.mime_type |
|
file_desc (string) |
metadata.threat.detection_fields [file_desc] |
|
desc (array[string] - set[string]) |
ioc.description |
The desc log field is mapped to ioc.description UDM field when index value in desc is equal to 0 .
For every other index value, entity.labels.key UDM field is set to desc and desc log field is mapped to the entity.labels.value . |
url (array[string] - set[string]) |
metadata.threat.url_back_to_product |
|
confidence (array[number] - set[double]) |
ioc.confidence_score |
The confidence log field is mapped to ioc.confidence_score UDM field when index value in confidence is equal to 0 .
For every other index value, entity.labels.key UDM field is set to confidence and confidence log field is mapped to the entity.labels.value . |
firstseen (array[string] - set[string]) |
ioc.active_timerange.start |
The firstseen log field is mapped to ioc.active_timerange.start UDM field when index value in firstseen is equal to 0 .
For every other index value, entity.labels.key UDM field is set to firstseen and firstseen log field is mapped to the entity.labels.value . |
lastseen (array[string] - set[string]) |
ioc.active_timerange.end |
The lastseen log field is mapped to ioc.active_timerange.end UDM field when index value in lastseen is equal to 0 .
For every other index value, entity.labels.key UDM field is set to lastseen and lastseen log field is mapped to the entity.labels.value . |
associated (array[string] - set[string]) |
entity.labels [associated] |
|
category (array[string] - set[string]) |
ioc.categorization |
The category log field is mapped to ioc.categorization UDM field when index value in category is equal to 0 .
For every other index value, entity.labels.key UDM field is set to category and category log field is mapped to the entity.labels.value . |
campaigns (array[string] - set[string]) |
entity.labels [campaign] |
|
reports (array[string] - set[string]) |
entity.labels [report] |
필드 매핑 참조: CORELIGHT - smtp
다음 표에는 smtp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_SMTP . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SMTP . |
|
trans_depth (integer - count) |
about.labels [trans_depth] |
|
helo (string) |
target.domain.name |
|
mailfrom (string) |
network.smtp.mail_from |
|
rcptto (array[string] - set[string]) |
network.smtp.rcpt_to |
|
date (string) |
about.labels [date] |
|
from (string) |
network.email.from |
|
to (array[string] - set[string]) |
network.email.to |
|
cc (array[string] - set[string]) |
network.email.cc |
|
reply_to (string) |
network.email.reply_to |
|
msg_id (string) |
network.email.mail_id |
|
in_reply_to (string) |
about.labels [in_reply_to] |
|
subject (string) |
network.email.subject |
|
x_originating_ip (string - addr) |
principal.ip |
|
first_received (string) |
about.labels [first_received] |
|
second_received (string) |
about.labels [second_received] |
|
last_reply (string) |
network.smtp.server_response |
|
path (array[string] - vector of addr) |
intermediary.ip |
|
user_agent (string) |
about.labels [user_agent] |
|
tls (boolean - bool) |
network.smtp.is_tls |
|
fuids (array[string] - vector of string) |
about.labels [fuid] |
|
is_webmail (boolean - bool) |
network.smtp.is_webmail |
|
urls (array[string] - set[string]) |
about.url |
|
domains (array[string] - set[string]) |
about.domain.name |
필드 매핑 참조: CORELIGHT - ssh
다음 표에는 ssh
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to SSH . |
|
version (integer - count) |
network.application_protocol_version |
The network.application_protocol_version UDM field is set with version log field as "SSH version ". |
auth_success (boolean - bool) |
security_result.action_details |
|
auth_success (boolean - bool) |
security_result.action |
If the auth_success log field value is not equal to true , then the security_result.action UDM field is set to ALLOW .Else, the security_result.action UDM field is set to BLOCK . |
auth_attempts (integer - count) |
extensions.auth.auth_details |
The extensions.auth.auth_details UDM field is set with auth_attempts log field as "auth_attempts: auth_attempts ". |
direction (string - enum) |
network.direction |
If the direction log field value is equal to INBOUND , then the network.direction UDM field is set to INBOUND .Else, if the direction log field value is equal to OUTBOUND , then the network.direction UDM field is set to OUTBOUND . |
client (string) |
principal.application |
|
server (string) |
target.application |
|
cipher_alg (string) |
network.tls.cipher |
|
mac_alg (string) |
security_result.detection_fields [mac_alg] |
|
compression_alg (string) |
security_result.detection_fields [compression_alg] |
|
kex_alg (string) |
security_result.detection_fields [kex_alg] |
|
host_key_alg (string) |
security_result.detection_fields [host_key_alg] |
|
host_key (string) |
security_result.detection_fields [host_key] |
|
remote_location.country_code (string) |
target.location.country_or_region |
|
remote_location.region (string) |
target.location.country_or_region |
|
remote_location.city (string) |
target.location.city |
|
remote_location.latitude (number - double) |
target.location.region_coordinates.latitude |
|
remote_location.longitude (number - double) |
target.location.region_coordinates.longitude |
|
hasshVersion (string) |
about.labels [hassh_version] |
|
hassh (string) |
principal.labels [hassh] |
|
hasshServer (string) |
target.labels [hassh_server] |
|
cshka (string) |
about.labels [cshka] |
|
hasshAlgorithms (string) |
about.labels [hassh_algorithms] |
|
sshka (string) |
about.labels [sshka] |
|
hasshServerAlgorithms (string) |
about.labels [hassh_server_algorithms] |
|
inferences (array[string] - set[string]) |
security_result.summary, security_result.description |
If the inferences log field value is equal to ABP , then the security_result.summary UDM field is set to Client Authentication Bypass and the security_result.description UDM field is set to A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after enctyption begins .If the inferences log field value is equal to AFR , then the security_result.summary UDM field is set to SSH Agent Forwarding Requested and the security_result.description UDM field is set to Agent Forwarding is requested by tge Client .If the inferences log field value is equal to APWA , then the security_result.summary UDM field is set to Automated Password Authentication and the security_result.description UDM field is set to The client authenticated with an automated password tool (like sshpass) .If the inferences log field value is equal to AUTO , then the security_result.summary UDM field is set to Automated Interaction and the security_result.description UDM field is set to The client is a script automated utility and not driven by a user .If the inferences log field value is equal to BAN , then the security_result.summary UDM field is set to Server Banner and the security_result.description UDM field is set to The server sent the client a pre-authentication banner, likely for legal reasons .If the inferences log field value is equal to BF , then the security_result.summary UDM field is set to Client Brute Force Guessing and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold .If the inferences log field value is equal to BFS , then the security_result.summary UDM field is set to Client Brute Force Success and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold .If the inferences log field value is equal to CTS , then the security_result.summary UDM field is set to Client Trusted Server and the security_result.description UDM field is set to The client already has an entry in its known_hosts file for this server .If the inferences log field value is equal to CUS , then the security_result.summary UDM field is set to Client Untrusted Server and the security_result.description UDM field is set to The client did not have an entry in its known_hosts file for this server .If the inferences log field value is equal to IPWA , then the security_result.summary UDM field is set to Interactive Password Authentication and the security_result.description UDM field is set to The client interactively typed their password to authenticate .If the inferences log field value is equal to KS , then the security_result.summary UDM field is set to Keystrokes and the security_result.description UDM field is set to An interactive session occurred in which the client set user-driven keystrokes to the server .If the inferences log field value is equal to LFD , then the security_result.summary UDM field is set to Large Client File Donwload and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client .If the inferences log field value is equal to LFU , then the security_result.summary UDM field is set to Large Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server. Large file are identified dynamically based on trains of MTU-sized packets .If the inferences log field value is equal to MFA , then the security_result.summary UDM field is set to Multifactor Authentication and the security_result.description UDM field is set to The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it .If the inferences log field value is equal to NA , then the security_result.summary UDM field is set to None Authentication and the security_result.description UDM field is set to The client successfully authenticated using the None method .If the inferences log field value is equal to NRC , then the security_result.summary UDM field is set to No Remote Command and the security_result.description UDM field is set to The -N flag was used in SSH authentication .If the inferences log field value is equal to PKA , then the security_result.summary UDM field is set to Public Key Authentication and the security_result.description UDM field is set to The client automatically authenticated using pubkey authentication .If the inferences log field value is equal to RSI , then the security_result.summary UDM field is set to Reverse SSH Initiated and the security_result.description UDM field is set to The Reverse session is initiated from the server back to the client .If the inferences log field value is equal to RSIA , then the security_result.summary UDM field is set to Reverse SSH Initiated Automated and the security_result.description UDM field is set to The inititation of the Reverse session happened very early in the packet stream, indicating automation .If the inferences log field value is equal to RSK , then the security_result.summary UDM field is set to Reverse SSH Keystrokes and the security_result.description UDM field is set to Keystrokes are detected within the Reverse tunnel .If the inferences log field value is equal to RSL , then the security_result.summary UDM field is set to Reverse SSH Logged In and the security_result.description UDM field is set to The Reverse Tunnel login has succeeded .If the inferences log field value is equal to RSP , then the security_result.summary UDM field is set to Reverse SSH Providioned and the security_result.description UDM field is set to The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time .If the inferences log field value is equal to SA , then the security_result.summary UDM field is set to Authentication Scanning and the security_result.description UDM field is set to The client scanned authentication method with the server and then disconnected .If the inferences log field value is equal to SC , then the security_result.summary UDM field is set to Capabilities Scanning and the security_result.description UDM field is set to The client exchanged capabilities with the server and then disconnected .If the inferences log field value is equal to SFD , then the security_result.summary UDM field is set to Small Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client .If the inferences log field value is equal to SFU , then the security_result.summary UDM field is set to Small Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server .If the inferences log field value is equal to SP , then the security_result.summary UDM field is set to Other Scanning and the security_result.description UDM field is set to A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner .If the inferences log field value is equal to SV , then the security_result.summary UDM field is set to Version Scanning and the security_result.description UDM field is set to A client exchanged version strings with the server and than disconnected .If the inferences log field value is equal to UA , then the security_result.summary UDM field is set to Unknown Authentication and the security_result.description UDM field is set to The authentication method is not determinated or is unknown . |
필드 매핑 참조: CORELIGHT - suricata_corelight
다음 표에는 suricata_corelight
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_NETWORK . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Suricata . |
|
id.vlan (integer - count) |
intermediary.labels [id_vlan] |
|
id.vlan_inner (integer - count) |
intermediary.labels [id_vlan_inner] |
|
icmp_type (integer - count) |
about.labels [icmp_type] |
|
icmp_code (integer - count) |
about.labels [icmp_code] |
|
suri_id (string) |
metadata.product_log_id |
|
service (string) |
network.application_protocol |
|
flow_id (integer - count) |
network.session_id |
|
tx_id (integer - count) |
about.labels [tx_id] |
|
pcap_cnt (integer - count) |
about.labels [pcap_cnt] |
|
alert.action (string) |
security_result.action_details |
|
alert.gid (integer - count) |
security_result.detection_fields [alert_gid] |
|
alert.signature_id (integer - count) |
security_result.rule_id |
|
alert.rev (integer - count) |
security_result.detection_fields [alert_rev] |
|
alert.signature (string) |
security_result.summary |
|
alert.signature (string) |
security_result.rule_name |
|
alert.category (string) |
security_result.category_details |
|
alert.severity (integer - count) |
security_result.severity_details |
|
alert.metadata (array[string] - vector of string) |
security_result.detection_fields [alert_metadata] |
|
community_id (string) |
network.community_id |
|
payload (string) |
about.labels [payload] |
|
payload (string) |
about.labels [payload_decoded] |
|
packet (string) |
about.labels [packet] |
|
packet (string) |
about.labels [packet_decoded] |
|
metadata (array[string] - vector of string) |
security_result.detection_fields [metadata] |
|
orig_cve (string) |
extensions.vulns.vulnerabilities.cve_id |
|
resp_cve (string) |
extensions.vulns.vulnerabilities.cve_id |
|
idm.is_alert |
The idm.is_alert UDM field is set to true . |
|
idm.is_significant |
The idm.is_significant UDM field is set to true . |
|
security_result.severity |
The security_result.severity UDM field is set to INFORMATIONAL . |
필드 매핑 참조: CORELIGHT - bacnet
다음 표에는 bacnet
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
bvlc_function (string) |
about.labels [bvlc_function] |
|
bvlc_len (integer - count) |
about.labels [bvlc_len] |
|
apdu_type (string) |
about.labels [apdu_type] |
|
service_choice (string) |
about.labels [service_choice] |
|
data (array[string] - vector of string) |
about.labels [data] |
필드 매핑 참조: CORELIGHT - cip
다음 표에는 cip
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
service (string) |
about.labels [service] |
|
status (string) |
about.labels [status] |
|
tags (string) |
about.labels [tag] |
필드 매핑 참조: CORELIGHT - corelight_buster
다음 표에는 corelight_burst
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_NETWORK . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
orig_size (integer - count) |
network.sent_bytes |
|
resp_size (integer - count) |
network.received_bytes |
|
mbps (number - double) |
about.labels [mbps] |
|
age_of_conn (number - interval) |
about.labels [age_of_conn] |
필드 매핑 참조: CORELIGHT - corelight_overall_capture_loss
다음 표에는 corelight_overall_capture_loss
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
gaps (number - double) |
security_result.detection_fields [gaps] |
|
acks (number - double) |
security_result.detection_fields [acks] |
|
percent_lost (number - double) |
security_result.detection_fields [percent_lost] |
|
metadata.description |
The metadata.description UDM field is set with _system_name , percent_lost , ts. log fields as "node _system_name experienced percent_lost % packet loss at ts. ". |
필드 매핑 참조: CORELIGHT - corelight_profiling
다음 표에는 corelight_profiling
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_NETWORK . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
node (string) |
principal.hostname |
|
prof.core_stack (string) |
about.labels [prof_core_stack] |
|
prof.script_stack (string) |
about.labels [prof_script_stack] |
|
prof.sched_wait_ns (integer - count) |
about.labels [prof_sched_wait_ns] |
필드 매핑 참조: CORELIGHT - datared
다음 표에는 datared
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
conn_red (integer - count) |
about.labels [conn_red] |
|
conn_total (integer - count) |
about.labels [conn_total] |
|
dns_red (integer - count) |
about.labels [dns_red] |
|
dns_total (integer - count) |
about.labels [dns_total] |
|
dns_coal_miss (integer - count) |
about.labels [dns_coal_miss] |
|
files_red (integer - count) |
about.labels [files_red] |
|
files_total (integer - count) |
about.labels [files_total] |
|
files_coal_miss (integer - count) |
about.labels [files_coal_miss] |
|
http_red (integer - count) |
about.labels [http_red] |
|
http_total (integer - count) |
about.labels [http_total] |
|
ssl_red (integer - count) |
about.labels [ssl_red] |
|
ssl_total (integer - count) |
about.labels [ssl_total] |
|
ssl_coal_miss (integer - count) |
about.labels [ssl_coal_miss] |
|
weird_red (integer - count) |
about.labels [weird_red] |
|
weird_total (integer - count) |
about.labels [weird_total] |
|
x509_red (integer - count) |
about.labels [x509_red] |
|
x509_total (integer - count) |
about.labels [x509_total] |
|
x509_coal_miss (integer - count) |
about.labels [x509_coal_miss] |
필드 매핑 참조: CORELIGHT - dhcp
다음 표에는 dhcp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DHCP . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DHCP . |
|
uids (array[string] - set[string]) |
about.labels [uid] |
|
client_addr (string - addr) |
network.dhcp.ciaddr |
|
server_addr (string - addr) |
network.dhcp.siaddr |
|
mac (string) |
network.dhcp.chaddr |
|
host_name (string) |
network.dhcp.client_hostname |
|
client_fqdn (string) |
principal.domain.name |
|
domain (string) |
target.domain.name |
|
requested_addr (string - addr) |
network.dhcp.requested_address |
|
assigned_addr (string - addr) |
network.dhcp.yiaddr |
|
lease_time (number - interval) |
network.dhcp.lease_time_seconds |
|
client_message (string) |
security_result.description |
|
server_message (string) |
security_result.description |
|
msg_types (array[string] - vector of string) |
network.dhcp.type |
The msg_types log field is mapped to network.dhcp.type UDM field when index value in msg_types is equal to 0 .
For every other index value, about.labels.key UDM field is set to msg_types and msg_types log field is mapped to the about.labels.value . |
duration (number - interval) |
about.labels [duration] |
필드 매핑 참조: CORELIGHT - dga
다음 표에는 dga
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS . |
|
query (string) |
network.dns.questions.name |
|
family (string) |
about.labels [family] |
|
qtype_name (string) |
about.labels [qtype_name] |
|
rcode (integer - count) |
network.dns.response_code |
|
is_collision_heavy (boolean - bool) |
security_result.detection_fields [is_collision_heavy] |
|
ruse (boolean - bool) |
about.labels [ruse] |
필드 매핑 참조: CORELIGHT - dnp3
다음 표에는 dnp3
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
fc_request (string) |
about.labels [fc_request] |
|
fc_reply (string) |
about.labels [fc_reply] |
|
iin (integer - count) |
about.labels [iin] |
필드 매핑 참조: CORELIGHT - iso_cotp
다음 표에는 iso_cotp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
pdu_type (string) |
about.labels [pdu_type] |
필드 매핑 참조: CORELIGHT - kerberos
다음 표에는 kerberos
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to KRB5 . |
|
request_type (string) |
principal.application |
|
client (string) |
principal.hostname |
|
service (string) |
target.application |
|
success (boolean - bool) |
security_result.action |
If the success log field value is equal to true , then the security_result.action UDM field is set to ALLOW .Else, the security_result.action UDM field is set to FAIL . |
error_msg (string) |
security_result.action_details |
|
from (time) |
about.labels [from] |
|
till (time) |
about.labels [till] |
|
cipher (string) |
about.labels [cipher] |
|
forwardable (boolean - bool) |
about.labels [forwardable] |
|
renewable (boolean - bool) |
about.labels [renewable] |
|
client_cert_subject (string) |
about.labels [client_cert_subject] |
|
client_cert_fuid (string) |
about.labels [client_cert_fuid] |
|
server_cert_subject (string) |
about.labels [server_cert_subject] |
|
server_cert_fuid (string) |
about.labels [server_cert_fuid] |
필드 매핑 참조: CORELIGHT - ldap
다음 표에는 ldap
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to LDAP . |
|
proto (string) |
about.labels [proto] |
|
message_id (integer - int) |
about.labels [message_id] |
|
version (integer - int) |
network.application_protocol_version |
|
opcode (array[string] - set[string]) |
security_result.detection_fields [opcode] |
|
result (array[string] - set[string]) |
security_result.detection_fields [result] |
|
diagnostic_message (array[string] - vector of string) |
security_result.description |
|
object (array[string] - vector of string) |
about.labels [object] |
|
argument (array[string] - vector of string) |
about.labels [argument] |
필드 매핑 참조: CORELIGHT - ldap_search
다음 표에는 ldap_search
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to LDAP . |
|
proto (string) |
about.labels [proto] |
|
message_id (integer - int) |
about.labels [message_id] |
|
scope (array[string] - set[string]) |
about.labels [scope] |
|
deref (array[string] - set[string]) |
about.labels [deref] |
|
base_object (array[string] - vector of string) |
about.labels [base_object] |
|
result_count (integer - count) |
security_result.detection_fields [result_count] |
|
result (array[string] - set[string]) |
security_result.detection_fields [result] |
|
diagnostic_message (array[string] - vector of string) |
security_result.description |
|
filter (string) |
about.labels [filter] |
|
attributes (array[string] - vector of string) |
about.labels [attributes] |
필드 매핑 참조: CORELIGHT - local_subnets
다음 표에는 local_subnets
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
round (integer - count) |
about.labels [round] |
|
ip_version (integer - count) |
about.labels [ip_version] |
|
subnets (array[string] - set[subnet]) |
about.labels [subnet] |
|
component_ids (array[integer] - set[count]) |
about.labels [component_id] |
|
size_of_component (integer - count) |
about.labels [size_of_component] |
|
bipartite (boolean - bool) |
about.labels [bipartite] |
|
inferred_site (boolean - bool) |
about.labels [inferred_site] |
|
other_ips (array[string] - set[addr]) |
about.ip |
필드 매핑 참조: CORELIGHT - local_subnets_dj
다음 표에는 local_subnets_dj
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
ip_version (integer - count) |
about.labels [ip_version] |
|
v (string - addr) |
about.ip |
|
side (string) |
about.labels [side] |
필드 매핑 참조: CORELIGHT - local_subnets_graphs
다음 표에는 local_subnets_graphs
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
ip_version (integer - count) |
about.labels [ip_version] |
|
v1 (string - addr) |
about.ip |
|
v2 (string - addr) |
about.ip |
필드 매핑 참조: CORELIGHT - syslog
다음 표에는 syslog
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to STATUS_UPDATE . |
|
proto (string - enum) |
network.ip_protocol |
|
facility (string) |
about.labels [facility] |
|
severity (string) |
about.labels [severity] |
|
message (string) |
metadata.description |
필드 매핑 참조: CORELIGHT - tds
다음 표에는 tds
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
command (string) |
principal.process.command_line |
필드 매핑 참조: CORELIGHT - tds_rpc
다음 표에는 tds_rpc
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
procedure_name (string) |
about.labels [procedure_name] |
|
parameters (array[string] - vector of string) |
about.labels [parameter] |
필드 매핑 참조: CORELIGHT - tds_sql_batch
다음 표에는 tds_sql_batch
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to STATUS_UPDATE . |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DATABASE . |
|
header_type (string) |
target.resource.attribute.labels [header_type] |
|
query (string) |
target.resource.attribute.labels [query] |
필드 매핑 참조: CORELIGHT - traceroute
다음 표에는 traceroute
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
src (string - addr) |
principal.ip |
|
dst (string - addr) |
target.ip |
|
proto (string) |
network.ip_protocol |
필드 매핑 참조: CORELIGHT - tunnel
다음 표에는 tunnel
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
tunnel_type (string - enum) |
intermediary.labels [tunnel_type] |
|
action (string - enum) |
security_result.action_details |
|
security_result.description |
The security_result.description UDM field is set with action , tunnel_type log fields as "action action on tunnel type tunnel_type ". |
필드 매핑 참조: CORELIGHT - weird, weird_red
다음 표에는 weird, weird_red
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
name (string) |
about.labels [name] |
|
addl (string) |
about.labels [addl] |
|
notice (boolean - bool) |
about.labels [notice] |
|
source (string) |
about.labels [source] |
|
peer (string) |
about.labels [peer] |
필드 매핑 참조: CORELOW - wireguard
다음 표에는 wireguard
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
established (boolean - bool) |
about.labels [established] |
|
initiations (integer - count) |
about.labels [initiations] |
|
responses (integer - count) |
about.labels [responses] |
필드 매핑 참조: CORELIGHT - vpn
다음 표에는 vpn
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
vpn_type (string - enum) |
about.labels [vpn_type] |
|
service (string) |
target.application |
|
inferences (array[string] - set[string]) |
about.labels [inference] |
|
server_name (string) |
network.tls.client.server_name |
|
client_info (string) |
principal.labels [client_info] |
|
duration (number - interval) |
network.session_duration |
|
orig_bytes (integer - count) |
network.sent_bytes |
|
resp_bytes (integer - count) |
network.received_bytes |
|
orig_cc (string) |
principal.location.country_or_region |
|
orig_region (string) |
principal.location.country_or_region |
|
orig_city (string) |
principal.location.city |
|
resp_cc (string) |
target.location.country_or_region |
|
resp_region (string) |
target.location.country_or_region |
|
resp_city (string) |
target.location.city |
|
subject (string) |
network.tls.client.certificate.subject |
|
issuer (string) |
network.tls.client.certificate.issuer |
|
ja3 (string) |
network.tls.client.ja3 |
|
ja3s (string) |
network.tls.server.ja3s |
필드 매핑 참조: CORELIGHT - x509, x509_red
다음 표에는 x509, x509_red
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
fingerprint (string) |
about.labels [fingerprint] |
|
certificate.version (integer - count) |
network.tls.server.certificate.version |
|
certificate.serial (string) |
network.tls.server.certificate.serial |
|
certificate.subject (string) |
network.tls.server.certificate.subject |
|
certificate.issuer (string) |
network.tls.server.certificate.issuer |
|
certificate.not_valid_before (time) |
network.tls.server.certificate.not_before |
|
certificate.not_valid_after (time) |
network.tls.server.certificate.not_after |
|
certificate.key_alg (string) |
about.labels [certificate_key_alg] |
|
certificate.sig_alg (string) |
about.labels [certificate_sig_alg] |
|
certificate.key_type (string) |
about.labels [certificate_key_type] |
|
certificate.key_length (integer - count) |
about.labels [certificate_key_length] |
|
certificate.exponent (string) |
about.labels [certificate_exponent] |
|
certificate.curve (string) |
network.tls.curve |
|
san.dns (array[string] - vector of string) |
about.labels [san_dns] |
|
san.uri (array[string] - vector of string) |
about.url |
|
san.email (array[string] - vector of string) |
about.labels [san_email] |
|
san.ip (array[string] - vector of addr) |
about.ip |
|
basic_constraints.ca (boolean - bool) |
about.labels [basic_constraints_ca] |
|
basic_constraints.path_len (integer - count) |
about.labels [basic_constraints_path_len] |
|
host_cert (boolean - bool) |
about.labels [host_cert] |
|
client_cert (boolean - bool) |
about.labels [client_cert] |
필드 매핑 참조: CORELIGHT - unknown-smartpcap
다음 표에는 unknown-smartpcap
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Smartpcap . |
|
tid (string) |
about.labels [tid] |
|
pkts (integer - count) |
about.labels [pkts] |
|
url (string) |
security_result.url_back_to_product |
필드 매핑 참조: CORELIGHT - mysql
다음 표에는 mysql
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
cmd (string) |
target.resource.attribute.labels [cmd] |
|
arg (string) |
principal.process.command_line |
|
success (boolean - bool) |
target.resource.attribute.labels [success] |
|
rows (integer - count) |
target.resource.attribute.labels [rows] |
|
response (string) |
target.resource.attribute.labels [response] |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DATABASE . |
필드 매핑 참조: CORELIGHT - napatech_shunting
다음 표에는 napatech_shunting
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
peer (string) |
about.labels [peer] |
|
terminated_flows (integer - count) |
about.labels [terminated_flows] |
|
shunted_flows (integer - count) |
security_result.detection_fields [shunted_flows] |
필드 매핑 참조: CORELIGHT - ntlm
다음 표에는 ntlm
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to USER_LOGIN . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
username (string) |
target.user.userid |
|
hostname (string) |
principal.hostname |
|
domainname (string) |
principal.domain.name |
|
server_nb_computer_name (string) |
target.hostname |
|
server_dns_computer_name (string) |
target.domain.name |
|
server_tree_name (string) |
target.labels [server_tree_name] |
|
success (boolean - bool) |
extensions.auth.auth_details |
If the success log field value is equal to true , then the extensions.auth.auth_details UDM field is set to Authentication successful .Else, the extensions.auth.auth_details UDM field is set to Authentication failed . |
필드 매핑 참조: CORELIGHT - pe
다음 표에는 pe
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
id (string) |
about.labels [id] |
|
machine (string) |
target.labels [machine] |
|
compile_ts (time) |
about.labels [compile_ts] |
|
os (string) |
target.platform |
If the os log field value is equal to windows , then the target.platform UDM field is set to WINDOWS .Else, if is equal to linux , then the target.platform UDM field is set to LINUX .Else, if the os log field value is equal to mac or the |
subsystem (string) |
target.application |
|
is_exe (boolean - bool) |
about.file.file_type |
If the is_exe log field value is equal to true , then the about.file.file_type UDM field is set to FILE_TYPE_PE_EXE . |
is_64bit (boolean - bool) |
about.labels [is_64bit] |
|
uses_aslr (boolean - bool) |
about.labels [uses_aslr] |
|
uses_dep (boolean - bool) |
about.labels [uses_dep] |
|
uses_code_integrity (boolean - bool) |
about.labels [uses_code_integrity] |
|
uses_seh (boolean - bool) |
about.labels [uses_seh ] |
|
has_import_table (boolean - bool) |
about.labels [has_import_table] |
|
has_export_table (boolean - bool) |
about.labels [has_export_table] |
|
has_cert_table (boolean - bool) |
about.labels [has_cert_table] |
|
has_debug_data (boolean - bool) |
about.labels [has_debug_data] |
|
section_names (array[string] - vector of string) |
about.labels [section_names] |
필드 매핑 참조: CORELIGHT - ntp
다음 표에는 ntp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to NTP . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to UDP . |
|
version (integer - count) |
network.application_protocol_version |
|
mode (integer - count) |
about.labels [mode] |
|
stratum (integer - count) |
about.labels [stratum] |
|
poll (number - interval) |
about.labels [poll] |
|
precision (number - interval) |
about.labels [precision] |
|
root_delay (number - interval) |
about.labels [root_delay] |
|
root_disp (number - interval) |
about.labels [root_disp] |
|
ref_id (string) |
target.ip |
If the ref_id log field value is matched with regex of IP, then the ref_id log field is mapped to the target.ip UDM field.
Else, the ref_id log field is mapped to the target.labels UDM field. |
ref_id (string) |
target.labels [ref_id] |
If the ref_id log field value is matched with regex of IP, then the ref_id log field is mapped to the target.ip UDM field.
Else, the ref_id log field is mapped to the target.labels UDM field. |
ref_time (time) |
about.labels [ref_time] |
|
org_time (time) |
about.labels [org_time] |
|
rec_time (time) |
about.labels [rec_time] |
|
xmt_time (time) |
about.labels [rec_time] |
|
num_exts (integer - count) |
about.labels [num_exts] |
필드 매핑 참조: CORELIGHT - radius
다음 표에는 radius
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to USER_LOGIN . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
username (string) |
target.user.userid |
|
mac (string) |
principal.mac |
|
framed_addr (string - addr) |
intermediary.ip |
|
tunnel_client (string) |
intermediary.ip |
If the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field. |
tunnel_client (string) |
intermediary.domain.name |
If the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field. |
connect_info (string) |
about.labels [connect_info] |
|
reply_msg (string) |
about.labels [reply_msg] |
|
result (string) |
extensions.auth.auth_details |
|
ttl (number - interval) |
network.session_duration |
필드 매핑 참조: CORELIGHT - reporter
다음 표에는 reporter
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
level (string - enum) |
security_result.severity |
If the level log field value is equal to CRITICAL or ERROR or HIGH or INFORMATIONAL or LOW or MEDIUM , then the level log field is mapped to the security_result.severity UDM field. |
level (string - enum) |
security_result.severity_details |
|
message (string) |
security_result.description |
|
location (string) |
about.labels [location] |
필드 매핑 참조: CORELIGHT - log4shell
다음 표에는 log4shell
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to SCAN_HOST . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
extensions.vulns.vulnerabilities.cve_id |
The extensions.vulns.vulnerabilities.cve_id UDM field is set to CVE-2021-44228 . |
|
http_uri (string) |
about.labels [http_uri] |
|
uri (string) |
target.url |
|
stem (string) |
target.labels [stem] |
|
target_host (string) |
target.hostname |
|
target_port (string) |
target.port |
|
method (string) |
network.http.method |
|
is_orig (boolean - bool) |
about.labels [is_orig] |
|
name (string) |
about.labels.key |
|
value (string) |
about.labels.value |
|
matched_name (boolean - bool) |
about.labels [matched_name] |
|
matched_value (boolean - bool) |
about.labels [matched_value] |
필드 매핑 참조: CORELIGHT - modbus
다음 표에는 modbus
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to MODBUS . |
|
func (string) |
about.labels [func] |
|
exception (string) |
security_result.description |
필드 매핑 참조: CORELIGHT - mqtt_connect
다음 표에는 mqtt_connect
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to MQTT . |
|
proto_name (string) |
about.labels [proto_name] |
|
proto_version (string) |
network.application_protocol_version |
|
client_id (string) |
principal.labels [client_id] |
|
connect_status (string) |
security_result.description |
|
will_topic (string) |
about.labels [will_topic] |
|
will_payload (string) |
about.labels [will_payload] |
필드 매핑 참조: CORELIGHT - mqtt_publish
다음 표에는 mqtt_publish
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to MQTT . |
|
from_client (boolean - bool) |
about.labels [from_client] |
|
retain (boolean - bool) |
target.labels [retain] |
|
qos (string) |
about.labels [qos] |
|
status (string) |
security_result.description |
|
topic (string) |
about.labels [topic] |
|
payload (string) |
about.labels [payload] |
|
payload_len (integer - count) |
about.labels [payload_len] |
필드 매핑 참조: CORELIGHT - mqtt_subscribe
다음 표에는 mqtt_subscribe
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to MQTT . |
|
action (string - enum) |
security_result.action_details |
|
topics (array[string] - vector of string) |
about.labels [topics] |
|
qos_levels (array[integer] - vector of count) |
about.labels [qos_levels] |
|
granted_qos_level (integer - count) |
about.labels [granted_qos_level] |
|
ack (boolean - bool) |
security_result.detection_fields [ack] |
필드 매핑 참조: CORELIGHT - dpd
다음 표에는 dpd
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
analyzer (string) |
about.labels [analyzer] |
|
failure_reason (string) |
about.labels [failure_reason] |
필드 매핑 참조: CORELIGHT - encrypted_dns
다음 표에는 encrypted_dns
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS . |
|
resp_h (string - addr) |
target.ip |
|
cert.cn (string) |
about.labels [cert_cn] |
|
cert.sans (array[string] - set[string]) |
about.labels [cert_sans] |
|
sni (string) |
network.tls.client.server_name |
|
match (string) |
about.labels [match] |
필드 매핑 참조: CORELIGHT - enip
다음 표에는 enip
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
command (string) |
principal.process.command_line |
|
length (integer - count) |
about.labels [length] |
|
session_handle (string) |
network.session_id |
|
status (string) |
about.labels [status] |
|
sender_context (string) |
about.labels [sender_context] |
|
options (string) |
about.labels [options] |
필드 매핑 참조: CORELIGHT - enip_debug
다음 표에는 enip_debug
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to STATUS_UPDATE . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
raw_data (string) |
about.labels [raw_data] |
필드 매핑 참조: CORELIGHT - enip_list_identity
다음 표에는 enip_list_identity
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
device_type (string) |
target.asset.attribute.labels [device_type] |
|
vendor (string) |
target.asset.hardware.manufacturer |
|
product_name (string) |
target.asset.attribute.labels [product_name] |
|
serial_number (string) |
target.asset.asset_id |
The target.asset.asset_id UDM field is set with serial_number log fields as "CORELIGHT: serial_number ". |
product_code (integer - count) |
target.asset.attribute.labels [product_code] |
|
revision (number - double) |
target.asset.attribute.labels [revision] |
|
status (string) |
about.labels [status] |
|
state (string) |
target.asset.attribute.labels [state] |
|
device_ip (string - addr) |
target.asset.ip |
필드 매핑 참조: CORELIGHT - etc_viz
다음 표에는 etc_viz
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
server_a (string - addr) |
target.ip |
|
server_p (integer - port) |
target.port |
|
service (array[string] - set[string]) |
target.application |
The service log field is mapped to target.application UDM field when index value in service is equal to 0 .
For every other index value, target.labels.key UDM field is set to service and service log field is mapped to the target.labels.value . |
viz_stat (string) |
about.labels [viz_stat] |
|
c2s_viz.size (integer - count) |
about.labels [c2s_viz_size] |
|
c2s_viz.enc_dev (number - double) |
about.labels [c2s_viz_enc_dev] |
|
c2s_viz.enc_frac (number - double) |
about.labels [c2s_viz_enc_frac] |
|
c2s_viz.pdu1_enc (boolean - bool) |
about.labels [c2s_viz_pdu1_enc] |
|
c2s_viz.clr_frac (number - double) |
about.labels [c2s_viz_clr_frac] |
|
c2s_viz.clr_ex (string) |
about.labels [c2s_viz_clr_ex] |
|
s2c_viz.size (integer - count) |
about.labels [s2c_viz_size] |
|
s2c_viz.enc_dev (number - double) |
about.labels [s2c_viz_enc_dev] |
|
s2c_viz.enc_frac (number - double) |
about.labels [s2c_viz_enc_frac] |
|
s2c_viz.pdu1_enc (boolean - bool) |
about.labels [s2c_viz_pdu1_enc] |
|
s2c_viz.clr_frac (number - double) |
about.labels [s2c_viz_clr_frac] |
|
s2c_viz.clr_ex (string) |
about.labels [s2c_viz_clr_ex] |
필드 매핑 참조: CORELIGHT - ftp
다음 표에는 ftp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_FTP . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
user (string) |
principal.user.user_display_name |
|
password (string) |
extensions.auth.auth_details |
|
command (string), arg (string) |
network.ftp.command |
The network.ftp.command UDM field is set with command , arg log fields as "command arg ". |
mime_type (string) |
target.file.mime_type |
|
file_size (integer - count) |
target.file.size |
|
reply_code (integer - count) |
about.labels [reply_code] |
|
reply_msg (string) |
about.labels [reply_msg] |
|
data_channel.passive (boolean - bool) |
about.labels [data_channel_passive] |
|
data_channel.orig_h (string - addr) |
principal.ip |
|
data_channel.resp_h (string - addr) |
target.ip |
|
data_channel.resp_p (integer - port) |
target.labels [data_channel_resp_p] |
|
fuid (string) |
about.labels [fuid] |
필드 매핑 참조: CORELIGHT - generic_dns_tunnels
다음 표에는 generic_dns_tunnels
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS . |
|
dns_client (string - addr) |
principal.ip |
|
domain (string) |
network.dns_domain |
|
domain (string) |
network.dns.questions.name |
|
bytes (integer - int) |
about.labels [bytes] |
|
capture_secs (number - interval) |
about.labels [capture_secs] |
필드 매핑 참조: CORELIGHT - generic_icmp_tunnels
다음 표에는 generic_icmp_tunnels
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to ICMP . |
|
detection (string) |
security_result.detection_fields [detection] |
|
orig (string - addr) |
principal.ip |
|
resp (string - addr) |
target.ip |
|
id (integer - count) |
about.labels [id] |
|
seq (integer - count) |
about.labels [seq] |
|
bytes (integer - count) |
about.labels [bytes] |
|
payload_len (integer - count) |
about.labels [payload_len] |
|
payload (string) |
about.labels [payload] |
필드 매핑 참조: CORELIGHT - icmp_specific_tunnels
다음 표에는 icmp_specific_tunnels
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.ip_protocol |
The network.ip_protocol UDM field is set to ICMP . |
|
start_time (time) |
about.labels [start_time] |
|
duration (number - interval) |
network.session_duration |
|
tunnel (string) |
intermediary.labels [tunnel] |
|
seq (integer - count) |
about.labels [seq] |
|
icmp_id (integer - count) |
about.labels [icmp_id] |
|
payload (string) |
about.labels [payload] |
필드 매핑 참조: CORELIGHT - ipsec
다음 표에는 ipsec
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
initiator_spi (string) |
principal.labels [initiator_spi] |
|
responder_spi (string) |
target.labels [responder_spi] |
|
maj_ver (integer - count) |
about.labels [maj_ver] |
|
min_ver (integer - count) |
about.labels [min_ver] |
|
exchange_type (integer - count) |
about.labels [exchange_type] |
|
flag_e (boolean - bool) |
about.labels [flag_e] |
|
flag_c (boolean - bool) |
about.labels [flag_c] |
|
flag_a (boolean - bool) |
about.labels [flag_a] |
|
flag_i (boolean - bool) |
about.labels [flag_i] |
|
flag_v (boolean - bool) |
about.labels [flag_v] |
|
flag_r (boolean - bool) |
about.labels [flag_r] |
|
message_id (integer - count) |
about.labels [message_id] |
|
vendor_ids (array[string] - vector of string) |
about.labels [vendor_id] |
|
notify_messages (array[string] - vector of string) |
about.labels [notify_message] |
|
transforms (array[string] - vector of string) |
about.labels [transform] |
|
ke_dh_groups (array[integer] - vector of count) |
about.labels [ke_dh_group] |
|
proposals (array[integer] - vector of count) |
about.labels [proposal] |
|
protocol_id (integer - count) |
about.labels [protocol_id] |
|
certificates (array[string] - vector of string) |
about.labels [certificate] |
|
transform_attributes (array[string] - vector of string) |
about.labels [transform_attribute] |
|
length (integer - count) |
about.labels [length] |
|
hash (string) |
about.labels [hash] |
|
doi (integer - count) |
about.labels [doi] |
|
situation (string) |
about.labels [situation] |
필드 매핑 참조: CORELIGHT - profinet
다음 표에는 profinet
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
operation_type (string) |
about.labels [operation_type] |
|
block_version (string) |
about.labels [block_version] |
|
slot_number (integer - count) |
about.labels [slot_number] |
|
subslot_number (integer - count) |
about.labels [subslot_number] |
|
index (string) |
about.labels [index] |
필드 매핑 참조: CORELIGHT - profinet_dce_rpc
다음 표에는 profinet_dce_rpc
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DCERPC . |
|
version (integer - count) |
about.labels [version] |
|
packet_type (integer - count) |
about.labels [packet_type] |
|
object_uuid (string) |
about.labels [object_uuid] |
|
interface_uuid (string) |
about.labels [interface_uuid] |
|
activity_uuid (string) |
about.labels [activity_uuid] |
|
server_boot_time (integer - count) |
about.labels [server_boot_time] |
|
operation (string) |
about.labels [operation] |
필드 매핑 참조: CORELIGHT - profinet_debug
다음 표에는 profinet_debug
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
raw_data (string) |
about.labels [raw_data] |
필드 매핑 참조: CORELIGHT - rfb
다음 표에는 rfb
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
client_major_version (string) |
principal.labels [client_major_version] |
|
client_minor_version (string) |
principal.labels [client_minor_version] |
|
server_major_version (string) |
target.labels [server_major_version] |
|
server_minor_version (string) |
target.labels [server_minor_version] |
|
authentication_method (string) |
extension.auth.mechanism |
If the authentication_method log field value is equal to VNC , then the extension.auth.mechanism UDM field is set to REMOTE_INTERACTIVE .Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER . |
authentication_method (string) |
extension.auth.auth_details |
|
auth (boolean - bool) |
security_result.action |
If the auth log field value is equal to true , then the security_result.action UDM field is set to ALLOW .Else, the security_result.action UDM field is set to FAIL . |
share_flag (boolean - bool) |
about.labels [share_flag] |
|
desktop_name (string) |
principal.labels [desktop_name] |
|
width (integer - count) |
principal.labels [width] |
|
height (integer - count) |
principal.labels [height] |
필드 매핑 참조: CORELIGHT - known_certs
다음 표에는 known_certs
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE . |
|
entity.resource.resource_subtype |
The entity.resource.resource_subtype UDM field is set to CERTIFICATE . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
hash (string) |
entity.resource.attribute.labels [hash] |
|
port (integer - port) |
entity.port |
|
protocol (string - enum) |
entity.labels [protocol] |
|
serial (string) |
entity.resource.attribute.labels [serial] |
|
subject (string) |
entity.resource.attribute.labels [subject] |
|
issuer_subject (string) |
entity.resource.attribute.labels [issuer_subject] |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_devices
다음 표에는 known_devices
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE . |
|
ts (time) |
metadata.interval.start_time |
|
ts (time) |
entity.asset.first_seen_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.asset.ip |
|
mac (string) |
entity.asset.mac |
|
vendor_mac (string) |
entity.asset.hardware.manufacturer |
|
protocols (array[string] - set[string]) |
entity.labels [protocol] |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_domains
다음 표에는 known_domains
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to DOMAIN_NAME . |
|
ts (time) |
metadata.interval.start_time |
|
ts (time) |
entity.domain.first_seen_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
domain (string) |
entity.domain.name |
|
protocols (array[string] - set[string]) |
entity.labels [protocol] |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_hosts
다음 표에는 known_hosts
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to IP_ADDRESS . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
conns_opened (integer - count) |
metadata.threat.detection_fields [conns_opened] |
|
conns_closed (integer - count) |
metadata.threat.detection_fields [conns_closed] |
|
conns_pending (integer - count) |
metadata.threat.detection_fields [conns_pending] |
|
long_conns (integer - count) |
metadata.threat.detection_fields [long_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_names
다음 표에는 known_names
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
hostname (string) |
entity.hostname |
|
protocols (array[string] - set[string]) |
entity.labels [protocol] |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_remotes
다음 표에는 known_remotes
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to IP_ADDRESS . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
필드 매핑 참조: CORELIGHT - known_services
다음 표에는 known_services
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
port (integer - port) |
entity.port |
|
protocol (string - enum) |
entity.labels [protocol] |
|
service (array[string] - vector of string) |
entity.labels [service] |
|
software (array[string] - set[string]) |
entity.asset.software.name |
|
app (array[string] - set[string]) |
entity.application |
The app log field is mapped to entity.application UDM field when index value in app is equal to 0 .
For every other index value, entity.labels.key UDM field is set to app and app log field is mapped to the entity.labels.value . |
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - known_users
다음 표에는 known_users
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
metadata.entity_type |
The metadata.entity_type UDM field is set to RESOURCE . |
|
ts (time) |
metadata.interval.start_time |
|
duration (number - interval) |
entity.labels [duration] |
|
kuid (string) |
entity.labels [kuid] |
|
host_ip (string - addr) |
entity.ip |
|
remote_ip (string - addr) |
entity.ip |
|
user (string) |
entity.user.user_display_name |
|
protocol (string) |
entity.labels [protocol] |
|
num_conns (integer - count) |
metadata.threat.detection_fields [num_conns] |
|
annotations (array[string] - vector of string) |
metadata.threat.detection_fields [annotations] |
|
last_active_session (string) |
entity.labels [last_active_session] |
|
last_active_interval (number - interval) |
entity.labels [last_active_interval] |
필드 매핑 참조: CORELIGHT - s7comm
다음 표에는 s7comm
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Zeek . |
|
rosctr (string) |
about.labels [rosctr] |
|
parameter (array[string] - vector of string) |
about.labels [parameter] |
|
item_count (integer - count) |
about.labels [item_count] |
|
data_info (array[string] - vector of string) |
about.labels [data_info] |
필드 매핑 참조: CORELIGHT - smartpcap
다음 표에는 smartpcap
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Smartpcap . |
|
logstr (string) |
metadata.description |
필드 매핑 참조: CORELIGHT - snmp
다음 표에는 snmp
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
duration (number - interval) |
network.session_duration |
|
version (string) |
network.application_protocol_version |
|
community (string) |
about.labels [community] |
|
get_requests (integer - count) |
about.labels [get_requests] |
|
get_bulk_requests (integer - count) |
about.labels [get_bulk_requests] |
|
get_responses (integer - count) |
about.labels [get_responses] |
|
set_requests (integer - count) |
about.labels [set_requests] |
|
display_string (string) |
about.labels [display_string] |
|
up_since (time) |
about.labels [up_since] |
필드 매핑 참조: CORELIGHT - socks
다음 표에는 socks
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
version (integer - count) |
about.labels [version] |
|
user (string) |
principal.user.userid |
|
password (string) |
extensions.auth.auth_details |
|
status (string) |
about.labels [status] |
|
request.host (string - addr) |
target.ip |
|
request.name (string) |
target.hostname |
|
request_p (integer - port) |
target.labels [request_p] |
|
bound.host (string - addr) |
intermediary.ip |
|
bound.name (string) |
intermediary.hostname |
|
bound_p (integer - port) |
intermediary.port |
필드 매핑 참조: CORELIGHT - software
다음 표에는 software
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
host (string - addr) |
target.asset.ip |
|
host_p (integer - port) |
target.port |
|
software_type (string - enum) |
target.asset.software.description |
|
name (string) |
target.asset.software.name |
|
version.major (integer - count) |
target.asset.software.version |
|
version.minor (integer - count) |
target.asset.attribute.labels [version_minor] |
|
version.minor2 (integer - count) |
target.asset.attribute.labels [version_minor2] |
|
version.minor3 (integer - count) |
target.asset.attribute.labels [version_minor3] |
|
version.addl (string) |
target.asset.attribute.labels [version_addl] |
|
unparsed_version (string) |
target.asset.attribute.labels [unparsed_version] |
필드 매핑 참조: CORELIGHT - specific_dns_tunnels
다음 표에는 specific_dns_tunnels
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_DNS . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
network.application_protocol |
The network.application_protocol UDM field is set to DNS . |
|
trans_id (integer - count) |
network.dns.id |
|
dns_client (string - addr) |
principal.ip |
|
resolver (string - addr) |
target.ip |
|
query (string) |
network.dns.questions.name |
|
program (string - enum) |
principal.application |
|
session_id (integer - count) |
network.session_id |
|
detection (string) |
security_result.detection_fields [detection] |
|
sods_id (integer - count) |
about.labels [sods_id] |
필드 매핑 참조: CORELIGHT - stepping
다음 표에는 stepping
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
dt (number - interval) |
about.labels [dt] |
|
uid1 (string) |
about.labels [uid1] |
|
uid2 (string) |
about.labels [uid2] |
|
direct (boolean - bool) |
about.labels [direct] |
|
client1_h (string - addr) |
principal.ip |
|
client1_p (integer - port) |
principal.port |
|
server1_h (string - addr) |
target.ip |
|
server1_p (integer - port) |
target.port |
|
client2_h (string - addr) |
principal.ip |
|
client2_p (integer - port) |
principal.labels [client2_p] |
|
server2_h (string - addr) |
target.labels [server2_h] |
|
server2_p (integer - port) |
target.labels [server2_p] |
필드 매핑 참조: CORELIGHT - stun
다음 표에는 stun
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
is_orig (boolean - bool) |
about.labels [is_orig] |
|
trans_id (string) |
network.session_id |
|
method (string) |
about.labels [method] |
|
class (string) |
about.labels [class] |
|
attr_types (array[string] - vector of string) |
about.labels.key |
|
attr_vals (array[string] - vector of string) |
about.labels.value |
필드 매핑 참조: CORELIGHT - stun_nat
다음 표에는 stun_nat
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION . |
|
metadata.product_name |
The metadata.product_name UDM field is set to zeek . |
|
proto (string - enum) |
network.ip_protocol |
|
is_orig (boolean - bool) |
about.labels [is_orig] |
|
wan_addrs (array[string] - vector of addr) |
principal.nat_ip |
|
wan_ports (array[integer] - vector of count) |
principal.nat_port |
The wan_ports log field is mapped to principal.nat_port UDM field when index value in wan_ports is equal to 0 . For every other index value, principal.labels.key UDM field is set to wan_port and wan_ports log field is mapped to the principal.labels.value .
|
lan_addrs (array[string] - vector of addr) |
principal.ip |
필드 매핑 참조: CORELIGHT - suricata_stats
다음 표에는 suricata_stats
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
metadata.product_name |
The metadata.product_name UDM field is set to Suricata . |
|
raw_mgmt |
about.labels [raw_mgmt] |
|
timestamp(time) |
metadata.event_timestamp |
|
event_type(string) |
about.labels [event_type] |
|
stats.uptime(integer) |
about.labels [stats_uptime] |
|
stats.napa_total.pkts(integer) |
about.labels [stats_napa_total_pkts] |
|
stats.napa_total.byte(integer) |
about.labels [stats_napa_total_byte] |
|
stats.napa_total.overflow_drop_pkts(integer) |
about.labels [stats_napa_total_overflow_drop_pkts] |
|
stats.napa_total.overflow_drop_byte(integer) |
about.labels [stats_napa_total_overflow_drop_byte] |
|
stats.napa_dispatch_host.pkts(integer) |
about.labels [stats_napa_dispatch_host_pkts] |
|
stats.napa_dispatch_host.byte(integer) |
about.labels [stats_napa_dispatch_host_byte] |
|
stats.napa_dispatch_drop.pkts(integer) |
about.labels [stats_napa_dispatch_drop_pkts] |
|
stats.napa_dispatch_drop.byte(integer) |
about.labels [stats_napa_dispatch_drop_byte] |
|
stats.decoder.pkts(integer) |
about.labels [stats_decoder_pkts] |
|
stats.decoder.bytes(integer) |
about.labels [stats_decoder_bytes] |
|
stats.decoder.invalid(integer) |
about.labels [stats_decoder_invalid] |
|
stats.decoder.ipv4(integer) |
about.labels [stats_decoder_ipv4] |
|
stats.decoder.ipv6(integer) |
about.labels [stats_decoder_ipv6] |
|
stats.decoder.ethernet(integer) |
about.labels [stats_decoder_ethernet] |
|
stats.decoder.chdlc(integer) |
about.labels [stats_decoder_chdlc] |
|
stats.decoder.raw(integer) |
about.labels [stats_decoder_raw] |
|
stats.decoder.null(integer) |
about.labels [stats_decoder_null] |
|
stats.decoder.sll(integer) |
about.labels [stats_decoder_sll] |
|
stats.decoder.tcp(integer) |
about.labels [stats_decoder_tcp] |
|
stats.decoder.udp(integer) |
about.labels [stats_decoder_udp] |
|
stats.decoder.sctp(integer) |
about.labels [stats_decoder_sctp] |
|
stats.decoder.icmpv4(integer) |
about.labels [stats_decoder_icmpv4] |
|
stats.decoder.icmpv6(integer) |
about.labels [stats_decoder_icmpv6] |
|
stats.decoder.ppp(integer) |
about.labels [stats_decoder_ppp] |
|
stats.decoder.pppoe(integer) |
about.labels [stats_decoder_pppoe] |
|
stats.decoder.geneve(integer) |
about.labels [stats_decoder_geneve] |
|
stats.decoder.gre(integer) |
about.labels [stats_decoder_gre] |
|
stats.decoder.vlan(integer) |
about.labels [stats_decoder_vlan] |
|
stats.decoder.vlan_qinq(integer) |
about.labels [stats_decoder_vlan_qinq] |
|
stats.decoder.vxlan(integer) |
about.labels [stats_decoder_vxlan] |
|
stats.decoder.vntag(integer) |
about.labels [stats_decoder_vntag] |
|
stats.decoder.ieee8021ah(integer) |
about.labels [stats_decoder_ieee8021ah] |
|
stats.decoder.teredo(integer) |
about.labels [stats_decoder_teredo] |
|
stats.decoder.ipv4_in_ipv6(integer) |
about.labels [stats_decoder_ipv4_in_ipv6] |
|
stats.decoder.ipv6_in_ipv6(integer) |
about.labels [stats_decoder_ipv6_in_ipv6] |
|
stats.decoder.mpls(integer) |
about.labels [stats_decoder_mpls] |
|
stats.decoder.avg_pkt_size(integer) |
about.labels [stats_decoder_avg_pkt_size] |
|
stats.decoder.max_pkt_size(integer) |
about.labels [stats_decoder_max_pkt_size] |
|
stats.decoder.max_mac_addrs_src(integer) |
about.labels [stats_decoder_max_mac_addrs_src] |
|
stats.decoder.max_mac_addrs_dst(integer) |
about.labels [stats_decoder_max_mac_addrs_dst] |
|
stats.decoder.erspan(integer) |
about.labels [stats_decoder_erspan] |
|
stats.decoder.event.ipv4.pkt_too_small(integer) |
about.labels [stats_decoder_event_ipv4_pkt_too_small] |
|
stats.decoder.event.ipv4.hlen_too_small(integer) |
about.labels [stats_decoder_event_ipv4_hlen_too_small] |
|
stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer) |
about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen] |
|
stats.decoder.event.ipv4.trunc_pkt(integer) |
about.labels [stats_decoder_event_ipv4_trunc_pkt] |
|
stats.decoder.event.ipv4.opt_invalid(integer) |
about.labels [stats_decoder_event_ipv4_opt_invalid] |
|
stats.decoder.event.ipv4.opt_invalid_len(integer) |
about.labels [stats_decoder_event_ipv4_opt_invalid_len] |
|
stats.decoder.event.ipv4.opt_malformed(integer) |
about.labels [stats_decoder_event_ipv4_opt_malformed] |
|
stats.decoder.event.ipv4.opt_pad_required(integer) |
about.labels [stats_decoder_event_ipv4_opt_pad_required] |
|
stats.decoder.event.ipv4.opt_eol_required(integer) |
about.labels [stats_decoder_event_ipv4_opt_eol_required] |
|
stats.decoder.event.ipv4.opt_duplicate(integer) |
about.labels [stats_decoder_event_ipv4_opt_duplicate] |
|
stats.decoder.event.ipv4.opt_unknown(integer) |
about.labels [stats_decoder_event_ipv4_opt_unknown] |
|
stats.decoder.event.ipv4.wrong_ip_version(integer) |
about.labels [stats_decoder_event_ipv4_wrong_ip_version] |
|
stats.decoder.event.ipv4.icmpv6(integer) |
about.labels [stats_decoder_event_ipv4_icmpv6] |
|
stats.decoder.event.ipv4.frag_pkt_too_large(integer) |
about.labels [stats_decoder_event_ipv4_frag_pkt_too_large] |
|
stats.decoder.event.ipv4.frag_overlap(integer) |
about.labels [stats_decoder_event_ipv4_frag_overlap] |
|
stats.decoder.event.ipv4.frag_ignored(integer) |
about.labels [stats_decoder_event_ipv4_frag_ignored] |
|
stats.decoder.event.icmpv4.pkt_too_small(integer) |
about.labels [stats_decoder_event_icmpv4_pkt_too_small] |
|
stats.decoder.event.icmpv4.unknown_type(integer) |
about.labels [stats_decoder_event_icmpv4_unknown_type] |
|
stats.decoder.event.icmpv4.unknown_code(integer) |
about.labels [stats_decoder_event_icmpv4_unknown_code] |
|
stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer) |
about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt] |
|
stats.decoder.event.icmpv4.ipv4_unknown_ver(integer) |
about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver] |
|
stats.decoder.event.icmpv6.unknown_type(integer) |
about.labels [stats_decoder_event_icmpv6_unknown_type] |
|
stats.decoder.event.icmpv6.unknown_code(integer) |
about.labels [stats_decoder_event_icmpv6_unknown_code] |
|
stats.decoder.event.icmpv6.pkt_too_small(integer) |
about.labels [stats_decoder_event_icmpv6_pkt_too_small] |
|
stats.decoder.event.icmpv6.ipv6_unknown_version(integer) |
about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version] |
|
stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer) |
about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt] |
|
stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer) |
about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl] |
|
stats.decoder.event.icmpv6.unassigned_type(integer) |
about.labels [stats_decoder_event_icmpv6_unassigned_type] |
|
stats.decoder.event.icmpv6.experimentation_type(integer) |
about.labels [stats_decoder_event_icmpv6_experimentation_type] |
|
stats.decoder.event.ipv6.pkt_too_small(integer) |
about.labels [stats_decoder_event_ipv6_pkt_too_small] |
|
stats.decoder.event.ipv6.trunc_pkt(integer) |
about.labels [stats_decoder_event_ipv6_trunc_pkt] |
|
stats.decoder.event.ipv6.trunc_exthdr(integer) |
about.labels [stats_decoder_event_ipv6_trunc_exthdr] |
|
stats.decoder.event.ipv6.exthdr_dupl_fh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh] |
|
stats.decoder.event.ipv6.exthdr_useless_fh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_useless_fh] |
|
stats.decoder.event.ipv6.exthdr_dupl_rh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh] |
|
stats.decoder.event.ipv6.exthdr_dupl_hh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh] |
|
stats.decoder.event.ipv6.exthdr_dupl_dh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh] |
|
stats.decoder.event.ipv6.exthdr_dupl_ah(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah] |
|
stats.decoder.event.ipv6.exthdr_dupl_eh(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh] |
|
stats.decoder.event.ipv6.exthdr_invalid_optlen(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen] |
|
stats.decoder.event.ipv6.wrong_ip_version(integer) |
about.labels [stats_decoder_event_ipv6_wrong_ip_version] |
|
stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer) |
about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null] |
|
stats.decoder.event.ipv6.hopopts_unknown_opt(integer) |
about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt] |
|
stats.decoder.event.ipv6.hopopts_only_padding(integer) |
about.labels [stats_decoder_event_ipv6_hopopts_only_padding] |
|
stats.decoder.event.ipv6.dstopts_unknown_opt(integer) |
about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt] |
|
stats.decoder.event.ipv6.dstopts_only_padding(integer) |
about.labels [stats_decoder_event_ipv6_dstopts_only_padding] |
|
stats.decoder.event.ipv6.rh_type_0(integer) |
about.labels [stats_decoder_event_ipv6_rh_type_0] |
|
stats.decoder.event.ipv6.zero_len_padn(integer) |
about.labels [stats_decoder_event_ipv6_zero_len_padn] |
|
stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer) |
about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field] |
|
stats.decoder.event.ipv6.data_after_none_header(integer) |
about.labels [stats_decoder_event_ipv6_data_after_none_header] |
|
stats.decoder.event.ipv6.unknown_next_header(integer) |
about.labels [stats_decoder_event_ipv6_unknown_next_header] |
|
stats.decoder.event.ipv6.icmpv4(integer) |
about.labels [stats_decoder_event_ipv6_icmpv4] |
|
stats.decoder.event.ipv6.frag_pkt_too_large(integer) |
about.labels [stats_decoder_event_ipv6_frag_pkt_too_large] |
|
stats.decoder.event.ipv6.frag_overlap(integer) |
about.labels [stats_decoder_event_ipv6_frag_overlap] |
|
stats.decoder.event.ipv6.frag_invalid_length(integer) |
about.labels [stats_decoder_event_ipv6_frag_invalid_length] |
|
stats.decoder.event.ipv6.frag_ignored(integer) |
about.labels [stats_decoder_event_ipv6_frag_ignored] |
|
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer) |
about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small] |
|
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer) |
about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version] |
|
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer) |
about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small] |
|
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer) |
about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version] |
|
stats.decoder.event.tcp.pkt_too_small(integer) |
about.labels [stats_decoder_event_tcp_pkt_too_small] |
|
stats.decoder.event.tcp.hlen_too_small(integer) |
about.labels [stats_decoder_event_tcp_hlen_too_small] |
|
stats.decoder.event.tcp.invalid_optlen(integer) |
about.labels [stats_decoder_event_tcp_invalid_optlen] |
|
stats.decoder.event.tcp.opt_invalid_len(integer) |
about.labels [stats_decoder_event_tcp_opt_invalid_len] |
|
stats.decoder.event.tcp.opt_duplicate(integer) |
about.labels [stats_decoder_event_tcp_opt_duplicate] |
|
stats.decoder.event.udp.pkt_too_small(integer) |
about.labels [stats_decoder_event_udp_pkt_too_small] |
|
stats.decoder.event.udp.hlen_too_small(integer) |
about.labels [stats_decoder_event_udp_hlen_too_small] |
|
stats.decoder.event.udp.hlen_invalid(integer) |
about.labels [stats_decoder_event_udp_hlen_invalid] |
|
stats.decoder.event.udp.len_invalid(integer) |
about.labels [stats_decoder_event_udp_len_invalid] |
|
stats.decoder.event.sll.pkt_too_small(integer) |
about.labels [stats_decoder_event_sll_pkt_too_small] |
|
stats.decoder.event.ethernet.pkt_too_small(integer) |
about.labels [stats_decoder_event_ethernet_pkt_too_small] |
|
stats.decoder.event.ppp.pkt_too_small(integer) |
about.labels [stats_decoder_event_ppp_pkt_too_small] |
|
stats.decoder.event.ppp.vju_pkt_too_small(integer) |
about.labels [stats_decoder_event_ppp_vju_pkt_too_small] |
|
stats.decoder.event.ppp.ip4_pkt_too_small(integer) |
about.labels [stats_decoder_event_ppp_ip4_pkt_too_small] |
|
stats.decoder.event.ppp.ip6_pkt_too_small(integer) |
about.labels [stats_decoder_event_ppp_ip6_pkt_too_small] |
|
stats.decoder.event.ppp.wrong_type(integer) |
about.labels [stats_decoder_event_ppp_wrong_type] |
|
stats.decoder.event.ppp.unsup_proto(integer) |
about.labels [stats_decoder_event_ppp_unsup_proto] |
|
stats.decoder.event.pppoe.pkt_too_small(integer) |
about.labels [stats_decoder_event_pppoe_pkt_too_small] |
|
stats.decoder.event.pppoe.wrong_code(integer) |
about.labels [stats_decoder_event_pppoe_wrong_code] |
|
stats.decoder.event.pppoe.malformed_tags(integer) |
about.labels [stats_decoder_event_pppoe_malformed_tags] |
|
stats.decoder.event.gre.pkt_too_small(integer) |
about.labels [stats_decoder_event_gre_pkt_too_small] |
|
stats.decoder.event.gre.wrong_version(integer) |
about.labels [stats_decoder_event_gre_wrong_version] |
|
stats.decoder.event.gre.version0_recur(integer) |
about.labels [stats_decoder_event_gre_version0_recur] |
|
stats.decoder.event.gre.version0_flags(integer) |
about.labels [stats_decoder_event_gre_version0_flags] |
|
stats.decoder.event.gre.version0_hdr_too_big(integer) |
about.labels [stats_decoder_event_gre_version0_hdr_too_big] |
|
stats.decoder.event.gre.version0_malformed_sre_hdr(integer) |
about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr] |
|
stats.decoder.event.gre.version1_chksum(integer) |
about.labels [stats_decoder_event_gre_version1_chksum] |
|
stats.decoder.event.gre.version1_route(integer) |
about.labels [stats_decoder_event_gre_version1_route] |
|
stats.decoder.event.gre.version1_ssr(integer) |
about.labels [stats_decoder_event_gre_version1_ssr] |
|
stats.decoder.event.gre.version1_recur(integer) |
about.labels [stats_decoder_event_gre_version1_recur] |
|
stats.decoder.event.gre.version1_flags(integer) |
about.labels [stats_decoder_event_gre_version1_flags] |
|
stats.decoder.event.gre.version1_no_key(integer) |
about.labels [stats_decoder_event_gre_version1_no_key] |
|
stats.decoder.event.gre.version1_wrong_protocol(integer) |
about.labels [stats_decoder_event_gre_version1_wrong_protocol] |
|
stats.decoder.event.gre.version1_malformed_sre_hdr(integer) |
about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr] |
|
stats.decoder.event.gre.version1_hdr_too_big(integer) |
about.labels [stats_decoder_event_gre_version1_hdr_too_big] |
|
stats.decoder.event.vlan.header_too_small(integer) |
about.labels [stats_decoder_event_vlan_header_too_small] |
|
stats.decoder.event.vlan.unknown_type(integer) |
about.labels [stats_decoder_event_vlan_unknown_type] |
|
stats.decoder.event.vlan.too_many_layers(integer) |
about.labels [stats_decoder_event_vlan_too_many_layers] |
|
stats.decoder.event.ieee8021ah.header_too_small(integer) |
about.labels [stats_decoder_event_ieee8021ah_header_too_small] |
|
stats.decoder.event.vntag.header_too_small(integer) |
about.labels [stats_decoder_event_vntag_header_too_small] |
|
stats.decoder.event.vntag.unknown_type(integer) |
about.labels [stats_decoder_event_vntag_unknown_type] |
|
stats.decoder.event.ipraw.invalid_ip_version(integer) |
about.labels [stats_decoder_event_ipraw_invalid_ip_version] |
|
stats.decoder.event.ltnull.pkt_too_small(integer) |
about.labels [stats_decoder_event_ltnull_pkt_too_small] |
|
stats.decoder.event.ltnull.unsupported_type(integer) |
about.labels [stats_decoder_event_ltnull_unsupported_type] |
|
stats.decoder.event.sctp.pkt_too_small(integer) |
about.labels [stats_decoder_event_sctp_pkt_too_small] |
|
stats.decoder.event.mpls.header_too_small(integer) |
about.labels [stats_decoder_event_mpls_header_too_small] |
|
stats.decoder.event.mpls.pkt_too_small(integer) |
about.labels [stats_decoder_event_mpls_pkt_too_small] |
|
stats.decoder.event.mpls.bad_label_router_alert(integer) |
about.labels [stats_decoder_event_mpls_bad_label_router_alert] |
|
stats.decoder.event.mpls.bad_label_implicit_null(integer) |
about.labels [stats_decoder_event_mpls_bad_label_implicit_null] |
|
stats.decoder.event.mpls.bad_label_reserved(integer) |
about.labels [stats_decoder_event_mpls_bad_label_reserved] |
|
stats.decoder.event.mpls.unknown_payload_type(integer) |
about.labels [stats_decoder_event_mpls_unknown_payload_type] |
|
stats.decoder.event.vxlan.unknown_payload_type(integer) |
about.labels [stats_decoder_event_vxlan_unknown_payload_type] |
|
stats.decoder.event.geneve.unknown_payload_type(integer) |
about.labels [stats_decoder_event_geneve_unknown_payload_type] |
|
stats.decoder.event.erspan.header_too_small(integer) |
about.labels [stats_decoder_event_erspan_header_too_small] |
|
stats.decoder.event.erspan.unsupported_version(integer) |
about.labels [stats_decoder_event_erspan_unsupported_version] |
|
stats.decoder.event.erspan.too_many_vlan_layers(integer) |
about.labels [stats_decoder_event_erspan_too_many_vlan_layers] |
|
stats.decoder.event.dce.pkt_too_small(integer) |
about.labels [stats_decoder_event_dce_pkt_too_small] |
|
stats.decoder.event.chdlc.pkt_too_small(integer) |
about.labels [stats_decoder_event_chdlc_pkt_too_small] |
|
stats.decoder.too_many_layers(integer) |
about.labels [stats_decoder_too_many_layers] |
|
stats.flow.memcap(integer) |
about.labels [stats_flow_memcap] |
|
stats.flow.tcp(integer) |
about.labels [stats_flow_tcp] |
|
stats.flow.udp(integer) |
about.labels [stats_flow_udp] |
|
stats.flow.icmpv4(integer) |
about.labels [stats_flow_icmpv4] |
|
stats.flow.icmpv6(integer) |
about.labels [stats_flow_icmpv6] |
|
stats.flow.tcp_reuse(integer) |
about.labels [stats_flow_tcp_reuse] |
|
stats.flow.get_used(integer) |
about.labels [stats_flow_get_used] |
|
stats.flow.get_used_eval(integer) |
about.labels [stats_flow_get_used_eval] |
|
stats.flow.get_used_eval_reject(integer) |
about.labels [stats_flow_get_used_eval_reject] |
|
stats.flow.get_used_eval_busy(integer) |
about.labels [stats_flow_get_used_eval_busy] |
|
stats.flow.get_used_failed(integer) |
about.labels [stats_flow_get_used_failed] |
|
stats.flow.wrk.spare_sync_avg(integer) |
about.labels [stats_flow_wrk_spare_sync_avg] |
|
stats.flow.wrk.spare_sync(integer) |
about.labels [stats_flow_wrk_spare_sync] |
|
stats.flow.wrk.spare_sync_incomplete(integer) |
about.labels [stats_flow_wrk_spare_sync_incomplete] |
|
stats.flow.wrk.spare_sync_empty(integer) |
about.labels [stats_flow_wrk_spare_sync_empty] |
|
stats.flow.wrk.flows_evicted_needs_work(integer) |
about.labels [stats_flow_wrk_flows_evicted_needs_work] |
|
stats.flow.wrk.flows_evicted_pkt_inject(integer) |
about.labels [stats_flow_wrk_flows_evicted_pkt_inject] |
|
stats.flow.wrk.flows_evicted(integer) |
about.labels [stats_flow_wrk_flows_evicted] |
|
stats.flow.wrk.flows_injected(integer) |
about.labels [stats_flow_wrk_flows_injected] |
|
stats.flow.mgr.full_hash_pass(integer) |
about.labels [stats_flow_mgr_full_hash_pass] |
|
stats.flow.mgr.closed_pruned(integer) |
about.labels [stats_flow_mgr_closed_pruned] |
|
stats.flow.mgr.new_pruned(integer) |
about.labels [stats_flow_mgr_new_pruned] |
|
stats.flow.mgr.est_pruned(integer) |
about.labels [stats_flow_mgr_est_pruned] |
|
stats.flow.mgr.bypassed_pruned(integer) |
about.labels [stats_flow_mgr_bypassed_pruned] |
|
stats.flow.mgr.rows_maxlen(integer) |
about.labels [stats_flow_mgr_rows_maxlen] |
|
stats.flow.mgr.flows_checked(integer) |
about.labels [stats_flow_mgr_flows_checked] |
|
stats.flow.mgr.flows_notimeout(integer) |
about.labels [stats_flow_mgr_flows_notimeout] |
|
stats.flow.mgr.flows_timeout(integer) |
about.labels [stats_flow_mgr_flows_timeout] |
|
stats.flow.mgr.flows_timeout_inuse(integer) |
about.labels [stats_flow_mgr_flows_timeout_inuse] |
|
stats.flow.mgr.flows_evicted(integer) |
about.labels [stats_flow_mgr_flows_evicted] |
|
stats.flow.mgr.flows_evicted_needs_work(integer) |
about.labels [stats_flow_mgr_flows_evicted_needs_work] |
|
stats.flow.spare(integer) |
about.labels [stats_flow_spare] |
|
stats.flow.emerg_mode_entered(integer) |
about.labels [stats_flow_emerg_mode_entered] |
|
stats.flow.emerg_mode_over(integer) |
about.labels [stats_flow_emerg_mode_over] |
|
stats.flow.memuse(integer) |
about.labels [stats_flow_memuse] |
|
stats.defrag.ipv4.fragments(integer) |
about.labels [stats_defrag_ipv4_fragments] |
|
stats.defrag.ipv4.reassembled(integer) |
about.labels [stats_defrag_ipv4_reassembled] |
|
stats.defrag.ipv4.timeouts(integer) |
about.labels [stats_defrag_ipv4_timeouts] |
|
stats.defrag.ipv6.fragments(integer) |
about.labels [stats_defrag_ipv6_fragments] |
|
stats.defrag.ipv6.reassembled(integer) |
about.labels [stats_defrag_ipv6_reassembled] |
|
stats.defrag.ipv6.timeouts(integer) |
about.labels [stats_defrag_ipv6_timeouts] |
|
stats.defrag.max_frag_hits(integer) |
about.labels [stats_defrag_max_frag_hits] |
|
stats.flow_bypassed.local_pkts(integer) |
about.labels [stats_flow_bypassed_local_pkts] |
|
stats.flow_bypassed.local_bytes(integer) |
about.labels [stats_flow_bypassed_local_bytes] |
|
stats.flow_bypassed.local_capture_pkts(integer) |
about.labels [stats_flow_bypassed_local_capture_pkts] |
|
stats.flow_bypassed.local_capture_bytes(integer) |
about.labels [stats_flow_bypassed_local_capture_bytes] |
|
stats.flow_bypassed.closed(integer) |
about.labels [stats_flow_bypassed_closed] |
|
stats.flow_bypassed.pkts(integer) |
about.labels [stats_flow_bypassed_pkts] |
|
stats.flow_bypassed.bytes(integer) |
about.labels [stats_flow_bypassed_bytes] |
|
stats.tcp.sessions(integer) |
about.labels [stats_tcp_sessions] |
|
stats.tcp.ssn_memcap_drop(integer) |
about.labels [stats_tcp_ssn_memcap_drop] |
|
stats.tcp.pseudo(integer) |
about.labels [stats_tcp_pseudo] |
|
stats.tcp.pseudo_failed(integer) |
about.labels [stats_tcp_pseudo_failed] |
|
stats.tcp.invalid_checksum(integer) |
about.labels [stats_tcp_invalid_checksum] |
|
stats.tcp.no_flow(integer) |
about.labels [stats_tcp_no_flow] |
|
stats.tcp.syn(integer) |
about.labels [stats_tcp_syn] |
|
stats.tcp.synack(integer) |
about.labels [stats_tcp_synack] |
|
stats.tcp.rst(integer) |
about.labels [stats_tcp_rst] |
|
stats.tcp.midstream_pickups(integer) |
about.labels [stats_tcp_midstream_pickups] |
|
stats.tcp.pkt_on_wrong_thread(integer) |
about.labels [stats_tcp_pkt_on_wrong_thread] |
|
stats.tcp.segment_memcap_drop(integer) |
about.labels [stats_tcp_segment_memcap_drop] |
|
stats.tcp.stream_depth_reached(integer) |
about.labels [stats_tcp_stream_depth_reached] |
|
stats.tcp.reassembly_gap(integer) |
about.labels [stats_tcp_reassembly_gap] |
|
stats.tcp.overlap(integer) |
about.labels [stats_tcp_overlap] |
|
stats.tcp.overlap_diff_data(integer) |
about.labels [stats_tcp_overlap_diff_data] |
|
stats.tcp.insert_data_normal_fail(integer) |
about.labels [stats_tcp_insert_data_normal_fail] |
|
stats.tcp.insert_data_overlap_fail(integer) |
about.labels [stats_tcp_insert_data_overlap_fail] |
|
stats.tcp.insert_list_fail(integer) |
about.labels [stats_tcp_insert_list_fail] |
|
stats.tcp.memuse(integer) |
about.labels [stats_tcp_memuse] |
|
stats.tcp.reassembly_memuse(integer) |
about.labels [stats_tcp_reassembly_memuse] |
|
stats.detect.engines.id(array) |
about.labels [stats_detect_engines_id] |
|
stats.detect.engines.last_reload(array) |
about.labels [stats_detect_engines_last_reload] |
|
stats.detect.engines.rules_loaded(array) |
about.labels [stats_detect_engines_rules_loaded] |
|
stats.detect.engines.rules_failed(array) |
about.labels [stats_detect_engines_rules_failed] |
|
stats.detect.alert(integer) |
about.labels [stats_detect_alert] |
|
stats.detect.alert_queue_overflow(integer) |
about.labels [stats_detect_alert_queue_overflow] |
|
stats.detect.alerts_suppressed(integer) |
about.labels [stats_detect_alerts_suppressed] |
|
stats.app_layer.flow.http(integer) |
about.labels [stats_app_layer_flow_http] |
|
stats.app_layer.flow.ftp(integer) |
about.labels [stats_app_layer_flow_ftp] |
|
stats.app_layer.flow.smtp(integer) |
about.labels [stats_app_layer_flow_smtp] |
|
stats.app_layer.flow.tls(integer) |
about.labels [stats_app_layer_flow_tls] |
|
stats.app_layer.flow.ssh(integer) |
about.labels [stats_app_layer_flow_ssh] |
|
stats.app_layer.flow.imap(integer) |
about.labels [stats_app_layer_flow_imap] |
|
stats.app_layer.flow.smb(integer) |
about.labels [stats_app_layer_flow_smb] |
|
stats.app_layer.flow.dcerpc_tcp(integer) |
about.labels [stats_app_layer_flow_dcerpc_tcp] |
|
stats.app_layer.flow.dns_tcp(integer) |
about.labels [stats_app_layer_flow_dns_tcp] |
|
stats.app_layer.flow.nfs_tcp(integer) |
about.labels [stats_app_layer_flow_nfs_tcp] |
|
stats.app_layer.flow.ntp(integer) |
about.labels [stats_app_layer_flow_ntp] |
|
stats.app_layer.flow.ftp-data(integer) |
about.labels [stats_app_layer_flow_ftp-data] |
|
stats.app_layer.flow.tftp(integer) |
about.labels [stats_app_layer_flow_tftp] |
|
stats.app_layer.flow.ikev2(integer) |
about.labels [stats_app_layer_flow_ikev2] |
|
stats.app_layer.flow.krb5_tcp(integer) |
about.labels [stats_app_layer_flow_krb5_tcp] |
|
stats.app_layer.flow.dhcp(integer) |
about.labels [stats_app_layer_flow_dhcp] |
|
stats.app_layer.flow.rfb(integer) |
about.labels [stats_app_layer_flow_rfb] |
|
stats.app_layer.flow.rdp(integer) |
about.labels [stats_app_layer_flow_rdp] |
|
stats.app_layer.flow.failed_tcp(integer) |
about.labels [stats_app_layer_flow_failed_tcp] |
|
stats.app_layer.flow.dcerpc_udp(integer) |
about.labels [stats_app_layer_flow_dcerpc_udp] |
|
stats.app_layer.flow.dns_udp(integer) |
about.labels [stats_app_layer_flow_dns_udp] |
|
stats.app_layer.flow.nfs_udp(integer) |
about.labels [stats_app_layer_flow_nfs_udp] |
|
stats.app_layer.flow.krb5_udp(integer) |
about.labels [stats_app_layer_flow_krb5_udp] |
|
stats.app_layer.flow.failed_udp(integer) |
about.labels [stats_app_layer_flow_failed_udp] |
|
stats.app_layer.tx.http(integer) |
about.labels [stats_app_layer_tx_http] |
|
stats.app_layer.tx.ftp(integer) |
about.labels [stats_app_layer_tx_ftp] |
|
stats.app_layer.tx.smtp(integer) |
about.labels [stats_app_layer_tx_smtp] |
|
stats.app_layer.tx.tls(integer) |
about.labels [stats_app_layer_tx_tls] |
|
stats.app_layer.tx.ssh(integer) |
about.labels [stats_app_layer_tx_ssh] |
|
stats.app_layer.tx.imap(integer) |
about.labels [stats_app_layer_tx_imap] |
|
stats.app_layer.tx.smb(integer) |
about.labels [stats_app_layer_tx_smb] |
|
stats.app_layer.tx.dcerpc_tcp(integer) |
about.labels [stats_app_layer_tx_dcerpc_tcp] |
|
stats.app_layer.tx.dns_tcp(integer) |
about.labels [stats_app_layer_tx_dns_tcp] |
|
stats.app_layer.tx.nfs_tcp(integer) |
about.labels [stats_app_layer_tx_nfs_tcp] |
|
stats.app_layer.tx.ntp(integer) |
about.labels [stats_app_layer_tx_ntp] |
|
stats.app_layer.tx.ftp-data(integer) |
about.labels [stats_app_layer_tx_ftp-data] |
|
stats.app_layer.tx.tftp(integer) |
about.labels [stats_app_layer_tx_tftp] |
|
stats.app_layer.tx.ikev2(integer) |
about.labels [stats_app_layer_tx_ikev2] |
|
stats.app_layer.tx.krb5_tcp(integer) |
about.labels [stats_app_layer_tx_krb5_tcp] |
|
stats.app_layer.tx.dhcp(integer) |
about.labels [stats_app_layer_tx_dhcp] |
|
stats.app_layer.tx.rfb(integer) |
about.labels [stats_app_layer_tx_rfb] |
|
stats.app_layer.tx.rdp(integer) |
about.labels [stats_app_layer_tx_rdp] |
|
stats.app_layer.tx.dcerpc_udp(integer) |
about.labels [stats_app_layer_tx_dcerpc_udp] |
|
stats.app_layer.tx.dns_udp(integer) |
about.labels [stats_app_layer_tx_dns_udp] |
|
stats.app_layer.tx.nfs_udp(integer) |
about.labels [stats_app_layer_tx_nfs_udp] |
|
stats.app_layer.tx.krb5_udp(integer) |
about.labels [stats_app_layer_tx_krb5_udp] |
|
stats.app_layer.expectations(integer) |
about.labels [stats_app_layer_expectations] |
|
stats.http.memuse(integer) |
about.labels [stats_http_memuse] |
|
stats.http.memcap(integer) |
about.labels [stats_http_memcap] |
|
stats.ftp.memuse(integer) |
about.labels [stats_ftp_memuse] |
|
stats.ftp.memcap(integer) |
about.labels [stats_ftp_memcap] |
필드 매핑 참조: CORELIGHT - logschema
다음 표에는 logschema
로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field | UDM mapping | Logic |
---|---|---|
metadata.event_type |
The metadata.event_type UDM field is set to GENERIC_EVENT . |
|
name(string) |
about.labels [name] |
|
text(string) |
about.labels [text] |
|
schema(string) |
about.labels [schema] |
|
avro(string) |
about.labels [avro] |