Corelight-Sensor-Logs erfassen

Unterstützt in:

In diesem Dokument wird beschrieben, wie Sie Corelight-Sensor-Logs erfassen, indem Sie den Corelight-Sensor und einen Google Security Operations-Weiterleiter konfigurieren. In diesem Dokument sind auch die vom Corelight-Sensor generierten unterstützten Protokolltypen und die unterstützten Corelight-Versionen aufgeführt.

Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.

Hinweise

  • Prüfen Sie die Version des Corelight-Sensors. Der Corelight Google SecOps-Parser wurde für Version 27.12 und niedriger entwickelt. Höhere Versionen des Corelight-Sensors enthalten möglicherweise zusätzliche Protokolle, die vom Parser nicht erkannt werden. Diese Protokolle werden möglicherweise nur eingeschränkt oder gar nicht geparst. Der Inhalt der Protokolle ist jedoch weiterhin im Rohprotokollformat in Google SecOps verfügbar.
  • Alle Systeme in der Bereitstellungsarchitektur müssen mit der Zeitzone UTC konfiguriert sein.
  • Sie benötigen die Anmeldedaten für die Corelight-Dokumentation.

Bereitstellungs- und Protokollaufnahmemethoden

Das folgende Diagramm der Bereitstellungsarchitektur zeigt, wie ein Corelight-Sensor eingerichtet wird, um Protokolle mit zwei verschiedenen Datenaufnahmearchitekturen an Google Security Operations zu senden. Jede Kundenimplementierung kann von dieser Darstellung abweichen und komplexer sein.

Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument beziehen sich auf den Parser mit dem Datenaufnahmelabel CORELIGHT.

Logs mit Corelight-Exporten in Google SecOps aufnehmen

Bereitstellungsarchitektur

Das Architekturdiagramm zeigt die folgenden Komponenten:

  • Corelight-Sensor: Das System, auf dem der Corelight-Sensor ausgeführt wird.

  • Corelight-Sensor-Exporteure: Der Corelight-Sensor-Exporteur erfasst Protokolldaten vom Sensor und leitet sie an Google Security Operations weiter.

  • Google Security Operations: Google Security Operations speichert und analysiert die Protokolle des Corelight-Sensors.

Corelight-Protokoll-Exporter für Google SecOps konfigurieren

  1. Melden Sie sich als Administrator im Corelight-Sensor an.

  2. Wählen Sie den Tab Exporteure (dynamisch) und dann Google SecOps aus.

  3. Konfigurieren Sie die folgenden Eingabeparameter:

    • Name des Exporteurs: der Name des Exporteurs.
    • Google SecOps-Kundennummer: Die Kundennummer von Google SecOps.
    • Google SecOps-Namespace: Der eindeutige Namespace, der mit Google SecOps verknüpft ist und zum Organisieren und Verwalten von Daten verwendet wird.
    • Google SecOps-Labels: Eine Reihe von Schlüssel/Wert-Paaren, die die Labels darstellen.
    • Region: Die Region, in der Google SecOps bereitgestellt wird.
    • Anmeldedaten: Die Authentifizierungsdetails, die für eine sichere Verbindung und den Export von Daten zu Google SecOps erforderlich sind.
    • Proxy-URL: Die URL des Proxyservers, über den der Traffic zwischen dem Exporteur und Google SecOps weitergeleitet wird.
    • Logtypfilter: Hier können Sie angeben, ob bestimmte Logtypen ein- oder ausgeschlossen werden sollen.
    • Zeek-Protokolle: Wählen Sie aus, welche Protokolltypen ein- oder ausgeschlossen werden sollen, indem Sie alle entsprechenden Optionen auswählen.

  4. Klicken Sie auf Fertig.

Logs mit einem Weiterleiter in Google SecOps aufnehmen

Bereitstellungsarchitektur

Das Architekturdiagramm zeigt die folgenden Komponenten:

  • Corelight-Sensor: Das System, auf dem der Corelight-Sensor ausgeführt wird.

  • Corelight-Sensor-Exporteur: Der Corelight-Sensor-Exporteur erfasst Protokolldaten vom Sensor und leitet sie an den Google Security Operations-Weiterleiter weiter.

  • Google Security Operations-Weiterleitung: Der Google Security Operations-Weiterleitungsdienst ist eine schlanke Softwarekomponente, die im Netzwerk des Kunden bereitgestellt wird und syslog unterstützt. Der Google Security Operations-Weiterleiter leitet die Protokolle an Google Security Operations weiter.

  • Google Security Operations: Google Security Operations speichert und analysiert die Protokolle des Corelight-Sensors.

Google Security Operations-Weiterleitung konfigurieren

So konfigurieren Sie den Google Security Operations-Weiterleiter:

  1. Richten Sie einen Google Security Operations-Weiterleiter ein. Weitere Informationen finden Sie unter Weiterleitung unter Linux installieren und konfigurieren.

  2. Konfigurieren Sie den Google Security Operations-Weiterleiter so, dass Protokolle an Google Security Operations gesendet werden.

      collectors:
    - syslog:
        common:
          enabled: true
          data_type:  CORELIGHT
          data_hint:
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: <Chronicle forwarder listening IP:Port>
        tcp_buffer_size: 524288
        udp_address: <Chronicle forwarder listening IP:Port>
        connection_timeout_sec: 60

Corelight-Sensor-Exporter konfigurieren

  1. Melden Sie sich als Administrator im Corelight-Sensor an.
  2. Wählen Sie den Tab Export aus.
  3. Suchen Sie nach der Option EXPORT TO SYSLOG (IN SYSLOG EXPORTIEREN) und aktivieren Sie sie.
  4. Konfigurieren Sie unter EXPORT TO SYSLOG (IN SYSLOG EXPORTIEREN) die folgenden Felder:
    • SYSLOG SERVER: Geben Sie die IP-Adresse und den Port des Syslog-Listeners des Google Security Operations-Weiterleiters an.
    • Gehen Sie zu Erweiterte Einstellungen > SYSLOG-FORMAT und ändern Sie die Einstellung zu Legacy.
  5. Klicken Sie auf Änderungen übernehmen.

Unterstützte Corelight-Protokolltypen

Der Corelight-Parser unterstützt die folgenden Logtypen, die vom Corelight-Sensor generiert werden.

Log Type

  • conn
  • conn_long
  • conn_red
  • dce_rpc
  • dns
  • dns_red
  • files
  • files_red
  • http
  • http2
  • http_red
  • intel
  • irc
  • notice
  • rdp
  • sip
  • smb_files
  • smb_mapping
  • smtp
  • smtp_links
  • ssh
  • ssl
  • ssl_red
  • suricata_corelight
  • bacnet
  • cip
  • corelight_burst
  • corelight_overall_capture_loss
  • corelight_profiling
  • datared
  • dga
  • dhcp
  • dnp3
  • dpd
  • encrypted_dns
  • enip
  • enip_debug
  • enip_list_identity
  • etc_viz
  • ftp
  • generic_dns_tunnels
  • generic_icmp_tunnels
  • icmp_specific_tunnels
  • ipsec
  • iso_cotp
  • kerberos
  • known_certs
  • known_devices
  • known_domains
  • known_hosts
  • known_names
  • known_remotes
  • known_services
  • known_users
  • ldap
  • ldap_search
  • local_subnets
  • local_subnets_dj
  • local_subnets_graphs
  • log4shell
  • modbus
  • mqtt_connect
  • mqtt_publish
  • mqtt_subscribe
  • mysql
  • napatech_shunting
  • ntlm
  • ntp
  • pe
  • profinet
  • profinet_dce_rpc
  • profinet_debug
  • radius
  • reporter
  • rfb
  • s7comm
  • smartpcap
  • snmp
  • socks
  • software
  • specific_dns_tunnels
  • stepping
  • stun
  • stun_nat
  • suricata_eve
  • suricata_stats
  • syslog
  • tds
  • tds_rpc
  • tds_sql_batch
  • traceroute
  • tunnel
  • unknown-smartpcap
  • vpn
  • weird
  • weird_red
  • wireguard
  • x509
  • x509_red

Referenz für die Feldzuordnung

In diesem Abschnitt wird beschrieben, wie der Google Security Operations-Parser Corelight-Felder den Feldern des einheitlichen Datenmodells (Unified Data Model, UDM) von Google Security Operations zuordnet.

Referenz zur Feldzuordnung: CORELIGHT – Gemeinsame Felder

In der folgenden Tabelle sind häufige Felder des CORELIGHT-Logs und die entsprechenden UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.vendor_name The metadata.vendor_name UDM field is set to Corelight.
_path (string) metadata.product_event_type
_system_name (string) observer.hostname
ts (time) metadata.event_timestamp
uid (string) about.labels [uid]
id.orig_h (string - addr) principal.ip
id.orig_p (integer - port) principal.port
id.resp_h (string - addr) target.ip
id.resp_p (integer - port) target.port
_write_ts metadata.collected_timestamp
id.vlan (integer - int) additional.fields [id_vlan]
id.vlan_inner (integer - int) additional.fields [id_vlan_inner]
id.orig_ep_cid (string) additional.fields [id_orig_ep_cid]
id.orig_ep_source (string) additional.fields [id_orig_ep_source]
id.orig_ep_status (string) additional.fields [id_orig_ep_status]
id.orig_ep_uid (string) additional.fields [id_orig_ep_uid]
id.resp_ep_cid (string) additional.fields [id_resp_ep_cid]
id.resp_ep_source (string) additional.fields [id_resp_ep_source]
id.resp_ep_status (string) additional.fields [id_resp_ep_status]
id.resp_ep_uid (string) additional.fields [id_resp_ep_uid]

Referenz für die Feldzuordnung: CORELIGHT – conn, conn_red, conn_long

In der folgenden Tabelle sind die Protokollfelder des conn, conn_red, conn_long-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
proto (string - enum) network.ip_protocol
service (string) network.application_protocol
duration (number - interval) network.session_duration
orig_bytes (integer - count) network.sent_bytes
resp_bytes (integer - count) network.received_bytes
conn_state (string) metadata.description If the conn_state log field value is equal to S0, then the metadata.description UDM field is set to S0: Connection attempt seen, no reply.

Else, if the conn_state log field value is equal to S1, then the metadata.description UDM field is set to S1: Connection established, not terminated.

Else, if the conn_state log field value is equal to S2, then the metadata.description UDM field is set to S2: Connection established and close attempt by originator seen (but no reply from responder).

Else, if the conn_state log field value is equal to S3, then the metadata.description UDM field is set to S3: Connection established and close attempt by responder seen (but no reply from originator).

Else, if the conn_state log field value is equal to SF, then the metadata.description UDM field is set to SF: Normal SYN/FIN completion.

Else, if the conn_state log field value is equal to REJ, then the metadata.description UDM field is set to REJ: Connection attempt rejected.

Else, if the conn_state log field value is equal to RSTO, then the metadata.description UDM field is set to RSTO: Connection established, originator aborted (sent a RST).

Else, if the conn_state log field value is equal to RSTOS0, then the metadata.description UDM field is set to RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.

Else, if the conn_state log field value is equal to RSTOSH, then the metadata.description UDM field is set to RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.

Else, if the conn_state log field value is equal to RSTR, then the metadata.description UDM field is set to RSTR: Established, responder aborted.

Else, if the conn_state log field value is equal to SH, then the metadata.description UDM field is set to SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

Else, if the conn_state log field value is equal to SHR, then the metadata.description UDM field is set to SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.

Else, if the conn_state log field value is equal to OTH, then the metadata.description UDM field is set to OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed).
local_orig (boolean - bool) about.labels [local_orig]
local_resp (boolean - bool) about.labels [local_resp]
missed_bytes (integer - count) about.labels [missed_bytes]
history (string) about.labels [history]
orig_pkts (integer - count) network.sent_packets
orig_ip_bytes (integer - count) principal.labels [orig_ip_bytes]
resp_pkts (integer - count) network.received_packets
resp_ip_bytes (integer - count) target.labels [resp_ip_bytes]
tunnel_parents (array[string] - set[string]) intermediary.labels [tunnel_parent]
orig_cc (string) principal.ip_geo_artifact.location.country_or_region
resp_cc (string) target.ip_geo_artifact.location.country_or_region
suri_ids (array[string] - set[string]) security_result.rule_id
spcap.url (string) security_result.url_back_to_product
spcap.rule (integer - count) security_result.rule_labels [spcap_rule]
spcap.trigger (string) security_result.detection_fields [spcap_trigger]
app (array[string] - vector of string) about.application
corelight_shunted (boolean - bool) about.labels [corelight_shunted]
orig_shunted_pkts (integer - count) principal.labels [orig_shunted_pkts]
orig_shunted_bytes (integer - count) principal.labels [orig_shunted_bytes]
resp_shunted_pkts (integer - count) target.labels [resp_shunted_pkts]
resp_shunted_bytes (integer - count) target.labels [resp_shunted_bytes]
orig_l2_addr (string) principal.mac
resp_l2_addr (string) target.mac
id_orig_h_n.src (string) principal.labels [id_orig_h_n_src]
id_orig_h_n.vals (array[string] - set[string]) principal.labels [id_orig_h_n_val]
id_resp_h_n.src (string) target.labels [id_resp_h_n_src]
id_resp_h_n.vals (array[string] - set[string]) target.labels [id_resp_h_n_val]
vlan (integer - int) intermediary.labels [vlan]
inner_vlan (integer - int) intermediary.labels [inner_vlan]
community_id (string) network.community_id
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
service (string) about.labels [service]
orig_ep_cid (string) additional.fields [orig_ep_cid]
orig_ep_source (string) additional.fields [orig_ep_source]
orig_ep_status (string) additional.fields [orig_ep_status]
orig_ep_uid (string) additional.fields [orig_ep_uid]
resp_ep_cid (string) additional.fields [resp_ep_cid]
resp_ep_source (string) additional.fields [resp_ep_source]
resp_ep_status (string) additional.fields [resp_ep_status]
resp_ep_uid (string) additional.fields [resp_ep_uid]

Referenz für die Feldzuordnung: CORELIGHT – dce_rpc

In der folgenden Tabelle sind die Protokollfelder des dce_rpc-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
rtt (number - interval) network.session_duration
named_pipe (string) intermediary.resource.name
intermediary.resource.resource_type If the named_pipe log field value is not empty, then the intermediary.resource.resource_type UDM field is set to PIPE.
endpoint (string) target.labels [endpoint]
operation (string) target.labels [operation]
network.application_protocol The network.application_protocol UDM field is set to DCERPC.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
operation, endpoint, named_pipe (string) metadata.description The metadata.description UDM field is set with operation, endpoint, named_pipe log fields as "operation operation on endpoint using named pipe named_pipe".
network.ip_protocol The network.ip_protocol UDM field is set to TCP.

Referenz für die Feldzuordnung: CORELIGHT – dns, dns_red

In der folgenden Tabelle sind die Protokollfelder des dns, dns_red-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
network.application_protocol The network.application_protocol UDM field is set to DNS.
proto (string - enum) network.ip_protocol
trans_id (integer - count) network.dns.id
rtt (number - interval) network.session_duration
query (string) network.dns.questions.name
qclass (integer - count) network.dns.questions.class
qclass_name (string) about.labels [qclass_name]
qtype (integer - count) network.dns.questions.type
qtype_name (string) about.labels [qtype_name]
rcode (integer - count) network.dns.response_code
rcode (integer - count) network.dns.response If the rcode log field value is not empty, then the network.dns.response UDM field is set to true.
rcode_name (string) about.labels [rcode_name]
AA (boolean - bool) network.dns.authoritative
TC (boolean - bool) network.dns.truncated
RD (boolean - bool) network.dns.recursion_desired
RA (boolean - bool) network.dns.recursion_available
Z (integer - count) about.labels [Z]
answers (array[string] - vector of string) network.dns.answers.name
TTLs (array[number] - vector of interval) network.dns.answers.ttl
rejected (boolean - bool) about.labels [rejected]
is_trusted_domain (string) about.labels [is_trusted_domain]
icann_host_subdomain (string) about.labels [icann_host_subdomain]
icann_domain (string) network.dns_domain
icann_tld (string) about.labels [icann_tld]
num (integer - count) security_result.detection_fields [num]

Referenz für die Feldzuordnung: CORELIGHT – http, http_red, http2

In der folgenden Tabelle sind die Protokollfelder des http, http_red, http2-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_HTTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
trans_depth (integer - count) about.labels [trans_depth]
method (string) network.http.method
host (string) target.hostname
uri (string) target.url
referrer (string) network.http.referral_url
version (string) network.application_protocol_version
user_agent (string) network.http.user_agent
origin (string) principal.hostname
request_body_len (integer - count) network.sent_bytes
response_body_len (integer - count) network.received_bytes
status_code (integer - count) network.http.response_code
status_msg (string) about.labels [status_msg]
info_code (integer - count) about.labels [info_code]
info_msg (string) about.labels [info_msg]
tags (array[string] - set[enum]) about.labels [tags]
username (string) principal.user.user_display_name
password (string) extensions.auth.auth_details
proxied (array[string] - set[string]) intermediary.hostname
orig_fuids (array[string] - vector of string) about.labels [orig_fuid]
orig_filenames (array[string] - vector of string) src.file.names The orig_filenames log field is mapped to src.file.names UDM field when index value in orig_filenames is equal to 0.

For every other index value, orig_filenames log field is mapped to the about.file.names.
orig_mime_types (array[string] - vector of string) src.file.mime_type The orig_mime_types log field is mapped to src.file.mime_type UDM field when index value in orig_mime_types is equal to 0.

For every other index value, orig_mime_types log field is mapped to the about.file.mime_type.
resp_fuids (array[string] - vector of string) about.labels [resp_fuid]
resp_filenames (array[string] - vector of string) target.file.names The resp_filenames log field is mapped to target.file.names UDM field when index value in resp_filenames is equal to 0.

For every other index value, resp_filenames log field is mapped to the about.file.names.
resp_mime_types (array[string] - vector of string) target.file.mime_type The resp_mime_types log field is mapped to target.file.mime_type UDM field when index value in resp_mime_types is equal to 0.

For every other index value, resp_mime_types log field is mapped to the about.file.mime_type.
post_body (string) about.labels [post_body]
stream_id (integer - count) about.labels [stream_id]
encoding (string) about.labels [encoding]
push (boolean - bool) about.labels [push]

Referenz für die Feldzuordnung: CORELIGHT – smtp_links

In der folgenden Tabelle sind die Protokollfelder des smtp_links-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMTP.
fuid (string) about.labels [fuid]
link (string) about.url
domain (string) about.domain.name

Referenz für die Feldzuordnung: CORELIGHT – irc

In der folgenden Tabelle sind die Protokollfelder des irc-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
nick (string) principal.user.user_display_name
user (string) principal.user.userid If the user log field value is less than or equal to 255, then the user log field is mapped to the principal.user.userid UDM field.

Else, the user log field is mapped to the about.labels UDM field.
command, value, addl principal.process.command_line
dcc_file_name (string) src.file.names
dcc_file_size (integer - count) src.file.size
dcc_mime_type (string) src.file.mime_type
fuid (string) about.labels [fuid]

Referenz für die Feldzuordnung: CORELIGHT – files, files_red

In der folgenden Tabelle sind die Protokollfelder des files, files_red-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
fuid (string) about.labels [fuid]
tx_hosts (array[string] - set[addr]) principal.ip
rx_hosts (array[string] - set[addr]) target.ip
conn_uids (array[string] - set[string]) about.labels [conn_uid]
source (string) about.labels [source]
depth (integer - count) about.labels [depth]
analyzers (array[string] - set[string]) about.labels [analyzer]
mime_type (string) about.file.mime_type
filename (string) about.file.names
duration (number - interval) about.labels [duration]
local_orig (boolean - bool) about.labels [local_orig]
is_orig (boolean - bool) about.labels [is_orig]
seen_bytes (integer - count) about.file.size
total_bytes (integer - count) about.labels [total_bytes]
missing_bytes (integer - count) about.labels [missing_bytes]
overflow_bytes (integer - count) about.labels [overflow_bytes]
timedout (boolean - bool) about.labels [timedout]
parent_fuid (string) about.labels [parent_fuid]
md5 (string) about.file.md5
sha1 (string) about.file.sha1
sha256 (string) about.file.sha256
md5 (string) network.tls.client.certificate.md5 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.md5 UDM field is set to md5.
sha1 (string) network.tls.client.certificate.sha1 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha1 UDM field is set to sha1.
sha256 (string) network.tls.client.certificate.sha256 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha256 UDM field is set to sha256.
md5 (string) network.tls.server.certificate.md5 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.md5 UDM field is set to md5.
sha1 (string) network.tls.server.certificate.sha1 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha1 UDM field is set to sha1.
sha256 (string) network.tls.server.certificate.sha256 If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha256 UDM field is set to sha256.
extracted (array[string] - set[string]) about.file.names
extracted_cutoff (boolean - bool) about.labels [extracted_cutoff]
extracted_size (integer - count) about.labels [extracted_size]
num (integer - count) about.labels [num]
vlan (integer - int) additional.fields [vlan]
vlan_inner (integer - int) additional.fields [vlan_inner]

Referenz für die Feldzuordnung: CORELIGHT – Hinweis

In der folgenden Tabelle sind die Protokollfelder des notice-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
fuid (string) about.labels [fuid]
file_mime_type (string) target.file.mime_type
file_desc (string) about.labels [file_desc]
proto (string - enum) network.ip_protocol
note (string - enum) security_result.description
msg (string) metadata.description
sub (string) about.labels [sub]
src (string - addr) principal.ip
dst (string - addr) target.ip
p (integer - port) about.port
n (integer - count) about.labels [n]
peer_descr (string) about.labels [peer_descr]
security_result.action The security_result.action UDM field is set to ALLOW.
actions (array[string] - set[enum]) security_result.action_details
suppress_for (number - interval) about.labels [suppress_for]
remote_location.country_code (string) about.location.country_or_region The about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.region (string) about.location.country_or_region The about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.city (string) about.location.city
remote_location.latitude (number - double) about.location.region_coordinates.latitude
remote_location.longitude (number - double) about.location.region_coordinates.longitude
security_result.severity
If the severity.level log field value contain one of the following values
  • 0
  • 1
then, the security_result.severity UDM field is set to HIGH.
Else, If severity.level log field value is equal to 2 then, the security_result.severity UDM field is set to CRITICAL.
Else, If severity.level log field value is equal to 3 then, the security_result.severity UDM field is set to ERROR.
Else, If severity.level log field value contain one of the following values
  • 4
  • 5
  • 6
then, the security_result.severity UDM field is set to INFORMATIONAL.
Else, If severity.level log field value is equal to 7 then, the security_result.severity UDM field is set to LOW.
Else The security_result.severity UDM field is set to UNKNOWN_SEVERITY.
severity.name security_result.severity_details
severity.level security_result.detection_fields [severity_level]
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 " then, the "target.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 " then, the "target.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 " then, the "target.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 " then, the "target.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 " then, the "target.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity_details
resp_vulnerable_host.cve (string) target.asset.vulnerabilities.cve_id
resp_vulnerable_host.host_uid (string) additional.fields [resp_vulnerable_host_uid]
resp_vulnerable_host.hostname (string) target.asset.hostname
resp_vulnerable_host.machine_domain (string) target.asset.network_domain
resp_vulnerable_host.os_version (string) target.asset.platform_software.platform_version
resp_vulnerable_host.source (string) target.asset.vulnerabilities.cve_description
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity_details
orig_vulnerable_host.cve (string) principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.host_uid (string) additional.fields [orig_vulnerable_host_uid]
orig_vulnerable_host.hostname (string) principal.asset.hostname
orig_vulnerable_host.machine_domain (string) principal.asset.network_domain
orig_vulnerable_host.os_version (string) principal.asset.platform_software.platform_version
orig_vulnerable_host.source (string) principal.asset.vulnerabilities.cve_description

Referenz für die Feldzuordnung: CORELIGHT – smb_files

In der folgenden Tabelle sind die Protokollfelder des smb_files-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type If the action log field value is equal to SMB::FILE_READ, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the action log field value is equal to SMB::FILE_WRITE, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the action log field value is equal to SMB::FILE_OPEN, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the action log field value is equal to SMB::FILE_CLOSE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, if the action log field value is equal to SMB::FILE_DELETE, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the action log field value is equal to SMB::FILE_RENAME, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the action log field value is equal to SMB::FILE_SET_ATTRIBUTE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMB.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
action, name metadata.description The metadata.description UDM field is set with action, name log fields as "action: action on: name".
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
fuid (string) about.labels [fuid]
action (string - enum) target.labels [action]
path (string) target.file.full_path
name (string) target.file.names
size (integer - count) target.file.size
prev_name (string) src.file.names
times.modified (time) target.file.last_modification_time
times.accessed (time) target.file.last_seen_time
times.created (time) target.file.first_seen_time
times.changed (time) target.labels [times_changed]
data_offset_req (integer - count) target.labels [data_offset_req]
data_len_req (integer - count) target.labels [data_len_req]
data_len_rsp (integer - count) target.labels [data_len_rsp]

Referenz für die Feldzuordnung: CORELIGHT – smb_mapping

In der folgenden Tabelle sind die Protokollfelder des smb_mapping-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMB.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
path (string) target.resource.attribute.labels [path]
service (string) target.application
native_file_system (string) target.resource.attribute.labels [native_file_system]
share_type (string) target.resource.resource_type If the share_type log field value is equal to DISK, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.

Else, if the share_type log field value is equal to PIPE, then the target.resource.resource_type UDM field is set to PIPE.

Else, the target.resource.resource_type UDM field is set to UNSPECIFIED.
share_type (string) target.resource.resource_subtype

Referenz für die Feldzuordnung: CORELIGHT – ssl, ssl_red

In der folgenden Tabelle sind die Protokollfelder des ssl, ssl_red-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to HTTPS.
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.
security_result.action The security_result.action UDM field is set to ALLOW.
version (string) network.tls.version
cipher (string) network.tls.cipher
curve (string) network.tls.curve
server_name (string) network.tls.client.server_name
resumed (boolean - bool) network.tls.resumed
last_alert (string) security_result.description
next_protocol (string) network.tls.next_protocol
established (boolean - bool) network.tls.established
ssl_history (string) about.labels [ssl_history]
cert_chain_fps (array[string] - vector of string) target.labels [cert_chain_fps]
client_cert_chain_fps (array[string] - vector of string) principal.labels [client_cert_chain_fps]
sni_matches_cert (boolean - bool) about.labels [sni_matches_cert]
validation_status (string) security_result.detection_fields [validation_status]
ja3 (string) network.tls.client.ja3
ja3s (string) network.tls.server.ja3s

Referenz für die Feldzuordnung: CORELIGHT – rdp

In der folgenden Tabelle sind die Protokollfelder des rdp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
cookie (string) about.labels [cookie]
result (string) about.labels [result]
security_protocol (string) target.labels [security_protocol]
client_channels (array[string] - vector of string) intermediary.labels [client_channels]
keyboard_layout (string) principal.labels [keyboard_layout]
client_build (string) principal.labels [client_build]
client_name (string) principal.hostname
client_dig_product_id (string) principal.labels [client_dig_product_id ]
desktop_width (integer - count) principal.labels [desktop_width]
desktop_height (integer - count) principal.labels [desktop_height]
requested_color_depth (string) principal.labels [requested_color_depth]
cert_type (string) about.labels [cert_type]
cert_count (integer - count) about.labels [cert_count]
cert_permanent (boolean - bool) about.labels [cert_permanent ]
encryption_level (string) about.labels [encryption_level]
encryption_method (string) about.labels [encryption_method]
auth_success (boolean - bool) about.labels [auth_success]
channels_joined (integer - int) intermediary.labels [channels_joined]
inferences (array[string] - set[string]) about.labels [inferences]
rdpeudp_uid (string) about.labels [rdpeudp_uid]
network.ip_protocol The network.ip_protocol UDM field is set to TCP.
rdfp_string (string) principal.labels [rdfp_string]
rdfp_hash (string) principal.labels [rdfp_hash]
result, security_protocol security_result.description The security_result.description UDM field is set with result, security_protocol log fields as "result connection with security protocol security_protocol".
security_result.severity The security_result.severity UDM field is set to INFORMATIONAL.

Referenz für die Feldzuordnung: CORELIGHT – sip

In der folgenden Tabelle sind die Protokollfelder des sip-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SIP.
trans_depth (integer - count) about.labels [trans_depth]
method (string) about.labels [method]
uri (string) target.url
date (string) about.labels [date]
request_from (string) principal.labels [request_from]
request_to (string) target.labels [request_to]
response_from principal.labels [response_from]
response_to (string) target.labels [response_to]
reply_to (string) about.labels [reply_to]
call_id (string) network.session_id
seq (string) about.labels [seq]
subject (string) about.labels [subject]
request_path (array[string] - vector of string) about.labels [request_path]
response_path (array[string] - vector of string) about.labels [response_path]
user_agent (string) about.labels [user_agent]
status_code (integer - count) about.labels [status_code]
status_msg (string) security_result.description
warning (string) security_result.summary
request_body_len (integer - count) network.sent_bytes
response_body_len (integer - count) network.received_bytes
content_type (string) about.labels [content_type]

Referenz für die Feldzuordnung: CORELIGHT – intel

In der folgenden Tabelle sind die Protokollfelder des intel-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
seen.indicator_type (string - enum) entity.metadata.entity_type If the indicator.type log field value is equal to Intel::ADDR, then the metadata.entity_type UDM field is set to IP_ADDRESS.

Else, if the indicator.type log field value is equal to Intel::SUBNET or Intel::SOFTWARE or Intel::CERT_HASH or Intel::PUBKEY_HASH, then the metadata.entity_type UDM field is set to RESOURCE.

Else, if the indicator.type log field value is equal to Intel::URL, then the metadata.entity_type UDM field is set to URL.

Else, if the indicator.type log field value is equal to the Intel::EMAIL or Intel::USER_NAME, then the metadata.entity_type UDM field is set to USER.

Else, if the indicator.type log field value is equal to Intel::DOMAIN, then the metadata.entity_type UDM field is set to DOMAIN_NAME.

Else, if the indicator.type log field value is equal to the Intel::FILE_HASH or Intel::FILE_NAME, then the metadata.entity_type UDM field is set to FILE.

Else, the metadata.entity_type UDM field is set to RESOURCE.
seen.indicator (string) entity.ip If the indicator.type log field value is equal to Intel::ADDR, then the seen.indicator log field is mapped to the entity.ip UDM field.
seen.indicator (string) entity.url If the indicator.type log field value is equal to Intel::URL, then the seen.indicator log field is mapped to the entity.url UDM field.
seen.indicator (string) entity.domain.name If the indicator.type log field value is equal to Intel::DOMAIN, then the seen.indicator log field is mapped to the entity.domain.name UDM field.
seen.indicator (string) entity.user.email_address If the indicator.type log field value is equal to Intel::USER_NAME or Intel::EMAIL, then the seen.indicator log field is mapped to the entity.user.email_address UDM field.
seen.indicator (string) entity.file.names If the indicator.type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME, then the seen.indicator log field is mapped to the entity.file.full_path UDM field.
seen.indicator (string) entity.resource.name If the metadata.entity_type log field value is equal to RESOURCE, then the seen.indicatior log field is mapped to the entity.resource.name UDM field.
entity.resource.resource_type If the indicator.type log field value is equal to Intel::SUBNET, then the entity.resource.resource_name UDM field is set to VPC_NETWORK.
seen.indicator_type (string - enum) entity.resource.resource_sub_type If the metadata.entity_type log field value is equal to RESOURCE, then the seen.indicatior_type log field is mapped to the entity.resource.resource_sub_type UDM field.
seen.where (string - enum) entity.metadata.source_labels [seen_where]
matched (array[string] - set[enum]) entity.labels [matched]
sources (array[string] - set[string]) entity.metadata.source_labels [source]
fuid (string) about.labels [fuid]
file_mime_type (string) entity.file.mime_type
file_desc (string) metadata.threat.detection_fields [file_desc]
desc (array[string] - set[string]) ioc.description The desc log field is mapped to ioc.description UDM field when index value in desc is equal to 0.

For every other index value, entity.labels.key UDM field is set to desc and desc log field is mapped to the entity.labels.value.
url (array[string] - set[string]) metadata.threat.url_back_to_product
confidence (array[number] - set[double]) ioc.confidence_score The confidence log field is mapped to ioc.confidence_score UDM field when index value in confidence is equal to 0.

For every other index value, entity.labels.key UDM field is set to confidence and confidence log field is mapped to the entity.labels.value.
firstseen (array[string] - set[string]) ioc.active_timerange.start The firstseen log field is mapped to ioc.active_timerange.start UDM field when index value in firstseen is equal to 0.

For every other index value, entity.labels.key UDM field is set to firstseen and firstseen log field is mapped to the entity.labels.value.
lastseen (array[string] - set[string]) ioc.active_timerange.end The lastseen log field is mapped to ioc.active_timerange.end UDM field when index value in lastseen is equal to 0.

For every other index value, entity.labels.key UDM field is set to lastseen and lastseen log field is mapped to the entity.labels.value.
associated (array[string] - set[string]) entity.labels [associated]
category (array[string] - set[string]) ioc.categorization The category log field is mapped to ioc.categorization UDM field when index value in category is equal to 0.

For every other index value, entity.labels.key UDM field is set to category and category log field is mapped to the entity.labels.value.
campaigns (array[string] - set[string]) entity.labels [campaign]
reports (array[string] - set[string]) entity.labels [report]
seen.indicator (string) about.labels [indicator]
seen.indicator_type (string - enum) about.labels [indicator_type]
seen.where (string - enum) about.labels [where]
sources (array[string] - set[string]) about.labels [sources]
confidence (array[number] - set[double]) about.labels [confidence]
category (array[string] - set[string]) about.labels [category]
threat_score (array[number] - set[double]) entity.security_result.detection_fields[threat_score]
verdict (array[string] - set[string]) entity.security_result.verdict_info.verdict_response Iterate through verdict,
If the verdict log field value matches the regular expression pattern "(?i)Malicious" or the verdict log field value is equal to "1" then, the "entity.security_result.verdict_info.verdict_response" UDM field is set to MALICIOUS.
Else, If verdict log field value matches the regular expression pattern "(?i)Benign" or the verdict log field value is equal to "2" then, the "entity.security_result.verdict_info.verdict_response" UDM field is set to BENIGN.
Else The "entity.security_result.verdict_info.verdict_response" UDM field is set to VERDICT_RESPONSE_UNSPECIFIED.
verdict_source (array[string] - set[string]) entity.security_result.verdict_info.source_provider Iterate through verdict_source,
verdict_source log field is mapped to the entity.security_result.VerdictInfo.source_provider UDM field.

Referenz für die Feldzuordnung: CORELIGHT – smtp

In der folgenden Tabelle sind die Protokollfelder des smtp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SMTP.
trans_depth (integer - count) about.labels [trans_depth]
helo (string) target.domain.name
mailfrom (string) network.smtp.mail_from
rcptto (array[string] - set[string]) network.smtp.rcpt_to
date (string) about.labels [date]
from (string) network.email.from
to (array[string] - set[string]) network.email.to
cc (array[string] - set[string]) network.email.cc
reply_to (string) network.email.reply_to
msg_id (string) network.email.mail_id
in_reply_to (string) about.labels [in_reply_to]
subject (string) network.email.subject
x_originating_ip (string - addr) principal.ip
first_received (string) about.labels [first_received]
second_received (string) about.labels [second_received]
last_reply (string) network.smtp.server_response
path (array[string] - vector of addr) intermediary.ip
user_agent (string) about.labels [user_agent]
tls (boolean - bool) network.smtp.is_tls
fuids (array[string] - vector of string) about.labels [fuid]
is_webmail (boolean - bool) network.smtp.is_webmail
urls (array[string] - set[string]) about.url
domains (array[string] - set[string]) about.domain.name

Referenz für die Feldzuordnung: CORELIGHT – ssh

In der folgenden Tabelle sind die Protokollfelder des ssh-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to SSH.
version (integer - count) network.application_protocol_version The network.application_protocol_version UDM field is set with version log field as "SSH version".
auth_success (boolean - bool) security_result.action_details
auth_success (boolean - bool) security_result.action If the auth_success log field value is not equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to BLOCK.
auth_attempts (integer - count) extensions.auth.auth_details The extensions.auth.auth_details UDM field is set with auth_attempts log field as "auth_attempts: auth_attempts".
direction (string - enum) network.direction If the direction log field value is equal to INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the direction log field value is equal to OUTBOUND, then the network.direction UDM field is set to OUTBOUND.
client (string) principal.application
server (string) target.application
cipher_alg (string) network.tls.cipher
mac_alg (string) security_result.detection_fields [mac_alg]
compression_alg (string) security_result.detection_fields [compression_alg]
kex_alg (string) security_result.detection_fields [kex_alg]
host_key_alg (string) security_result.detection_fields [host_key_alg]
host_key (string) security_result.detection_fields [host_key]
remote_location.country_code (string) target.location.country_or_region
remote_location.region (string) target.location.country_or_region
remote_location.city (string) target.location.city
remote_location.latitude (number - double) target.location.region_coordinates.latitude
remote_location.longitude (number - double) target.location.region_coordinates.longitude
hasshVersion (string) about.labels [hassh_version]
hassh (string) principal.labels [hassh]
hasshServer (string) target.labels [hassh_server]
cshka (string) about.labels [cshka]
hasshAlgorithms (string) about.labels [hassh_algorithms]
sshka (string) about.labels [sshka]
hasshServerAlgorithms (string) about.labels [hassh_server_algorithms]
inferences (array[string] - set[string]) security_result.summary, security_result.description If the inferences log field value is equal to ABP, then the security_result.summary UDM field is set to Client Authentication Bypass and the security_result.description UDM field is set to A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after enctyption begins.

If the inferences log field value is equal to AFR, then the security_result.summary UDM field is set to SSH Agent Forwarding Requested and the security_result.description UDM field is set to Agent Forwarding is requested by tge Client.

If the inferences log field value is equal to APWA, then the security_result.summary UDM field is set to Automated Password Authentication and the security_result.description UDM field is set to The client authenticated with an automated password tool (like sshpass).

If the inferences log field value is equal to AUTO, then the security_result.summary UDM field is set to Automated Interaction and the security_result.description UDM field is set to The client is a script automated utility and not driven by a user.

If the inferences log field value is equal to BAN, then the security_result.summary UDM field is set to Server Banner and the security_result.description UDM field is set to The server sent the client a pre-authentication banner, likely for legal reasons.

If the inferences log field value is equal to BF, then the security_result.summary UDM field is set to Client Brute Force Guessing and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

If the inferences log field value is equal to BFS, then the security_result.summary UDM field is set to Client Brute Force Success and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

If the inferences log field value is equal to CTS, then the security_result.summary UDM field is set to Client Trusted Server and the security_result.description UDM field is set to The client already has an entry in its known_hosts file for this server.

If the inferences log field value is equal to CUS, then the security_result.summary UDM field is set to Client Untrusted Server and the security_result.description UDM field is set to The client did not have an entry in its known_hosts file for this server.

If the inferences log field value is equal to IPWA, then the security_result.summary UDM field is set to Interactive Password Authentication and the security_result.description UDM field is set to The client interactively typed their password to authenticate.

If the inferences log field value is equal to KS, then the security_result.summary UDM field is set to Keystrokes and the security_result.description UDM field is set to An interactive session occurred in which the client set user-driven keystrokes to the server.

If the inferences log field value is equal to LFD, then the security_result.summary UDM field is set to Large Client File Donwload and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

If the inferences log field value is equal to LFU, then the security_result.summary UDM field is set to Large Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server. Large file are identified dynamically based on trains of MTU-sized packets.

If the inferences log field value is equal to MFA, then the security_result.summary UDM field is set to Multifactor Authentication and the security_result.description UDM field is set to The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it.

If the inferences log field value is equal to NA, then the security_result.summary UDM field is set to None Authentication and the security_result.description UDM field is set to The client successfully authenticated using the None method.

If the inferences log field value is equal to NRC, then the security_result.summary UDM field is set to No Remote Command and the security_result.description UDM field is set to The -N flag was used in SSH authentication.

If the inferences log field value is equal to PKA, then the security_result.summary UDM field is set to Public Key Authentication and the security_result.description UDM field is set to The client automatically authenticated using pubkey authentication.

If the inferences log field value is equal to RSI, then the security_result.summary UDM field is set to Reverse SSH Initiated and the security_result.description UDM field is set to The Reverse session is initiated from the server back to the client.

If the inferences log field value is equal to RSIA, then the security_result.summary UDM field is set to Reverse SSH Initiated Automated and the security_result.description UDM field is set to The inititation of the Reverse session happened very early in the packet stream, indicating automation.

If the inferences log field value is equal to RSK, then the security_result.summary UDM field is set to Reverse SSH Keystrokes and the security_result.description UDM field is set to Keystrokes are detected within the Reverse tunnel.

If the inferences log field value is equal to RSL, then the security_result.summary UDM field is set to Reverse SSH Logged In and the security_result.description UDM field is set to The Reverse Tunnel login has succeeded.

If the inferences log field value is equal to RSP, then the security_result.summary UDM field is set to Reverse SSH Providioned and the security_result.description UDM field is set to The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time.

If the inferences log field value is equal to SA, then the security_result.summary UDM field is set to Authentication Scanning and the security_result.description UDM field is set to The client scanned authentication method with the server and then disconnected.

If the inferences log field value is equal to SC, then the security_result.summary UDM field is set to Capabilities Scanning and the security_result.description UDM field is set to The client exchanged capabilities with the server and then disconnected.

If the inferences log field value is equal to SFD, then the security_result.summary UDM field is set to Small Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

If the inferences log field value is equal to SFU, then the security_result.summary UDM field is set to Small Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server.

If the inferences log field value is equal to SP, then the security_result.summary UDM field is set to Other Scanning and the security_result.description UDM field is set to A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.

If the inferences log field value is equal to SV, then the security_result.summary UDM field is set to Version Scanning and the security_result.description UDM field is set to A client exchanged version strings with the server and than disconnected.

If the inferences log field value is equal to UA, then the security_result.summary UDM field is set to Unknown Authentication and the security_result.description UDM field is set to The authentication method is not determinated or is unknown.

Referenz für die Feldzuordnung: CORELIGHT – suricata_corelight

In der folgenden Tabelle sind die Protokollfelder des suricata_corelight-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Suricata.
id.vlan (integer - count) intermediary.labels [id_vlan]
id.vlan_inner (integer - count) intermediary.labels [id_vlan_inner]
icmp_type (integer - count) about.labels [icmp_type]
icmp_code (integer - count) about.labels [icmp_code]
suri_id (string) metadata.product_log_id
service (string) network.application_protocol
flow_id (integer - count) network.session_id
tx_id (integer - count) about.labels [tx_id]
pcap_cnt (integer - count) about.labels [pcap_cnt]
alert.action (string) security_result.action_details
alert.gid (integer - count) security_result.detection_fields [alert_gid]
alert.signature_id (integer - count) security_result.rule_id
alert.rev (integer - count) security_result.detection_fields [alert_rev]
alert.signature (string) security_result.summary
alert.signature (string) security_result.rule_name
alert.category (string) security_result.category_details
alert.severity (integer - count) security_result.severity_details
alert.metadata (array[string] - vector of string) security_result.detection_fields [alert_metadata]
community_id (string) network.community_id
payload (string) about.labels [payload]
payload (string) about.labels [payload_decoded]
packet (string) about.labels [packet]
packet (string) about.labels [packet_decoded]
metadata (array[string] - vector of string) security_result.detection_fields [metadata]
orig_cve (string) extensions.vulns.vulnerabilities.cve_id
resp_cve (string) extensions.vulns.vulnerabilities.cve_id
idm.is_alert The idm.is_alert UDM field is set to true.
idm.is_significant The idm.is_significant UDM field is set to true.
signature_severity security_result.severity If alert.rule log field value matches the grok pattern signature_severity (?Critical|Major|Minor|Informational) then
If the signature_severity extracted field value is equal to Critical then, the security_result.severity UDM field is set to CRITICAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Major then, the security_result.severity UDM field is set to MEDIUM and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Minor then, the security_result.severity UDM field is set to LOW and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Informational then, the security_result.severity UDM field is set to INFORMATIONAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
orig_vulnerable_host.cve(string) principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.hostname(string) principal.asset.hostname
orig_vulnerable_host.host_uid(string) about.labels [orig_vulnerable_host_uid]
orig_vulnerable_host.machine_domain(string) principal.asset.network_domain
orig_vulnerable_host.os_version(string) principal.asset.platform_software.platform_version
orig_vulnerable_host.source(string) principal.asset.vulnerabilities.cve_description
resp_vulnerable_host.cve(string) target.asset.vulnerabilities.cve_id
resp_vulnerable_host.hostname(string) target.asset.hostname
resp_vulnerable_host.host_uid(string) about.labels [resp_vulnerable_host_uid]
resp_vulnerable_host.machine_domain(string) target.asset.network_domain
resp_vulnerable_host.os_version(string) target.asset.platform_software.platform_version
resp_vulnerable_host.source(string) target.asset.vulnerabilities.cve_description
service (string) about.labels [service]
alert.rule (string) security_result.description
alert.references (array[string] - vector of string) security_result.detection_fields[alert_references] iterate through alert.references,
alert.references log field is mapped to the security_result.detection_fields.alert_references UDM field.
payload_printable (string) security_result.detection_fields[payload_printable]
references (array[string] - vector of string) security_result.detection_fields[references] iterate through references,
references log field is mapped to the security_result.detection_fields.references UDM field.
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4" then, the "principal.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3" then, the "principal.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1" then, the "principal.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2" then, the "principal.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0" then, the "principal.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string) principal.asset.vulnerabilities.severity_details
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 " then, the "target.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 " then, the "target.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 " then, the "target.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 " then, the "target.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 " then, the "target.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string) target.asset.vulnerabilities.severity_details
rule_content security_result.detection_fields[alert_rule_content] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}content:\\"%{GREEDYDATA:rule_content}\\" then, the rule_content extracted field is mapped to security_result.detection_fields [alert_rule_content] UDM field.
rule_classtype security_result.detection_fields [alert_rule_classtype] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}classtype:%{DATA:rule_classtype}; then, the rule_classtype extracted field is mapped to security_result.detection_fields [alert_rule_classtype] UDM field.
reference_url security_result.detection_fields[alert_rule_reference_url] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}reference:url,%{DATA:reference_url}; then, the reference_url extracted field is mapped to security_result.detection_fields [alert_rule_reference_url] UDM field.
attack_target security_result.detection_fields[alert_rule_attack_target] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The attack_target is extracted from rule_metadata using kv filter then the extracted attack_target field is mapped to security_result.detection_fields [alert_rule_attack_target] UDM field.
created_at security_result.detection_fields[alert_rule_created_at] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The created_at is extracted from rule_metadata using kv filter then the extracted created_at field is mapped to security_result.detection_fields [alert_rule_created_at] UDM field.
deployment security_result.detection_fields[alert_rule_deployment] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The deployment is extracted from rule_metadata using kv filter then the extracted deployment field is mapped to security_result.detection_fields [alert_rule_deployment] UDM field.
performance_impact security_result.detection_fields[alert_rule_performance_impact] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The performance_impact is extracted from rule_metadata using kv filter then the extracted performance_impact field is mapped to security_result.detection_fields [alert_rule_performance_impact] UDM field.
updated_at security_result.detection_fields[alert_rule_updated_at] If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The updated_at is extracted from rule_metadata using kv filter then the extracted updated_at field is mapped to security_result.detection_fields [alert_rule_updated_at] UDM field.
uri target.url If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.
http_method network.http.method If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the http_method extracted field is mapped to network.http.method UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the http_method extracted field is mapped to network.http.method UDM field.
proto_version network.application_protocol_version If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the proto_version extracted field is mapped to network.application_protocol_version UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the proto_version extracted field is mapped to network.application_protocol_version UDM field.
user_agent target.http.useragent If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.
hostname target.hostname If the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern ^Host: %{IPORHOST:hostname} then, the hostname extracted field is mapped to target.hostname UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern ^Host: %{IPORHOST:hostname} then, the hostname extracted field is mapped to target.hostname UDM field.
meta (array[string] - vector of string) additional.fields [meta]

Referenz für die Feldzuordnung: CORELIGHT – bacnet

In der folgenden Tabelle sind die Protokollfelder des bacnet-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
bvlc_function (string) about.labels [bvlc_function]
bvlc_len (integer - count) about.labels [bvlc_len]
apdu_type (string) about.labels [apdu_type]
service_choice (string) about.labels [service_choice]
data (array[string] - vector of string) about.labels [data]
invoke_id (integer - count) additional.fields [invoke_id]
is_orig (boolean - bool) additional.fields [is_orig]
pdu_service (string) additional.fields [pdu_service]
pdu_type (string) additional.fields [pdu_type]
result_code (string) additional.fields [result_code]

Referenz für die Feldzuordnung: CORELIGHT – cip

In der folgenden Tabelle sind die Protokollfelder des cip-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
service (string) about.labels [service]
status (string) about.labels [status]
tags (string) about.labels [tag]
attribute_id (string) additional.fields [attribute_id]
cip_extended_status (string) additional.fields [cip_extended_status]
cip_extended_status_code (string) additional.fields [cip_extended_status_code]
cip_sequence_count (integer - count) additional.fields [cip_sequence_count]
cip_service (string) additional.fields [cip_service]
cip_service_code (string) additional.fields [cip_service_code]
cip_status (string) additional.fields [cip_status]
cip_status_code (string) additional.fields [cip_status_code]
class_id (string) additional.fields [class_id]
class_name (string) additional.fields [class_name]
direction (string) additional.fields [direction]
instance_id (string) additional.fields [instance_id]
is_orig (boolean - bool) additional.fields [is_orig]

Referenz für die Feldzuordnung: CORELIGHT – corelight_burst

In der folgenden Tabelle sind die Protokollfelder des corelight_burst-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
proto (string - enum) network.ip_protocol
orig_size (integer - count) network.sent_bytes
resp_size (integer - count) network.received_bytes
mbps (number - double) about.labels [mbps]
age_of_conn (number - interval) about.labels [age_of_conn]

Referenz für die Feldzuordnung: CORELIGHT – corelight_overall_capture_loss

In der folgenden Tabelle sind die Protokollfelder des corelight_overall_capture_loss-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
gaps (number - double) security_result.detection_fields [gaps]
acks (number - double) security_result.detection_fields [acks]
percent_lost (number - double) security_result.detection_fields [percent_lost]
metadata.description The metadata.description UDM field is set with _system_name, percent_lost, ts. log fields as "node _system_name experienced percent_lost% packet loss at ts.".

Referenz für die Feldzuordnung: CORELIGHT – corelight_profiling

In der folgenden Tabelle sind die Protokollfelder des corelight_profiling-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
node (string) principal.hostname
prof.core_stack (string) about.labels [prof_core_stack]
prof.script_stack (string) about.labels [prof_script_stack]
prof.sched_wait_ns (integer - count) about.labels [prof_sched_wait_ns]

Referenz für die Feldzuordnung: CORELIGHT – datared

In der folgenden Tabelle sind die Protokollfelder des datared-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
conn_red (integer - count) about.labels [conn_red]
conn_total (integer - count) about.labels [conn_total]
dns_red (integer - count) about.labels [dns_red]
dns_total (integer - count) about.labels [dns_total]
dns_coal_miss (integer - count) about.labels [dns_coal_miss]
files_red (integer - count) about.labels [files_red]
files_total (integer - count) about.labels [files_total]
files_coal_miss (integer - count) about.labels [files_coal_miss]
http_red (integer - count) about.labels [http_red]
http_total (integer - count) about.labels [http_total]
ssl_red (integer - count) about.labels [ssl_red]
ssl_total (integer - count) about.labels [ssl_total]
ssl_coal_miss (integer - count) about.labels [ssl_coal_miss]
weird_red (integer - count) about.labels [weird_red]
weird_total (integer - count) about.labels [weird_total]
x509_red (integer - count) about.labels [x509_red]
x509_total (integer - count) about.labels [x509_total]
x509_coal_miss (integer - count) about.labels [x509_coal_miss]

Referenz für die Feldzuordnung: CORELIGHT – dhcp

In der folgenden Tabelle sind die Protokollfelder des dhcp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DHCP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DHCP.
uids (array[string] - set[string]) about.labels [uid]
client_addr (string - addr) network.dhcp.ciaddr
server_addr (string - addr) network.dhcp.siaddr
mac (string) network.dhcp.chaddr
host_name (string) network.dhcp.client_hostname
client_fqdn (string) principal.domain.name
domain (string) target.domain.name
requested_addr (string - addr) network.dhcp.requested_address
assigned_addr (string - addr) network.dhcp.yiaddr
lease_time (number - interval) network.dhcp.lease_time_seconds
client_message (string) security_result.description
server_message (string) security_result.description
msg_types (array[string] - vector of string) network.dhcp.type The msg_types log field is mapped to network.dhcp.type UDM field when index value in msg_types is equal to 0.

For every other index value, about.labels.key UDM field is set to msg_types and msg_types log field is mapped to the about.labels.value.
duration (number - interval) about.labels [duration]

Referenz für die Feldzuordnung: CORELIGHT – dga

In der folgenden Tabelle sind die Protokollfelder des dga-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
query (string) network.dns.questions.name
family (string) about.labels [family]
qtype_name (string) about.labels [qtype_name]
rcode (integer - count) network.dns.response_code
is_collision_heavy (boolean - bool) security_result.detection_fields [is_collision_heavy]
ruse (boolean - bool) about.labels [ruse]

Referenz für die Feldzuordnung: CORELIGHT – dnp3

In der folgenden Tabelle sind die Protokollfelder des dnp3-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
fc_request (string) about.labels [fc_request]
fc_reply (string) about.labels [fc_reply]
iin (integer - count) about.labels [iin]

Referenz für die Feldzuordnung: CORELIGHT – iso_cotp

In der folgenden Tabelle sind die Protokollfelder des iso_cotp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
pdu_type (string) about.labels [pdu_type]

Referenz für die Feldzuordnung: CORELIGHT – Kerberos

In der folgenden Tabelle sind die Protokollfelder des kerberos-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to KRB5.
request_type (string) principal.application
client (string) principal.hostname
service (string) target.application
success (boolean - bool) security_result.action If the success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
error_msg (string) security_result.action_details
from (time) about.labels [from]
till (time) about.labels [till]
cipher (string) about.labels [cipher]
forwardable (boolean - bool) about.labels [forwardable]
renewable (boolean - bool) about.labels [renewable]
client_cert_subject (string) about.labels [client_cert_subject]
client_cert_fuid (string) about.labels [client_cert_fuid]
server_cert_subject (string) about.labels [server_cert_subject]
server_cert_fuid (string) about.labels [server_cert_fuid]

Referenz für die Feldzuordnung: CORELIGHT – ldap

In der folgenden Tabelle sind die Protokollfelder des ldap-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to LDAP.
proto (string) about.labels [proto]
message_id (integer - int) about.labels [message_id]
version (integer - int) network.application_protocol_version
opcode (array[string] - set[string]) security_result.detection_fields [opcode]
result (array[string] - set[string]) security_result.detection_fields [result]
diagnostic_message (array[string] - vector of string) security_result.description
object (array[string] - vector of string) about.labels [object]
argument (array[string] - vector of string) about.labels [argument]

Referenz für die Feldzuordnung: CORELIGHT – ldap_search

In der folgenden Tabelle sind die Protokollfelder des ldap_search-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to LDAP.
proto (string) about.labels [proto]
message_id (integer - int) about.labels [message_id]
scope (array[string] - set[string]) about.labels [scope]
deref (array[string] - set[string]) about.labels [deref]
base_object (array[string] - vector of string) about.labels [base_object]
result_count (integer - count) security_result.detection_fields [result_count]
result (array[string] - set[string]) security_result.detection_fields [result]
diagnostic_message (array[string] - vector of string) security_result.description
filter (string) about.labels [filter]
attributes (array[string] - vector of string) about.labels [attributes]

Referenz für die Feldzuordnung: CORELIGHT – local_subnets

In der folgenden Tabelle sind die Protokollfelder des local_subnets-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
round (integer - count) about.labels [round]
ip_version (integer - count) about.labels [ip_version]
subnets (array[string] - set[subnet]) about.labels [subnet]
component_ids (array[integer] - set[count]) about.labels [component_id]
size_of_component (integer - count) about.labels [size_of_component]
bipartite (boolean - bool) about.labels [bipartite]
inferred_site (boolean - bool) about.labels [inferred_site]
other_ips (array[string] - set[addr]) about.ip

Referenz für die Feldzuordnung: CORELIGHT – local_subnets_dj

In der folgenden Tabelle sind die Protokollfelder des local_subnets_dj-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
ip_version (integer - count) about.labels [ip_version]
v (string - addr) about.ip
side (string) about.labels [side]
component_id (integer - count) additional.fields [component_id]
round (integer - count) additional.fields [round]

Referenz für die Feldzuordnung: CORELIGHT – local_subnets_graphs

In der folgenden Tabelle sind die Protokollfelder des local_subnets_graphs-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
ip_version (integer - count) about.labels [ip_version]
v1 (string - addr) about.ip
v2 (string - addr) about.ip

Referenz für die Feldzuordnung: CORELIGHT – syslog

In der folgenden Tabelle sind die Protokollfelder des syslog-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
proto (string - enum) network.ip_protocol
facility (string) about.labels [facility]
severity (string) about.labels [severity]
message (string) metadata.description

Referenz für die Feldzuordnung: CORELIGHT – tds

In der folgenden Tabelle sind die Protokollfelder des tds-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
command (string) principal.process.command_line

Referenz für die Feldzuordnung: CORELIGHT – tds_rpc

In der folgenden Tabelle sind die Protokollfelder des tds_rpc-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
procedure_name (string) about.labels [procedure_name]
parameters (array[string] - vector of string) about.labels [parameter]

Referenz für die Feldzuordnung: CORELIGHT – tds_sql_batch

In der folgenden Tabelle sind die Protokollfelder des tds_sql_batch-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
target.resource.resource_type The target.resource.resource_type UDM field is set to DATABASE.
header_type (string) target.resource.attribute.labels [header_type]
query (string) target.resource.attribute.labels [query]

Referenz für die Feldzuordnung: CORELIGHT – traceroute

In der folgenden Tabelle sind die Protokollfelder des traceroute-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
src (string - addr) principal.ip
dst (string - addr) target.ip
proto (string) network.ip_protocol

Referenz für die Feldzuordnung: CORELIGHT – Tunnel

In der folgenden Tabelle sind die Protokollfelder des tunnel-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
tunnel_type (string - enum) intermediary.labels [tunnel_type]
action (string - enum) security_result.action_details
security_result.description The security_result.description UDM field is set with action, tunnel_type log fields as "action action on tunnel type tunnel_type".

Referenz für die Feldzuordnung: CORELIGHT – weird, weird_red

In der folgenden Tabelle sind die Protokollfelder des weird, weird_red-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
name (string) about.labels [name]
addl (string) about.labels [addl]
notice (boolean - bool) about.labels [notice]
source (string) about.labels [source]
peer (string) about.labels [peer]

Referenz für die Feldzuordnung: CORELIGHT – wireguard

In der folgenden Tabelle sind die Protokollfelder des wireguard-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
established (boolean - bool) about.labels [established]
initiations (integer - count) about.labels [initiations]
responses (integer - count) about.labels [responses]

Referenz für die Feldzuordnung: CORELIGHT – vpn

In der folgenden Tabelle sind die Protokollfelder des vpn-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
proto (string - enum) network.ip_protocol
vpn_type (string - enum) about.labels [vpn_type]
service (string) target.application
inferences (array[string] - set[string]) about.labels [inference]
server_name (string) network.tls.client.server_name
client_info (string) principal.labels [client_info]
duration (number - interval) network.session_duration
orig_bytes (integer - count) network.sent_bytes
resp_bytes (integer - count) network.received_bytes
orig_cc (string) principal.location.country_or_region
orig_region (string) principal.location.country_or_region
orig_city (string) principal.location.city
resp_cc (string) target.location.country_or_region
resp_region (string) target.location.country_or_region
resp_city (string) target.location.city
subject (string) network.tls.client.certificate.subject
issuer (string) network.tls.client.certificate.issuer
ja3 (string) network.tls.client.ja3
ja3s (string) network.tls.server.ja3s

Referenz für die Feldzuordnung: CORELIGHT – x509, x509_red

In der folgenden Tabelle sind die Protokollfelder des x509, x509_red-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
fingerprint (string) about.labels [fingerprint]
certificate.version (integer - count) network.tls.server.certificate.version
certificate.serial (string) network.tls.server.certificate.serial
certificate.subject (string) network.tls.server.certificate.subject
certificate.issuer (string) network.tls.server.certificate.issuer
certificate.not_valid_before (time) network.tls.server.certificate.not_before
certificate.not_valid_after (time) network.tls.server.certificate.not_after
certificate.key_alg (string) about.labels [certificate_key_alg]
certificate.sig_alg (string) about.labels [certificate_sig_alg]
certificate.key_type (string) about.labels [certificate_key_type]
certificate.key_length (integer - count) about.labels [certificate_key_length]
certificate.exponent (string) about.labels [certificate_exponent]
certificate.curve (string) network.tls.curve
san.dns (array[string] - vector of string) about.labels [san_dns]
san.uri (array[string] - vector of string) about.url
san.email (array[string] - vector of string) about.labels [san_email]
san.ip (array[string] - vector of addr) about.ip
basic_constraints.ca (boolean - bool) about.labels [basic_constraints_ca]
basic_constraints.path_len (integer - count) about.labels [basic_constraints_path_len]
host_cert (boolean - bool) about.labels [host_cert]
client_cert (boolean - bool) about.labels [client_cert]
vlan (integer - int) additional.fields [vlan]
vlan_inner (integer - int) additional.fields [vlan_inner]

Referenz für die Feldzuordnung: CORELIGHT – unknown-smartpcap

In der folgenden Tabelle sind die Protokollfelder des unknown-smartpcap-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Smartpcap.
tid (string) about.labels [tid]
pkts (integer - count) about.labels [pkts]
url (string) security_result.url_back_to_product

Referenz für die Feldzuordnung: CORELIGHT – mysql

In der folgenden Tabelle sind die Protokollfelder des mysql-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
cmd (string) target.resource.attribute.labels [cmd]
arg (string) principal.process.command_line
success (boolean - bool) target.resource.attribute.labels [success]
rows (integer - count) target.resource.attribute.labels [rows]
response (string) target.resource.attribute.labels [response]
target.resource.resource_type The target.resource.resource_type UDM field is set to DATABASE.

Referenz für die Feldzuordnung: CORELIGHT – napatech_shunting

In der folgenden Tabelle sind die Protokollfelder des napatech_shunting-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
peer (string) about.labels [peer]
terminated_flows (integer - count) about.labels [terminated_flows]
shunted_flows (integer - count) security_result.detection_fields [shunted_flows]

Referenz für die Feldzuordnung: CORELIGHT – ntlm

In der folgenden Tabelle sind die Protokollfelder des ntlm-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
username (string) target.user.userid
hostname (string) principal.hostname
domainname (string) principal.domain.name
server_nb_computer_name (string) target.hostname
server_dns_computer_name (string) target.domain.name
server_tree_name (string) target.labels [server_tree_name]
success (boolean - bool) extensions.auth.auth_details If the success log field value is equal to true, then the extensions.auth.auth_details UDM field is set to Authentication successful.

Else, the extensions.auth.auth_details UDM field is set to Authentication failed.

Referenz für die Feldzuordnung: CORELIGHT – pe

In der folgenden Tabelle sind die Protokollfelder des pe-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
id (string) about.labels [id]
machine (string) target.labels [machine]
compile_ts (time) about.labels [compile_ts]
os (string) target.platform If the os log field value is equal to windows, then the target.platform UDM field is set to WINDOWS.

Else, if is equal to linux, then the target.platform UDM field is set to LINUX.

Else, if the os log field value is equal to mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.
subsystem (string) target.application
is_exe (boolean - bool) about.file.file_type If the is_exe log field value is equal to true, then the about.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
is_64bit (boolean - bool) about.labels [is_64bit]
uses_aslr (boolean - bool) about.labels [uses_aslr]
uses_dep (boolean - bool) about.labels [uses_dep]
uses_code_integrity (boolean - bool) about.labels [uses_code_integrity]
uses_seh (boolean - bool) about.labels [uses_seh ]
has_import_table (boolean - bool) about.labels [has_import_table]
has_export_table (boolean - bool) about.labels [has_export_table]
has_cert_table (boolean - bool) about.labels [has_cert_table]
has_debug_data (boolean - bool) about.labels [has_debug_data]
section_names (array[string] - vector of string) about.labels [section_names]

Referenz für die Feldzuordnung: CORELIGHT – ntp

In der folgenden Tabelle sind die Protokollfelder des ntp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to NTP.
network.ip_protocol The network.ip_protocol UDM field is set to UDP.
version (integer - count) network.application_protocol_version
mode (integer - count) about.labels [mode]
stratum (integer - count) about.labels [stratum]
poll (number - interval) about.labels [poll]
precision (number - interval) about.labels [precision]
root_delay (number - interval) about.labels [root_delay]
root_disp (number - interval) about.labels [root_disp]
ref_id (string) target.ip If the ref_idlog field value is matched with regex of IP, then the ref_idlog field is mapped to the target.ip UDM field.

Else, the ref_idlog field is mapped to the target.labels UDM field.
ref_id (string) target.labels [ref_id] If the ref_idlog field value is matched with regex of IP, then the ref_idlog field is mapped to the target.ip UDM field.

Else, the ref_idlog field is mapped to the target.labels UDM field.
ref_time (time) about.labels [ref_time]
org_time (time) about.labels [org_time]
rec_time (time) about.labels [rec_time]
xmt_time (time) about.labels [rec_time]
num_exts (integer - count) about.labels [num_exts]

Referenz für die Feldzuordnung: CORELIGHT – Radius

In der folgenden Tabelle sind die Protokollfelder des radius-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
username (string) target.user.userid
mac (string) principal.mac
framed_addr (string - addr) intermediary.ip
tunnel_client (string) intermediary.ip If the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
tunnel_client (string) intermediary.domain.name If the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
connect_info (string) about.labels [connect_info]
reply_msg (string) about.labels [reply_msg]
result (string) extensions.auth.auth_details
ttl (number - interval) network.session_duration

Referenz für die Feldzuordnung: CORELIGHT – Reporter

In der folgenden Tabelle sind die Protokollfelder des reporter-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
level (string - enum) security_result.severity If the level log field value is equal to CRITICAL or ERROR or HIGH or INFORMATIONAL or LOW or MEDIUM, then the level log field is mapped to the security_result.severity UDM field.
level (string - enum) security_result.severity_details
message (string) security_result.description
location (string) about.labels [location]

Referenz für die Feldzuordnung: CORELIGHT – log4shell

In der folgenden Tabelle sind die Protokollfelder des log4shell-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to SCAN_HOST.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
extensions.vulns.vulnerabilities.cve_id The extensions.vulns.vulnerabilities.cve_id UDM field is set to CVE-2021-44228.
http_uri (string) about.labels [http_uri]
uri (string) target.url
stem (string) target.labels [stem]
target_host (string) target.hostname
target_port (string) target.port
method (string) network.http.method
is_orig (boolean - bool) about.labels [is_orig]
name (string) about.labels.key
value (string) about.labels.value
matched_name (boolean - bool) about.labels [matched_name]
matched_value (boolean - bool) about.labels [matched_value]

Referenz für die Feldzuordnung: CORELIGHT – Modbus

In der folgenden Tabelle sind die Protokollfelder des modbus-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MODBUS.
func (string) about.labels [func]
exception (string) security_result.description
pdu_type (string) additional.fields [pdu_type]
tid (integer - count) additional.fields [tid]
unit (integer - count) additional.fields [unit]

Referenz für die Feldzuordnung: CORELIGHT – mqtt_connect

In der folgenden Tabelle sind die Protokollfelder des mqtt_connect-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
proto_name (string) about.labels [proto_name]
proto_version (string) network.application_protocol_version
client_id (string) principal.labels [client_id]
connect_status (string) security_result.description
will_topic (string) about.labels [will_topic]
will_payload (string) about.labels [will_payload]

Referenz für die Feldzuordnung: CORELIGHT – mqtt_publish

In der folgenden Tabelle sind die Protokollfelder des mqtt_publish-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
from_client (boolean - bool) about.labels [from_client]
retain (boolean - bool) target.labels [retain]
qos (string) about.labels [qos]
status (string) security_result.description
topic (string) about.labels [topic]
payload (string) about.labels [payload]
payload_len (integer - count) about.labels [payload_len]

Referenz für die Feldzuordnung: CORELIGHT – mqtt_subscribe

In der folgenden Tabelle sind die Protokollfelder des mqtt_subscribe-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to MQTT.
action (string - enum) security_result.action_details
topics (array[string] - vector of string) about.labels [topics]
qos_levels (array[integer] - vector of count) about.labels [qos_levels]
granted_qos_level (integer - count) about.labels [granted_qos_level]
ack (boolean - bool) security_result.detection_fields [ack]

Referenz für die Feldzuordnung: CORELIGHT – dpd

In der folgenden Tabelle sind die Protokollfelder des dpd-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
proto (string - enum) network.ip_protocol
analyzer (string) about.labels [analyzer]
failure_reason (string) about.labels [failure_reason]

Referenz für die Feldzuordnung: CORELIGHT – encrypted_dns

In der folgenden Tabelle sind die Protokollfelder des encrypted_dns-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
resp_h (string - addr) target.ip
cert.cn (string) about.labels [cert_cn]
cert.sans (array[string] - set[string]) about.labels [cert_sans]
sni (string) network.tls.client.server_name
match (string) about.labels [match]

Referenz für die Feldzuordnung: CORELIGHT – enip

In der folgenden Tabelle sind die Protokollfelder des enip-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
command (string) principal.process.command_line
length (integer - count) about.labels [length]
session_handle (string) network.session_id
status (string) about.labels [status]
sender_context (string) about.labels [sender_context]
options (string) about.labels [options]
enip_command (string) additional.fields [enip_command]
enip_command_code (string) additional.fields [enip_command_code]
enip_status (string) additional.fields [enip_status]
is_orig (boolean - bool) additional.fields [is_orig]

Referenz für die Feldzuordnung: CORELIGHT – enip_debug

In der folgenden Tabelle sind die Protokollfelder des enip_debug-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
raw_data (string) about.labels [raw_data]

Referenz für die Feldzuordnung: CORELIGHT – enip_list_identity

In der folgenden Tabelle sind die Protokollfelder des enip_list_identity-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
device_type (string) target.asset.attribute.labels [device_type]
vendor (string) target.asset.hardware.manufacturer
product_name (string) target.asset.attribute.labels [product_name]
serial_number (string) target.asset.asset_id The target.asset.asset_id UDM field is set with serial_number log fields as "CORELIGHT: serial_number".
product_code (integer - count) target.asset.attribute.labels [product_code]
revision (number - double) target.asset.attribute.labels [revision]
status (string) about.labels [status]
state (string) target.asset.attribute.labels [state]
device_ip (string - addr) target.asset.ip

Referenz für die Feldzuordnung: CORELIGHT – etc_viz

In der folgenden Tabelle sind die Protokollfelder des etc_viz-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
server_a (string - addr) target.ip
server_p (integer - port) target.port
service (array[string] - set[string]) target.application The service log field is mapped to target.application UDM field when index value in service is equal to 0.

For every other index value, target.labels.key UDM field is set to service and service log field is mapped to the target.labels.value.
viz_stat (string) about.labels [viz_stat]
c2s_viz.size (integer - count) about.labels [c2s_viz_size]
c2s_viz.enc_dev (number - double) about.labels [c2s_viz_enc_dev]
c2s_viz.enc_frac (number - double) about.labels [c2s_viz_enc_frac]
c2s_viz.pdu1_enc (boolean - bool) about.labels [c2s_viz_pdu1_enc]
c2s_viz.clr_frac (number - double) about.labels [c2s_viz_clr_frac]
c2s_viz.clr_ex (string) about.labels [c2s_viz_clr_ex]
s2c_viz.size (integer - count) about.labels [s2c_viz_size]
s2c_viz.enc_dev (number - double) about.labels [s2c_viz_enc_dev]
s2c_viz.enc_frac (number - double) about.labels [s2c_viz_enc_frac]
s2c_viz.pdu1_enc (boolean - bool) about.labels [s2c_viz_pdu1_enc]
s2c_viz.clr_frac (number - double) about.labels [s2c_viz_clr_frac]
s2c_viz.clr_ex (string) about.labels [s2c_viz_clr_ex]

Referenz für die Feldzuordnung: CORELIGHT – ftp

In der folgenden Tabelle sind die Protokollfelder des ftp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_FTP.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
user (string) principal.user.user_display_name
password (string) extensions.auth.auth_details
command (string), arg (string) network.ftp.command The network.ftp.command UDM field is set with command, arg log fields as "command arg".
mime_type (string) target.file.mime_type
file_size (integer - count) target.file.size
reply_code (integer - count) about.labels [reply_code]
reply_msg (string) about.labels [reply_msg]
data_channel.passive (boolean - bool) about.labels [data_channel_passive]
data_channel.orig_h (string - addr) principal.ip
data_channel.resp_h (string - addr) target.ip
data_channel.resp_p (integer - port) target.labels [data_channel_resp_p]
fuid (string) about.labels [fuid]

Referenz für die Feldzuordnung: CORELIGHT – generic_dns_tunnels

In der folgenden Tabelle sind die Protokollfelder des generic_dns_tunnels-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
dns_client (string - addr) principal.ip
domain (string) network.dns_domain
domain (string) network.dns.questions.name
bytes (integer - int) about.labels [bytes]
capture_secs (number - interval) about.labels [capture_secs]

Referenz für die Feldzuordnung: CORELIGHT – generic_icmp_tunnels

In der folgenden Tabelle sind die Protokollfelder des generic_icmp_tunnels-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.ip_protocol The network.ip_protocol UDM field is set to ICMP.
detection (string) security_result.detection_fields [detection]
orig (string - addr) principal.ip
resp (string - addr) target.ip
id (integer - count) about.labels [id]
seq (integer - count) about.labels [seq]
bytes (integer - count) about.labels [bytes]
payload_len (integer - count) about.labels [payload_len]
payload (string) about.labels [payload]

Referenz für die Feldzuordnung: CORELIGHT – icmp_specific_tunnels

In der folgenden Tabelle sind die Protokollfelder des icmp_specific_tunnels-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.ip_protocol The network.ip_protocol UDM field is set to ICMP.
start_time (time) about.labels [start_time]
duration (number - interval) network.session_duration
tunnel (string) intermediary.labels [tunnel]
seq (integer - count) about.labels [seq]
icmp_id (integer - count) about.labels [icmp_id]
payload (string) about.labels [payload]

Referenz für die Feldzuordnung: CORELIGHT – ipsec

In der folgenden Tabelle sind die Protokollfelder des ipsec-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
initiator_spi (string) principal.labels [initiator_spi]
responder_spi (string) target.labels [responder_spi]
maj_ver (integer - count) about.labels [maj_ver]
min_ver (integer - count) about.labels [min_ver]
exchange_type (integer - count) about.labels [exchange_type]
flag_e (boolean - bool) about.labels [flag_e]
flag_c (boolean - bool) about.labels [flag_c]
flag_a (boolean - bool) about.labels [flag_a]
flag_i (boolean - bool) about.labels [flag_i]
flag_v (boolean - bool) about.labels [flag_v]
flag_r (boolean - bool) about.labels [flag_r]
message_id (integer - count) about.labels [message_id]
vendor_ids (array[string] - vector of string) about.labels [vendor_id]
notify_messages (array[string] - vector of string) about.labels [notify_message]
transforms (array[string] - vector of string) about.labels [transform]
ke_dh_groups (array[integer] - vector of count) about.labels [ke_dh_group]
proposals (array[integer] - vector of count) about.labels [proposal]
protocol_id (integer - count) about.labels [protocol_id]
certificates (array[string] - vector of string) about.labels [certificate]
transform_attributes (array[string] - vector of string) about.labels [transform_attribute]
length (integer - count) about.labels [length]
hash (string) about.labels [hash]
doi (integer - count) about.labels [doi]
situation (string) about.labels [situation]
is_orig (boolean - bool) additional.fields [is_orig]

Referenz für die Feldzuordnung: CORELIGHT – profinet

In der folgenden Tabelle sind die Protokollfelder des profinet-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
operation_type (string) about.labels [operation_type]
block_version (string) about.labels [block_version]
slot_number (integer - count) about.labels [slot_number]
subslot_number (integer - count) about.labels [subslot_number]
index (string) about.labels [index]

Referenz für die Feldzuordnung: CORELIGHT – profinet_dce_rpc

In der folgenden Tabelle sind die Protokollfelder des profinet_dce_rpc-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
network.application_protocol The network.application_protocol UDM field is set to DCERPC.
version (integer - count) about.labels [version]
packet_type (integer - count) about.labels [packet_type]
object_uuid (string) about.labels [object_uuid]
interface_uuid (string) about.labels [interface_uuid]
activity_uuid (string) about.labels [activity_uuid]
server_boot_time (integer - count) about.labels [server_boot_time]
operation (string) about.labels [operation]

Referenz für die Feldzuordnung: CORELIGHT – profinet_debug

In der folgenden Tabelle sind die Protokollfelder des profinet_debug-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
raw_data (string) about.labels [raw_data]

Referenz für die Feldzuordnung: CORELIGHT – rfb

In der folgenden Tabelle sind die Protokollfelder des rfb-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
client_major_version (string) principal.labels [client_major_version]
client_minor_version (string) principal.labels [client_minor_version]
server_major_version (string) target.labels [server_major_version]
server_minor_version (string) target.labels [server_minor_version]
authentication_method (string) extension.auth.mechanism If the authentication_method log field value is equal to VNC, then the extension.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
authentication_method (string) extension.auth.auth_details
auth (boolean - bool) security_result.action If the auth log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
share_flag (boolean - bool) about.labels [share_flag]
desktop_name (string) principal.labels [desktop_name]
width (integer - count) principal.labels [width]
height (integer - count) principal.labels [height]

Referenz für die Feldzuordnung: CORELIGHT – known_certs

In der folgenden Tabelle sind die Protokollfelder des known_certs-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
entity.resource.resource_subtype The entity.resource.resource_subtype UDM field is set to CERTIFICATE.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
hash (string) entity.resource.attribute.labels [hash]
port (integer - port) entity.port
protocol (string - enum) entity.labels [protocol]
serial (string) entity.resource.attribute.labels [serial]
subject (string) entity.resource.attribute.labels [subject]
issuer_subject (string) entity.resource.attribute.labels [issuer_subject]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
port_num (integer - port) entity.port

Referenz für die Feldzuordnung: CORELIGHT – known_devices

In der folgenden Tabelle sind die Protokollfelder des known_devices-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
ts (time) metadata.interval.start_time
ts (time) entity.asset.first_seen_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.asset.ip
mac (string) entity.asset.mac
vendor_mac (string) entity.asset.hardware.manufacturer
protocols (array[string] - set[string]) entity.labels [protocol]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]

Referenz für die Feldzuordnung: CORELIGHT – known_domains

In der folgenden Tabelle sind die Protokollfelder des known_domains-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to DOMAIN_NAME.
ts (time) metadata.interval.start_time
ts (time) entity.domain.first_seen_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
domain (string) entity.domain.name
protocols (array[string] - set[string]) entity.labels [protocol]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]

Referenz für die Feldzuordnung: CORELIGHT – known_hosts

In der folgenden Tabelle sind die Protokollfelder des known_hosts-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
conns_opened (integer - count) metadata.threat.detection_fields [conns_opened]
conns_closed (integer - count) metadata.threat.detection_fields [conns_closed]
conns_pending (integer - count) metadata.threat.detection_fields [conns_pending]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
ep.cid (string) additional.fields [ep_cid]
ep.criticality (string) entity.security_result.detection_fields[ep_criticality]
ep.desc (string) metadata.description
ep.os_version (string) entity.platform_version
ep.source (string) additional.fields [ep_source]
ep.status (string) additional.fields [ep_status]
ep.uid (string) additional.fields [ep_uid]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]

Referenz für die Feldzuordnung: CORELIGHT – known_names

In der folgenden Tabelle sind die Protokollfelder des known_names-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
hostname (string) entity.hostname
protocols (array[string] - set[string]) entity.labels [protocol]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]

Referenz für die Feldzuordnung: CORELIGHT – known_remotes

In der folgenden Tabelle sind die Protokollfelder des known_remotes-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]

Referenz für die Feldzuordnung: CORELIGHT – known_services

In der folgenden Tabelle sind die Protokollfelder des known_services-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
port (integer - port) entity.port
protocol (string - enum) entity.labels [protocol]
service (array[string] - vector of string) entity.labels [service]
software (array[string] - set[string]) entity.asset.software.name
app (array[string] - set[string]) entity.application The app log field is mapped to entity.application UDM field when index value in app is equal to 0.

For every other index value, entity.labels.key UDM field is set to app and app log field is mapped to the entity.labels.value.
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]
num_conns_complete (integer - count) entity.security_result.detection_fields[num_conns_complete]
num_conns_pending (integer - int) entity.security_result.detection_fields[num_conns_pending]
port_num (integer - port) entity.port

Referenz für die Feldzuordnung: CORELIGHT – known_users

In der folgenden Tabelle sind die Protokollfelder des known_users-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.product_name The metadata.product_name UDM field is set to Zeek.
metadata.entity_type The metadata.entity_type UDM field is set to RESOURCE.
ts (time) metadata.interval.start_time
duration (number - interval) entity.labels [duration]
kuid (string) entity.labels [kuid]
host_ip (string - addr) entity.ip
remote_ip (string - addr) entity.ip
user (string) entity.user.user_display_name
protocol (string) entity.labels [protocol]
num_conns (integer - count) metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string) metadata.threat.detection_fields [annotations]
last_active_session (string) entity.labels [last_active_session]
last_active_interval (number - interval) entity.labels [last_active_interval]
host_inner_vlan (integer - int) additional.fields [host_inner_vlan]
host_vlan (integer - int) additional.fields [host_vlan]
remote_inner_vlan (integer - int) additional.fields [remote_inner_vlan]
remote_vlan (integer - int) additional.fields [remote_vlan]
long_conns (integer - count) metadata.threat.detection_fields [long_conns]

Referenz für die Feldzuordnung: CORELIGHT – s7comm

In der folgenden Tabelle sind die Protokollfelder des s7comm-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to Zeek.
rosctr (string) about.labels [rosctr]
parameter (array[string] - vector of string) about.labels [parameter]
item_count (integer - count) about.labels [item_count]
data_info (array[string] - vector of string) about.labels [data_info]
error_class (string) additional.fields [error_class]
error_code (string) additional.fields [error_code]
function_code (string) additional.fields [function_code]
function_name (string) additional.fields [function_name]
is_orig (boolean - bool) additional.fields [is_orig]
pdu_reference (integer - count) additional.fields [pdu_reference]
rosctr_code (integer - count) additional.fields [rosctr_code]
rosctr_name (string) additional.fields [rosctr_name]
subfunction_code (string) additional.fields [subfunction_code]
subfunction_name (string) additional.fields [subfunction_name]

Referenz für die Feldzuordnung: CORELIGHT – smartpcap

In der folgenden Tabelle sind die Protokollfelder des smartpcap-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Smartpcap.
logstr (string) metadata.description

Referenz für die Feldzuordnung: CORELIGHT – snmp

In der folgenden Tabelle sind die Protokollfelder des snmp-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_name The metadata.product_name UDM field is set to zeek.
duration (number - interval) network.session_duration
version (string) network.application_protocol_version
community (string) about.labels [community]
get_requests (integer - count) about.labels [get_requests]
get_bulk_requests (integer - count) about.labels [get_bulk_requests]
get_responses (integer - count) about.labels [get_responses]
set_requests (integer - count) about.labels [set_requests]
display_string (string) about.labels [display_string]
up_since (time) about.labels [up_since]

Referenz für die Feldzuordnung: CORELIGHT – Socken

In der folgenden Tabelle sind die Protokollfelder des socks-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
version (integer - count) about.labels [version]
user (string) principal.user.userid
password (string) extensions.auth.auth_details
status (string) about.labels [status]
request.host (string - addr) target.ip
request.name (string) target.hostname
request_p (integer - port) target.labels [request_p]
bound.host (string - addr) intermediary.ip
bound.name (string) intermediary.hostname
bound_p (integer - port) intermediary.port

Referenz für die Feldzuordnung: CORELIGHT – Software

In der folgenden Tabelle sind die Protokollfelder des software-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to zeek.
host (string - addr) target.asset.ip
host_p (integer - port) target.port
software_type (string - enum) target.asset.software.description
name (string) target.asset.software.name
version.major (integer - count) target.asset.software.version
version.minor (integer - count) target.asset.attribute.labels [version_minor]
version.minor2 (integer - count) target.asset.attribute.labels [version_minor2]
version.minor3 (integer - count) target.asset.attribute.labels [version_minor3]
version.addl (string) target.asset.attribute.labels [version_addl]
unparsed_version (string) target.asset.attribute.labels [unparsed_version]

Referenz für die Feldzuordnung: CORELIGHT – specific_dns_tunnels

In der folgenden Tabelle sind die Protokollfelder des specific_dns_tunnels-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_name The metadata.product_name UDM field is set to zeek.
network.application_protocol The network.application_protocol UDM field is set to DNS.
trans_id (integer - count) network.dns.id
dns_client (string - addr) principal.ip
resolver (string - addr) target.ip
query (string) network.dns.questions.name
program (string - enum) principal.application
session_id (integer - count) network.session_id
detection (string) security_result.detection_fields [detection]
sods_id (integer - count) about.labels [sods_id]

Referenz für die Feldzuordnung: CORELIGHT – Schrittweite

In der folgenden Tabelle sind die Protokollfelder des stepping-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
dt (number - interval) about.labels [dt]
uid1 (string) about.labels [uid1]
uid2 (string) about.labels [uid2]
direct (boolean - bool) about.labels [direct]
client1_h (string - addr) principal.ip
client1_p (integer - port) principal.port
server1_h (string - addr) target.ip
server1_p (integer - port) target.port
client2_h (string - addr) principal.ip
client2_p (integer - port) principal.labels [client2_p]
server2_h (string - addr) target.labels [server2_h]
server2_p (integer - port) target.labels [server2_p]

Referenz für die Feldzuordnung: CORELIGHT – stun

In der folgenden Tabelle sind die Protokollfelder des stun-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
proto (string - enum) network.ip_protocol
is_orig (boolean - bool) about.labels [is_orig]
trans_id (string) network.session_id
method (string) about.labels [method]
class (string) about.labels [class]
attr_types (array[string] - vector of string) about.labels.key
attr_vals (array[string] - vector of string) about.labels.value

Referenz für die Feldzuordnung: CORELIGHT – stun_nat

In der folgenden Tabelle sind die Protokollfelder des stun_nat-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_name The metadata.product_name UDM field is set to zeek.
proto (string - enum) network.ip_protocol
is_orig (boolean - bool) about.labels [is_orig]
wan_addrs (array[string] - vector of addr) principal.nat_ip
wan_ports (array[integer] - vector of count) principal.nat_port The wan_ports log field is mapped to principal.nat_port UDM field when index value in wan_ports is equal to 0.

For every other index value, principal.labels.key UDM field is set to wan_port and wan_ports log field is mapped to the principal.labels.value.
lan_addrs (array[string] - vector of addr) principal.ip

Referenz für die Feldzuordnung: CORELIGHT – suricata_stats

In der folgenden Tabelle sind die Protokollfelder des suricata_stats-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_name The metadata.product_name UDM field is set to Suricata.
raw_mgmt about.labels [raw_mgmt]
timestamp(time) metadata.event_timestamp
event_type(string) about.labels [event_type]
stats.uptime(integer) about.labels [stats_uptime]
stats.napa_total.pkts(integer) about.labels [stats_napa_total_pkts]
stats.napa_total.byte(integer) about.labels [stats_napa_total_byte]
stats.napa_total.overflow_drop_pkts(integer) about.labels [stats_napa_total_overflow_drop_pkts]
stats.napa_total.overflow_drop_byte(integer) about.labels [stats_napa_total_overflow_drop_byte]
stats.napa_dispatch_host.pkts(integer) about.labels [stats_napa_dispatch_host_pkts]
stats.napa_dispatch_host.byte(integer) about.labels [stats_napa_dispatch_host_byte]
stats.napa_dispatch_drop.pkts(integer) about.labels [stats_napa_dispatch_drop_pkts]
stats.napa_dispatch_drop.byte(integer) about.labels [stats_napa_dispatch_drop_byte]
stats.decoder.pkts(integer) about.labels [stats_decoder_pkts]
stats.decoder.bytes(integer) about.labels [stats_decoder_bytes]
stats.decoder.invalid(integer) about.labels [stats_decoder_invalid]
stats.decoder.ipv4(integer) about.labels [stats_decoder_ipv4]
stats.decoder.ipv6(integer) about.labels [stats_decoder_ipv6]
stats.decoder.ethernet(integer) about.labels [stats_decoder_ethernet]
stats.decoder.chdlc(integer) about.labels [stats_decoder_chdlc]
stats.decoder.raw(integer) about.labels [stats_decoder_raw]
stats.decoder.null(integer) about.labels [stats_decoder_null]
stats.decoder.sll(integer) about.labels [stats_decoder_sll]
stats.decoder.tcp(integer) about.labels [stats_decoder_tcp]
stats.decoder.udp(integer) about.labels [stats_decoder_udp]
stats.decoder.sctp(integer) about.labels [stats_decoder_sctp]
stats.decoder.icmpv4(integer) about.labels [stats_decoder_icmpv4]
stats.decoder.icmpv6(integer) about.labels [stats_decoder_icmpv6]
stats.decoder.ppp(integer) about.labels [stats_decoder_ppp]
stats.decoder.pppoe(integer) about.labels [stats_decoder_pppoe]
stats.decoder.geneve(integer) about.labels [stats_decoder_geneve]
stats.decoder.gre(integer) about.labels [stats_decoder_gre]
stats.decoder.vlan(integer) about.labels [stats_decoder_vlan]
stats.decoder.vlan_qinq(integer) about.labels [stats_decoder_vlan_qinq]
stats.decoder.vxlan(integer) about.labels [stats_decoder_vxlan]
stats.decoder.vntag(integer) about.labels [stats_decoder_vntag]
stats.decoder.ieee8021ah(integer) about.labels [stats_decoder_ieee8021ah]
stats.decoder.teredo(integer) about.labels [stats_decoder_teredo]
stats.decoder.ipv4_in_ipv6(integer) about.labels [stats_decoder_ipv4_in_ipv6]
stats.decoder.ipv6_in_ipv6(integer) about.labels [stats_decoder_ipv6_in_ipv6]
stats.decoder.mpls(integer) about.labels [stats_decoder_mpls]
stats.decoder.avg_pkt_size(integer) about.labels [stats_decoder_avg_pkt_size]
stats.decoder.max_pkt_size(integer) about.labels [stats_decoder_max_pkt_size]
stats.decoder.max_mac_addrs_src(integer) about.labels [stats_decoder_max_mac_addrs_src]
stats.decoder.max_mac_addrs_dst(integer) about.labels [stats_decoder_max_mac_addrs_dst]
stats.decoder.erspan(integer) about.labels [stats_decoder_erspan]
stats.decoder.event.ipv4.pkt_too_small(integer) about.labels [stats_decoder_event_ipv4_pkt_too_small]
stats.decoder.event.ipv4.hlen_too_small(integer) about.labels [stats_decoder_event_ipv4_hlen_too_small]
stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer) about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]
stats.decoder.event.ipv4.trunc_pkt(integer) about.labels [stats_decoder_event_ipv4_trunc_pkt]
stats.decoder.event.ipv4.opt_invalid(integer) about.labels [stats_decoder_event_ipv4_opt_invalid]
stats.decoder.event.ipv4.opt_invalid_len(integer) about.labels [stats_decoder_event_ipv4_opt_invalid_len]
stats.decoder.event.ipv4.opt_malformed(integer) about.labels [stats_decoder_event_ipv4_opt_malformed]
stats.decoder.event.ipv4.opt_pad_required(integer) about.labels [stats_decoder_event_ipv4_opt_pad_required]
stats.decoder.event.ipv4.opt_eol_required(integer) about.labels [stats_decoder_event_ipv4_opt_eol_required]
stats.decoder.event.ipv4.opt_duplicate(integer) about.labels [stats_decoder_event_ipv4_opt_duplicate]
stats.decoder.event.ipv4.opt_unknown(integer) about.labels [stats_decoder_event_ipv4_opt_unknown]
stats.decoder.event.ipv4.wrong_ip_version(integer) about.labels [stats_decoder_event_ipv4_wrong_ip_version]
stats.decoder.event.ipv4.icmpv6(integer) about.labels [stats_decoder_event_ipv4_icmpv6]
stats.decoder.event.ipv4.frag_pkt_too_large(integer) about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]
stats.decoder.event.ipv4.frag_overlap(integer) about.labels [stats_decoder_event_ipv4_frag_overlap]
stats.decoder.event.ipv4.frag_ignored(integer) about.labels [stats_decoder_event_ipv4_frag_ignored]
stats.decoder.event.icmpv4.pkt_too_small(integer) about.labels [stats_decoder_event_icmpv4_pkt_too_small]
stats.decoder.event.icmpv4.unknown_type(integer) about.labels [stats_decoder_event_icmpv4_unknown_type]
stats.decoder.event.icmpv4.unknown_code(integer) about.labels [stats_decoder_event_icmpv4_unknown_code]
stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer) about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]
stats.decoder.event.icmpv4.ipv4_unknown_ver(integer) about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]
stats.decoder.event.icmpv6.unknown_type(integer) about.labels [stats_decoder_event_icmpv6_unknown_type]
stats.decoder.event.icmpv6.unknown_code(integer) about.labels [stats_decoder_event_icmpv6_unknown_code]
stats.decoder.event.icmpv6.pkt_too_small(integer) about.labels [stats_decoder_event_icmpv6_pkt_too_small]
stats.decoder.event.icmpv6.ipv6_unknown_version(integer) about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]
stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer) about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]
stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer) about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]
stats.decoder.event.icmpv6.unassigned_type(integer) about.labels [stats_decoder_event_icmpv6_unassigned_type]
stats.decoder.event.icmpv6.experimentation_type(integer) about.labels [stats_decoder_event_icmpv6_experimentation_type]
stats.decoder.event.ipv6.pkt_too_small(integer) about.labels [stats_decoder_event_ipv6_pkt_too_small]
stats.decoder.event.ipv6.trunc_pkt(integer) about.labels [stats_decoder_event_ipv6_trunc_pkt]
stats.decoder.event.ipv6.trunc_exthdr(integer) about.labels [stats_decoder_event_ipv6_trunc_exthdr]
stats.decoder.event.ipv6.exthdr_dupl_fh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]
stats.decoder.event.ipv6.exthdr_useless_fh(integer) about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]
stats.decoder.event.ipv6.exthdr_dupl_rh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]
stats.decoder.event.ipv6.exthdr_dupl_hh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]
stats.decoder.event.ipv6.exthdr_dupl_dh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]
stats.decoder.event.ipv6.exthdr_dupl_ah(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]
stats.decoder.event.ipv6.exthdr_dupl_eh(integer) about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]
stats.decoder.event.ipv6.exthdr_invalid_optlen(integer) about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]
stats.decoder.event.ipv6.wrong_ip_version(integer) about.labels [stats_decoder_event_ipv6_wrong_ip_version]
stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer) about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]
stats.decoder.event.ipv6.hopopts_unknown_opt(integer) about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]
stats.decoder.event.ipv6.hopopts_only_padding(integer) about.labels [stats_decoder_event_ipv6_hopopts_only_padding]
stats.decoder.event.ipv6.dstopts_unknown_opt(integer) about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]
stats.decoder.event.ipv6.dstopts_only_padding(integer) about.labels [stats_decoder_event_ipv6_dstopts_only_padding]
stats.decoder.event.ipv6.rh_type_0(integer) about.labels [stats_decoder_event_ipv6_rh_type_0]
stats.decoder.event.ipv6.zero_len_padn(integer) about.labels [stats_decoder_event_ipv6_zero_len_padn]
stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer) about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]
stats.decoder.event.ipv6.data_after_none_header(integer) about.labels [stats_decoder_event_ipv6_data_after_none_header]
stats.decoder.event.ipv6.unknown_next_header(integer) about.labels [stats_decoder_event_ipv6_unknown_next_header]
stats.decoder.event.ipv6.icmpv4(integer) about.labels [stats_decoder_event_ipv6_icmpv4]
stats.decoder.event.ipv6.frag_pkt_too_large(integer) about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]
stats.decoder.event.ipv6.frag_overlap(integer) about.labels [stats_decoder_event_ipv6_frag_overlap]
stats.decoder.event.ipv6.frag_invalid_length(integer) about.labels [stats_decoder_event_ipv6_frag_invalid_length]
stats.decoder.event.ipv6.frag_ignored(integer) about.labels [stats_decoder_event_ipv6_frag_ignored]
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer) about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer) about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer) about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer) about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]
stats.decoder.event.tcp.pkt_too_small(integer) about.labels [stats_decoder_event_tcp_pkt_too_small]
stats.decoder.event.tcp.hlen_too_small(integer) about.labels [stats_decoder_event_tcp_hlen_too_small]
stats.decoder.event.tcp.invalid_optlen(integer) about.labels [stats_decoder_event_tcp_invalid_optlen]
stats.decoder.event.tcp.opt_invalid_len(integer) about.labels [stats_decoder_event_tcp_opt_invalid_len]
stats.decoder.event.tcp.opt_duplicate(integer) about.labels [stats_decoder_event_tcp_opt_duplicate]
stats.decoder.event.udp.pkt_too_small(integer) about.labels [stats_decoder_event_udp_pkt_too_small]
stats.decoder.event.udp.hlen_too_small(integer) about.labels [stats_decoder_event_udp_hlen_too_small]
stats.decoder.event.udp.hlen_invalid(integer) about.labels [stats_decoder_event_udp_hlen_invalid]
stats.decoder.event.udp.len_invalid(integer) about.labels [stats_decoder_event_udp_len_invalid]
stats.decoder.event.sll.pkt_too_small(integer) about.labels [stats_decoder_event_sll_pkt_too_small]
stats.decoder.event.ethernet.pkt_too_small(integer) about.labels [stats_decoder_event_ethernet_pkt_too_small]
stats.decoder.event.ppp.pkt_too_small(integer) about.labels [stats_decoder_event_ppp_pkt_too_small]
stats.decoder.event.ppp.vju_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_vju_pkt_too_small]
stats.decoder.event.ppp.ip4_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]
stats.decoder.event.ppp.ip6_pkt_too_small(integer) about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]
stats.decoder.event.ppp.wrong_type(integer) about.labels [stats_decoder_event_ppp_wrong_type]
stats.decoder.event.ppp.unsup_proto(integer) about.labels [stats_decoder_event_ppp_unsup_proto]
stats.decoder.event.pppoe.pkt_too_small(integer) about.labels [stats_decoder_event_pppoe_pkt_too_small]
stats.decoder.event.pppoe.wrong_code(integer) about.labels [stats_decoder_event_pppoe_wrong_code]
stats.decoder.event.pppoe.malformed_tags(integer) about.labels [stats_decoder_event_pppoe_malformed_tags]
stats.decoder.event.gre.pkt_too_small(integer) about.labels [stats_decoder_event_gre_pkt_too_small]
stats.decoder.event.gre.wrong_version(integer) about.labels [stats_decoder_event_gre_wrong_version]
stats.decoder.event.gre.version0_recur(integer) about.labels [stats_decoder_event_gre_version0_recur]
stats.decoder.event.gre.version0_flags(integer) about.labels [stats_decoder_event_gre_version0_flags]
stats.decoder.event.gre.version0_hdr_too_big(integer) about.labels [stats_decoder_event_gre_version0_hdr_too_big]
stats.decoder.event.gre.version0_malformed_sre_hdr(integer) about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]
stats.decoder.event.gre.version1_chksum(integer) about.labels [stats_decoder_event_gre_version1_chksum]
stats.decoder.event.gre.version1_route(integer) about.labels [stats_decoder_event_gre_version1_route]
stats.decoder.event.gre.version1_ssr(integer) about.labels [stats_decoder_event_gre_version1_ssr]
stats.decoder.event.gre.version1_recur(integer) about.labels [stats_decoder_event_gre_version1_recur]
stats.decoder.event.gre.version1_flags(integer) about.labels [stats_decoder_event_gre_version1_flags]
stats.decoder.event.gre.version1_no_key(integer) about.labels [stats_decoder_event_gre_version1_no_key]
stats.decoder.event.gre.version1_wrong_protocol(integer) about.labels [stats_decoder_event_gre_version1_wrong_protocol]
stats.decoder.event.gre.version1_malformed_sre_hdr(integer) about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]
stats.decoder.event.gre.version1_hdr_too_big(integer) about.labels [stats_decoder_event_gre_version1_hdr_too_big]
stats.decoder.event.vlan.header_too_small(integer) about.labels [stats_decoder_event_vlan_header_too_small]
stats.decoder.event.vlan.unknown_type(integer) about.labels [stats_decoder_event_vlan_unknown_type]
stats.decoder.event.vlan.too_many_layers(integer) about.labels [stats_decoder_event_vlan_too_many_layers]
stats.decoder.event.ieee8021ah.header_too_small(integer) about.labels [stats_decoder_event_ieee8021ah_header_too_small]
stats.decoder.event.vntag.header_too_small(integer) about.labels [stats_decoder_event_vntag_header_too_small]
stats.decoder.event.vntag.unknown_type(integer) about.labels [stats_decoder_event_vntag_unknown_type]
stats.decoder.event.ipraw.invalid_ip_version(integer) about.labels [stats_decoder_event_ipraw_invalid_ip_version]
stats.decoder.event.ltnull.pkt_too_small(integer) about.labels [stats_decoder_event_ltnull_pkt_too_small]
stats.decoder.event.ltnull.unsupported_type(integer) about.labels [stats_decoder_event_ltnull_unsupported_type]
stats.decoder.event.sctp.pkt_too_small(integer) about.labels [stats_decoder_event_sctp_pkt_too_small]
stats.decoder.event.mpls.header_too_small(integer) about.labels [stats_decoder_event_mpls_header_too_small]
stats.decoder.event.mpls.pkt_too_small(integer) about.labels [stats_decoder_event_mpls_pkt_too_small]
stats.decoder.event.mpls.bad_label_router_alert(integer) about.labels [stats_decoder_event_mpls_bad_label_router_alert]
stats.decoder.event.mpls.bad_label_implicit_null(integer) about.labels [stats_decoder_event_mpls_bad_label_implicit_null]
stats.decoder.event.mpls.bad_label_reserved(integer) about.labels [stats_decoder_event_mpls_bad_label_reserved]
stats.decoder.event.mpls.unknown_payload_type(integer) about.labels [stats_decoder_event_mpls_unknown_payload_type]
stats.decoder.event.vxlan.unknown_payload_type(integer) about.labels [stats_decoder_event_vxlan_unknown_payload_type]
stats.decoder.event.geneve.unknown_payload_type(integer) about.labels [stats_decoder_event_geneve_unknown_payload_type]
stats.decoder.event.erspan.header_too_small(integer) about.labels [stats_decoder_event_erspan_header_too_small]
stats.decoder.event.erspan.unsupported_version(integer) about.labels [stats_decoder_event_erspan_unsupported_version]
stats.decoder.event.erspan.too_many_vlan_layers(integer) about.labels [stats_decoder_event_erspan_too_many_vlan_layers]
stats.decoder.event.dce.pkt_too_small(integer) about.labels [stats_decoder_event_dce_pkt_too_small]
stats.decoder.event.chdlc.pkt_too_small(integer) about.labels [stats_decoder_event_chdlc_pkt_too_small]
stats.decoder.too_many_layers(integer) about.labels [stats_decoder_too_many_layers]
stats.flow.memcap(integer) about.labels [stats_flow_memcap]
stats.flow.tcp(integer) about.labels [stats_flow_tcp]
stats.flow.udp(integer) about.labels [stats_flow_udp]
stats.flow.icmpv4(integer) about.labels [stats_flow_icmpv4]
stats.flow.icmpv6(integer) about.labels [stats_flow_icmpv6]
stats.flow.tcp_reuse(integer) about.labels [stats_flow_tcp_reuse]
stats.flow.get_used(integer) about.labels [stats_flow_get_used]
stats.flow.get_used_eval(integer) about.labels [stats_flow_get_used_eval]
stats.flow.get_used_eval_reject(integer) about.labels [stats_flow_get_used_eval_reject]
stats.flow.get_used_eval_busy(integer) about.labels [stats_flow_get_used_eval_busy]
stats.flow.get_used_failed(integer) about.labels [stats_flow_get_used_failed]
stats.flow.wrk.spare_sync_avg(integer) about.labels [stats_flow_wrk_spare_sync_avg]
stats.flow.wrk.spare_sync(integer) about.labels [stats_flow_wrk_spare_sync]
stats.flow.wrk.spare_sync_incomplete(integer) about.labels [stats_flow_wrk_spare_sync_incomplete]
stats.flow.wrk.spare_sync_empty(integer) about.labels [stats_flow_wrk_spare_sync_empty]
stats.flow.wrk.flows_evicted_needs_work(integer) about.labels [stats_flow_wrk_flows_evicted_needs_work]
stats.flow.wrk.flows_evicted_pkt_inject(integer) about.labels [stats_flow_wrk_flows_evicted_pkt_inject]
stats.flow.wrk.flows_evicted(integer) about.labels [stats_flow_wrk_flows_evicted]
stats.flow.wrk.flows_injected(integer) about.labels [stats_flow_wrk_flows_injected]
stats.flow.mgr.full_hash_pass(integer) about.labels [stats_flow_mgr_full_hash_pass]
stats.flow.mgr.closed_pruned(integer) about.labels [stats_flow_mgr_closed_pruned]
stats.flow.mgr.new_pruned(integer) about.labels [stats_flow_mgr_new_pruned]
stats.flow.mgr.est_pruned(integer) about.labels [stats_flow_mgr_est_pruned]
stats.flow.mgr.bypassed_pruned(integer) about.labels [stats_flow_mgr_bypassed_pruned]
stats.flow.mgr.rows_maxlen(integer) about.labels [stats_flow_mgr_rows_maxlen]
stats.flow.mgr.flows_checked(integer) about.labels [stats_flow_mgr_flows_checked]
stats.flow.mgr.flows_notimeout(integer) about.labels [stats_flow_mgr_flows_notimeout]
stats.flow.mgr.flows_timeout(integer) about.labels [stats_flow_mgr_flows_timeout]
stats.flow.mgr.flows_timeout_inuse(integer) about.labels [stats_flow_mgr_flows_timeout_inuse]
stats.flow.mgr.flows_evicted(integer) about.labels [stats_flow_mgr_flows_evicted]
stats.flow.mgr.flows_evicted_needs_work(integer) about.labels [stats_flow_mgr_flows_evicted_needs_work]
stats.flow.spare(integer) about.labels [stats_flow_spare]
stats.flow.emerg_mode_entered(integer) about.labels [stats_flow_emerg_mode_entered]
stats.flow.emerg_mode_over(integer) about.labels [stats_flow_emerg_mode_over]
stats.flow.memuse(integer) about.labels [stats_flow_memuse]
stats.defrag.ipv4.fragments(integer) about.labels [stats_defrag_ipv4_fragments]
stats.defrag.ipv4.reassembled(integer) about.labels [stats_defrag_ipv4_reassembled]
stats.defrag.ipv4.timeouts(integer) about.labels [stats_defrag_ipv4_timeouts]
stats.defrag.ipv6.fragments(integer) about.labels [stats_defrag_ipv6_fragments]
stats.defrag.ipv6.reassembled(integer) about.labels [stats_defrag_ipv6_reassembled]
stats.defrag.ipv6.timeouts(integer) about.labels [stats_defrag_ipv6_timeouts]
stats.defrag.max_frag_hits(integer) about.labels [stats_defrag_max_frag_hits]
stats.flow_bypassed.local_pkts(integer) about.labels [stats_flow_bypassed_local_pkts]
stats.flow_bypassed.local_bytes(integer) about.labels [stats_flow_bypassed_local_bytes]
stats.flow_bypassed.local_capture_pkts(integer) about.labels [stats_flow_bypassed_local_capture_pkts]
stats.flow_bypassed.local_capture_bytes(integer) about.labels [stats_flow_bypassed_local_capture_bytes]
stats.flow_bypassed.closed(integer) about.labels [stats_flow_bypassed_closed]
stats.flow_bypassed.pkts(integer) about.labels [stats_flow_bypassed_pkts]
stats.flow_bypassed.bytes(integer) about.labels [stats_flow_bypassed_bytes]
stats.tcp.sessions(integer) about.labels [stats_tcp_sessions]
stats.tcp.ssn_memcap_drop(integer) about.labels [stats_tcp_ssn_memcap_drop]
stats.tcp.pseudo(integer) about.labels [stats_tcp_pseudo]
stats.tcp.pseudo_failed(integer) about.labels [stats_tcp_pseudo_failed]
stats.tcp.invalid_checksum(integer) about.labels [stats_tcp_invalid_checksum]
stats.tcp.no_flow(integer) about.labels [stats_tcp_no_flow]
stats.tcp.syn(integer) about.labels [stats_tcp_syn]
stats.tcp.synack(integer) about.labels [stats_tcp_synack]
stats.tcp.rst(integer) about.labels [stats_tcp_rst]
stats.tcp.midstream_pickups(integer) about.labels [stats_tcp_midstream_pickups]
stats.tcp.pkt_on_wrong_thread(integer) about.labels [stats_tcp_pkt_on_wrong_thread]
stats.tcp.segment_memcap_drop(integer) about.labels [stats_tcp_segment_memcap_drop]
stats.tcp.stream_depth_reached(integer) about.labels [stats_tcp_stream_depth_reached]
stats.tcp.reassembly_gap(integer) about.labels [stats_tcp_reassembly_gap]
stats.tcp.overlap(integer) about.labels [stats_tcp_overlap]
stats.tcp.overlap_diff_data(integer) about.labels [stats_tcp_overlap_diff_data]
stats.tcp.insert_data_normal_fail(integer) about.labels [stats_tcp_insert_data_normal_fail]
stats.tcp.insert_data_overlap_fail(integer) about.labels [stats_tcp_insert_data_overlap_fail]
stats.tcp.insert_list_fail(integer) about.labels [stats_tcp_insert_list_fail]
stats.tcp.memuse(integer) about.labels [stats_tcp_memuse]
stats.tcp.reassembly_memuse(integer) about.labels [stats_tcp_reassembly_memuse]
stats.detect.engines.id(array) about.labels [stats_detect_engines_id]
stats.detect.engines.last_reload(array) about.labels [stats_detect_engines_last_reload]
stats.detect.engines.rules_loaded(array) about.labels [stats_detect_engines_rules_loaded]
stats.detect.engines.rules_failed(array) about.labels [stats_detect_engines_rules_failed]
stats.detect.alert(integer) about.labels [stats_detect_alert]
stats.detect.alert_queue_overflow(integer) about.labels [stats_detect_alert_queue_overflow]
stats.detect.alerts_suppressed(integer) about.labels [stats_detect_alerts_suppressed]
stats.app_layer.flow.http(integer) about.labels [stats_app_layer_flow_http]
stats.app_layer.flow.ftp(integer) about.labels [stats_app_layer_flow_ftp]
stats.app_layer.flow.smtp(integer) about.labels [stats_app_layer_flow_smtp]
stats.app_layer.flow.tls(integer) about.labels [stats_app_layer_flow_tls]
stats.app_layer.flow.ssh(integer) about.labels [stats_app_layer_flow_ssh]
stats.app_layer.flow.imap(integer) about.labels [stats_app_layer_flow_imap]
stats.app_layer.flow.smb(integer) about.labels [stats_app_layer_flow_smb]
stats.app_layer.flow.dcerpc_tcp(integer) about.labels [stats_app_layer_flow_dcerpc_tcp]
stats.app_layer.flow.dns_tcp(integer) about.labels [stats_app_layer_flow_dns_tcp]
stats.app_layer.flow.nfs_tcp(integer) about.labels [stats_app_layer_flow_nfs_tcp]
stats.app_layer.flow.ntp(integer) about.labels [stats_app_layer_flow_ntp]
stats.app_layer.flow.ftp-data(integer) about.labels [stats_app_layer_flow_ftp-data]
stats.app_layer.flow.tftp(integer) about.labels [stats_app_layer_flow_tftp]
stats.app_layer.flow.ikev2(integer) about.labels [stats_app_layer_flow_ikev2]
stats.app_layer.flow.krb5_tcp(integer) about.labels [stats_app_layer_flow_krb5_tcp]
stats.app_layer.flow.dhcp(integer) about.labels [stats_app_layer_flow_dhcp]
stats.app_layer.flow.rfb(integer) about.labels [stats_app_layer_flow_rfb]
stats.app_layer.flow.rdp(integer) about.labels [stats_app_layer_flow_rdp]
stats.app_layer.flow.failed_tcp(integer) about.labels [stats_app_layer_flow_failed_tcp]
stats.app_layer.flow.dcerpc_udp(integer) about.labels [stats_app_layer_flow_dcerpc_udp]
stats.app_layer.flow.dns_udp(integer) about.labels [stats_app_layer_flow_dns_udp]
stats.app_layer.flow.nfs_udp(integer) about.labels [stats_app_layer_flow_nfs_udp]
stats.app_layer.flow.krb5_udp(integer) about.labels [stats_app_layer_flow_krb5_udp]
stats.app_layer.flow.failed_udp(integer) about.labels [stats_app_layer_flow_failed_udp]
stats.app_layer.tx.http(integer) about.labels [stats_app_layer_tx_http]
stats.app_layer.tx.ftp(integer) about.labels [stats_app_layer_tx_ftp]
stats.app_layer.tx.smtp(integer) about.labels [stats_app_layer_tx_smtp]
stats.app_layer.tx.tls(integer) about.labels [stats_app_layer_tx_tls]
stats.app_layer.tx.ssh(integer) about.labels [stats_app_layer_tx_ssh]
stats.app_layer.tx.imap(integer) about.labels [stats_app_layer_tx_imap]
stats.app_layer.tx.smb(integer) about.labels [stats_app_layer_tx_smb]
stats.app_layer.tx.dcerpc_tcp(integer) about.labels [stats_app_layer_tx_dcerpc_tcp]
stats.app_layer.tx.dns_tcp(integer) about.labels [stats_app_layer_tx_dns_tcp]
stats.app_layer.tx.nfs_tcp(integer) about.labels [stats_app_layer_tx_nfs_tcp]
stats.app_layer.tx.ntp(integer) about.labels [stats_app_layer_tx_ntp]
stats.app_layer.tx.ftp-data(integer) about.labels [stats_app_layer_tx_ftp-data]
stats.app_layer.tx.tftp(integer) about.labels [stats_app_layer_tx_tftp]
stats.app_layer.tx.ikev2(integer) about.labels [stats_app_layer_tx_ikev2]
stats.app_layer.tx.krb5_tcp(integer) about.labels [stats_app_layer_tx_krb5_tcp]
stats.app_layer.tx.dhcp(integer) about.labels [stats_app_layer_tx_dhcp]
stats.app_layer.tx.rfb(integer) about.labels [stats_app_layer_tx_rfb]
stats.app_layer.tx.rdp(integer) about.labels [stats_app_layer_tx_rdp]
stats.app_layer.tx.dcerpc_udp(integer) about.labels [stats_app_layer_tx_dcerpc_udp]
stats.app_layer.tx.dns_udp(integer) about.labels [stats_app_layer_tx_dns_udp]
stats.app_layer.tx.nfs_udp(integer) about.labels [stats_app_layer_tx_nfs_udp]
stats.app_layer.tx.krb5_udp(integer) about.labels [stats_app_layer_tx_krb5_udp]
stats.app_layer.expectations(integer) about.labels [stats_app_layer_expectations]
stats.http.memuse(integer) about.labels [stats_http_memuse]
stats.http.memcap(integer) about.labels [stats_http_memcap]
stats.ftp.memuse(integer) about.labels [stats_ftp_memuse]
stats.ftp.memcap(integer) about.labels [stats_ftp_memcap]

Referenz für die Feldzuordnung: CORELIGHT – Protokollschema

In der folgenden Tabelle sind die Protokollfelder des logschema-Protokolltyps und die zugehörigen UDM-Felder aufgeführt.

Log field UDM mapping Logic
metadata.event_type The metadata.event_type UDM field is set to GENERIC_EVENT.
name(string) about.labels [name]
text(string) about.labels [text]
schema(string) about.labels [schema]
avro(string) about.labels [avro]

Nächste Schritte

Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten