Esta página foi traduzida pela API Cloud Translation.

Coletar registros do sensor Corelight

Compatível com:

Google SecOps SIEM

Este documento descreve como coletar registros do Corelight Sensor configurando esse sensor e um serviço encaminhador. Este documento também lista os tipos de registro aceitos gerados pelo sensor Corelight e as versões compatíveis do Corelight.

Para mais informações, consulte Ingestão de dados para as Operações de segurança do Google.

O diagrama de arquitetura de implantação a seguir mostra como um sensor do Corelight é configurado para enviar registros ao Google Security Operations. Cada implantação do cliente pode ser diferente dessa representação e ser mais complexa.

Arquitetura de implantação

O diagrama da arquitetura mostra os seguintes componentes:

Sensor Corelight: o sistema que executa o sensor Corelight.
Exportador do sensor Corelight: o exportador do sensor Corelight coleta dados de registro do sensor e os encaminha para o forwarder das Operações de segurança do Google.
Encaminhador de Operações de segurança do Google: o encaminhador de Operações de segurança do Google é um componente de software, implantado na rede do cliente, que suporta o syslog. O encaminhador das Operações de segurança do Google encaminha os registros para as Operações de segurança do Google.
Google Security Operations: as Operações de segurança do Google retém e analisa os registros de Sensor Corelight.

Um rótulo de ingestão identifica o analisador que normaliza dados de registro brutos ao formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de ingestão CORELIGHT.

Antes de começar

Verifique a versão do sensor Corelight. O analisador Corelight do Google SecOps foi projetado para a versão 27.4 e anteriores. As versões mais recentes do sensor Corelight podem ter registros adicionais que o analisador não reconhece, e esses registros podem receber uma análise de campo limitada ou nenhuma. No entanto, o conteúdo do registro ainda estará disponível no formato de registro bruto no Google SecOps.
Verifique se todos os sistemas na arquitetura de implantação estão configurados com o fuso horário UTC.

Tipos de registro do Corelight com suporte

O analisador Corelight oferece suporte aos seguintes tipos de registro gerados pelo sensor Corelight:

Log Type

conn
conn_long
conn_red
dce_rpc
dns
dns_red
files
files_red
http
http2
http_red
intel
irc
notice
rdp
sip
smb_files
smb_mapping
smtp
smtp_links
ssh
ssl
ssl_red
suricata_corelight
bacnet
cip
corelight_burst
corelight_overall_capture_loss
corelight_profiling
datared
dga
dhcp
dnp3
dpd
encrypted_dns
enip
enip_debug
enip_list_identity
etc_viz
ftp
generic_dns_tunnels
generic_icmp_tunnels
icmp_specific_tunnels
ipsec
iso_cotp
kerberos
known_certs
known_devices
known_domains
known_hosts
known_names
known_remotes
known_services
known_users
ldap
ldap_search
local_subnets
local_subnets_dj
local_subnets_graphs
log4shell
modbus
mqtt_connect
mqtt_publish
mqtt_subscribe
mysql
napatech_shunting
ntlm
ntp
pe
profinet
profinet_dce_rpc
profinet_debug
radius
reporter
rfb
s7comm
smartpcap
snmp
socks
software
specific_dns_tunnels
stepping
stun
stun_nat
suricata_eve
suricata_stats
syslog
tds
tds_rpc
tds_sql_batch
traceroute
tunnel
unknown-smartpcap
vpn
weird
weird_red
wireguard
x509
x509_red

Configurar o encaminhador do Google Security Operations

Para configurar o encaminhador de operações de segurança do Google, faça o seguinte:

Configure um encaminhador do Google Security Operations. Consulte Instalar e configurar o encaminhador no Linux.

Configure o encaminhador das Operações de segurança do Google para enviar registros às Operações de segurança do Google.

  collectors:
    - syslog:
        common:
          enabled: true
          data_type:  CORELIGHT
          data_hint:
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: <Chronicle forwarder listening IP:Port>
        tcp_buffer_size: 524288
        udp_address: <Chronicle forwarder listening IP:Port>
        connection_timeout_sec: 60

Configurar o exportador do sensor Corelight

Faça login no Corelight Sensor como administrador.
Selecione a guia Exportar.
Encontre e ative a opção EXPORT TO SYSLOG.
Em EXPORTAR PARA SYSLOG, configure os seguintes campos:
- SYSLOG SERVER: especifique o endereço IP e a porta do listener syslog do encaminhador das Operações de segurança do Google.
- Acesse Configurações avançadas > FORMATO SYSLOG e mude a configuração para Legado.
Clique em Aplicar mudanças.

Referência de mapeamento de campo

Esta seção explica como o analisador das Operações de segurança do Google mapeia os campos do Corelight para os campos do Modelo de dados unificado (UDM, na sigla em inglês) das Operações de segurança do Google.

Referência de mapeamento de campo: CORELIGHT - Campos comuns

A tabela a seguir lista campos comuns do registro CORELIGHT e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Corelight`.
`_path (string)`	`metadata.product_event_type`
`_system_name (string)`	`observer.hostname`
`ts (time)`	`metadata.event_timestamp`
`uid (string)`	`about.labels [uid]`
`id.orig_h (string - addr)`	`principal.ip`
`id.orig_p (integer - port)`	`principal.port`
`id.resp_h (string - addr)`	`target.ip`
`id.resp_p (integer - port)`	`target.port`

Referência do mapeamento de campo: CORELIGHT - conn, conn_red, conn_long

A tabela a seguir lista os campos de registro do tipo de registro conn, conn_red, conn_long e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`service (string)`	`network.application_protocol`
`duration (number - interval)`	`network.session_duration`
`orig_bytes (integer - count)`	`network.sent_bytes`
`resp_bytes (integer - count)`	`network.received_bytes`
`conn_state (string)`	`metadata.description`	If the `conn_state` log field value is equal to `S0`, then the `metadata.description` UDM field is set to `S0: Connection attempt seen, no reply`. Else, if the `conn_state` log field value is equal to `S1`, then the `metadata.description` UDM field is set to `S1: Connection established, not terminated`. Else, if the `conn_state` log field value is equal to `S2`, then the `metadata.description` UDM field is set to `S2: Connection established and close attempt by originator seen (but no reply from responder)`. Else, if the `conn_state` log field value is equal to `S3`, then the `metadata.description` UDM field is set to `S3: Connection established and close attempt by responder seen (but no reply from originator)`. Else, if the `conn_state` log field value is equal to `SF`, then the `metadata.description` UDM field is set to `SF: Normal SYN/FIN completion`. Else, if the `conn_state` log field value is equal to `REJ`, then the `metadata.description` UDM field is set to `REJ: Connection attempt rejected`. Else, if the `conn_state` log field value is equal to `RSTO`, then the `metadata.description` UDM field is set to `RSTO: Connection established, originator aborted (sent a RST)`. Else, if the `conn_state` log field value is equal to `RSTOS0`, then the `metadata.description` UDM field is set to `RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder`. Else, if the `conn_state` log field value is equal to `RSTOSH`, then the `metadata.description` UDM field is set to `RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator`. Else, if the `conn_state` log field value is equal to `RSTR`, then the `metadata.description` UDM field is set to `RSTR: Established, responder aborted`. Else, if the `conn_state` log field value is equal to `SH`, then the `metadata.description` UDM field is set to `SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open)`. Else, if the `conn_state` log field value is equal to `SHR`, then the `metadata.description` UDM field is set to `SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator`. Else, if the `conn_state` log field value is equal to `OTH`, then the `metadata.description` UDM field is set to `OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed)`.
`local_orig (boolean - bool)`	`about.labels [local_orig]`
`local_resp (boolean - bool)`	`about.labels [local_resp]`
`missed_bytes (integer - count)`	`about.labels [missed_bytes]`
`history (string)`	`about.labels [history]`
`orig_pkts (integer - count)`	`network.sent_packets`
`orig_ip_bytes (integer - count)`	`principal.labels [orig_ip_bytes]`
`resp_pkts (integer - count)`	`network.received_packets`
`resp_ip_bytes (integer - count)`	`target.labels [resp_ip_bytes]`
`tunnel_parents (array[string] - set[string])`	`intermediary.labels [tunnel_parent]`
`orig_cc (string)`	`principal.ip_geo_artifact.location.country_or_region`
`resp_cc (string)`	`target.ip_geo_artifact.location.country_or_region`
`suri_ids (array[string] - set[string])`	`security_result.rule_id`
`spcap.url (string)`	`security_result.url_back_to_product`
`spcap.rule (integer - count)`	`security_result.rule_labels [spcap_rule]`
`spcap.trigger (string)`	`security_result.detection_fields [spcap_trigger]`
`app (array[string] - vector of string)`	`about.application`
`corelight_shunted (boolean - bool)`	`about.labels [corelight_shunted]`
`orig_shunted_pkts (integer - count)`	`principal.labels [orig_shunted_pkts]`
`orig_shunted_bytes (integer - count)`	`principal.labels [orig_shunted_bytes]`
`resp_shunted_pkts (integer - count)`	`target.labels [resp_shunted_pkts]`
`resp_shunted_bytes (integer - count)`	`target.labels [resp_shunted_bytes]`
`orig_l2_addr (string)`	`principal.mac`
`resp_l2_addr (string)`	`target.mac`
`id_orig_h_n.src (string)`	`principal.labels [id_orig_h_n_src]`
`id_orig_h_n.vals (array[string] - set[string])`	`principal.labels [id_orig_h_n_val]`
`id_resp_h_n.src (string)`	`target.labels [id_resp_h_n_src]`
`id_resp_h_n.vals (array[string] - set[string])`	`target.labels [id_resp_h_n_val]`
`vlan (integer - int)`	`intermediary.labels [vlan]`
`inner_vlan (integer - int)`	`intermediary.labels [inner_vlan]`
`community_id (string)`	`network.community_id`
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.

Referência de mapeamento de campo: CORELIGHT - dce_rpc

A tabela a seguir lista os campos de registro do tipo de registro dce_rpc e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`rtt (number - interval)`	`network.session_duration`
`named_pipe (string)`	`intermediary.resource.name`
	`intermediary.resource.resource_type`	If the `named_pipe` log field value is not empty, then the `intermediary.resource.resource_type` UDM field is set to `PIPE`.
`endpoint (string)`	`target.labels [endpoint]`
`operation (string)`	`target.labels [operation]`
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DCERPC`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
`operation, endpoint, named_pipe (string)`	`metadata.description`	The `metadata.description` UDM field is set with `operation`, `endpoint`, `named_pipe` log fields as "operation `operation` on `endpoint` using named pipe `named_pipe`".
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.

Referência do mapeamento de campo: CORELIGHT - dns, dns_red

A tabela a seguir lista os campos de registro do tipo de registro dns, dns_red e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`proto (string - enum)`	`network.ip_protocol`
`trans_id (integer - count)`	`network.dns.id`
`rtt (number - interval)`	`network.session_duration`
`query (string)`	`network.dns.questions.name`
`qclass (integer - count)`	`network.dns.questions.class`
`qclass_name (string)`	`about.labels [qclass_name]`
`qtype (integer - count)`	`network.dns.questions.type`
`qtype_name (string)`	`about.labels [qtype_name]`
`rcode (integer - count)`	`network.dns.response_code`
`rcode (integer - count)`	`network.dns.response`	If the `rcode` log field value is not empty, then the `network.dns.response` UDM field is set to `true`.
`rcode_name (string)`	`about.labels [rcode_name]`
`AA (boolean - bool)`	`network.dns.authoritative`
`TC (boolean - bool)`	`network.dns.truncated`
`RD (boolean - bool)`	`network.dns.recursion_desired`
`RA (boolean - bool)`	`network.dns.recursion_available`
`Z (integer - count)`	`about.labels [Z]`
`answers (array[string] - vector of string)`	`network.dns.answers.name`
`TTLs (array[number] - vector of interval)`	`network.dns.answers.ttl`
`rejected (boolean - bool)`	`about.labels [rejected]`
`is_trusted_domain (string)`	`about.labels [is_trusted_domain]`
`icann_host_subdomain (string)`	`about.labels [icann_host_subdomain]`
`icann_domain (string)`	`network.dns_domain`
`icann_tld (string)`	`about.labels [icann_tld]`
`num (integer - count)`	`security_result.detection_fields [num]`

Referência do mapeamento de campo: CORELIGHT - http, http_red, http2

A tabela a seguir lista os campos de registro do tipo de registro http, http_red, http2 e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_HTTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`method (string)`	`network.http.method`
`host (string)`	`target.hostname`
`uri (string)`	`target.url`
`referrer (string)`	`network.http.referral_url`
`version (string)`	`network.application_protocol_version`
`user_agent (string)`	`network.http.user_agent`
`origin (string)`	`principal.hostname`
`request_body_len (integer - count)`	`network.sent_bytes`
`response_body_len (integer - count)`	`network.received_bytes`
`status_code (integer - count)`	`network.http.response_code`
`status_msg (string)`	`about.labels [status_msg]`
`info_code (integer - count)`	`about.labels [info_code]`
`info_msg (string)`	`about.labels [info_msg]`
`tags (array[string] - set[enum])`	`about.labels [tags]`
`username (string)`	`principal.user.user_display_name`
`password (string)`	`extensions.auth.auth_details`
`proxied (array[string] - set[string])`	`intermediary.hostname`
`orig_fuids (array[string] - vector of string)`	`about.labels [orig_fuid]`
`orig_filenames (array[string] - vector of string)`	`src.file.names`	The `orig_filenames` log field is mapped to `src.file.names` UDM field when index value in `orig_filenames` is equal to `0`. For every other index value, `orig_filenames` log field is mapped to the `about.file.names`.
`orig_mime_types (array[string] - vector of string)`	`src.file.mime_type`	The `orig_mime_types` log field is mapped to `src.file.mime_type` UDM field when index value in `orig_mime_types` is equal to `0`. For every other index value, `orig_mime_types` log field is mapped to the `about.file.mime_type`.
`resp_fuids (array[string] - vector of string)`	`about.labels [resp_fuid]`
`resp_filenames (array[string] - vector of string)`	`target.file.names`	The `resp_filenames` log field is mapped to `target.file.names` UDM field when index value in `resp_filenames` is equal to `0`. For every other index value, `resp_filenames` log field is mapped to the `about.file.names`.
`resp_mime_types (array[string] - vector of string)`	`target.file.mime_type`	The `resp_mime_types` log field is mapped to `target.file.mime_type` UDM field when index value in `resp_mime_types` is equal to `0`. For every other index value, `resp_mime_types` log field is mapped to the `about.file.mime_type`.
`post_body (string)`	`about.labels [post_body]`
`stream_id (integer - count)`	`about.labels [stream_id]`
`encoding (string)`	`about.labels [encoding]`
`push (boolean - bool)`	`about.labels [push]`

Referência de mapeamento de campo: CORELIGHT - smtp_links

A tabela a seguir lista os campos de registro do tipo smtp_links e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_SMTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMTP`.
`fuid (string)`	`about.labels [fuid]`
`link (string)`	`about.url`
`domain (string)`	`about.domain.name`

Referência do mapeamento de campo: CORELIGHT - irc

A tabela a seguir lista os campos de registro do tipo de registro irc e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`nick (string)`	`principal.user.user_display_name`
`user (string)`	`principal.user.userid`	If the `user` log field value is less than or equal to 255, then the `user` log field is mapped to the `principal.user.userid` UDM field. Else, the `user` log field is mapped to the `about.labels` UDM field.
`command, value, addl`	`principal.process.command_line`
`dcc_file_name (string)`	`src.file.names`
`dcc_file_size (integer - count)`	`src.file.size`
`dcc_mime_type (string)`	`src.file.mime_type`
`fuid (string)`	`about.labels [fuid]`

Referência do mapeamento de campo: CORELIGHT - arquivos, files_red

A tabela a seguir lista os campos de registro do tipo files, files_red e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fuid (string)`	`about.labels [fuid]`
`tx_hosts (array[string] - set[addr])`	`principal.ip`
`rx_hosts (array[string] - set[addr])`	`target.ip`
`conn_uids (array[string] - set[string])`	`about.labels [conn_uid]`
`source (string)`	`about.labels [source]`
`depth (integer - count)`	`about.labels [depth]`
`analyzers (array[string] - set[string])`	`about.labels [analyzer]`
`mime_type (string)`	`about.file.mime_type`
`filename (string)`	`about.file.names`
`duration (number - interval)`	`about.labels [duration]`
`local_orig (boolean - bool)`	`about.labels [local_orig]`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`seen_bytes (integer - count)`	`about.file.size`
`total_bytes (integer - count)`	`about.labels [total_bytes]`
`missing_bytes (integer - count)`	`about.labels [missing_bytes]`
`overflow_bytes (integer - count)`	`about.labels [overflow_bytes]`
`timedout (boolean - bool)`	`about.labels [timedout]`
`parent_fuid (string)`	`about.labels [parent_fuid]`
`md5 (string)`	`about.file.md5`
`sha1 (string)`	`about.file.sha1`
`sha256 (string)`	`about.file.sha256`
`md5 (string)`	`network.tls.client.certificate.md5`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.md5` UDM field is set to `md5`.
`sha1 (string)`	`network.tls.client.certificate.sha1`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.sha1` UDM field is set to `sha1`.
`sha256 (string)`	`network.tls.client.certificate.sha256`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.sha256` UDM field is set to `sha256`.
`md5 (string)`	`network.tls.server.certificate.md5`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.md5` UDM field is set to `md5`.
`sha1 (string)`	`network.tls.server.certificate.sha1`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.sha1` UDM field is set to `sha1`.
`sha256 (string)`	`network.tls.server.certificate.sha256`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.sha256` UDM field is set to `sha256`.
`extracted (array[string] - set[string])`	`about.file.names`
`extracted_cutoff (boolean - bool)`	`about.labels [extracted_cutoff]`
`extracted_size (integer - count)`	`about.labels [extracted_size]`
`num (integer - count)`	`about.labels [num]`

Referência de mapeamento de campo: CORELIGHT (aviso)

A tabela a seguir lista os campos de registro do tipo notice e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fuid (string)`	`about.labels [fuid]`
`file_mime_type (string)`	`target.file.mime_type`
`file_desc (string)`	`about.labels [file_desc]`
`proto (string - enum)`	`network.ip_protocol`
`note (string - enum)`	`security_result.description`
`msg (string)`	`metadata.description`
`sub (string)`	`about.labels [sub]`
`src (string - addr)`	`principal.ip`
`dst (string - addr)`	`target.ip`
`p (integer - port)`	`about.port`
`n (integer - count)`	`about.labels [n]`
`peer_descr (string)`	`about.labels [peer_descr]`
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`actions (array[string] - set[enum])`	`security_result.action_details`
`suppress_for (number - interval)`	`about.labels [suppress_for]`
`remote_location.country_code (string)`	`about.location.country_or_region`	The `about.location.country_or_region` UDM field is set with `remote_location.country_code`, `remote_location.region` log fields as "`remote_location.country_code`: `remote_location.region`".
`remote_location.region (string)`	`about.location.country_or_region`	The `about.location.country_or_region` UDM field is set with `remote_location.country_code`, `remote_location.region` log fields as "`remote_location.country_code`: `remote_location.region`".
`remote_location.city (string)`	`about.location.city`
`remote_location.latitude (number - double)`	`about.location.region_coordinates.latitude`
`remote_location.longitude (number - double)`	`about.location.region_coordinates.longitude`
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.

Referência do mapeamento de campo: CORELIGHT - smb_files

A tabela a seguir lista os campos de registro do tipo de registro smb_files e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	If the `action` log field value is equal to `SMB::FILE_READ`, then the `metadata.event_type` UDM field is set to `FILE_READ`. Else, if the `action` log field value is equal to `SMB::FILE_WRITE`, then the `metadata.event_type` UDM field is set to `FILE_MODIFICATION`. Else, if the `action` log field value is equal to `SMB::FILE_OPEN`, then the `metadata.event_type` UDM field is set to `FILE_OPEN`. Else, if the `action` log field value is equal to `SMB::FILE_CLOSE`, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`. Else, if the `action` log field value is equal to `SMB::FILE_DELETE`, then the `metadata.event_type` UDM field is set to `FILE_DELETION`. Else, if the `action` log field value is equal to `SMB::FILE_RENAME`, then the `metadata.event_type` UDM field is set to `FILE_MOVE`. Else, if the `action` log field value is equal to `SMB::FILE_SET_ATTRIBUTE`, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`. Else, the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMB`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
`action, name`	`metadata.description`	The `metadata.description` UDM field is set with `action`, `name` log fields as "action: `action` on: `name`".
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`fuid (string)`	`about.labels [fuid]`
`action (string - enum)`	`target.labels [action]`
`path (string)`	`target.file.full_path`
`name (string)`	`target.file.names`
`size (integer - count)`	`target.file.size`
`prev_name (string)`	`src.file.names`
`times.modified (time)`	`target.file.last_modification_time`
`times.accessed (time)`	`target.file.last_seen_time`
`times.created (time)`	`target.file.first_seen_time`
`times.changed (time)`	`target.labels [times_changed]`
`data_offset_req (integer - count)`	`target.labels [data_offset_req]`
`data_len_req (integer - count)`	`target.labels [data_len_req]`
`data_len_rsp (integer - count)`	`target.labels [data_len_rsp]`

Referência de mapeamento de campo: CORELIGHT - smb_mapping

A tabela a seguir lista os campos de registro do tipo de registro smb_mapping e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMB`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`path (string)`	`target.resource.attribute.labels [path]`
`service (string)`	`target.application`
`native_file_system (string)`	`target.resource.attribute.labels [native_file_system]`
`share_type (string)`	`target.resource.resource_type`	If the `share_type` log field value is equal to `DISK`, then the `target.resource.resource_type` UDM field is set to `STORAGE_OBJECT`. Else, if the `share_type` log field value is equal to `PIPE`, then the `target.resource.resource_type` UDM field is set to `PIPE`. Else, the `target.resource.resource_type` UDM field is set to `UNSPECIFIED`.
`share_type (string)`	`target.resource.resource_subtype`

Referência de mapeamento de campo: CORELIGHT - ssl, ssl_red

A tabela a seguir lista os campos de registro do tipo de registro ssl, ssl_red e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `HTTPS`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`version (string)`	`network.tls.version`
`cipher (string)`	`network.tls.cipher`
`curve (string)`	`network.tls.curve`
`server_name (string)`	`network.tls.client.server_name`
`resumed (boolean - bool)`	`network.tls.resumed`
`last_alert (string)`	`security_result.description`
`next_protocol (string)`	`network.tls.next_protocol`
`established (boolean - bool)`	`network.tls.established`
`ssl_history (string)`	`about.labels [ssl_history]`
`cert_chain_fps (array[string] - vector of string)`	`target.labels [cert_chain_fps]`
`client_cert_chain_fps (array[string] - vector of string)`	`principal.labels [client_cert_chain_fps]`
`sni_matches_cert (boolean - bool)`	`about.labels [sni_matches_cert]`
`validation_status (string)`	`security_result.detection_fields [validation_status]`
`ja3 (string)`	`network.tls.client.ja3`
`ja3s (string)`	`network.tls.server.ja3s`

Referência de mapeamento de campo: CORELIGHT - rdp

A tabela a seguir lista os campos de registro do tipo de registro rdp e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`cookie (string)`	`about.labels [cookie]`
`result (string)`	`about.labels [result]`
`security_protocol (string)`	`target.labels [security_protocol]`
`client_channels (array[string] - vector of string)`	`intermediary.labels [client_channels]`
`keyboard_layout (string)`	`principal.labels [keyboard_layout]`
`client_build (string)`	`principal.labels [client_build]`
`client_name (string)`	`principal.hostname`
`client_dig_product_id (string)`	`principal.labels [client_dig_product_id ]`
`desktop_width (integer - count)`	`principal.labels [desktop_width]`
`desktop_height (integer - count)`	`principal.labels [desktop_height]`
`requested_color_depth (string)`	`principal.labels [requested_color_depth]`
`cert_type (string)`	`about.labels [cert_type]`
`cert_count (integer - count)`	`about.labels [cert_count]`
`cert_permanent (boolean - bool)`	`about.labels [cert_permanent ]`
`encryption_level (string)`	`about.labels [encryption_level]`
`encryption_method (string)`	`about.labels [encryption_method]`
`auth_success (boolean - bool)`	`about.labels [auth_success]`
`channels_joined (integer - int)`	`intermediary.labels [channels_joined]`
`inferences (array[string] - set[string])`	`about.labels [inferences]`
`rdpeudp_uid (string)`	`about.labels [rdpeudp_uid]`
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
`rdfp_string (string)`	`principal.labels [rdfp_string]`
`rdfp_hash (string)`	`principal.labels [rdfp_hash]`
`result, security_protocol`	`security_result.description`	The `security_result.description` UDM field is set with `result`, `security_protocol` log fields as "`result` connection with security protocol `security_protocol`".
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.

Referência de mapeamento de campo: CORELIGHT - sip

A tabela a seguir lista os campos de registro do tipo de registro sip e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SIP`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`method (string)`	`about.labels [method]`
`uri (string)`	`target.url`
`date (string)`	`about.labels [date]`
`request_from (string)`	`principal.labels [request_from]`
`request_to (string)`	`target.labels [request_to]`
`response_from`	`principal.labels [response_from]`
`response_to (string)`	`target.labels [response_to]`
`reply_to (string)`	`about.labels [reply_to]`
`call_id (string)`	`network.session_id`
`seq (string)`	`about.labels [seq]`
`subject (string)`	`about.labels [subject]`
`request_path (array[string] - vector of string)`	`about.labels [request_path]`
`response_path (array[string] - vector of string)`	`about.labels [response_path]`
`user_agent (string)`	`about.labels [user_agent]`
`status_code (integer - count)`	`about.labels [status_code]`
`status_msg (string)`	`security_result.description`
`warning (string)`	`security_result.summary`
`request_body_len (integer - count)`	`network.sent_bytes`
`response_body_len (integer - count)`	`network.received_bytes`
`content_type (string)`	`about.labels [content_type]`

Referência de mapeamento de campo: CORELIGHT - intel

A tabela a seguir lista os campos de registro do tipo de registro intel e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`seen.indicator_type (string - enum)`	`entity.metadata.entity_type`	If the `indicator.type` log field value is equal to `Intel::ADDR`, then the `metadata.entity_type` UDM field is set to `IP_ADDRESS`. Else, if the `indicator.type` log field value is equal to `Intel::SUBNET` or `Intel::SOFTWARE` or `Intel::CERT_HASH` or `Intel::PUBKEY_HASH`, then the `metadata.entity_type` UDM field is set to `RESOURCE`. Else, if the `indicator.type` log field value is equal to `Intel::URL`, then the `metadata.entity_type` UDM field is set to `URL`. Else, if the `indicator.type` log field value is equal to the `Intel::EMAIL` or `Intel::USER_NAME`, then the `metadata.entity_type` UDM field is set to `USER`. Else, if the `indicator.type` log field value is equal to `Intel::DOMAIN`, then the `metadata.entity_type` UDM field is set to `DOMAIN_NAME`. Else, if the `indicator.type` log field value is equal to the `Intel::FILE_HASH` or `Intel::FILE_NAME`, then the `metadata.entity_type` UDM field is set to `FILE`. Else, the `metadata.entity_type` UDM field is set to `RESOURCE`.
`seen.indicator (string)`	`entity.ip`	If the `indicator.type` log field value is equal to `Intel::ADDR`, then the `seen.indicator` log field is mapped to the `entity.ip` UDM field.
`seen.indicator (string)`	`entity.url`	If the `indicator.type` log field value is equal to `Intel::URL`, then the `seen.indicator` log field is mapped to the `entity.url` UDM field.
`seen.indicator (string)`	`entity.domain.name`	If the `indicator.type` log field value is equal to `Intel::DOMAIN`, then the `seen.indicator` log field is mapped to the `entity.domain.name` UDM field.
`seen.indicator (string)`	`entity.user.email_address`	If the `indicator.type` log field value is equal to `Intel::USER_NAME` or `Intel::EMAIL`, then the `seen.indicator` log field is mapped to the `entity.user.email_address` UDM field.
`seen.indicator (string)`	`entity.file.names`	If the `indicator.type` log field value is equal to `Intel::FILE_HASH` or `Intel::FILE_NAME`, then the `seen.indicator` log field is mapped to the `entity.file.full_path` UDM field.
`seen.indicator (string)`	`entity.resource.name`	If the `metadata.entity_type` log field value is equal to `RESOURCE`, then the `seen.indicatior` log field is mapped to the `entity.resource.name` UDM field.
	`entity.resource.resource_type`	If the `indicator.type` log field value is equal to `Intel::SUBNET`, then the `entity.resource.resource_name` UDM field is set to `VPC_NETWORK`.
`seen.indicator_type (string - enum)`	`entity.resource.resource_sub_type`	If the `metadata.entity_type` log field value is equal to `RESOURCE`, then the `seen.indicatior_type` log field is mapped to the `entity.resource.resource_sub_type` UDM field.
`seen.where (string - enum)`	`entity.metadata.source_labels [seen_where]`
`matched (array[string] - set[enum])`	`entity.labels [matched]`
`sources (array[string] - set[string])`	`entity.metadata.source_labels [source]`
`fuid (string)`	`about.labels [fuid]`
`file_mime_type (string)`	`entity.file.mime_type`
`file_desc (string)`	`metadata.threat.detection_fields [file_desc]`
`desc (array[string] - set[string])`	`ioc.description`	The `desc` log field is mapped to `ioc.description` UDM field when index value in `desc` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `desc` and `desc` log field is mapped to the `entity.labels.value`.
`url (array[string] - set[string])`	`metadata.threat.url_back_to_product`
`confidence (array[number] - set[double])`	`ioc.confidence_score`	The `confidence` log field is mapped to `ioc.confidence_score` UDM field when index value in `confidence` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `confidence` and `confidence` log field is mapped to the `entity.labels.value`.
`firstseen (array[string] - set[string])`	`ioc.active_timerange.start`	The `firstseen` log field is mapped to `ioc.active_timerange.start` UDM field when index value in `firstseen` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `firstseen` and `firstseen` log field is mapped to the `entity.labels.value`.
`lastseen (array[string] - set[string])`	`ioc.active_timerange.end`	The `lastseen` log field is mapped to `ioc.active_timerange.end` UDM field when index value in `lastseen` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `lastseen` and `lastseen` log field is mapped to the `entity.labels.value`.
`associated (array[string] - set[string])`	`entity.labels [associated]`
`category (array[string] - set[string])`	`ioc.categorization`	The `category` log field is mapped to `ioc.categorization` UDM field when index value in `category` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `category` and `category` log field is mapped to the `entity.labels.value`.
`campaigns (array[string] - set[string])`	`entity.labels [campaign]`
`reports (array[string] - set[string])`	`entity.labels [report]`

Referência de mapeamento de campo: CORELIGHT - smtp

A tabela a seguir lista os campos de registro do tipo smtp e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_SMTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMTP`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`helo (string)`	`target.domain.name`
`mailfrom (string)`	`network.smtp.mail_from`
`rcptto (array[string] - set[string])`	`network.smtp.rcpt_to`
`date (string)`	`about.labels [date]`
`from (string)`	`network.email.from`
`to (array[string] - set[string])`	`network.email.to`
`cc (array[string] - set[string])`	`network.email.cc`
`reply_to (string)`	`network.email.reply_to`
`msg_id (string)`	`network.email.mail_id`
`in_reply_to (string)`	`about.labels [in_reply_to]`
`subject (string)`	`network.email.subject`
`x_originating_ip (string - addr)`	`principal.ip`
`first_received (string)`	`about.labels [first_received]`
`second_received (string)`	`about.labels [second_received]`
`last_reply (string)`	`network.smtp.server_response`
`path (array[string] - vector of addr)`	`intermediary.ip`
`user_agent (string)`	`about.labels [user_agent]`
`tls (boolean - bool)`	`network.smtp.is_tls`
`fuids (array[string] - vector of string)`	`about.labels [fuid]`
`is_webmail (boolean - bool)`	`network.smtp.is_webmail`
`urls (array[string] - set[string])`	`about.url`
`domains (array[string] - set[string])`	`about.domain.name`

Referência de mapeamento de campo: CORELIGHT - ssh

A tabela a seguir lista os campos de registro do tipo ssh e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`version (integer - count)`	`network.application_protocol_version`	The `network.application_protocol_version` UDM field is set with `version` log field as "SSH `version`".
`auth_success (boolean - bool)`	`security_result.action_details`
`auth_success (boolean - bool)`	`security_result.action`	If the `auth_success` log field value is not equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `BLOCK`.
`auth_attempts (integer - count)`	`extensions.auth.auth_details`	The `extensions.auth.auth_details` UDM field is set with `auth_attempts` log field as "auth_attempts: `auth_attempts`".
`direction (string - enum)`	`network.direction`	If the `direction` log field value is equal to `INBOUND`, then the `network.direction` UDM field is set to `INBOUND`. Else, if the `direction` log field value is equal to `OUTBOUND`, then the `network.direction` UDM field is set to `OUTBOUND`.
`client (string)`	`principal.application`
`server (string)`	`target.application`
`cipher_alg (string)`	`network.tls.cipher`
`mac_alg (string)`	`security_result.detection_fields [mac_alg]`
`compression_alg (string)`	`security_result.detection_fields [compression_alg]`
`kex_alg (string)`	`security_result.detection_fields [kex_alg]`
`host_key_alg (string)`	`security_result.detection_fields [host_key_alg]`
`host_key (string)`	`security_result.detection_fields [host_key]`
`remote_location.country_code (string)`	`target.location.country_or_region`
`remote_location.region (string)`	`target.location.country_or_region`
`remote_location.city (string)`	`target.location.city`
`remote_location.latitude (number - double)`	`target.location.region_coordinates.latitude`
`remote_location.longitude (number - double)`	`target.location.region_coordinates.longitude`
`hasshVersion (string)`	`about.labels [hassh_version]`
`hassh (string)`	`principal.labels [hassh]`
`hasshServer (string)`	`target.labels [hassh_server]`
`cshka (string)`	`about.labels [cshka]`
`hasshAlgorithms (string)`	`about.labels [hassh_algorithms]`
`sshka (string)`	`about.labels [sshka]`
`hasshServerAlgorithms (string)`	`about.labels [hassh_server_algorithms]`
`inferences (array[string] - set[string])`	`security_result.summary, security_result.description`	If the `inferences` log field value is equal to `ABP`, then the `security_result.summary` UDM field is set to `Client Authentication Bypass` and the `security_result.description` UDM field is set to `A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after enctyption begins`. If the `inferences` log field value is equal to `AFR`, then the `security_result.summary` UDM field is set to `SSH Agent Forwarding Requested` and the `security_result.description` UDM field is set to `Agent Forwarding is requested by tge Client`. If the `inferences` log field value is equal to `APWA`, then the `security_result.summary` UDM field is set to `Automated Password Authentication` and the `security_result.description` UDM field is set to `The client authenticated with an automated password tool (like sshpass)`. If the `inferences` log field value is equal to `AUTO`, then the `security_result.summary` UDM field is set to `Automated Interaction` and the `security_result.description` UDM field is set to `The client is a script automated utility and not driven by a user`. If the `inferences` log field value is equal to `BAN`, then the `security_result.summary` UDM field is set to `Server Banner` and the `security_result.description` UDM field is set to `The server sent the client a pre-authentication banner, likely for legal reasons`. If the `inferences` log field value is equal to `BF`, then the `security_result.summary` UDM field is set to `Client Brute Force Guessing` and the `security_result.description` UDM field is set to `A client made a number of authentication attempts that exceeded some configured, pre-connection threshold`. If the `inferences` log field value is equal to `BFS`, then the `security_result.summary` UDM field is set to `Client Brute Force Success` and the `security_result.description` UDM field is set to `A client made a number of authentication attempts that exceeded some configured, pre-connection threshold`. If the `inferences` log field value is equal to `CTS`, then the `security_result.summary` UDM field is set to `Client Trusted Server` and the `security_result.description` UDM field is set to `The client already has an entry in its known_hosts file for this server`. If the `inferences` log field value is equal to `CUS`, then the `security_result.summary` UDM field is set to `Client Untrusted Server` and the `security_result.description` UDM field is set to `The client did not have an entry in its known_hosts file for this server`. If the `inferences` log field value is equal to `IPWA`, then the `security_result.summary` UDM field is set to `Interactive Password Authentication` and the `security_result.description` UDM field is set to `The client interactively typed their password to authenticate`. If the `inferences` log field value is equal to `KS`, then the `security_result.summary` UDM field is set to `Keystrokes` and the `security_result.description` UDM field is set to `An interactive session occurred in which the client set user-driven keystrokes to the server`. If the `inferences` log field value is equal to `LFD`, then the `security_result.summary` UDM field is set to `Large Client File Donwload` and the `security_result.description` UDM field is set to `A file transfer occurred in which the server sent a sequence of bytes to the client`. If the `inferences` log field value is equal to `LFU`, then the `security_result.summary` UDM field is set to `Large Client File Upload` and the `security_result.description` UDM field is set to `A file transfer occurred in which the client sent a sequence of bytes to the server. Large file are identified dynamically based on trains of MTU-sized packets`. If the `inferences` log field value is equal to `MFA`, then the `security_result.summary` UDM field is set to `Multifactor Authentication` and the `security_result.description` UDM field is set to `The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it`. If the `inferences` log field value is equal to `NA`, then the `security_result.summary` UDM field is set to `None Authentication` and the `security_result.description` UDM field is set to `The client successfully authenticated using the None method`. If the `inferences` log field value is equal to `NRC`, then the `security_result.summary` UDM field is set to `No Remote Command` and the `security_result.description` UDM field is set to `The -N flag was used in SSH authentication`. If the `inferences` log field value is equal to `PKA`, then the `security_result.summary` UDM field is set to `Public Key Authentication` and the `security_result.description` UDM field is set to `The client automatically authenticated using pubkey authentication`. If the `inferences` log field value is equal to `RSI`, then the `security_result.summary` UDM field is set to `Reverse SSH Initiated` and the `security_result.description` UDM field is set to `The Reverse session is initiated from the server back to the client`. If the `inferences` log field value is equal to `RSIA`, then the `security_result.summary` UDM field is set to `Reverse SSH Initiated Automated` and the `security_result.description` UDM field is set to `The inititation of the Reverse session happened very early in the packet stream, indicating automation`. If the `inferences` log field value is equal to `RSK`, then the `security_result.summary` UDM field is set to `Reverse SSH Keystrokes` and the `security_result.description` UDM field is set to `Keystrokes are detected within the Reverse tunnel`. If the `inferences` log field value is equal to `RSL`, then the `security_result.summary` UDM field is set to `Reverse SSH Logged In` and the `security_result.description` UDM field is set to `The Reverse Tunnel login has succeeded`. If the `inferences` log field value is equal to `RSP`, then the `security_result.summary` UDM field is set to `Reverse SSH Providioned` and the `security_result.description` UDM field is set to `The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time`. If the `inferences` log field value is equal to `SA`, then the `security_result.summary` UDM field is set to `Authentication Scanning` and the `security_result.description` UDM field is set to `The client scanned authentication method with the server and then disconnected`. If the `inferences` log field value is equal to `SC`, then the `security_result.summary` UDM field is set to `Capabilities Scanning` and the `security_result.description` UDM field is set to `The client exchanged capabilities with the server and then disconnected`. If the `inferences` log field value is equal to `SFD`, then the `security_result.summary` UDM field is set to `Small Client File Download` and the `security_result.description` UDM field is set to `A file transfer occurred in which the server sent a sequence of bytes to the client`. If the `inferences` log field value is equal to `SFU`, then the `security_result.summary` UDM field is set to `Small Client File Upload` and the `security_result.description` UDM field is set to `A file transfer occurred in which the client sent a sequence of bytes to the server`. If the `inferences` log field value is equal to `SP`, then the `security_result.summary` UDM field is set to `Other Scanning` and the `security_result.description` UDM field is set to `A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner`. If the `inferences` log field value is equal to `SV`, then the `security_result.summary` UDM field is set to `Version Scanning` and the `security_result.description` UDM field is set to `A client exchanged version strings with the server and than disconnected`. If the `inferences` log field value is equal to `UA`, then the `security_result.summary` UDM field is set to `Unknown Authentication` and the `security_result.description` UDM field is set to `The authentication method is not determinated or is unknown`.

Referência do mapeamento de campo: CORELIGHT - suricata_corelight

A tabela a seguir lista os campos de registro do tipo de registro suricata_corelight e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Suricata`.
`id.vlan (integer - count)`	`intermediary.labels [id_vlan]`
`id.vlan_inner (integer - count)`	`intermediary.labels [id_vlan_inner]`
`icmp_type (integer - count)`	`about.labels [icmp_type]`
`icmp_code (integer - count)`	`about.labels [icmp_code]`
`suri_id (string)`	`metadata.product_log_id`
`service (string)`	`network.application_protocol`
`flow_id (integer - count)`	`network.session_id`
`tx_id (integer - count)`	`about.labels [tx_id]`
`pcap_cnt (integer - count)`	`about.labels [pcap_cnt]`
`alert.action (string)`	`security_result.action_details`
`alert.gid (integer - count)`	`security_result.detection_fields [alert_gid]`
`alert.signature_id (integer - count)`	`security_result.rule_id`
`alert.rev (integer - count)`	`security_result.detection_fields [alert_rev]`
`alert.signature (string)`	`security_result.summary`
`alert.signature (string)`	`security_result.rule_name`
`alert.category (string)`	`security_result.category_details`
`alert.severity (integer - count)`	`security_result.severity_details`
`alert.metadata (array[string] - vector of string)`	`security_result.detection_fields [alert_metadata]`
`community_id (string)`	`network.community_id`
`payload (string)`	`about.labels [payload]`
`payload (string)`	`about.labels [payload_decoded]`
`packet (string)`	`about.labels [packet]`
`packet (string)`	`about.labels [packet_decoded]`
`metadata (array[string] - vector of string)`	`security_result.detection_fields [metadata]`
`orig_cve (string)`	`extensions.vulns.vulnerabilities.cve_id`
`resp_cve (string)`	`extensions.vulns.vulnerabilities.cve_id`
	`idm.is_alert`	The `idm.is_alert` UDM field is set to `true`.
	`idm.is_significant`	The `idm.is_significant` UDM field is set to `true`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.

Referência de mapeamento de campo: CORELIGHT - bacnet

A tabela a seguir lista os campos de registro do tipo de registro bacnet e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`bvlc_function (string)`	`about.labels [bvlc_function]`
`bvlc_len (integer - count)`	`about.labels [bvlc_len]`
`apdu_type (string)`	`about.labels [apdu_type]`
`service_choice (string)`	`about.labels [service_choice]`
`data (array[string] - vector of string)`	`about.labels [data]`

Referência do mapeamento de campo: CORELIGHT - cip

A tabela a seguir lista os campos de registro do tipo cip e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`service (string)`	`about.labels [service]`
`status (string)`	`about.labels [status]`
`tags (string)`	`about.labels [tag]`

Referência de mapeamento de campo: CORELIGHT - corelight_burst

A tabela a seguir lista os campos de registro do tipo de registro corelight_burst e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`orig_size (integer - count)`	`network.sent_bytes`
`resp_size (integer - count)`	`network.received_bytes`
`mbps (number - double)`	`about.labels [mbps]`
`age_of_conn (number - interval)`	`about.labels [age_of_conn]`

Referência de mapeamento de campo: CORELIGHT - corelight_overall_capture_loss

A tabela a seguir lista os campos de registro do tipo de registro corelight_overall_capture_loss e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`gaps (number - double)`	`security_result.detection_fields [gaps]`
`acks (number - double)`	`security_result.detection_fields [acks]`
`percent_lost (number - double)`	`security_result.detection_fields [percent_lost]`
	`metadata.description`	The `metadata.description` UDM field is set with `_system_name`, `percent_lost`, `ts.` log fields as "node `_system_name` experienced `percent_lost`% packet loss at `ts.`".

Referência de mapeamento de campo: CORELIGHT - corelight_profiling

A tabela a seguir lista os campos de registro do tipo de registro corelight_profiling e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`node (string)`	`principal.hostname`
`prof.core_stack (string)`	`about.labels [prof_core_stack]`
`prof.script_stack (string)`	`about.labels [prof_script_stack]`
`prof.sched_wait_ns (integer - count)`	`about.labels [prof_sched_wait_ns]`

Referência do mapeamento de campo: CORELIGHT - datared

A tabela a seguir lista os campos de registro do tipo de registro datared e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`conn_red (integer - count)`	`about.labels [conn_red]`
`conn_total (integer - count)`	`about.labels [conn_total]`
`dns_red (integer - count)`	`about.labels [dns_red]`
`dns_total (integer - count)`	`about.labels [dns_total]`
`dns_coal_miss (integer - count)`	`about.labels [dns_coal_miss]`
`files_red (integer - count)`	`about.labels [files_red]`
`files_total (integer - count)`	`about.labels [files_total]`
`files_coal_miss (integer - count)`	`about.labels [files_coal_miss]`
`http_red (integer - count)`	`about.labels [http_red]`
`http_total (integer - count)`	`about.labels [http_total]`
`ssl_red (integer - count)`	`about.labels [ssl_red]`
`ssl_total (integer - count)`	`about.labels [ssl_total]`
`ssl_coal_miss (integer - count)`	`about.labels [ssl_coal_miss]`
`weird_red (integer - count)`	`about.labels [weird_red]`
`weird_total (integer - count)`	`about.labels [weird_total]`
`x509_red (integer - count)`	`about.labels [x509_red]`
`x509_total (integer - count)`	`about.labels [x509_total]`
`x509_coal_miss (integer - count)`	`about.labels [x509_coal_miss]`

Referência de mapeamento de campo: CORELIGHT - dhcp

A tabela a seguir lista os campos de registro do tipo de registro dhcp e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DHCP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DHCP`.
`uids (array[string] - set[string])`	`about.labels [uid]`
`client_addr (string - addr)`	`network.dhcp.ciaddr`
`server_addr (string - addr)`	`network.dhcp.siaddr`
`mac (string)`	`network.dhcp.chaddr`
`host_name (string)`	`network.dhcp.client_hostname`
`client_fqdn (string)`	`principal.domain.name`
`domain (string)`	`target.domain.name`
`requested_addr (string - addr)`	`network.dhcp.requested_address`
`assigned_addr (string - addr)`	`network.dhcp.yiaddr`
`lease_time (number - interval)`	`network.dhcp.lease_time_seconds`
`client_message (string)`	`security_result.description`
`server_message (string)`	`security_result.description`
`msg_types (array[string] - vector of string)`	`network.dhcp.type`	The `msg_types` log field is mapped to `network.dhcp.type` UDM field when index value in `msg_types` is equal to `0`. For every other index value, `about.labels.key` UDM field is set to `msg_types` and `msg_types` log field is mapped to the `about.labels.value`.
`duration (number - interval)`	`about.labels [duration]`

Referência do mapeamento de campo: CORELIGHT - dga

A tabela a seguir lista os campos de registro do tipo de registro dga e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`query (string)`	`network.dns.questions.name`
`family (string)`	`about.labels [family]`
`qtype_name (string)`	`about.labels [qtype_name]`
`rcode (integer - count)`	`network.dns.response_code`
`is_collision_heavy (boolean - bool)`	`security_result.detection_fields [is_collision_heavy]`
`ruse (boolean - bool)`	`about.labels [ruse]`

Referência de mapeamento de campo: CORELIGHT - dnp3

A tabela a seguir lista os campos de registro do tipo de registro dnp3 e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fc_request (string)`	`about.labels [fc_request]`
`fc_reply (string)`	`about.labels [fc_reply]`
`iin (integer - count)`	`about.labels [iin]`

Referência de mapeamento de campo: CORELIGHT - iso_cotp

A tabela a seguir lista os campos de registro do tipo iso_cotp e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`pdu_type (string)`	`about.labels [pdu_type]`

Referência de mapeamento de campo: CORELIGHT - kerberos

A tabela a seguir lista os campos de registro do tipo de registro kerberos e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `KRB5`.
`request_type (string)`	`principal.application`
`client (string)`	`principal.hostname`
`service (string)`	`target.application`
`success (boolean - bool)`	`security_result.action`	If the `success` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `FAIL`.
`error_msg (string)`	`security_result.action_details`
`from (time)`	`about.labels [from]`
`till (time)`	`about.labels [till]`
`cipher (string)`	`about.labels [cipher]`
`forwardable (boolean - bool)`	`about.labels [forwardable]`
`renewable (boolean - bool)`	`about.labels [renewable]`
`client_cert_subject (string)`	`about.labels [client_cert_subject]`
`client_cert_fuid (string)`	`about.labels [client_cert_fuid]`
`server_cert_subject (string)`	`about.labels [server_cert_subject]`
`server_cert_fuid (string)`	`about.labels [server_cert_fuid]`

Referência de mapeamento de campo: CORELIGHT - ldap

A tabela a seguir lista os campos de registro do tipo de registro ldap e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `LDAP`.
`proto (string)`	`about.labels [proto]`
`message_id (integer - int)`	`about.labels [message_id]`
`version (integer - int)`	`network.application_protocol_version`
`opcode (array[string] - set[string])`	`security_result.detection_fields [opcode]`
`result (array[string] - set[string])`	`security_result.detection_fields [result]`
`diagnostic_message (array[string] - vector of string)`	`security_result.description`
`object (array[string] - vector of string)`	`about.labels [object]`
`argument (array[string] - vector of string)`	`about.labels [argument]`

Referência de mapeamento de campo: CORELIGHT - ldap_search

A tabela a seguir lista os campos de registro do tipo de registro ldap_search e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `LDAP`.
`proto (string)`	`about.labels [proto]`
`message_id (integer - int)`	`about.labels [message_id]`
`scope (array[string] - set[string])`	`about.labels [scope]`
`deref (array[string] - set[string])`	`about.labels [deref]`
`base_object (array[string] - vector of string)`	`about.labels [base_object]`
`result_count (integer - count)`	`security_result.detection_fields [result_count]`
`result (array[string] - set[string])`	`security_result.detection_fields [result]`
`diagnostic_message (array[string] - vector of string)`	`security_result.description`
`filter (string)`	`about.labels [filter]`
`attributes (array[string] - vector of string)`	`about.labels [attributes]`

Referência do mapeamento de campo: CORELIGHT - local_subnets

A tabela a seguir lista os campos de registro do tipo de registro local_subnets e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`round (integer - count)`	`about.labels [round]`
`ip_version (integer - count)`	`about.labels [ip_version]`
`subnets (array[string] - set[subnet])`	`about.labels [subnet]`
`component_ids (array[integer] - set[count])`	`about.labels [component_id]`
`size_of_component (integer - count)`	`about.labels [size_of_component]`
`bipartite (boolean - bool)`	`about.labels [bipartite]`
`inferred_site (boolean - bool)`	`about.labels [inferred_site]`
`other_ips (array[string] - set[addr])`	`about.ip`

Referência do mapeamento de campo: CORELIGHT - local_subnets_dj

A tabela a seguir lista os campos de registro do tipo de registro local_subnets_dj e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`ip_version (integer - count)`	`about.labels [ip_version]`
`v (string - addr)`	`about.ip`
`side (string)`	`about.labels [side]`

Referência do mapeamento de campo: CORELIGHT - local_subnets_graphs

A tabela a seguir lista os campos de registro do tipo de registro local_subnets_graphs e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`ip_version (integer - count)`	`about.labels [ip_version]`
`v1 (string - addr)`	`about.ip`
`v2 (string - addr)`	`about.ip`

Referência do mapeamento de campo: CORELIGHT - syslog

A tabela a seguir lista os campos de registro do tipo de registro syslog e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`proto (string - enum)`	`network.ip_protocol`
`facility (string)`	`about.labels [facility]`
`severity (string)`	`about.labels [severity]`
`message (string)`	`metadata.description`

Referência de mapeamento de campo: CORELIGHT - tds

A tabela a seguir lista os campos de registro do tipo tds e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`command (string)`	`principal.process.command_line`

Referência de mapeamento de campo: CORELIGHT - tds_rpc

A tabela a seguir lista os campos de registro do tipo de registro tds_rpc e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`procedure_name (string)`	`about.labels [procedure_name]`
`parameters (array[string] - vector of string)`	`about.labels [parameter]`

Referência de mapeamento de campo: CORELIGHT - tds_sql_batch

A tabela a seguir lista os campos de registro do tipo de registro tds_sql_batch e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `DATABASE`.
`header_type (string)`	`target.resource.attribute.labels [header_type]`
`query (string)`	`target.resource.attribute.labels [query]`

Referência de mapeamento de campo: CORELIGHT - traceroute

A tabela a seguir lista os campos de registro do tipo de registro traceroute e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`src (string - addr)`	`principal.ip`
`dst (string - addr)`	`target.ip`
`proto (string)`	`network.ip_protocol`

Referência do mapeamento de campo: CORELIGHT - túnel

A tabela a seguir lista os campos de registro do tipo de registro tunnel e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
`tunnel_type (string - enum)`	`intermediary.labels [tunnel_type]`
`action (string - enum)`	`security_result.action_details`
	`security_result.description`	The `security_result.description` UDM field is set with `action`, `tunnel_type` log fields as "action `action` on tunnel type `tunnel_type`".

Referência de mapeamento de campo: CORELIGHT - estranha, estranha_vermelha

A tabela a seguir lista os campos de registro do tipo de registro weird, weird_red e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`name (string)`	`about.labels [name]`
`addl (string)`	`about.labels [addl]`
`notice (boolean - bool)`	`about.labels [notice]`
`source (string)`	`about.labels [source]`
`peer (string)`	`about.labels [peer]`

Referência de mapeamento de campo: CORELIGHT - wireguard

A tabela a seguir lista os campos de registro do tipo de registro wireguard e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
`established (boolean - bool)`	`about.labels [established]`
`initiations (integer - count)`	`about.labels [initiations]`
`responses (integer - count)`	`about.labels [responses]`

Referência de mapeamento de campo: CORELIGHT - vpn

A tabela a seguir lista os campos de registro do tipo de registro vpn e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`vpn_type (string - enum)`	`about.labels [vpn_type]`
`service (string)`	`target.application`
`inferences (array[string] - set[string])`	`about.labels [inference]`
`server_name (string)`	`network.tls.client.server_name`
`client_info (string)`	`principal.labels [client_info]`
`duration (number - interval)`	`network.session_duration`
`orig_bytes (integer - count)`	`network.sent_bytes`
`resp_bytes (integer - count)`	`network.received_bytes`
`orig_cc (string)`	`principal.location.country_or_region`
`orig_region (string)`	`principal.location.country_or_region`
`orig_city (string)`	`principal.location.city`
`resp_cc (string)`	`target.location.country_or_region`
`resp_region (string)`	`target.location.country_or_region`
`resp_city (string)`	`target.location.city`
`subject (string)`	`network.tls.client.certificate.subject`
`issuer (string)`	`network.tls.client.certificate.issuer`
`ja3 (string)`	`network.tls.client.ja3`
`ja3s (string)`	`network.tls.server.ja3s`

Referência de mapeamento de campo: CORELIGHT - x509, x509_red

A tabela a seguir lista os campos de registro do tipo x509, x509_red e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fingerprint (string)`	`about.labels [fingerprint]`
`certificate.version (integer - count)`	`network.tls.server.certificate.version`
`certificate.serial (string)`	`network.tls.server.certificate.serial`
`certificate.subject (string)`	`network.tls.server.certificate.subject`
`certificate.issuer (string)`	`network.tls.server.certificate.issuer`
`certificate.not_valid_before (time)`	`network.tls.server.certificate.not_before`
`certificate.not_valid_after (time)`	`network.tls.server.certificate.not_after`
`certificate.key_alg (string)`	`about.labels [certificate_key_alg]`
`certificate.sig_alg (string)`	`about.labels [certificate_sig_alg]`
`certificate.key_type (string)`	`about.labels [certificate_key_type]`
`certificate.key_length (integer - count)`	`about.labels [certificate_key_length]`
`certificate.exponent (string)`	`about.labels [certificate_exponent]`
`certificate.curve (string)`	`network.tls.curve`
`san.dns (array[string] - vector of string)`	`about.labels [san_dns]`
`san.uri (array[string] - vector of string)`	`about.url`
`san.email (array[string] - vector of string)`	`about.labels [san_email]`
`san.ip (array[string] - vector of addr)`	`about.ip`
`basic_constraints.ca (boolean - bool)`	`about.labels [basic_constraints_ca]`
`basic_constraints.path_len (integer - count)`	`about.labels [basic_constraints_path_len]`
`host_cert (boolean - bool)`	`about.labels [host_cert]`
`client_cert (boolean - bool)`	`about.labels [client_cert]`

Referência do mapeamento de campo: CORELIGHT -unknown-smartpcap

A tabela a seguir lista os campos de registro do tipo de registro unknown-smartpcap e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Smartpcap`.
`tid (string)`	`about.labels [tid]`
`pkts (integer - count)`	`about.labels [pkts]`
`url (string)`	`security_result.url_back_to_product`

Referência do mapeamento de campo: CORELIGHT - mysql

A tabela a seguir lista os campos de registro do tipo mysql e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_ACCESS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`cmd (string)`	`target.resource.attribute.labels [cmd]`
`arg (string)`	`principal.process.command_line`
`success (boolean - bool)`	`target.resource.attribute.labels [success]`
`rows (integer - count)`	`target.resource.attribute.labels [rows]`
`response (string)`	`target.resource.attribute.labels [response]`
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `DATABASE`.

Referência de mapeamento de campo: CORELIGHT - napatech_shunting

A tabela a seguir lista os campos de registro do tipo de registro napatech_shunting e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`peer (string)`	`about.labels [peer]`
`terminated_flows (integer - count)`	`about.labels [terminated_flows]`
`shunted_flows (integer - count)`	`security_result.detection_fields [shunted_flows]`

Referência de mapeamento de campo: CORELIGHT - ntlm

A tabela a seguir lista os campos de registro do tipo de registro ntlm e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`username (string)`	`target.user.userid`
`hostname (string)`	`principal.hostname`
`domainname (string)`	`principal.domain.name`
`server_nb_computer_name (string)`	`target.hostname`
`server_dns_computer_name (string)`	`target.domain.name`
`server_tree_name (string)`	`target.labels [server_tree_name]`
`success (boolean - bool)`	`extensions.auth.auth_details`	If the `success` log field value is equal to `true`, then the `extensions.auth.auth_details` UDM field is set to `Authentication successful`. Else, the `extensions.auth.auth_details` UDM field is set to `Authentication failed`.

Referência do mapeamento de campo: CORELIGHT - pe

A tabela a seguir lista os campos de registro do tipo de registro pe e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`id (string)`	`about.labels [id]`
`machine (string)`	`target.labels [machine]`
`compile_ts (time)`	`about.labels [compile_ts]`
`os (string)`	`target.platform`	If the `os` log field value is equal to `windows`, then the `target.platform` UDM field is set to `WINDOWS`. Else, if is equal to `linux`, then the `target.platform` UDM field is set to `LINUX`. Else, if the `os` log field value is equal to `mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.`
`subsystem (string)`	`target.application`
`is_exe (boolean - bool)`	`about.file.file_type`	If the `is_exe` log field value is equal to `true`, then the `about.file.file_type` UDM field is set to `FILE_TYPE_PE_EXE`.
`is_64bit (boolean - bool)`	`about.labels [is_64bit]`
`uses_aslr (boolean - bool)`	`about.labels [uses_aslr]`
`uses_dep (boolean - bool)`	`about.labels [uses_dep]`
`uses_code_integrity (boolean - bool)`	`about.labels [uses_code_integrity]`
`uses_seh (boolean - bool)`	`about.labels [uses_seh ]`
`has_import_table (boolean - bool)`	`about.labels [has_import_table]`
`has_export_table (boolean - bool)`	`about.labels [has_export_table]`
`has_cert_table (boolean - bool)`	`about.labels [has_cert_table]`
`has_debug_data (boolean - bool)`	`about.labels [has_debug_data]`
`section_names (array[string] - vector of string)`	`about.labels [section_names]`

Referência de mapeamento de campo: CORELIGHT - ntp

A tabela a seguir lista os campos de registro do tipo ntp e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `NTP`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `UDP`.
`version (integer - count)`	`network.application_protocol_version`
`mode (integer - count)`	`about.labels [mode]`
`stratum (integer - count)`	`about.labels [stratum]`
`poll (number - interval)`	`about.labels [poll]`
`precision (number - interval)`	`about.labels [precision]`
`root_delay (number - interval)`	`about.labels [root_delay]`
`root_disp (number - interval)`	`about.labels [root_disp]`
`ref_id (string)`	`target.ip`	If the `ref_id`log field value is matched with regex of IP, then the `ref_id`log field is mapped to the `target.ip` UDM field. Else, the `ref_id`log field is mapped to the `target.labels` UDM field.
`ref_id (string)`	`target.labels [ref_id]`	If the `ref_id`log field value is matched with regex of IP, then the `ref_id`log field is mapped to the `target.ip` UDM field. Else, the `ref_id`log field is mapped to the `target.labels` UDM field.
`ref_time (time)`	`about.labels [ref_time]`
`org_time (time)`	`about.labels [org_time]`
`rec_time (time)`	`about.labels [rec_time]`
`xmt_time (time)`	`about.labels [rec_time]`
`num_exts (integer - count)`	`about.labels [num_exts]`

Referência do mapeamento de campo: CORELIGHT - raio

A tabela a seguir lista os campos de registro do tipo de registro radius e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`username (string)`	`target.user.userid`
`mac (string)`	`principal.mac`
`framed_addr (string - addr)`	`intermediary.ip`
`tunnel_client (string)`	`intermediary.ip`	If the `tunnel_client` log field value is matched with regex of IP, then the `tunnel_client` log field is mapped to the `intermediary.ip` UDM field. Else, the `tunnel_client` log field is mapped to the `intermediary.domain.name` UDM field.
`tunnel_client (string)`	`intermediary.domain.name`	If the `tunnel_client` log field value is matched with regex of IP, then the `tunnel_client` log field is mapped to the `intermediary.ip` UDM field. Else, the `tunnel_client` log field is mapped to the `intermediary.domain.name` UDM field.
`connect_info (string)`	`about.labels [connect_info]`
`reply_msg (string)`	`about.labels [reply_msg]`
`result (string)`	`extensions.auth.auth_details`
`ttl (number - interval)`	`network.session_duration`

Referência de mapeamento de campo: CORELIGHT – informante

A tabela a seguir lista os campos de registro do tipo de registro reporter e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`level (string - enum)`	`security_result.severity`	If the `level` log field value is equal to `CRITICAL` or `ERROR` or `HIGH` or `INFORMATIONAL` or `LOW` or `MEDIUM`, then the `level` log field is mapped to the `security_result.severity` UDM field.
`level (string - enum)`	`security_result.severity_details`
`message (string)`	`security_result.description`
`location (string)`	`about.labels [location]`

Referência de mapeamento de campo: CORELIGHT - log4shell

A tabela a seguir lista os campos de registro do tipo de registro log4shell e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`extensions.vulns.vulnerabilities.cve_id`	The `extensions.vulns.vulnerabilities.cve_id` UDM field is set to `CVE-2021-44228`.
`http_uri (string)`	`about.labels [http_uri]`
`uri (string)`	`target.url`
`stem (string)`	`target.labels [stem]`
`target_host (string)`	`target.hostname`
`target_port (string)`	`target.port`
`method (string)`	`network.http.method`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`name (string)`	`about.labels.key`
`value (string)`	`about.labels.value`
`matched_name (boolean - bool)`	`about.labels [matched_name]`
`matched_value (boolean - bool)`	`about.labels [matched_value]`

Referência de mapeamento de campo: CORELIGHT - modbus

A tabela a seguir lista os campos de registro do tipo de registro modbus e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MODBUS`.
`func (string)`	`about.labels [func]`
`exception (string)`	`security_result.description`

Referência de mapeamento de campo: CORELIGHT - mqtt_connect

A tabela a seguir lista os campos de registro do tipo de registro mqtt_connect e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`proto_name (string)`	`about.labels [proto_name]`
`proto_version (string)`	`network.application_protocol_version`
`client_id (string)`	`principal.labels [client_id]`
`connect_status (string)`	`security_result.description`
`will_topic (string)`	`about.labels [will_topic]`
`will_payload (string)`	`about.labels [will_payload]`

Referência de mapeamento de campo: CORELIGHT - mqtt_publish

A tabela a seguir lista os campos de registro do tipo de registro mqtt_publish e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`from_client (boolean - bool)`	`about.labels [from_client]`
`retain (boolean - bool)`	`target.labels [retain]`
`qos (string)`	`about.labels [qos]`
`status (string)`	`security_result.description`
`topic (string)`	`about.labels [topic]`
`payload (string)`	`about.labels [payload]`
`payload_len (integer - count)`	`about.labels [payload_len]`

Referência de mapeamento de campo: CORELIGHT - mqtt_subscribe

A tabela a seguir lista os campos de registro do tipo de registro mqtt_subscribe e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`action (string - enum)`	`security_result.action_details`
`topics (array[string] - vector of string)`	`about.labels [topics]`
`qos_levels (array[integer] - vector of count)`	`about.labels [qos_levels]`
`granted_qos_level (integer - count)`	`about.labels [granted_qos_level]`
`ack (boolean - bool)`	`security_result.detection_fields [ack]`

Referência de mapeamento de campo: CORELIGHT - dpd

A tabela a seguir lista os campos de registro do tipo de registro dpd e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`analyzer (string)`	`about.labels [analyzer]`
`failure_reason (string)`	`about.labels [failure_reason]`

Referência do mapeamento de campo: CORELIGHT - encryption_dns

A tabela a seguir lista os campos de registro do tipo encrypted_dns e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`resp_h (string - addr)`	`target.ip`
`cert.cn (string)`	`about.labels [cert_cn]`
`cert.sans (array[string] - set[string])`	`about.labels [cert_sans]`
`sni (string)`	`network.tls.client.server_name`
`match (string)`	`about.labels [match]`

Referência de mapeamento de campo: CORELIGHT - enip

A tabela a seguir lista os campos de registro do tipo enip e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`command (string)`	`principal.process.command_line`
`length (integer - count)`	`about.labels [length]`
`session_handle (string)`	`network.session_id`
`status (string)`	`about.labels [status]`
`sender_context (string)`	`about.labels [sender_context]`
`options (string)`	`about.labels [options]`

Referência de mapeamento de campo: CORELIGHT - enip_debug

A tabela a seguir lista os campos de registro do tipo enip_debug e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`raw_data (string)`	`about.labels [raw_data]`

Referência de mapeamento de campo: CORELIGHT - enip_list_identity

A tabela a seguir lista os campos de registro do tipo de registro enip_list_identity e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`device_type (string)`	`target.asset.attribute.labels [device_type]`
`vendor (string)`	`target.asset.hardware.manufacturer`
`product_name (string)`	`target.asset.attribute.labels [product_name]`
`serial_number (string)`	`target.asset.asset_id`	The `target.asset.asset_id` UDM field is set with `serial_number` log fields as "CORELIGHT: `serial_number`".
`product_code (integer - count)`	`target.asset.attribute.labels [product_code]`
`revision (number - double)`	`target.asset.attribute.labels [revision]`
`status (string)`	`about.labels [status]`
`state (string)`	`target.asset.attribute.labels [state]`
`device_ip (string - addr)`	`target.asset.ip`

Referência do mapeamento de campo: CORELIGHT - etc_viz

A tabela a seguir lista os campos de registro do tipo de registro etc_viz e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`server_a (string - addr)`	`target.ip`
`server_p (integer - port)`	`target.port`
`service (array[string] - set[string])`	`target.application`	The `service` log field is mapped to `target.application` UDM field when index value in `service` is equal to `0`. For every other index value, `target.labels.key` UDM field is set to `service` and `service` log field is mapped to the `target.labels.value`.
`viz_stat (string)`	`about.labels [viz_stat]`
`c2s_viz.size (integer - count)`	`about.labels [c2s_viz_size]`
`c2s_viz.enc_dev (number - double)`	`about.labels [c2s_viz_enc_dev]`
`c2s_viz.enc_frac (number - double)`	`about.labels [c2s_viz_enc_frac]`
`c2s_viz.pdu1_enc (boolean - bool)`	`about.labels [c2s_viz_pdu1_enc]`
`c2s_viz.clr_frac (number - double)`	`about.labels [c2s_viz_clr_frac]`
`c2s_viz.clr_ex (string)`	`about.labels [c2s_viz_clr_ex]`
`s2c_viz.size (integer - count)`	`about.labels [s2c_viz_size]`
`s2c_viz.enc_dev (number - double)`	`about.labels [s2c_viz_enc_dev]`
`s2c_viz.enc_frac (number - double)`	`about.labels [s2c_viz_enc_frac]`
`s2c_viz.pdu1_enc (boolean - bool)`	`about.labels [s2c_viz_pdu1_enc]`
`s2c_viz.clr_frac (number - double)`	`about.labels [s2c_viz_clr_frac]`
`s2c_viz.clr_ex (string)`	`about.labels [s2c_viz_clr_ex]`

Referência de mapeamento de campo: CORELIGHT - ftp

A tabela a seguir lista os campos de registro do tipo de registro ftp e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_FTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`user (string)`	`principal.user.user_display_name`
`password (string)`	`extensions.auth.auth_details`
`command (string), arg (string)`	`network.ftp.command`	The `network.ftp.command` UDM field is set with `command`, `arg` log fields as "`command` `arg`".
`mime_type (string)`	`target.file.mime_type`
`file_size (integer - count)`	`target.file.size`
`reply_code (integer - count)`	`about.labels [reply_code]`
`reply_msg (string)`	`about.labels [reply_msg]`
`data_channel.passive (boolean - bool)`	`about.labels [data_channel_passive]`
`data_channel.orig_h (string - addr)`	`principal.ip`
`data_channel.resp_h (string - addr)`	`target.ip`
`data_channel.resp_p (integer - port)`	`target.labels [data_channel_resp_p]`
`fuid (string)`	`about.labels [fuid]`

Referência do mapeamento de campo: CORELIGHT - general_dns_tunnels

A tabela a seguir lista os campos de registro do tipo de registro generic_dns_tunnels e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`dns_client (string - addr)`	`principal.ip`
`domain (string)`	`network.dns_domain`
`domain (string)`	`network.dns.questions.name`
`bytes (integer - int)`	`about.labels [bytes]`
`capture_secs (number - interval)`	`about.labels [capture_secs]`

Referência de mapeamento de campo: CORELIGHT - generic_icmp_tunnels

A tabela a seguir lista os campos de registro do tipo de registro generic_icmp_tunnels e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `ICMP`.
`detection (string)`	`security_result.detection_fields [detection]`
`orig (string - addr)`	`principal.ip`
`resp (string - addr)`	`target.ip`
`id (integer - count)`	`about.labels [id]`
`seq (integer - count)`	`about.labels [seq]`
`bytes (integer - count)`	`about.labels [bytes]`
`payload_len (integer - count)`	`about.labels [payload_len]`
`payload (string)`	`about.labels [payload]`

Referência de mapeamento de campo: CORELIGHT - icmp_specific_tunnels

A tabela a seguir lista os campos de registro do tipo de registro icmp_specific_tunnels e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `ICMP`.
`start_time (time)`	`about.labels [start_time]`
`duration (number - interval)`	`network.session_duration`
`tunnel (string)`	`intermediary.labels [tunnel]`
`seq (integer - count)`	`about.labels [seq]`
`icmp_id (integer - count)`	`about.labels [icmp_id]`
`payload (string)`	`about.labels [payload]`

Referência de mapeamento de campo: CORELIGHT - ipsec

A tabela a seguir lista os campos de registro do tipo de registro ipsec e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`initiator_spi (string)`	`principal.labels [initiator_spi]`
`responder_spi (string)`	`target.labels [responder_spi]`
`maj_ver (integer - count)`	`about.labels [maj_ver]`
`min_ver (integer - count)`	`about.labels [min_ver]`
`exchange_type (integer - count)`	`about.labels [exchange_type]`
`flag_e (boolean - bool)`	`about.labels [flag_e]`
`flag_c (boolean - bool)`	`about.labels [flag_c]`
`flag_a (boolean - bool)`	`about.labels [flag_a]`
`flag_i (boolean - bool)`	`about.labels [flag_i]`
`flag_v (boolean - bool)`	`about.labels [flag_v]`
`flag_r (boolean - bool)`	`about.labels [flag_r]`
`message_id (integer - count)`	`about.labels [message_id]`
`vendor_ids (array[string] - vector of string)`	`about.labels [vendor_id]`
`notify_messages (array[string] - vector of string)`	`about.labels [notify_message]`
`transforms (array[string] - vector of string)`	`about.labels [transform]`
`ke_dh_groups (array[integer] - vector of count)`	`about.labels [ke_dh_group]`
`proposals (array[integer] - vector of count)`	`about.labels [proposal]`
`protocol_id (integer - count)`	`about.labels [protocol_id]`
`certificates (array[string] - vector of string)`	`about.labels [certificate]`
`transform_attributes (array[string] - vector of string)`	`about.labels [transform_attribute]`
`length (integer - count)`	`about.labels [length]`
`hash (string)`	`about.labels [hash]`
`doi (integer - count)`	`about.labels [doi]`
`situation (string)`	`about.labels [situation]`

Referência do mapeamento de campo: CORELIGHT - profinet

A tabela a seguir lista os campos de registro do tipo de registro profinet e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`operation_type (string)`	`about.labels [operation_type]`
`block_version (string)`	`about.labels [block_version]`
`slot_number (integer - count)`	`about.labels [slot_number]`
`subslot_number (integer - count)`	`about.labels [subslot_number]`
`index (string)`	`about.labels [index]`

Referência de mapeamento de campo: CORELIGHT - profinet_dce_rpc

A tabela a seguir lista os campos de registro do tipo de registro profinet_dce_rpc e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DCERPC`.
`version (integer - count)`	`about.labels [version]`
`packet_type (integer - count)`	`about.labels [packet_type]`
`object_uuid (string)`	`about.labels [object_uuid]`
`interface_uuid (string)`	`about.labels [interface_uuid]`
`activity_uuid (string)`	`about.labels [activity_uuid]`
`server_boot_time (integer - count)`	`about.labels [server_boot_time]`
`operation (string)`	`about.labels [operation]`

Referência de mapeamento de campo: CORELIGHT - profinet_debug

A tabela a seguir lista os campos de registro do tipo de registro profinet_debug e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`raw_data (string)`	`about.labels [raw_data]`

Referência de mapeamento de campo: CORELIGHT - rfb

A tabela a seguir lista os campos de registro do tipo de registro rfb e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`client_major_version (string)`	`principal.labels [client_major_version]`
`client_minor_version (string)`	`principal.labels [client_minor_version]`
`server_major_version (string)`	`target.labels [server_major_version]`
`server_minor_version (string)`	`target.labels [server_minor_version]`
`authentication_method (string)`	`extension.auth.mechanism`	If the `authentication_method` log field value is equal to `VNC`, then the `extension.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`.
`authentication_method (string)`	`extension.auth.auth_details`
`auth (boolean - bool)`	`security_result.action`	If the `auth` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `FAIL`.
`share_flag (boolean - bool)`	`about.labels [share_flag]`
`desktop_name (string)`	`principal.labels [desktop_name]`
`width (integer - count)`	`principal.labels [width]`
`height (integer - count)`	`principal.labels [height]`

Referência de mapeamento de campo: CORELIGHT - known_certs

A tabela a seguir lista os campos de registro do tipo de registro known_certs e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
	`entity.resource.resource_subtype`	The `entity.resource.resource_subtype` UDM field is set to `CERTIFICATE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`hash (string)`	`entity.resource.attribute.labels [hash]`
`port (integer - port)`	`entity.port`
`protocol (string - enum)`	`entity.labels [protocol]`
`serial (string)`	`entity.resource.attribute.labels [serial]`
`subject (string)`	`entity.resource.attribute.labels [subject]`
`issuer_subject (string)`	`entity.resource.attribute.labels [issuer_subject]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência de mapeamento de campo: CORELIGHT - known_devices

A tabela a seguir lista os campos de registro do tipo de registro known_devices e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`ts (time)`	`entity.asset.first_seen_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.asset.ip`
`mac (string)`	`entity.asset.mac`
`vendor_mac (string)`	`entity.asset.hardware.manufacturer`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência de mapeamento de campo: CORELIGHT - known_domains

A tabela a seguir lista os campos de registro do tipo known_domains e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `DOMAIN_NAME`.
`ts (time)`	`metadata.interval.start_time`
`ts (time)`	`entity.domain.first_seen_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`domain (string)`	`entity.domain.name`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência do mapeamento de campo: CORELIGHT - known_hosts

A tabela a seguir lista os campos de registro do tipo de registro known_hosts e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `IP_ADDRESS`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`conns_opened (integer - count)`	`metadata.threat.detection_fields [conns_opened]`
`conns_closed (integer - count)`	`metadata.threat.detection_fields [conns_closed]`
`conns_pending (integer - count)`	`metadata.threat.detection_fields [conns_pending]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência de mapeamento de campo: CORELIGHT - known_names

A tabela a seguir lista os campos de registro do tipo de registro known_names e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`hostname (string)`	`entity.hostname`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência de mapeamento de campo: CORELIGHT - known_remotes

A tabela a seguir lista os campos de registro do tipo known_remotes e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `IP_ADDRESS`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`

Referência de mapeamento de campo: CORELIGHT - known_services

A tabela a seguir lista os campos de registro do tipo de registro known_services e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`port (integer - port)`	`entity.port`
`protocol (string - enum)`	`entity.labels [protocol]`
`service (array[string] - vector of string)`	`entity.labels [service]`
`software (array[string] - set[string])`	`entity.asset.software.name`
`app (array[string] - set[string])`	`entity.application`	The `app` log field is mapped to `entity.application` UDM field when index value in `app` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `app` and `app` log field is mapped to the `entity.labels.value`.
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência de mapeamento de campo: CORELIGHT - known_users

A tabela a seguir lista os campos de registro do tipo de registro known_users e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`remote_ip (string - addr)`	`entity.ip`
`user (string)`	`entity.user.user_display_name`
`protocol (string)`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`

Referência do mapeamento de campo: CORELIGHT - s7comm

A tabela a seguir lista os campos de registro do tipo de registro s7comm e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`rosctr (string)`	`about.labels [rosctr]`
`parameter (array[string] - vector of string)`	`about.labels [parameter]`
`item_count (integer - count)`	`about.labels [item_count]`
`data_info (array[string] - vector of string)`	`about.labels [data_info]`

Referência de mapeamento de campo: CORELIGHT - smartpcap

A tabela a seguir lista os campos de registro do tipo de registro smartpcap e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Smartpcap`.
`logstr (string)`	`metadata.description`

Referência de mapeamento de campo: CORELIGHT - snmp

A tabela a seguir lista os campos de registro do tipo de registro snmp e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`duration (number - interval)`	`network.session_duration`
`version (string)`	`network.application_protocol_version`
`community (string)`	`about.labels [community]`
`get_requests (integer - count)`	`about.labels [get_requests]`
`get_bulk_requests (integer - count)`	`about.labels [get_bulk_requests]`
`get_responses (integer - count)`	`about.labels [get_responses]`
`set_requests (integer - count)`	`about.labels [set_requests]`
`display_string (string)`	`about.labels [display_string]`
`up_since (time)`	`about.labels [up_since]`

Referência de mapeamento de campo: CORELIGHT - meias

A tabela a seguir lista os campos de registro do tipo de registro socks e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`version (integer - count)`	`about.labels [version]`
`user (string)`	`principal.user.userid`
`password (string)`	`extensions.auth.auth_details`
`status (string)`	`about.labels [status]`
`request.host (string - addr)`	`target.ip`
`request.name (string)`	`target.hostname`
`request_p (integer - port)`	`target.labels [request_p]`
`bound.host (string - addr)`	`intermediary.ip`
`bound.name (string)`	`intermediary.hostname`
`bound_p (integer - port)`	`intermediary.port`

Referência de mapeamento de campo: CORELIGHT – software

A tabela a seguir lista os campos de registro do tipo de registro software e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`host (string - addr)`	`target.asset.ip`
`host_p (integer - port)`	`target.port`
`software_type (string - enum)`	`target.asset.software.description`
`name (string)`	`target.asset.software.name`
`version.major (integer - count)`	`target.asset.software.version`
`version.minor (integer - count)`	`target.asset.attribute.labels [version_minor]`
`version.minor2 (integer - count)`	`target.asset.attribute.labels [version_minor2]`
`version.minor3 (integer - count)`	`target.asset.attribute.labels [version_minor3]`
`version.addl (string)`	`target.asset.attribute.labels [version_addl]`
`unparsed_version (string)`	`target.asset.attribute.labels [unparsed_version]`

Referência do mapeamento de campo: CORELIGHT - specific_dns_tunnels

A tabela a seguir lista os campos de registro do tipo de registro specific_dns_tunnels e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`trans_id (integer - count)`	`network.dns.id`
`dns_client (string - addr)`	`principal.ip`
`resolver (string - addr)`	`target.ip`
`query (string)`	`network.dns.questions.name`
`program (string - enum)`	`principal.application`
`session_id (integer - count)`	`network.session_id`
`detection (string)`	`security_result.detection_fields [detection]`
`sods_id (integer - count)`	`about.labels [sods_id]`

Referência de mapeamento de campo: CORELIGHT - caminhada

A tabela a seguir lista os campos de registro do tipo de registro stepping e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`dt (number - interval)`	`about.labels [dt]`
`uid1 (string)`	`about.labels [uid1]`
`uid2 (string)`	`about.labels [uid2]`
`direct (boolean - bool)`	`about.labels [direct]`
`client1_h (string - addr)`	`principal.ip`
`client1_p (integer - port)`	`principal.port`
`server1_h (string - addr)`	`target.ip`
`server1_p (integer - port)`	`target.port`
`client2_h (string - addr)`	`principal.ip`
`client2_p (integer - port)`	`principal.labels [client2_p]`
`server2_h (string - addr)`	`target.labels [server2_h]`
`server2_p (integer - port)`	`target.labels [server2_p]`

Referência de mapeamento de campo: CORELIGHT - stun

A tabela a seguir lista os campos de registro do tipo de registro stun e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`proto (string - enum)`	`network.ip_protocol`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`trans_id (string)`	`network.session_id`
`method (string)`	`about.labels [method]`
`class (string)`	`about.labels [class]`
`attr_types (array[string] - vector of string)`	`about.labels.key`
`attr_vals (array[string] - vector of string)`	`about.labels.value`

Referência de mapeamento de campo: CORELIGHT - stun_nat

A tabela a seguir lista os campos de registro do tipo de registro stun_nat e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`proto (string - enum)`	`network.ip_protocol`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`wan_addrs (array[string] - vector of addr)`	`principal.nat_ip`
`wan_ports (array[integer] - vector of count)`	`principal.nat_port`	The `wan_ports` log field is mapped to `principal.nat_port` UDM field when index value in `wan_ports` is equal to `0`. For every other index value, `principal.labels.key` UDM field is set to `wan_port` and `wan_ports` log field is mapped to the `principal.labels.value`.
`lan_addrs (array[string] - vector of addr)`	`principal.ip`

Referência de mapeamento de campo: CORELIGHT - suricata_stats

A tabela a seguir lista os campos de registro do tipo de registro suricata_stats e os campos de UDM correspondentes.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Suricata`.
`raw_mgmt`	`about.labels [raw_mgmt]`
`timestamp(time)`	`metadata.event_timestamp`
`event_type(string)`	`about.labels [event_type]`
`stats.uptime(integer)`	`about.labels [stats_uptime]`
`stats.napa_total.pkts(integer)`	`about.labels [stats_napa_total_pkts]`
`stats.napa_total.byte(integer)`	`about.labels [stats_napa_total_byte]`
`stats.napa_total.overflow_drop_pkts(integer)`	`about.labels [stats_napa_total_overflow_drop_pkts]`
`stats.napa_total.overflow_drop_byte(integer)`	`about.labels [stats_napa_total_overflow_drop_byte]`
`stats.napa_dispatch_host.pkts(integer)`	`about.labels [stats_napa_dispatch_host_pkts]`
`stats.napa_dispatch_host.byte(integer)`	`about.labels [stats_napa_dispatch_host_byte]`
`stats.napa_dispatch_drop.pkts(integer)`	`about.labels [stats_napa_dispatch_drop_pkts]`
`stats.napa_dispatch_drop.byte(integer)`	`about.labels [stats_napa_dispatch_drop_byte]`
`stats.decoder.pkts(integer)`	`about.labels [stats_decoder_pkts]`
`stats.decoder.bytes(integer)`	`about.labels [stats_decoder_bytes]`
`stats.decoder.invalid(integer)`	`about.labels [stats_decoder_invalid]`
`stats.decoder.ipv4(integer)`	`about.labels [stats_decoder_ipv4]`
`stats.decoder.ipv6(integer)`	`about.labels [stats_decoder_ipv6]`
`stats.decoder.ethernet(integer)`	`about.labels [stats_decoder_ethernet]`
`stats.decoder.chdlc(integer)`	`about.labels [stats_decoder_chdlc]`
`stats.decoder.raw(integer)`	`about.labels [stats_decoder_raw]`
`stats.decoder.null(integer)`	`about.labels [stats_decoder_null]`
`stats.decoder.sll(integer)`	`about.labels [stats_decoder_sll]`
`stats.decoder.tcp(integer)`	`about.labels [stats_decoder_tcp]`
`stats.decoder.udp(integer)`	`about.labels [stats_decoder_udp]`
`stats.decoder.sctp(integer)`	`about.labels [stats_decoder_sctp]`
`stats.decoder.icmpv4(integer)`	`about.labels [stats_decoder_icmpv4]`
`stats.decoder.icmpv6(integer)`	`about.labels [stats_decoder_icmpv6]`
`stats.decoder.ppp(integer)`	`about.labels [stats_decoder_ppp]`
`stats.decoder.pppoe(integer)`	`about.labels [stats_decoder_pppoe]`
`stats.decoder.geneve(integer)`	`about.labels [stats_decoder_geneve]`
`stats.decoder.gre(integer)`	`about.labels [stats_decoder_gre]`
`stats.decoder.vlan(integer)`	`about.labels [stats_decoder_vlan]`
`stats.decoder.vlan_qinq(integer)`	`about.labels [stats_decoder_vlan_qinq]`
`stats.decoder.vxlan(integer)`	`about.labels [stats_decoder_vxlan]`
`stats.decoder.vntag(integer)`	`about.labels [stats_decoder_vntag]`
`stats.decoder.ieee8021ah(integer)`	`about.labels [stats_decoder_ieee8021ah]`
`stats.decoder.teredo(integer)`	`about.labels [stats_decoder_teredo]`
`stats.decoder.ipv4_in_ipv6(integer)`	`about.labels [stats_decoder_ipv4_in_ipv6]`
`stats.decoder.ipv6_in_ipv6(integer)`	`about.labels [stats_decoder_ipv6_in_ipv6]`
`stats.decoder.mpls(integer)`	`about.labels [stats_decoder_mpls]`
`stats.decoder.avg_pkt_size(integer)`	`about.labels [stats_decoder_avg_pkt_size]`
`stats.decoder.max_pkt_size(integer)`	`about.labels [stats_decoder_max_pkt_size]`
`stats.decoder.max_mac_addrs_src(integer)`	`about.labels [stats_decoder_max_mac_addrs_src]`
`stats.decoder.max_mac_addrs_dst(integer)`	`about.labels [stats_decoder_max_mac_addrs_dst]`
`stats.decoder.erspan(integer)`	`about.labels [stats_decoder_erspan]`
`stats.decoder.event.ipv4.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ipv4_pkt_too_small]`
`stats.decoder.event.ipv4.hlen_too_small(integer)`	`about.labels [stats_decoder_event_ipv4_hlen_too_small]`
`stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer)`	`about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]`
`stats.decoder.event.ipv4.trunc_pkt(integer)`	`about.labels [stats_decoder_event_ipv4_trunc_pkt]`
`stats.decoder.event.ipv4.opt_invalid(integer)`	`about.labels [stats_decoder_event_ipv4_opt_invalid]`
`stats.decoder.event.ipv4.opt_invalid_len(integer)`	`about.labels [stats_decoder_event_ipv4_opt_invalid_len]`
`stats.decoder.event.ipv4.opt_malformed(integer)`	`about.labels [stats_decoder_event_ipv4_opt_malformed]`
`stats.decoder.event.ipv4.opt_pad_required(integer)`	`about.labels [stats_decoder_event_ipv4_opt_pad_required]`
`stats.decoder.event.ipv4.opt_eol_required(integer)`	`about.labels [stats_decoder_event_ipv4_opt_eol_required]`
`stats.decoder.event.ipv4.opt_duplicate(integer)`	`about.labels [stats_decoder_event_ipv4_opt_duplicate]`
`stats.decoder.event.ipv4.opt_unknown(integer)`	`about.labels [stats_decoder_event_ipv4_opt_unknown]`
`stats.decoder.event.ipv4.wrong_ip_version(integer)`	`about.labels [stats_decoder_event_ipv4_wrong_ip_version]`
`stats.decoder.event.ipv4.icmpv6(integer)`	`about.labels [stats_decoder_event_ipv4_icmpv6]`
`stats.decoder.event.ipv4.frag_pkt_too_large(integer)`	`about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]`
`stats.decoder.event.ipv4.frag_overlap(integer)`	`about.labels [stats_decoder_event_ipv4_frag_overlap]`
`stats.decoder.event.ipv4.frag_ignored(integer)`	`about.labels [stats_decoder_event_ipv4_frag_ignored]`
`stats.decoder.event.icmpv4.pkt_too_small(integer)`	`about.labels [stats_decoder_event_icmpv4_pkt_too_small]`
`stats.decoder.event.icmpv4.unknown_type(integer)`	`about.labels [stats_decoder_event_icmpv4_unknown_type]`
`stats.decoder.event.icmpv4.unknown_code(integer)`	`about.labels [stats_decoder_event_icmpv4_unknown_code]`
`stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer)`	`about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]`
`stats.decoder.event.icmpv4.ipv4_unknown_ver(integer)`	`about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]`
`stats.decoder.event.icmpv6.unknown_type(integer)`	`about.labels [stats_decoder_event_icmpv6_unknown_type]`
`stats.decoder.event.icmpv6.unknown_code(integer)`	`about.labels [stats_decoder_event_icmpv6_unknown_code]`
`stats.decoder.event.icmpv6.pkt_too_small(integer)`	`about.labels [stats_decoder_event_icmpv6_pkt_too_small]`
`stats.decoder.event.icmpv6.ipv6_unknown_version(integer)`	`about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]`
`stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer)`	`about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]`
`stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer)`	`about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]`
`stats.decoder.event.icmpv6.unassigned_type(integer)`	`about.labels [stats_decoder_event_icmpv6_unassigned_type]`
`stats.decoder.event.icmpv6.experimentation_type(integer)`	`about.labels [stats_decoder_event_icmpv6_experimentation_type]`
`stats.decoder.event.ipv6.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_pkt_too_small]`
`stats.decoder.event.ipv6.trunc_pkt(integer)`	`about.labels [stats_decoder_event_ipv6_trunc_pkt]`
`stats.decoder.event.ipv6.trunc_exthdr(integer)`	`about.labels [stats_decoder_event_ipv6_trunc_exthdr]`
`stats.decoder.event.ipv6.exthdr_dupl_fh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]`
`stats.decoder.event.ipv6.exthdr_useless_fh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]`
`stats.decoder.event.ipv6.exthdr_dupl_rh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]`
`stats.decoder.event.ipv6.exthdr_dupl_hh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]`
`stats.decoder.event.ipv6.exthdr_dupl_dh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]`
`stats.decoder.event.ipv6.exthdr_dupl_ah(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]`
`stats.decoder.event.ipv6.exthdr_dupl_eh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]`
`stats.decoder.event.ipv6.exthdr_invalid_optlen(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]`
`stats.decoder.event.ipv6.wrong_ip_version(integer)`	`about.labels [stats_decoder_event_ipv6_wrong_ip_version]`
`stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]`
`stats.decoder.event.ipv6.hopopts_unknown_opt(integer)`	`about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]`
`stats.decoder.event.ipv6.hopopts_only_padding(integer)`	`about.labels [stats_decoder_event_ipv6_hopopts_only_padding]`
`stats.decoder.event.ipv6.dstopts_unknown_opt(integer)`	`about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]`
`stats.decoder.event.ipv6.dstopts_only_padding(integer)`	`about.labels [stats_decoder_event_ipv6_dstopts_only_padding]`
`stats.decoder.event.ipv6.rh_type_0(integer)`	`about.labels [stats_decoder_event_ipv6_rh_type_0]`
`stats.decoder.event.ipv6.zero_len_padn(integer)`	`about.labels [stats_decoder_event_ipv6_zero_len_padn]`
`stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer)`	`about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]`
`stats.decoder.event.ipv6.data_after_none_header(integer)`	`about.labels [stats_decoder_event_ipv6_data_after_none_header]`
`stats.decoder.event.ipv6.unknown_next_header(integer)`	`about.labels [stats_decoder_event_ipv6_unknown_next_header]`
`stats.decoder.event.ipv6.icmpv4(integer)`	`about.labels [stats_decoder_event_ipv6_icmpv4]`
`stats.decoder.event.ipv6.frag_pkt_too_large(integer)`	`about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]`
`stats.decoder.event.ipv6.frag_overlap(integer)`	`about.labels [stats_decoder_event_ipv6_frag_overlap]`
`stats.decoder.event.ipv6.frag_invalid_length(integer)`	`about.labels [stats_decoder_event_ipv6_frag_invalid_length]`
`stats.decoder.event.ipv6.frag_ignored(integer)`	`about.labels [stats_decoder_event_ipv6_frag_ignored]`
`stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]`
`stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer)`	`about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]`
`stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]`
`stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer)`	`about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]`
`stats.decoder.event.tcp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_tcp_pkt_too_small]`
`stats.decoder.event.tcp.hlen_too_small(integer)`	`about.labels [stats_decoder_event_tcp_hlen_too_small]`
`stats.decoder.event.tcp.invalid_optlen(integer)`	`about.labels [stats_decoder_event_tcp_invalid_optlen]`
`stats.decoder.event.tcp.opt_invalid_len(integer)`	`about.labels [stats_decoder_event_tcp_opt_invalid_len]`
`stats.decoder.event.tcp.opt_duplicate(integer)`	`about.labels [stats_decoder_event_tcp_opt_duplicate]`
`stats.decoder.event.udp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_udp_pkt_too_small]`
`stats.decoder.event.udp.hlen_too_small(integer)`	`about.labels [stats_decoder_event_udp_hlen_too_small]`
`stats.decoder.event.udp.hlen_invalid(integer)`	`about.labels [stats_decoder_event_udp_hlen_invalid]`
`stats.decoder.event.udp.len_invalid(integer)`	`about.labels [stats_decoder_event_udp_len_invalid]`
`stats.decoder.event.sll.pkt_too_small(integer)`	`about.labels [stats_decoder_event_sll_pkt_too_small]`
`stats.decoder.event.ethernet.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ethernet_pkt_too_small]`
`stats.decoder.event.ppp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_pkt_too_small]`
`stats.decoder.event.ppp.vju_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_vju_pkt_too_small]`
`stats.decoder.event.ppp.ip4_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]`
`stats.decoder.event.ppp.ip6_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]`
`stats.decoder.event.ppp.wrong_type(integer)`	`about.labels [stats_decoder_event_ppp_wrong_type]`
`stats.decoder.event.ppp.unsup_proto(integer)`	`about.labels [stats_decoder_event_ppp_unsup_proto]`
`stats.decoder.event.pppoe.pkt_too_small(integer)`	`about.labels [stats_decoder_event_pppoe_pkt_too_small]`
`stats.decoder.event.pppoe.wrong_code(integer)`	`about.labels [stats_decoder_event_pppoe_wrong_code]`
`stats.decoder.event.pppoe.malformed_tags(integer)`	`about.labels [stats_decoder_event_pppoe_malformed_tags]`
`stats.decoder.event.gre.pkt_too_small(integer)`	`about.labels [stats_decoder_event_gre_pkt_too_small]`
`stats.decoder.event.gre.wrong_version(integer)`	`about.labels [stats_decoder_event_gre_wrong_version]`
`stats.decoder.event.gre.version0_recur(integer)`	`about.labels [stats_decoder_event_gre_version0_recur]`
`stats.decoder.event.gre.version0_flags(integer)`	`about.labels [stats_decoder_event_gre_version0_flags]`
`stats.decoder.event.gre.version0_hdr_too_big(integer)`	`about.labels [stats_decoder_event_gre_version0_hdr_too_big]`
`stats.decoder.event.gre.version0_malformed_sre_hdr(integer)`	`about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]`
`stats.decoder.event.gre.version1_chksum(integer)`	`about.labels [stats_decoder_event_gre_version1_chksum]`
`stats.decoder.event.gre.version1_route(integer)`	`about.labels [stats_decoder_event_gre_version1_route]`
`stats.decoder.event.gre.version1_ssr(integer)`	`about.labels [stats_decoder_event_gre_version1_ssr]`
`stats.decoder.event.gre.version1_recur(integer)`	`about.labels [stats_decoder_event_gre_version1_recur]`
`stats.decoder.event.gre.version1_flags(integer)`	`about.labels [stats_decoder_event_gre_version1_flags]`
`stats.decoder.event.gre.version1_no_key(integer)`	`about.labels [stats_decoder_event_gre_version1_no_key]`
`stats.decoder.event.gre.version1_wrong_protocol(integer)`	`about.labels [stats_decoder_event_gre_version1_wrong_protocol]`
`stats.decoder.event.gre.version1_malformed_sre_hdr(integer)`	`about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]`
`stats.decoder.event.gre.version1_hdr_too_big(integer)`	`about.labels [stats_decoder_event_gre_version1_hdr_too_big]`
`stats.decoder.event.vlan.header_too_small(integer)`	`about.labels [stats_decoder_event_vlan_header_too_small]`
`stats.decoder.event.vlan.unknown_type(integer)`	`about.labels [stats_decoder_event_vlan_unknown_type]`
`stats.decoder.event.vlan.too_many_layers(integer)`	`about.labels [stats_decoder_event_vlan_too_many_layers]`
`stats.decoder.event.ieee8021ah.header_too_small(integer)`	`about.labels [stats_decoder_event_ieee8021ah_header_too_small]`
`stats.decoder.event.vntag.header_too_small(integer)`	`about.labels [stats_decoder_event_vntag_header_too_small]`
`stats.decoder.event.vntag.unknown_type(integer)`	`about.labels [stats_decoder_event_vntag_unknown_type]`
`stats.decoder.event.ipraw.invalid_ip_version(integer)`	`about.labels [stats_decoder_event_ipraw_invalid_ip_version]`
`stats.decoder.event.ltnull.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ltnull_pkt_too_small]`
`stats.decoder.event.ltnull.unsupported_type(integer)`	`about.labels [stats_decoder_event_ltnull_unsupported_type]`
`stats.decoder.event.sctp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_sctp_pkt_too_small]`
`stats.decoder.event.mpls.header_too_small(integer)`	`about.labels [stats_decoder_event_mpls_header_too_small]`
`stats.decoder.event.mpls.pkt_too_small(integer)`	`about.labels [stats_decoder_event_mpls_pkt_too_small]`
`stats.decoder.event.mpls.bad_label_router_alert(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_router_alert]`
`stats.decoder.event.mpls.bad_label_implicit_null(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_implicit_null]`
`stats.decoder.event.mpls.bad_label_reserved(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_reserved]`
`stats.decoder.event.mpls.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_mpls_unknown_payload_type]`
`stats.decoder.event.vxlan.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_vxlan_unknown_payload_type]`
`stats.decoder.event.geneve.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_geneve_unknown_payload_type]`
`stats.decoder.event.erspan.header_too_small(integer)`	`about.labels [stats_decoder_event_erspan_header_too_small]`
`stats.decoder.event.erspan.unsupported_version(integer)`	`about.labels [stats_decoder_event_erspan_unsupported_version]`
`stats.decoder.event.erspan.too_many_vlan_layers(integer)`	`about.labels [stats_decoder_event_erspan_too_many_vlan_layers]`
`stats.decoder.event.dce.pkt_too_small(integer)`	`about.labels [stats_decoder_event_dce_pkt_too_small]`
`stats.decoder.event.chdlc.pkt_too_small(integer)`	`about.labels [stats_decoder_event_chdlc_pkt_too_small]`
`stats.decoder.too_many_layers(integer)`	`about.labels [stats_decoder_too_many_layers]`
`stats.flow.memcap(integer)`	`about.labels [stats_flow_memcap]`
`stats.flow.tcp(integer)`	`about.labels [stats_flow_tcp]`
`stats.flow.udp(integer)`	`about.labels [stats_flow_udp]`
`stats.flow.icmpv4(integer)`	`about.labels [stats_flow_icmpv4]`
`stats.flow.icmpv6(integer)`	`about.labels [stats_flow_icmpv6]`
`stats.flow.tcp_reuse(integer)`	`about.labels [stats_flow_tcp_reuse]`
`stats.flow.get_used(integer)`	`about.labels [stats_flow_get_used]`
`stats.flow.get_used_eval(integer)`	`about.labels [stats_flow_get_used_eval]`
`stats.flow.get_used_eval_reject(integer)`	`about.labels [stats_flow_get_used_eval_reject]`
`stats.flow.get_used_eval_busy(integer)`	`about.labels [stats_flow_get_used_eval_busy]`
`stats.flow.get_used_failed(integer)`	`about.labels [stats_flow_get_used_failed]`
`stats.flow.wrk.spare_sync_avg(integer)`	`about.labels [stats_flow_wrk_spare_sync_avg]`
`stats.flow.wrk.spare_sync(integer)`	`about.labels [stats_flow_wrk_spare_sync]`
`stats.flow.wrk.spare_sync_incomplete(integer)`	`about.labels [stats_flow_wrk_spare_sync_incomplete]`
`stats.flow.wrk.spare_sync_empty(integer)`	`about.labels [stats_flow_wrk_spare_sync_empty]`
`stats.flow.wrk.flows_evicted_needs_work(integer)`	`about.labels [stats_flow_wrk_flows_evicted_needs_work]`
`stats.flow.wrk.flows_evicted_pkt_inject(integer)`	`about.labels [stats_flow_wrk_flows_evicted_pkt_inject]`
`stats.flow.wrk.flows_evicted(integer)`	`about.labels [stats_flow_wrk_flows_evicted]`
`stats.flow.wrk.flows_injected(integer)`	`about.labels [stats_flow_wrk_flows_injected]`
`stats.flow.mgr.full_hash_pass(integer)`	`about.labels [stats_flow_mgr_full_hash_pass]`
`stats.flow.mgr.closed_pruned(integer)`	`about.labels [stats_flow_mgr_closed_pruned]`
`stats.flow.mgr.new_pruned(integer)`	`about.labels [stats_flow_mgr_new_pruned]`
`stats.flow.mgr.est_pruned(integer)`	`about.labels [stats_flow_mgr_est_pruned]`
`stats.flow.mgr.bypassed_pruned(integer)`	`about.labels [stats_flow_mgr_bypassed_pruned]`
`stats.flow.mgr.rows_maxlen(integer)`	`about.labels [stats_flow_mgr_rows_maxlen]`
`stats.flow.mgr.flows_checked(integer)`	`about.labels [stats_flow_mgr_flows_checked]`
`stats.flow.mgr.flows_notimeout(integer)`	`about.labels [stats_flow_mgr_flows_notimeout]`
`stats.flow.mgr.flows_timeout(integer)`	`about.labels [stats_flow_mgr_flows_timeout]`
`stats.flow.mgr.flows_timeout_inuse(integer)`	`about.labels [stats_flow_mgr_flows_timeout_inuse]`
`stats.flow.mgr.flows_evicted(integer)`	`about.labels [stats_flow_mgr_flows_evicted]`
`stats.flow.mgr.flows_evicted_needs_work(integer)`	`about.labels [stats_flow_mgr_flows_evicted_needs_work]`
`stats.flow.spare(integer)`	`about.labels [stats_flow_spare]`
`stats.flow.emerg_mode_entered(integer)`	`about.labels [stats_flow_emerg_mode_entered]`
`stats.flow.emerg_mode_over(integer)`	`about.labels [stats_flow_emerg_mode_over]`
`stats.flow.memuse(integer)`	`about.labels [stats_flow_memuse]`
`stats.defrag.ipv4.fragments(integer)`	`about.labels [stats_defrag_ipv4_fragments]`
`stats.defrag.ipv4.reassembled(integer)`	`about.labels [stats_defrag_ipv4_reassembled]`
`stats.defrag.ipv4.timeouts(integer)`	`about.labels [stats_defrag_ipv4_timeouts]`
`stats.defrag.ipv6.fragments(integer)`	`about.labels [stats_defrag_ipv6_fragments]`
`stats.defrag.ipv6.reassembled(integer)`	`about.labels [stats_defrag_ipv6_reassembled]`
`stats.defrag.ipv6.timeouts(integer)`	`about.labels [stats_defrag_ipv6_timeouts]`
`stats.defrag.max_frag_hits(integer)`	`about.labels [stats_defrag_max_frag_hits]`
`stats.flow_bypassed.local_pkts(integer)`	`about.labels [stats_flow_bypassed_local_pkts]`
`stats.flow_bypassed.local_bytes(integer)`	`about.labels [stats_flow_bypassed_local_bytes]`
`stats.flow_bypassed.local_capture_pkts(integer)`	`about.labels [stats_flow_bypassed_local_capture_pkts]`
`stats.flow_bypassed.local_capture_bytes(integer)`	`about.labels [stats_flow_bypassed_local_capture_bytes]`
`stats.flow_bypassed.closed(integer)`	`about.labels [stats_flow_bypassed_closed]`
`stats.flow_bypassed.pkts(integer)`	`about.labels [stats_flow_bypassed_pkts]`
`stats.flow_bypassed.bytes(integer)`	`about.labels [stats_flow_bypassed_bytes]`
`stats.tcp.sessions(integer)`	`about.labels [stats_tcp_sessions]`
`stats.tcp.ssn_memcap_drop(integer)`	`about.labels [stats_tcp_ssn_memcap_drop]`
`stats.tcp.pseudo(integer)`	`about.labels [stats_tcp_pseudo]`
`stats.tcp.pseudo_failed(integer)`	`about.labels [stats_tcp_pseudo_failed]`
`stats.tcp.invalid_checksum(integer)`	`about.labels [stats_tcp_invalid_checksum]`
`stats.tcp.no_flow(integer)`	`about.labels [stats_tcp_no_flow]`
`stats.tcp.syn(integer)`	`about.labels [stats_tcp_syn]`
`stats.tcp.synack(integer)`	`about.labels [stats_tcp_synack]`
`stats.tcp.rst(integer)`	`about.labels [stats_tcp_rst]`
`stats.tcp.midstream_pickups(integer)`	`about.labels [stats_tcp_midstream_pickups]`
`stats.tcp.pkt_on_wrong_thread(integer)`	`about.labels [stats_tcp_pkt_on_wrong_thread]`
`stats.tcp.segment_memcap_drop(integer)`	`about.labels [stats_tcp_segment_memcap_drop]`
`stats.tcp.stream_depth_reached(integer)`	`about.labels [stats_tcp_stream_depth_reached]`
`stats.tcp.reassembly_gap(integer)`	`about.labels [stats_tcp_reassembly_gap]`
`stats.tcp.overlap(integer)`	`about.labels [stats_tcp_overlap]`
`stats.tcp.overlap_diff_data(integer)`	`about.labels [stats_tcp_overlap_diff_data]`
`stats.tcp.insert_data_normal_fail(integer)`	`about.labels [stats_tcp_insert_data_normal_fail]`
`stats.tcp.insert_data_overlap_fail(integer)`	`about.labels [stats_tcp_insert_data_overlap_fail]`
`stats.tcp.insert_list_fail(integer)`	`about.labels [stats_tcp_insert_list_fail]`
`stats.tcp.memuse(integer)`	`about.labels [stats_tcp_memuse]`
`stats.tcp.reassembly_memuse(integer)`	`about.labels [stats_tcp_reassembly_memuse]`
`stats.detect.engines.id(array)`	`about.labels [stats_detect_engines_id]`
`stats.detect.engines.last_reload(array)`	`about.labels [stats_detect_engines_last_reload]`
`stats.detect.engines.rules_loaded(array)`	`about.labels [stats_detect_engines_rules_loaded]`
`stats.detect.engines.rules_failed(array)`	`about.labels [stats_detect_engines_rules_failed]`
`stats.detect.alert(integer)`	`about.labels [stats_detect_alert]`
`stats.detect.alert_queue_overflow(integer)`	`about.labels [stats_detect_alert_queue_overflow]`
`stats.detect.alerts_suppressed(integer)`	`about.labels [stats_detect_alerts_suppressed]`
`stats.app_layer.flow.http(integer)`	`about.labels [stats_app_layer_flow_http]`
`stats.app_layer.flow.ftp(integer)`	`about.labels [stats_app_layer_flow_ftp]`
`stats.app_layer.flow.smtp(integer)`	`about.labels [stats_app_layer_flow_smtp]`
`stats.app_layer.flow.tls(integer)`	`about.labels [stats_app_layer_flow_tls]`
`stats.app_layer.flow.ssh(integer)`	`about.labels [stats_app_layer_flow_ssh]`
`stats.app_layer.flow.imap(integer)`	`about.labels [stats_app_layer_flow_imap]`
`stats.app_layer.flow.smb(integer)`	`about.labels [stats_app_layer_flow_smb]`
`stats.app_layer.flow.dcerpc_tcp(integer)`	`about.labels [stats_app_layer_flow_dcerpc_tcp]`
`stats.app_layer.flow.dns_tcp(integer)`	`about.labels [stats_app_layer_flow_dns_tcp]`
`stats.app_layer.flow.nfs_tcp(integer)`	`about.labels [stats_app_layer_flow_nfs_tcp]`
`stats.app_layer.flow.ntp(integer)`	`about.labels [stats_app_layer_flow_ntp]`
`stats.app_layer.flow.ftp-data(integer)`	`about.labels [stats_app_layer_flow_ftp-data]`
`stats.app_layer.flow.tftp(integer)`	`about.labels [stats_app_layer_flow_tftp]`
`stats.app_layer.flow.ikev2(integer)`	`about.labels [stats_app_layer_flow_ikev2]`
`stats.app_layer.flow.krb5_tcp(integer)`	`about.labels [stats_app_layer_flow_krb5_tcp]`
`stats.app_layer.flow.dhcp(integer)`	`about.labels [stats_app_layer_flow_dhcp]`
`stats.app_layer.flow.rfb(integer)`	`about.labels [stats_app_layer_flow_rfb]`
`stats.app_layer.flow.rdp(integer)`	`about.labels [stats_app_layer_flow_rdp]`
`stats.app_layer.flow.failed_tcp(integer)`	`about.labels [stats_app_layer_flow_failed_tcp]`
`stats.app_layer.flow.dcerpc_udp(integer)`	`about.labels [stats_app_layer_flow_dcerpc_udp]`
`stats.app_layer.flow.dns_udp(integer)`	`about.labels [stats_app_layer_flow_dns_udp]`
`stats.app_layer.flow.nfs_udp(integer)`	`about.labels [stats_app_layer_flow_nfs_udp]`
`stats.app_layer.flow.krb5_udp(integer)`	`about.labels [stats_app_layer_flow_krb5_udp]`
`stats.app_layer.flow.failed_udp(integer)`	`about.labels [stats_app_layer_flow_failed_udp]`
`stats.app_layer.tx.http(integer)`	`about.labels [stats_app_layer_tx_http]`
`stats.app_layer.tx.ftp(integer)`	`about.labels [stats_app_layer_tx_ftp]`
`stats.app_layer.tx.smtp(integer)`	`about.labels [stats_app_layer_tx_smtp]`
`stats.app_layer.tx.tls(integer)`	`about.labels [stats_app_layer_tx_tls]`
`stats.app_layer.tx.ssh(integer)`	`about.labels [stats_app_layer_tx_ssh]`
`stats.app_layer.tx.imap(integer)`	`about.labels [stats_app_layer_tx_imap]`
`stats.app_layer.tx.smb(integer)`	`about.labels [stats_app_layer_tx_smb]`
`stats.app_layer.tx.dcerpc_tcp(integer)`	`about.labels [stats_app_layer_tx_dcerpc_tcp]`
`stats.app_layer.tx.dns_tcp(integer)`	`about.labels [stats_app_layer_tx_dns_tcp]`
`stats.app_layer.tx.nfs_tcp(integer)`	`about.labels [stats_app_layer_tx_nfs_tcp]`
`stats.app_layer.tx.ntp(integer)`	`about.labels [stats_app_layer_tx_ntp]`
`stats.app_layer.tx.ftp-data(integer)`	`about.labels [stats_app_layer_tx_ftp-data]`
`stats.app_layer.tx.tftp(integer)`	`about.labels [stats_app_layer_tx_tftp]`
`stats.app_layer.tx.ikev2(integer)`	`about.labels [stats_app_layer_tx_ikev2]`
`stats.app_layer.tx.krb5_tcp(integer)`	`about.labels [stats_app_layer_tx_krb5_tcp]`
`stats.app_layer.tx.dhcp(integer)`	`about.labels [stats_app_layer_tx_dhcp]`
`stats.app_layer.tx.rfb(integer)`	`about.labels [stats_app_layer_tx_rfb]`
`stats.app_layer.tx.rdp(integer)`	`about.labels [stats_app_layer_tx_rdp]`
`stats.app_layer.tx.dcerpc_udp(integer)`	`about.labels [stats_app_layer_tx_dcerpc_udp]`
`stats.app_layer.tx.dns_udp(integer)`	`about.labels [stats_app_layer_tx_dns_udp]`
`stats.app_layer.tx.nfs_udp(integer)`	`about.labels [stats_app_layer_tx_nfs_udp]`
`stats.app_layer.tx.krb5_udp(integer)`	`about.labels [stats_app_layer_tx_krb5_udp]`
`stats.app_layer.expectations(integer)`	`about.labels [stats_app_layer_expectations]`
`stats.http.memuse(integer)`	`about.labels [stats_http_memuse]`
`stats.http.memcap(integer)`	`about.labels [stats_http_memcap]`
`stats.ftp.memuse(integer)`	`about.labels [stats_ftp_memuse]`
`stats.ftp.memcap(integer)`	`about.labels [stats_ftp_memcap]`

Referência de mapeamento de campo: CORELIGHT - logschema

A tabela a seguir lista os campos de registro do tipo logschema e os campos correspondentes do UDM.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`name(string)`	`about.labels [name]`
`text(string)`	`about.labels [text]`
`schema(string)`	`about.labels [schema]`
`avro(string)`	`about.labels [avro]`

A seguir

Ingestão de dados para as Operações de segurança do Google