Recopila registros de Zeek (Bro)
Se admite en los siguientes países:
SecOps de Google
SIEM
En este documento, se describe cómo puedes implementar Zeek (anteriormente Bro) y NXLog con Google Security Operations para recopilar registros de Zeek en formato JSON. En este documento, también se explica cómo los campos de registro de Zeek se asignan a los campos del modelo de datos unificado (UDM) de Google Security Operations.
Para obtener una descripción general sobre la transferencia de datos de Google Security Operations, consulta Transferencia de datos a Google Security Operations.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato de UDM estructurado. La información de este documento se aplica al analizador con la etiqueta de transferencia BRO_JSON.
Antes de comenzar
Para comprender los componentes implementados para recopilar registros de Zeek, consulta el de implementación. Cada implementación de cliente puede diferir y podría ser más compleja. En el siguiente diagrama, se muestra cómo puedes configurar un agente de NXLog y un reenviador de Google Security Operations en un servidor Linux y reenviar datos de registro a Google Security Operations.
Verifica las versiones de Zeek que admite el analizador de Google Security Operations. El analizador de Operaciones de seguridad de Google admite las siguientes versiones de Zeek:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Antes de usar el analizador Zeek, revisa los cambios en las asignaciones de campos entre el analizador anterior y el analizador Zeek actual Como parte de la migración, asegúrate que las reglas, las búsquedas, los paneles u otros procesos que dependen del campos originales usan los campos actualizados.
Por ejemplo, en la versión anterior del analizador, el campo
server_namese asigna al Campo de UDMtarget.hostname. En el analizador de Zeek actual, el camposerver_namese asigna al campo UDMnetwork.tls.client.server_name. Si migras al analizador de Zeek actual y usas el camposerver_nameen tus reglas, debes modificarlas para usar el campo UDMnetwork.tls.client.server_namedel analizador actual.Verifica los tipos de registros de Zeek que admite el analizador de Google Security Operations. En la siguiente tabla, se enumeran los tipos de registros de Zeek que provienen de Google Security Operations el analizador admite lo siguiente:
| Tipo de registro | Descripción |
| Protocolos de red | Incluye archivos de registro de protocolos de red, como el protocolo de configuración dinámica de host (DHCP) y el sistema de nombres de dominio (DNS). |
| Archivos | Incluye los siguientes archivos de registro: resultados del análisis de archivos, protocolo de estado de certificado en línea (OCSP), Portable Executable (PE) y certificado X.509. |
| NetControl | Incluye archivos de registro de acciones de NetControl y registros de depuración de OpenFlow. |
| Detección | Incluye archivos de registro de coincidencias de datos de inteligencia, avisos de Zeek, transmisión de alarmas, coincidencias de firmas y detección de traceroute. |
| Observaciones de la red | Incluye archivos de registro de certificados SSL, hosts que han completado los protocolos de enlace TCP, Modbus principal y réplica, servicios que se ejecutan en los hosts y software utilizado en la red. |
Si aún no lo hiciste, instala y configura Zeek. Para obtener más información, consulta Instalación de Zeek.
Recopilar registros de Zeek en formato JSON Para obtener más información, consulta Envía los registros de Zeek a JSON.
Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados con la zona horaria UTC.
Configura el reenviador de NXLog y Google Security Operations
- Descarga e instala NXLog Community Edition en la máquina Linux en la que se ejecuta el servidor de reenvío de Google Security Operations.
- Para obtener más información sobre cómo descargar NXLog Community Edition, consulta la documentación de NXLog.
- Para obtener más información sobre la instalación de los paquetes NXLog requeridos y las dependencias, consulta cómo instalar NXLog en un sistema Linux.
- Crea un archivo de configuración para cada instancia de NXLog.
Usa el módulo im_file de NXLog para leer el archivo y analizar las líneas en campos. Aquí hay un ejemplo de configuración de NXLog:
LogFile /var/log/nxlog/nxlog.log LogLevel INFO define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname> define ZEEK_OUTPUT_DESTINATION_PORT <port> <Input conn> Module im_file File '/opt/zeek/logs/current/conn.log' Exec $raw_event= "conn" + ' - ' + $raw_event;; </Input> <Input dce_rpc> Module im_file File '/opt/zeek/logs/current/dce_rpc.log' Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;; </Input> <Output out_chronicle> Module om_tcp Host %ZEEK_OUTPUT_DESTINATION_ADDRESS% Port %ZEEK_OUTPUT_DESTINATION_PORT% </Output> <Route zeek_to_chronicle> Path conn, dce_rpc => out_chronicle </Route>Para usar la configuración del ejemplo anterior, haz lo siguiente:
- Reemplaza los valores
<hostname>y<port>con información sobre el en el servidor de destino de Linux. - Agrega elementos de entrada, salida y ruta para cada tipo de registro de Zeek que quieres recopilar.
- Reemplaza los valores
Configurar el servidor de reenvío de Google Security Operations para enviar registros a Google Security Operations. Para obtener más información, consulta Cómo instalar y configurar el reenviador en Linux. Este es un ejemplo de configuración de reenvío.
- syslog: common: enabled: true data_type: BRO_JSON batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60Inicia el servicio NXLog.
Referencia de asignación de campos: Zeek registra campos en campos de UDM
Para comprender cómo el analizador de Google Security Operations asigna los campos de registro de Zeek a Los campos de eventos de UDM de Google Security Operations para cada tipo de registro de Zeek consulta el las siguientes secciones:
Protocolos de red
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de protocolos de red y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | conn.log | metadata.event_timestamp |
| uid | conn.log | network.session_id |
| id.orig_h | conn.log | principal.ip |
| id.orig_p | conn.log | principal.port |
| id.resp_h | conn.log | target.ip |
| id.resp_p | conn.log | target.port |
| proto | conn.log | network.ip_protocol |
| service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
| duration | conn.log | network.session_duration |
| orig_bytes | conn.log | network.sent_bytes |
| resp_bytes | conn.log | network.received_bytes |
| conn_state | conn.log | metadata.description |
| local_orig | conn.log | additional.fields.key/value |
| local_resp | conn.log | additional.fields.key/value |
| missed_bytes | conn.log | additional.fields.key/value |
| history | conn.log | additional.fields.key/value |
| orig_pkts | conn.log | additional.fields.key/value |
| orig_ip_bytes | conn.log | additional.fields.key/value |
| resp_pkts | conn.log | additional.fields.key/value |
| resp_ip_bytes | conn.log | additional.fields.key/value |
| tunnel_parents | conn.log | additional.fields.key/value |
| orig_l2_addr | conn.log | additional.fields.key/value |
| resp_l2_addr | conn.log | additional.fields.key/value |
| vlan | conn.log | additional.fields.key/value |
| inner_vlan | conn.log | additional.fields.key/value |
| speculative_service | conn.log | additional.fields.key/value |
| ts | dce_rpc.log | metadata.event_timestamp |
| uid | dce_rpc.log | network.session_id |
| id.orig_h | dce_rpc.log | principal.ip |
| id.orig_p | dce_rpc.log | principal.port |
| id.resp_h | dce_rpc.log | target.ip |
| id.resp_p | dce_rpc.log | target.port |
| rtt | dce_rpc.log | additional.fields.key/value |
| named_pipe | dce_rpc.log | target.resource.name
Also, target.resource.resource_type is set to "PIPE". |
| endpoint | dce_rpc.log | additional.fields.key/value |
| operation | dce_rpc.log | additional.fields.key/value |
| ts | dhcp.log | metadata.event_timestamp |
| uids | dhcp.log | additional.fields.key/value |
| client_addr | dhcp.log | target.ip |
| server_addr | dhcp.log | principal.ip |
| client_port | dhcp.log | target.port |
| server_port | dhcp.log | principal.port |
| mac | dhcp.log | principal.mac
Machine ID is required for parsing NETWORK_DHCP events. |
| host_name | dhcp.log | network.dhcp.client_hostname |
| client_fqdn | dhcp.log | target.hostname |
| domain | dhcp.log | target.administrative_domain |
| requested_addr | dhcp.log | network.dhcp.requested_address |
| assigned_addr | dhcp.log | network.dhcp.yiaddr |
| lease_time | dhcp.log | network.dhcp.lease_time_seconds |
| client_message | dhcp.log | additional.fields.key/value |
| server_message | dhcp.log | additional.fields.key/value |
| msg_types | dhcp.log | additional.fields.key/value
The log that Zeek produces is a collection of DORA messages in a single log. |
| duration | dhcp.log | network.dhcp.seconds |
| client_chaddr | dhcp.log | network.dhcp.chaddr |
| msg_orig | dhcp.log | additional.fields.key/value |
| client_software | dhcp.log | additional.fields.key/value |
| server_software | dhcp.log | additional.fields.key/value |
| circuit_id | dhcp.log | additional.fields.key/value |
| agent_remote_id | dhcp.log | additional.fields.key/value |
| subscriber_id | dhcp.log | additional.fields.key/value |
| ts | dnp3.log | metadata.event_timestamp |
| uid | dnp3.log | network.session_id |
| id.orig_h | dnp3.log | principal.ip |
| id.orig_p | dnp3.log | principal.port |
| id.resp_h | dnp3.log | target.ip |
| id.resp_p | dnp3.log | target.port |
| fc_request | dnp3.log | additional.fields.key/value |
| fc_reply | dnp3.log | additional.fields.key/value |
| iin | dnp3.log | additional.fields.key/value |
| ts | dns.log | metadata.event_timestamp |
| uid | dns.log | network.session_id |
| id.orig_h | dns.log | principal.ip |
| id.orig_p | dns.log | principal.port |
| id.resp_h | dns.log | target.ip |
| id.resp_p | dns.log | target.port |
| proto | dns.log | network.ip_protocol |
| trans_id | dns.log | network.dns.id |
| rtt | dns.log | additional.fields.key/value |
| query | dns.log | network.dns.questions.name |
| qclass | dns.log | network.dns.questions.class |
| qclass_name | dns.log | additional.fields.key/value |
| qtype | dns.log | network.dns.questions.type |
| qtype_name | dns.log | additional.fields.key/value |
| rcode | dns.log | network,dns.response_code |
| rcode_name | dns.log | additional.fields.key/value |
| AA | dns.log | network.dns.authoritative |
| TC | dns.log | network.dns.truncated |
| RD | dns.log | network.dns.recursion_desired |
| RA | dns.log | network.dns.recursion_available |
| Z | dns.log | additional.fields.key/value |
| answers | dns.log | network.dns.answers.data |
| TTLs | dns.log | network.dns.answers.ttl |
| rejected | dns.log | additional.fields.key/value |
| total_answers | dns.log | additional.fields.key/value |
| total_replies | dns.log | additional.fields.key/value |
| saw_query | dns.log | additional.fields.key/value |
| saw_reply | dns.log | additional.fields.key/value |
| auth | dns.log | network.dns.authority.data |
| addl | dns.log | network.dns.additional.data |
| original_query | dns.log | additional.fields.key/value |
| ts | ftp.log | metadata.event_timestamp |
| uid | ftp.log | network.session_id |
| id.orig_h | ftp.log | principal.ip |
| id.orig_p | ftp.log | principal.port |
| id.resp_h | ftp.log | target.ip |
| id.resp_p | ftp.log | target.port |
| user | ftp.log | principal.user.userid |
| command | ftp.log | network.ftp.command |
| arg | ftp.log | additional.fields.key/value |
| mime_type | ftp.log | src.file.mime_type |
| file_size | ftp.log | src.file.size |
| reply_code | ftp.log | additional.fields.key/value |
| reply_msg | ftp.log | additional.fields.key/value |
| data_channel.passive | ftp.log | additional.fields.key/value |
| data_channel.orig_h | ftp.log | additional.fields.key/value |
| data_channel.resp_h | ftp.log | additional.fields.key/value |
| data_channel.resp_p | ftp.log | additional.fields.key/value |
| cwd | ftp.log | src.file.full_path |
| cmdarg.ts | ftp.log | additional.fields.key/value |
| cmdarg.cmd | ftp.log | additional.fields.key/value |
| cmdarg.arg | ftp.log | additional.fields.key/value |
| cmdarg.seq | ftp.log | additional.fields.key/value |
| pending_commands | ftp.log | additional.fields.key/value |
| passive | ftp.log | additional.fields.key/value |
| capture_password | ftp.log | additional.fields.key/value |
| fuid | ftp.log | additional.fields.key/value |
| last_auth_requested | ftp.log | additional.fields.key/value |
| ts | http.log | metadata.event_timestamp |
| uid | http.log | network.session_id |
| id.orig_h | http.log | principal.ip |
| id.orig_p | http.log | principal.port |
| id.resp_h | http.log | target.ip |
| id.resp_p | http.log | target.port |
| trans_depth | http.log | additional.fields.key/value |
| method | http.log | network.http.method |
| host | http.log | target.hostname |
| uri | http.log | target.url is set to "%{host}%{uri}" |
| referrer | http.log | network.http.referral_url |
| version | http.log | additional.fields.key/value |
| user_agent | http.log | network.http.user_agent |
| origin | http.log | additional.fields.key/value |
| request_body_len | http.log | additional.fields.key/value |
| response_body_len | http.log | additional.fields.key/value |
| status_code | http.log | network.http.response_code |
| status_msg | http.log | additional.fields.key/value |
| info_code | http.log | additional.fields.key/value |
| info_msg | http.log | additional.fields.key/value |
| tags | http.log | additional.fields.key/value |
| username | http.log | principal.user.userid |
| capture_password | http.log | additional.fields.key/value |
| proxied | http.log | additional.fields.key/value |
| range_request | http.log | additional.fields.key/value |
| orig_fuids | http.log | additional.fields.key/value |
| orig_filenames | http.log | additional.fields.key/value |
| orig_mime_types | http.log | additional.fields.key/value |
| resp_fuids | http.log | additional.fields.key/value |
| resp_filenames | http.log | additional.fields.key/value |
| resp_mime_types | http.log | additional.fields.key/value |
| current_entity | http.log | additional.fields.key/value |
| orig_mime_depth | http.log | additional.fields.key/value |
| resp_mime_depth | http.log | additional.fields.key/value |
| client_header_names | http.log | additional.fields.key/value |
| server_header_names | http.log | additional.fields.key/value |
| omniture | http.log | additional.fields.key/value |
| flash_version | http.log | additional.fields.key/value |
| cookie_vars | http.log | additional.fields.key/value |
| uri_vars | http.log | additional.fields.key/value |
| ts | irc.log | metadata.event_timestamp |
| uid | irc.log | network.session_id |
| id.orig_h | irc.log | principal.ip |
| id.orig_p | irc.log | principal.port |
| id.resp_h | irc.log | target.ip |
| id.resp_p | irc.log | target.port |
| nick | irc.log | additional.fields.key/value |
| user | irc.log | principal.user.userid |
| command | irc.log | principal.process.command_line |
| value | irc.log | additional.fields.key/value |
| addl | irc.log | additional.fields.key/value |
| dcc_file_name | irc.log | additional.fields.key/value |
| dcc_file_size | irc.log | src.file.size |
| dcc_mime_type | irc.log | src.file.mime_type |
| fuid | irc.log | additional.fields.key/value |
| ts | kerberos.log | metadata.event_timestamp |
| uid | kerberos.log | network.session_id |
| id.orig_h | kerberos.log | principal.ip |
| id.orig_p | kerberos.log | principal.port |
| id.resp_h | kerberos.log | target.ip |
| id.resp_p | kerberos.log | target.port |
| request_type | kerberos.log | additional.fields.key/value |
| client | kerberos.log | additional.fields.key/value |
| service | kerberos.log | additional.fields.key/value |
| success | kerberos.log | additional.fields.key/value |
| error_code | kerberos.log | additional.fields.key/value |
| error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
| from | kerberos.log | additional.fields.key/value |
| till | kerberos.log | additional.fields.key/value |
| cipher | kerberos.log | network.tls.cipher |
| forwardable | kerberos.log | additional.fields.key/value |
| renewable | kerberos.log | additional.fields.key/value |
| logged | kerberos.log | additional.fields.key/value |
| client_cert.ts | kerberos.log | additional.fields.key/value |
| client_cert.fuid | kerberos.log | additional.fields.key/value |
| client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.conn_uids | kerberos.log | additional.fields.key/value |
| client_cert.source | kerberos.log | additional.fields.key/value |
| client_cert.depth | kerberos.log | additional.fields.key/value |
| client_cert.analyzers | kerberos.log | additional.fields.key/value |
| client_cert.mime_type | kerberos.log | additional.fields.key/value |
| client_cert.filename | kerberos.log | additional.fields.key/value |
| client_cert.duration | kerberos.log | additional.fields.key/value |
| client_cert.local_orig | kerberos.log | additional.fields.key/value |
| client_cert.is_orig | kerberos.log | additional.fields.key/value |
| client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| client_cert.total_bytes | kerberos.log | additional.fields.key/value |
| client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| client_cert.timedout | kerberos.log | additional.fields.key/value |
| client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
| client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
| client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
| client_cert.x509.ts | kerberos.log | additional.fields.key/value |
| client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
| client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
| client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
| client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| client_cert.x509.handle | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| client_cert.x509.cert | kerberos.log | additional.fields.key/value |
| client_cert.extracted | kerberos.log | additional.fields.key/value |
| client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| client_cert.extracted_size | kerberos.log | additional.fields.key/value |
| client_cert.entropy | kerberos.log | additional.fields.key/value |
| client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
| client_cert_fuid | kerberos.log | additional.fields.key/value |
| server_cert.ts | kerberos.log | additional.fields.key/value |
| server_cert.fuid | kerberos.log | additional.fields.key/value |
| server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.conn_uids | kerberos.log | additional.fields.key/value |
| server_cert.source | kerberos.log | additional.fields.key/value |
| server_cert.depth | kerberos.log | additional.fields.key/value |
| server_cert.analyzers | kerberos.log | additional.fields.key/value |
| server_cert.mime_type | kerberos.log | additional.fields.key/value |
| server_cert.filename | kerberos.log | additional.fields.key/value |
| server_cert.duration | kerberos.log | additional.fields.key/value |
| server_cert.local_orig | kerberos.log | additional.fields.key/value |
| server_cert.is_orig | kerberos.log | additional.fields.key/value |
| server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| server_cert.total_bytes | kerberos.log | additional.fields.key/value |
| server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| server_cert.timedout | kerberos.log | additional.fields.key/value |
| server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
| server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
| server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
| server_cert.x509.ts | kerberos.log | additional.fields.key/value |
| server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
| server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
| server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
| server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| server_cert.x509.handle | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| server_cert.x509.cert | kerberos.log | additional.fields.key/value |
| server_cert.extracted | kerberos.log | additional.fields.key/value |
| server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| server_cert.extracted_size | kerberos.log | additional.fields.key/value |
| server_cert.entropy | kerberos.log | additional.fields.key/value |
| server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
| server_cert_fuid | kerberos.log | additional.fields.key/value |
| auth_ticket | kerberos.log | additional.fields.key/value |
| new_ticket | kerberos.log | additional.fields.key/value |
| ts | modbus.log | metadata.event_timestamp |
| uid | modbus.log | network.session_id |
| id.orig_h | modbus.log | principal.ip |
| id.orig_p | modbus.log | principal.port |
| id.resp_h | modbus.log | target.ip |
| id.resp_p | modbus.log | target.port |
| func | modbus.log | additional.fields.key/value |
| exception | modbus.log | additional.fields.key/value |
| track_address | modbus.log | additional.fields.key/value |
| ts | modbus_register_change.log | metadata.event_timestamp |
| uid | modbus_register_change.log | network.session_id |
| id.orig_h | modbus_register_change.log | principal.ip |
| id.orig_p | modbus_register_change.log | principal.port |
| id.resp_h | modbus_register_change.log | target.ip |
| id.resp_p | modbus_register_change.log | target.port |
| register | modbus_register_change.log | additional.fields.key/value |
| old_val | modbus_register_change.log | additional.fields.key/value |
| new_val | modbus_register_change.log | additional.fields.key/value |
| delta | modbus_register_change.log | additional.fields.key/value |
| ts | mysql.log | metadata.event_timestamp |
| uid | mysql.log | network.session_id |
| id.orig_h | mysql.log | principal.ip |
| id.orig_p | mysql.log | principal.port |
| id.resp_h | mysql.log | target.ip |
| id.resp_p | mysql.log | target.port |
| cmd | mysql.log | metadata.description |
| arg | mysql.log | principal.process.command_line |
| success | mysql.log |
If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
| rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
| response | mysql.log | additional.fields.key/value |
| ts | ntlm.log | metadata.event_timestamp |
| uid | ntlm.log | network.session_id |
| id.orig_h | ntlm.log | principal.ip |
| id.orig_p | ntlm.log | principal.port |
| id.resp_h | ntlm.log | target.ip |
| id.resp_p | ntlm.log | target.port |
| username | ntlm.log | principal.user.userid |
| hostname | ntlm.log | principal.hostname |
| domainname | ntlm.log | principal.administrative_domain |
| server_nb_computer_name | ntlm.log | additional.fields.key/value |
| server_dns_computer_name | ntlm.log | target.hostname |
| server_tree_name | ntlm.log | additional.fields.key/value |
| success | ntlm.log |
If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
| done | ntlm.log | additional.fields.key/value |
| ts | ntp.log | metadata.event_timestamp |
| uid | ntp.log | network.session_id |
| id.orig_h | ntp.log | principal.ip |
| id.orig_p | ntp.log | principal.port |
| id.resp_h | ntp.log | target.ip |
| id.resp_p | ntp.log | target.port |
| version | ntp.log | additional.fields.key/value |
| mode | ntp.log | additional.fields.key/value |
| stratum | ntp.log | additional.fields.key/value |
| poll | ntp.log | additional.fields.key/value |
| precision | ntp.log | additional.fields.key/value |
| root_delay | ntp.log | additional.fields.key/value |
| root_disp | ntp.log | additional.fields.key/value |
| ref_id | ntp.log | additional.fields.key/value |
| ref_time | ntp.log | additional.fields.key/value |
| org_time | ntp.log | additional.fields.key/value |
| rec_time | ntp.log | additional.fields.key/value |
| xmt_time | ntp.log | additional.fields.key/value |
| num_exts | ntp.log | additional.fields.key/value |
| ts | radius.log | metadata.event_timestamp |
| uid | radius.log | network.session_id |
| id.orig_h | radius.log | principal.ip |
| id.orig_p | radius.log | principal.port |
| id.resp_h | radius.log | target.ip |
| id.resp_p | radius.log | target.port |
| username | radius.log | principal.user.userid |
| mac | radius.log | principal.mac |
| framed_addr | radius.log | additional.fields.key/value |
| tunnel_client | radius.log | additional.fields.key/value |
| connect_info | radius.log | additional.fields.key/value |
| reply_msg | radius.log | additional.fields.key/value |
| result | radius.log | If the log type is "radius.log", the following fields are set:
If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful". If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
| ttl | radius.log | additional.fields.key/value |
| logged | radius.log | additional.fields.key/value |
| ts | rdp.log | metadata.event_timestamp |
| uid | rdp.log | network.session_id |
| id.orig_h | rdp.log | principal.ip |
| id.orig_p | rdp.log | principal.port |
| id.resp_h | rdp.log | target.ip |
| id.resp_p | rdp.log | target.port |
| cookie | rdp.log | principal.user.userid |
| result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| client_channels | rdp.log | additional.fields.key/value |
| keyboard_layout | rdp.log | additional.fields.key/value |
| client_build | rdp.log | principal.asset.platform_software.platform_version |
| client_name | rdp.log | additional.fields.key/value |
| client_dig_product_id | rdp.log | principal.asset.asset_id |
| desktop_width | rdp.log | additional.fields.key/value |
| desktop_height | rdp.log | additional.fields.key/value |
| requested_color_depth | rdp.log | additional.fields.key/value |
| cert_type | rdp.log | additional.fields.key/value |
| cert_count | rdp.log | additional.fields.key/value |
| cert_permanent | rdp.log | additional.fields.key/value |
| encryption_level | rdp.log | additional.fields.key/value |
| encryption_method | rdp.log | additional.fields.key/value |
| analyzer_id | rdp.log | additional.fields.key/value |
| done | rdp.log | additional.fields.key/value |
| ssl | rdp.log | additional.fields.key/value |
| ts | rfb.log | metadata.event_timestamp |
| uid | rfb.log | network.session_id |
| id.orig_h | rfb.log | principal.ip |
| id.orig_p | rfb.log | principal.port |
| id.resp_h | rfb.log | target.ip |
| id.resp_p | rfb.log | target.port |
| client_major_version | rfb.log | additional.fields.key/value |
| client_minor_version | rfb.log | additional.fields.key/value |
| server_major_version | rfb.log | additional.fields.key/value |
| server_minor_version | rfb.log | additional.fields.key/value |
| authentication_method | rfb.log | additional.fields.key/value |
| auth | rfb.log | additional.fields.key/value |
| share_flag | rfb.log | additional.fields.key/value |
| desktop_name | rfb.log | target.asset.hostname |
| width | rfb.log | additional.fields.key/value |
| height | rfb.log | additional.fields.key/value |
| done | rfb.log | additional.fields.key/value |
| ts | sip.log | metadata.event_timestamp |
| uid | sip.log | network.session_id
Also, network.application_protocol is set to "SIP". |
| id.orig_h | sip.log | principal.ip |
| id.orig_p | sip.log | principal.port |
| id.resp_h | sip.log | target.ip |
| id.resp_p | sip.log | target.port |
| trans_depth | sip.log | additional.fields.key/value |
| method | sip.log | metadata.description |
| uri | sip.log | about.url |
| date | sip.log | additional.fields.key/value |
| request_from | sip.log | principal.user.userid and principal.user.user_display_name |
| request_to | sip.log | target.user.userid and target.user.user_display_name |
| response_from | sip.log | additional.fields.key/value |
| response_to | sip.log | additional.fields.key/value |
| reply_to | sip.log | additional.fields.key/value |
| call_id | sip.log | network.session_id |
| seq | sip.log | additional.fields.key/value |
| subject | sip.log | additional.fields.key/value |
| request_path | sip.log | additional.fields.key/value |
| response_path | sip.log | additional.fields.key/value |
| user_agent | sip.log | additional.fields.key/value |
| status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
| status_msg | sip.log | security_result.description |
| warning | sip.log | additional.fields.key/value |
| request_body_len | sip.log | network.sent_bytes |
| response_body_len | sip.log | network.received_bytes |
| content_type | sip.log | additional.fields.key/value |
| ts | smb_cmd.log | metadata.event_timestamp |
| uid | smb_cmd.log | network.session_id |
| id.orig_h | smb_cmd.log | principal.ip |
| id.orig_p | smb_cmd.log | principal.port |
| id.resp_h | smb_cmd.log | target.ip |
| id.resp_p | smb_cmd.log | target.port |
| command | smb_cmd.log | principal.process.command_line |
| sub_command | smb_cmd.log | additional.fields.key/value |
| argument | smb_cmd.log | additional.fields.key/value |
| status | smb_cmd.log | additional.fields.key/value |
| rtt | smb_cmd.log | additional.fields.key/value |
| version | smb_cmd.log | metadata.product_version |
| username | smb_cmd.log | principal.user.userid |
| tree | smb_cmd.log | additional.fields.key/value |
| tree_service | smb_cmd.log | additional.fields.key/value |
| smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
| smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
| ts | smb_files.log | metadata.event_timestamp |
| uid | smb_files.log | network.session_id |
| id.orig_h | smb_files.log | principal.ip |
| id.orig_p | smb_files.log | principal.port |
| id.resp_h | smb_files.log | target.ip |
| id.resp_p | smb_files.log | target.port |
| fuid | smb_files.log | additional.fields.key/value |
| action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
| path | smb_files.log | target.file.full_path |
| name | smb_files.log | additional.fields.key/value |
| size | smb_files.log | target.file.size |
| prev_name | smb_files.log | additional.fields.key/value |
| times.modified | smb_files.log | additional.fields.key/value |
| times.modified_raw | smb_files.log | additional.fields.key/value |
| times.accessed | smb_files.log | additional.fields.key/value |
| times.accessed_raw | smb_files.log | additional.fields.key/value |
| times.created | smb_files.log | additional.fields.key/value |
| times.created_raw | smb_files.log | additional.fields.key/value |
| times.changed | smb_files.log | additional.fields.key/value |
| times.changed_raw | smb_files.log | additional.fields.key/value |
| fid | smb_files.log | additional.fields.key/value |
| uuid | smb_files.log | additional.fields.key/value |
| ts | smb_mapping.log | metadata.event_timestamp |
| uid | smb_mapping.log | network.session_id |
| id.orig_h | smb_mapping.log | principal.ip |
| id.orig_p | smb_mapping.log | principal.port |
| id.resp_h | smb_mapping.log | target.ip |
| id.resp_p | smb_mapping.log | target.port |
| path | smb_mapping.log | target.file.full_path |
| service | smb_mapping.log | target.application |
| native_file_system | smb_mapping.log | additional.fields.key/value |
| share_type | smb_mapping.log | target.resource.resource_type |
| ts | smtp.log | metadata.event_timestamp |
| uid | smtp.log | network.session_id |
| id.orig_h | smtp.log | principal.ip |
| id.orig_p | smtp.log | principal.port |
| id.resp_h | smtp.log | target.ip |
| id.resp_p | smtp.log | target.port |
| trans_depth | smtp.log | additional.fields.key/value |
| helo | smtp.log | additional.fields.key/value |
| mailfrom | smtp.log | additional.fields.key/value |
| rcptto | smtp.log | additional.fields.key/value |
| date | smtp.log | additional.fields.key/value |
| from | smtp.log | network.email.from |
| to | smtp.log | email.to |
| cc | smtp.log | network.email.cc |
| reply_to | smtp.log | email.reply_to |
| msg_id | smtp.log | email.mail_id |
| in_reply_to | smtp.log | additional.fields.key/value |
| subject | smtp.log | email.subject |
| x_originating_ip | smtp.log | additional.fields.key/value |
| first_received | smtp.log | additional.fields.key/value |
| second_received | smtp.log | additional.fields.key/value |
| last_reply | smtp.log | additional.fields.key/value |
| path | smtp.log | additional.fields.key/value |
| user_agent | smtp.log | additional.fields.key/value |
| tls | smtp.log | network.tls.established |
| process_received_from | smtp.log | additional.fields.key/value |
| has_client_activity | smtp.log | additional.fields.key/value |
| process_smtp_headers | smtp.log | additional.fields.key/value |
| entity.filename | smtp.log | additional.fields.key/value |
| entity.excerpt | smtp.log | additional.fields.key/value |
| fuids | smtp.log | additional.fields.key/value |
| is_webmail | smtp.log | additional.fields.key/value |
| ts | snmp.log | metadata.event_timestamp |
| uid | snmp.log | network.session_id |
| id.orig_h | snmp.log | principal.ip |
| id.orig_p | snmp.log | principal.port |
| id.resp_h | snmp.log | target.ip |
| id.resp_p | snmp.log | target.port |
| duration | snmp.log | network.session_duration |
| version | snmp.log | metadata.product_version |
| community | snmp.log | network.community_id |
| get_requests | snmp.log | additional.fields.key/value |
| get_bulk_requests | snmp.log | additional.fields.key/value |
| get_responses | snmp.log | additional.fields.key/value |
| set_requests | snmp.log | additional.fields.key/value |
| display_string | snmp.log | metadata.description |
| up_since | snmp.log | additional.fields.key/value |
| ts | socks.log | metadata.event_timestamp |
| uid | socks.log | network.session_id |
| id.orig_h | socks.log | principal.ip |
| id.orig_p | socks.log | principal.port |
| id.resp_h | socks.log | target.ip |
| id.resp_p | socks.log | target.port |
| version | socks.log | additional.fields.key/value |
| user | socks.log | principal.user.userid |
| status | socks.log | additional.fields.key/value |
| request.host | socks.log | principal.hostname |
| request.name | socks.log | additional.fields.key/value |
| request_p | socks.log | additional.fields.key/value |
| bound.host | socks.log | additional.fields.key/value |
| bound.name | socks.log | additional.fields.key/value |
| bound_p | socks.log | additional.fields.key/value |
| capture_password | socks.log | additional.fields.key/value |
| ts | ssh.log | metadata.event_timestamp |
| uid | ssh.log | network.session_id |
| id.orig_h | ssh.log | principal.ip |
| id.orig_p | ssh.log | principal.port |
| id.resp_h | ssh.log | target.ip |
| id.resp_p | ssh.log | target.port |
| version | ssh.log | metadata.product_version |
| auth_success | ssh.log | additional.fields.key/value |
| auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
| direction | ssh.log | network.direction |
| client | ssh.log | principal.platform_version |
| server | ssh.log | target.platform_version |
| cipher_alg | ssh.log | additional.fields.key/value |
| mac_alg | ssh.log | additional.fields.key/value |
| compression_alg | ssh.log | additional.fields.key/value |
| kex_alg | ssh.log | additional.fields.key/value |
| host_key_alg | ssh.log | additional.fields.key/value |
| host_key | ssh.log | additional.fields.key/value |
| logged | ssh.log | additional.fields.key/value |
| capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
| capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
| capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
| capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
| capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
| capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
| capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
| capabilities.is_server | ssh.log | additional.fields.key/value |
| analyzer_id | ssh.log | additional.fields.key/value |
| remote_location.country_code | ssh.log | additional.fields.key/value |
| remote_location.region | ssh.log | target.asset.location.country_or_region |
| remote_location.city | ssh.log | target.asset.location.city |
| remote_location.latitude | ssh.log | additional.fields.key/value |
| remote_location.longitude | ssh.log | additional.fields.key/value |
| ts | ssl.log | metadata.event_timestamp |
| uid | ssl.log | metadata.product_log_id |
| id.orig_h | ssl.log | principal.ip |
| id.orig_p | ssl.log | principal.port |
| id.resp_h | ssl.log | target.ip |
| id.resp_p | ssl.log | target.port |
| version_num | ssl.log | additional.fields.key/value |
| version | ssl.log | network.tls.version |
| cipher | ssl.log | network.tls.cipher |
| curve | ssl.log | network.tls.curve |
| server_name | ssl.log | network.tls.client.server_name |
| session_id | ssl.log | network.session_id |
| resumed | ssl.log | network.tls.resumed |
| client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
| client_key_exchange_seen | ssl.log | additional.fields.key/value |
| client_psk_seen | ssl.log | additional.fields.key/value |
| last_alert | ssl.log | additional.fields.key/value |
| next_protocol | ssl.log | network.tls.next_protocol |
| analyzer_id | ssl.log | additional.fields.key/value |
| established | ssl.log | network.tls.established |
| logged | ssl.log | additional.fields.key/value |
| ssl_history | ssl.log | additional.fields.key/value |
| cert_chain_fps | ssl.log | additional.fields.key/value |
| client_cert_chain_fps | ssl.log | additional.fields.key/value |
| subject | ssl.log | network.tls.server.certificate.subject |
| issuer | ssl.log | network.tls.server.certificate.issuer |
| client_subject | ssl.log | network.tls.client.certificate.subject |
| client_issuer | ssl.log | network.tls.client.certificate.issuer |
| sni_matches_cert | ssl.log | additional.fields.key/value |
| server_depth | ssl.log | additional.fields.key/value |
| client_depth | ssl.log | additional.fields.key/value |
| always_raise_x509_events | ssl.log | additional.fields.key/value |
| last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
| last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
| originator_heartbeats | ssl.log | additional.fields.key/value |
| responder_heartbeats | ssl.log | additional.fields.key/value |
| heartbleed_detected | ssl.log | additional.fields.key/value |
| enc_appdata_packages | ssl.log | additional.fields.key/value |
| enc_appdata_bytes | ssl.log | additional.fields.key/value |
| server_version | ssl.log | additional.fields.key/value |
| client_version | ssl.log | additional.fields.key/value |
| client_ciphers | ssl.log | network.tls.client.supported_ciphers |
| ssl_client_exts | ssl.log | additional.fields.key/value |
| ssl_server_exts | ssl.log | additional.fields.key/value |
| ticket_lifetime_hint | ssl.log | additional.fields.key/value |
| dh_param_size | ssl.log | additional.fields.key/value |
| point_formats | ssl.log | additional.fields.key/value |
| client_curves | ssl.log | additional.fields.key/value |
| orig_alpn | ssl.log | additional.fields.key/value |
| client_supported_versions | ssl.log | additional.fields.key/value |
| server_supported_version | ssl.log | additional.fields.key/value |
| psk_key_exchange_modes | ssl.log | additional.fields.key/value |
| client_key_share_groups | ssl.log | additional.fields.key/value |
| server_key_share_group | ssl.log | additional.fields.key/value |
| client_comp_methods | ssl.log | additional.fields.key/value |
| comp_method | ssl.log | additional.fields.key/value |
| sigalgs | ssl.log | additional.fields.key/value |
| hashalgs | ssl.log | additional.fields.key/value |
| validation_status | ssl.log | additional.fields.key/value |
| validation_code | ssl.log | additional.fields.key/value |
| valid_chain | ssl.log | additional.fields.key/value |
| ocsp_status | ssl.log | additional.fields.key/value |
| ocsp_response | ssl.log | additional.fields.key/value |
| valid_scts | ssl.log | additional.fields.key/value |
| invalid_scts | ssl.log | additional.fields.key/value |
| valid_ct_logs | ssl.log | additional.fields.key/value |
| valid_ct_operators | ssl.log | additional.fields.key/value |
| valid_ct_operators_list | ssl.log | additional.fields.key/value |
| ct_proofs | ssl.log | additional.fields.key/value |
| notary.first_seen | ssl.log | additional.fields.key/value |
| notary.last_seen | ssl.log | additional.fields.key/value |
| notary.times_seen | ssl.log | additional.fields.key/value |
| notary.valid | ssl.log | additional.fields.key/value |
| ts | syslog.log | metadata.event_timestamp |
| uid | syslog.log | network.session_id |
| id.orig_h | syslog.log | principal.ip |
| id.orig_p | syslog.log | principal.port |
| id.resp_h | syslog.log | target.ip |
| id.resp_p | syslog.log | target.port |
| proto | syslog.log | network.ip_protocol |
| facility | syslog.log | additional.fields.key/value |
| severity | syslog.log | security_result.severity_details |
| message | syslog.log | metadata.description |
| ts | tunnel.log | metadata.event_timestamp |
| uid | tunnel.log | network.session_id |
| id.orig_h | tunnel.log | principal.ip |
| id.orig_p | tunnel.log | principal.port |
| id.resp_h | tunnel.log | target.ip |
| id.resp_p | tunnel.log | target.port |
| tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
| action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
Archivos
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de archivos y sus los campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | files.log | metadata.event_timestamp |
| fuid | files.log | metadata.product_log_id |
| tx_hosts | files.log | principal.ip |
| rx_hosts | files.log | target.ip |
| conn_uids | files.log | additional.fields.key/value |
| source | files.log | network.application_protocol
target.file.full_path |
| depth | files.log | additional.fields.key/value |
| analyzers | files.log | additional.fields.key/value |
| mime_type | files.log | target.file.mime_type |
| filename | files.log | target.file.full_path |
| duration | files.log | additional.fields.key/value |
| local_orig | files.log | additional.fields.key/value |
| is_orig | files.log | additional.fields.key/value |
| seen_bytes | files.log | target.file.size |
| total_bytes | files.log | additional.fields.key/value |
| missing_bytes | files.log | additional.fields.key/value |
| overflow_bytes | files.log | additional.fields.key/value |
| timedout | files.log | additional.fields.key/value |
| parent_fuid | files.log | additional.fields.key/value |
| md5 | files.log | target.file.md5 |
| sha1 | files.log | target.file.sha1 |
| sha256 | files.log | target.file.sha256 |
| md5 | files.log | network.tls.client.certificate.md5 |
| sha1 | files.log | network.tls.client.certificate.sha1 |
| sha256 | files.log | network.tls.client.certificate.sha256 |
| md5 | files.log | network.tls.server.certificate.md5 |
| sha1 | files.log | network.tls.server.certificate.sha1 |
| sha256 | files.log | network.tls.server.certificate.sha256 |
| x509 | files.log | additional.fields.key/value
This field is a nested field. |
| extracted | files.log | additional.fields.key/value |
| extracted_cutoff | files.log | additional.fields.key/value |
| extracted_size | files.log | additional.fields.key/value |
| entropy | files.log | additional.fields.key/value |
| ts | ocsp.log | metadata.event_timestamp |
| id | ocsp.log | metadata.product_log_id |
| hashAlgorithm | ocsp.log | additional.fields.key/value |
| issuerNameHash | ocsp.log | additional.fields.key/value |
| issuerKeyHash | ocsp.log | additional.fields.key/value |
| serialNumber | ocsp.log | tls.server.certificate.serial |
| certStatus | ocsp.log | additional.fields.key/value |
| revoketime | ocsp.log | network.tls.server.certificate.not_after |
| revokereason | ocsp.log | security_result.summary |
| thisUpdate | ocsp.log | additional.fields.key/value |
| nextUpdate | ocsp.log | additional.fields.key/value |
| ts | pe.log | metadata.event_timestamp |
| id | pe.log | metadata.product_log_id |
| machine | pe.log | target.resource.resource_subtype |
| compile_ts | pe.log | additional.fields.key/value |
| os | pe.log | target.platform_version
target.resource.resource_type is set to "DEVICE". |
| subsystem | pe.log | target.application |
| is_exe | pe.log | additional.fields.key/value |
| is_64bit | pe.log | additional.fields.key/value |
| uses_aslr | pe.log | additional.fields.key/value |
| uses_dep | pe.log | additional.fields.key/value |
| uses_code_integrity | pe.log | additional.fields.key/value |
| uses_seh | pe.log | additional.fields.key/value |
| has_import_table | pe.log | additional.fields.key/value |
| has_export_table | pe.log | additional.fields.key/value |
| has_cert_table | pe.log | additional.fields.key/value |
| has_debug_data | pe.log | additional.fields.key/value |
| section_names | pe.log | additional.fields.key/value |
| ts | x509.log | metadata.event_timestamp
Also, target.application is set to "x509". |
| fingerprint | x509.log | additional.fields.key/value |
| certificate.version | x509.log | network.tls.server.certificate.version |
| certificate.serial | x509.log | network.tls.server.certificate.serial |
| certificate.subject | x509.log | network.tls.server.certificate.subject |
| certificate.issuer | x509.log | network.tls.server.certificate.issuer |
| certificate.cn | x509.log | target.hostname |
| certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
| certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
| certificate.key_alg | x509.log | additional.fields.key/value |
| certificate.sig_alg | x509.log | additional.fields.key/value |
| certificate.key_type | x509.log | additional.fields.key/value |
| certificate.key_length | x509.log | additional.fields.key/value |
| certificate.exponent | x509.log | additional.fields.key/value |
| certificate.curve | x509.log | network.tls.curve |
| handle | x509.log | additional.fields.key/value |
| extensions.name | x509.log | additional.fields.key/value |
| extensions.short_name | x509.log | additional.fields.key/value |
| extensions.oid | x509.log | additional.fields.key/value |
| extensions.critical | x509.log | additional.fields.key/value |
| extensions.value | x509.log | additional.fields.key/value |
| san.dns | x509.log | additional.fields.key/value |
| san.uri | x509.log | additional.fields.key/value |
| san.email | x509.log | additional.fields.key/value |
| san.ip | x509.log | additional.fields.key/value |
| san.other_fields | x509.log | additional.fields.key/value |
| basic_constraints.ca | x509.log | additional.fields.key/value |
| basic_constraints.path_len | x509.log | additional.fields.key/value |
| extensions_cache | x509.log | additional.fields.key/value |
| host_cert | x509.log | additional.fields.key/value |
| client_cert | x509.log | additional.fields.key/value |
| deduplication_index.fingerprint | x509.log | additional.fields.key/value |
| deduplication_index.host_cert | x509.log | additional.fields.key/value |
| deduplication_index.client_cert | x509.log | additional.fields.key/value |
| always_raise_x509_events | x509.log | additional.fields.key/value |
| cert | x509.log | additional.fields.key/value |
Netcontrol
En la siguiente tabla, se enumeran los campos de registro del tipo de registro netcontrol y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | netcontrol.log | metadata.event_timestamp |
| rule_id | netcontrol.log | security_result.rule_id |
| category | netcontrol.log | security_result.category_details |
| cmd | netcontrol.log | additional.fields.key/value |
| state | netcontrol.log | additional.fields.key/value |
| action | netcontrol.log | security_result.action_details |
| target | netcontrol.log | additional.fields.key/value |
| entity_type | netcontrol.log | additional.fields.key/value |
| entity | netcontrol.log | security_result.summary |
| mod | netcontrol.log | additional.fields.key/value |
| msg | netcontrol.log | security_result.description |
| priority | netcontrol.log | security_result.priority_details |
| expire | netcontrol.log | additional.fields.key/value |
| location | netcontrol.log | additional.fields.key/value |
| plugin | netcontrol.log | additional.fields.key/value |
| ts | netcontrol_drop.log | metadata.event_timestamp |
| rule_id | netcontrol_drop.log | security_result.rule_id |
| orig_h | netcontrol_drop.log | principal.ip |
| orig_p | netcontrol_drop.log | principal.port |
| resp_h | netcontrol_drop.log | target.ip |
| resp_p | netcontrol_drop.log | target.port |
| expire | netcontrol_drop.log | additional.fields.key/value |
| location | netcontrol_drop.log | additional.fields.key/value |
| ts | netcontrol_shunt.log | metadata.event_timestamp |
| rule_id | netcontrol_shunt.log | security_result.rule_id |
| f.src_h | netcontrol_shunt.log | principal.ip |
| f.src_p | netcontrol_shunt.log | principal.port |
| f.dst_h | netcontrol_shunt.log | target.ip |
| f.dst_p | netcontrol_shunt.log | target.port |
| expire | netcontrol_shunt.log | additional.fields.key/value |
| location | netcontrol_shunt.log | additional.fields.key/value |
| ts | netcontrol_catch_release.log | metadata.event_timestamp |
| rule_id | netcontrol_catch_release.log | security_result.rule_id |
| ip | netcontrol_catch_release.log | target.ip |
| action | netcontrol_catch_release.log | security_result.action_details |
| block_interval | netcontrol_catch_release.log | additional.fields.key/value |
| watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
| blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
| watched_until | netcontrol_catch_release.log | additional.fields.key/value |
| num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
| location | netcontrol_catch_release.log | additional.fields.key/value |
| message | netcontrol_catch_release.log | security_result.description |
| ts | openflow.log | metadata.event_timestamp |
| dpid | openflow.log | additional.fields.key/value |
| match.in_port | openflow.log | additional.fields.key/value |
| match.dl_src | openflow.log | additional.fields.key/value |
| match.dl_dst | openflow.log | additional.fields.key/value |
| match.dl_vlan | openflow.log | additional.fields.key/value |
| match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
| match.dl_type | openflow.log | additional.fields.key/value |
| match.nw_tos | openflow.log | additional.fields.key/value |
| match.nw_proto | openflow.log | additional.fields.key/value |
| match.nw_src | openflow.log | additional.fields.key/value |
| match.nw_dst | openflow.log | additional.fields.key/value |
| match.tp_src | openflow.log | additional.fields.key/value |
| match.tp_dst | openflow.log | additional.fields.key/value |
| flow_mod.cookie | openflow.log | additional.fields.key/value |
| flow_mod.table_id | openflow.log | additional.fields.key/value |
| flow_mod.command | openflow.log | additional.fields.key/value |
| flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
| flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
| flow_mod.priority | openflow.log | additional.fields.key/value |
| flow_mod.out_port | openflow.log | additional.fields.key/value |
| flow_mod.flags | openflow.log | additional.fields.key/value |
| flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Detección
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de detección y sus los campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | intel.log | metadata.event_timestamp |
| uid | intel.log | network.session_id |
| id.orig_h | intel.log | principal.ip |
| id.orig_p | intel.log | principal.port |
| id.resp_h | intel.log | target.ip |
| id.resp_p | intel.log | target.port |
| seen.indicator | intel.log | additional.fields.key/value |
| seen.indicator_type | intel.log | additional.fields.key/value |
| seen.host | intel.log | additional.fields.key/value |
| seen.where | intel.log | additional.fields.key/value |
| seen.node | intel.log | additional.fields.key/value |
| seen.conn.id.orig_h | intel.log | additional.fields.key/value |
| seen.conn.id.orig_p | intel.log | additional.fields.key/value |
| seen.conn.id.resp_h | intel.log | additional.fields.key/value |
| seen.conn.id.resp_p | intel.log | additional.fields.key/value |
| seen.conn.orig.size | intel.log | network.sent_bytes |
| seen.conn.orig.state | intel.log | additional.fields.key/value |
| seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
| seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.resp.size | intel.log | network.received_bytes |
| seen.conn.resp.state | intel.log | additional.fields.key/value |
| seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
| seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.start_time | intel.log | additional.fields.key/value |
| seen.conn.duration | intel.log | network.session_duration |
| seen.conn.service | intel.log | additional.fields.key/value |
| seen.conn.history | intel.log | metadata.description |
| seen.conn.uid | intel.log | network.session_id |
| seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
| seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
| seen.conn.vlan | intel.log | additional.fields.key/value |
| seen.conn.inner_vlan | intel.log | additional.fields.key/value |
| seen.conn.dpd_state | intel.log | additional.fields.key/value |
| seen.conn.removal_hooks | intel.log | additional.fields.key/value |
| seen.conn.extract_orig | intel.log | additional.fields.key/value |
| seen.conn.extract_resp | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
| seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
| seen.conn.http_state.pending | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
| seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
| seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
| seen.conn.known_services_done | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
| seen.conn.speculative_service | intel.log | additional.fields.key/value |
| seen.uid | intel.log | additional.fields.key/value |
| seen.f.id | intel.log | additional.fields.key/value |
| seen.f.parent_id | intel.log | additional.fields.key/value |
| seen.f.source | intel.log | target.file.full_path |
| seen.f.is_orig | intel.log | additional.fields.key/value |
| seen.f.conns | intel.log | additional.fields.key/value |
| seen.f.last_active | intel.log | additional.fields.key/value |
| seen.f.seen_bytes | intel.log | additional.fields.key/value |
| seen.f.total_bytes | intel.log | additional.fields.key/value |
| seen.f.missing_bytes | intel.log | additional.fields.key/value |
| seen.f.overflow_bytes | intel.log | additional.fields.key/value |
| seen.f.timeout_interval | intel.log | additional.fields.key/value |
| seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
| seen.f.bof_buffer | intel.log | additional.fields.key/value |
| seen.f.u2_events | intel.log | additional.fields.key/value |
| seen.fuid | intel.log | additional.fields.key/value |
| matched | intel.log | additional.fields.key/value |
| sources | intel.log | additional.fields.key/value |
| fuid | intel.log | additional.fields.key/value |
| file_mime_type | intel.log | target.file.mime_type |
| file_desc | intel.log | additional.fields.key/value |
| cif.tags | intel.log | additional.fields.key/value |
| cif.confidence | intel.log | additional.fields.key/value |
| cif.source | intel.log | additional.fields.key/value |
| cif.description | intel.log | additional.fields.key/value |
| cif.firstseen | intel.log | additional.fields.key/value |
| cif.lastseen | intel.log | additional.fields.key/value |
| ts | notice.log | metadata.event_timestamp |
| uid | notice.log | network.session_id |
| id.orig_h | notice.log | principal.ip |
| id.orig_p | notice.log | principal.port |
| id.resp_h | notice.log | target.ip |
| id.resp_p | notice.log | target.port |
| conn.id.orig_h | notice.log | additional.fields.key/value |
| conn.id.orig_p | notice.log | additional.fields.key/value |
| conn.id.resp_h | notice.log | additional.fields.key/value |
| conn.id.resp_p | notice.log | additional.fields.key/value |
| conn.orig.size | notice.log | network.sent_bytes |
| conn.orig.state | notice.log | additional.fields.key/value |
| conn.orig.num_pkts | notice.log | additional.fields.key/value |
| conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.orig.flow_label | notice.log | additional.fields.key/value |
| conn.orig.l2_addr | notice.log | additional.fields.key/value |
| conn.resp.size | notice.log | network.received_bytes |
| conn.resp.state | notice.log | additional.fields.key/value |
| conn.resp.num_pkts | notice.log | additional.fields.key/value |
| conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.resp.flow_label | notice.log | additional.fields.key/value |
| conn.resp.l2_addr | notice.log | additional.fields.key/value |
| conn.start_time | notice.log | additional.fields.key/value |
| conn.duration | notice.log | network.session_duration |
| conn.service | notice.log | additional.fields.key/value |
| conn.history | notice.log | metadata.description |
| conn.uid | notice.log | network.session_id |
| conn.tunnel.queued | notice.log | additional.fields.key/value |
| conn.tunnel.dispatched | notice.log | additional.fields.key/value |
| conn.vlan | notice.log | additional.fields.key/value |
| conn.inner_vlan | notice.log | additional.fields.key/value |
| conn.dpd_state.violations | notice.log | additional.fields.key/value |
| conn.removal_hooks | notice.log | additional.fields.key/value |
| conn.extract_orig | notice.log | additional.fields.key/value |
| conn.extract_resp | notice.log | additional.fields.key/value |
| conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
| conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
| conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
| conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
| conn.thresholds.duration | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_backing | notice.log | additional.fields.key/value |
| conn.dns_state.pending_query | notice.log | additional.fields.key/value |
| conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
| conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
| conn.ftp_data_reuse | notice.log | additional.fields.key/value |
| conn.http_state.pending | notice.log | additional.fields.key/value |
| conn.http_state.current_request | notice.log | additional.fields.key/value |
| conn.http_state.current_response | notice.log | additional.fields.key/value |
| conn.http_state.trans_depth | notice.log | additional.fields.key/value |
| conn.sip_state.pending | notice.log | additional.fields.key/value |
| conn.sip_state.current_request | notice.log | additional.fields.key/value |
| conn.sip_state.current_response | notice.log | additional.fields.key/value |
| conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
| conn.smb_state.fid_map | notice.log | additional.fields.key/value |
| conn.smb_state.tid_map | notice.log | additional.fields.key/value |
| conn.smb_state.uid_map | notice.log | additional.fields.key/value |
| conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
| conn.smb_state.recent_files | notice.log | additional.fields.key/value |
| conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
| conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
| conn.known_services_done | notice.log | additional.fields.key/value |
| mqtt.ts | notice.log | additional.fields.key/value |
| mqtt.uid | notice.log | additional.fields.key/value |
| mqtt.id | notice.log | additional.fields.key/value |
| mqtt.proto_name | notice.log | additional.fields.key/value |
| mqtt.proto_version | notice.log | additional.fields.key/value |
| mqtt.client_id | notice.log | additional.fields.key/value |
| mqtt.connect_status | notice.log | additional.fields.key/value |
| mqtt.will_topic | notice.log | additional.fields.key/value |
| mqtt.will_payload | notice.log | additional.fields.key/value |
| conn.mqtt_state.publish | notice.log | additional.fields.key/value |
| conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
| conn.speculative_service | notice.log | additional.fields.key/value |
| iconn.orig_h | notice.log | additional.fields.key/value |
| iconn.resp_h | notice.log | additional.fields.key/value |
| iconn.itype | notice.log | additional.fields.key/value |
| iconn.icode | notice.log | additional.fields.key/value |
| iconn.len | notice.log | additional.fields.key/value |
| iconn.hlim | notice.log | additional.fields.key/value |
| iconn.v6 | notice.log | additional.fields.key/value |
| f.id | notice.log | additional.fields.key/value |
| f.parent_id | notice.log | additional.fields.key/value |
| f.source | notice.log | target.file.full_path |
| f.is_orig | notice.log | additional.fields.key/value |
| f.conns | notice.log | additional.fields.key/value |
| f.last_active | notice.log | additional.fields.key/value |
| f.seen_bytes | notice.log | additional.fields.key/value |
| f.total_bytes | notice.log | additional.fields.key/value |
| f.missing_bytes | notice.log | additional.fields.key/value |
| f.overflow_bytes | notice.log | additional.fields.key/value |
| f.timeout_interval | notice.log | additional.fields.key/value |
| f.bof_buffer_size | notice.log | additional.fields.key/value |
| f.bof_buffer | notice.log | additional.fields.key/value |
| f.u2_events | notice.log | additional.fields.key/value |
| fuid | notice.log | additional.fields.key/value |
| file_mime_type | notice.log | target.file.mime_type |
| file_desc | notice.log | additional.fields.key/value |
| proto | notice.log | network.ip_protocol |
| note | notice.log | security_result.description |
| msg | notice.log | security_result.summary |
| sub | notice.log | additional.fields.key/value |
| src | notice.log | principal.ip |
| dst | notice.log | target.ip |
| p | notice.log | target.port |
| n | notice.log | additional.fields.key/value |
| peer_name | notice.log | additional.fields.key/value |
| peer_descr | notice.log | additional.fields.key/value |
| actions | notice.log | security_result.action_details |
| email_dest | notice.log | network.email.to (repeated) |
| email_body_sections | notice.log | network.email.subject (repeated) |
| email_delay_tokens | notice.log | additional.fields.key/value |
| identifier | notice.log | additional.fields.key/value |
| suppress_for | notice.log | additional.fields.key/value |
| remote_location.country_code | notice.log | additional.fields.key/value |
| remote_location.region | notice.log | principal.asset.location.country_or_region |
| remote_location.city | notice.log | principal.asset.location.city |
| remote_location.latitude | notice.log | additional.fields.key/value |
| remote_location.longitude | notice.log | additional.fields.key/value |
| dropped | notice.log | security_result.action_details |
| ts | signatures.log | metadata.event_timestamp |
| uid | signatures.log | network.session_id |
| src_addr | signatures.log | principal.ip |
| src_port | signatures.log | principal.port |
| dst_addr | signatures.log | target.ip |
| dst_port | signatures.log | target.port |
| note | signatures.log | security_result.summary |
| sig_id | signatures.log | additional.fields.key/value |
| event_msg | signatures.log | metadata.description |
| sub_msg | signatures.log | additional.fields.key/value |
| sig_count | signatures.log | additional.fields.key/value |
| host_count | signatures.log | additional.fields.key/value |
| ts | traceroute.log | metadata.event_timestamp |
| src | traceroute.log | principal.ip |
| dst | traceroute.log | target.ip |
| proto | traceroute.log | network.ip_protocol |
Observaciones sobre la red
En la siguiente tabla, se muestran los campos de registro del tipo de registro de observaciones de red y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | known_certs.log | metadata.event_timestamp |
| host | known_certs.log | principal.ip |
| port_num | known_certs.log | principal.port |
| subject | known_certs.log | network.tls.client.certificate.subject |
| issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
| serial | known_certs.log | network.tls.client.certificate.serial |
| ts | known_hosts.log | metadata.event_timestamp |
| host | known_hosts.log | principal.ip |
| ts | known_modbus.log | metadata.event_timestamp |
| host | known_modbus.log | principal.ip |
| device_type | known_modbus.log | target.resource.name
target.resource.resource_type = "DEVICE" |
| ts | known_services.log | metadata.event_timestamp |
| host | known_services.log | principal.ip |
| port_num | known_services.log | principal.port |
| port_proto | known_services.log | network.ip_protocol |
| service | known_services.log | target.application |
| ts | software.log | metadata.event_timestamp |
| host | software.log | principal.ip |
| host_p | software.log | principal.port |
| software_type | software.log | principal.resource.resource_subtype |
| name | software.log | principal.resource.name |
| version.major | software.log | additional.fields.key/value |
| version.minor | software.log | additional.fields.key/value |
| version.minor2 | software.log | additional.fields.key/value |
| version.minor3 | software.log | additional.fields.key/value |
| version.addl | software.log | additional.fields.key/value |
| unparsed_version | software.log | additional.fields.key/value |
| force_log | software.log | additional.fields.key/value |
| url | software.log | metadata.url_back_to_product |
Referencia de la asignación de campos: ID de evento para tipo de evento UDM
Para comprender cómo el analizador asigna nombres de registro a tipos de eventos de la UDM, consulta las siguientes secciones:
Protocolos de red
La siguiente tabla incluye los nombres de registro del tipo de registro de protocolos de red y sus correspondientes tipos de eventos de UDM.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
| dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
| dhcp.log | DHCP leases | NETWORK_DHCP |
| dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
| dns.log | DNS activity | NETWORK_DNS |
| ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
| http.log | HTTP requests and replies | NETWORK_HTTP |
| irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
| kerberos.log | Kerberos | NETWORK_CONNECTION |
| modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
| modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
| mysql.log | MySQL | NETWORK_UNCATEGORIZED |
| ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
| ntp.log | Network Time Protocol | NETWORK_CONNECTION |
| radius.log | RADIUS authentication attempts | USER_LOGIN |
| rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
| rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
| sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
| smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
| smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
| smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
| smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
| snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
| socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
| ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
| ssl.log | SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info | NETWORK_HTTP
NETWORK_CONNECTION |
| syslog.log | Syslog messages | NETWORK_CONNECTION |
| tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Archivos
En la siguiente tabla, se indican los nombres de registro para el tipo de registro de archivos y sus correspondientes tipos de eventos de UDM.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| files.log | File analysis results | NETWORK_UNCATEGORIZED |
| ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
| pe.log | Portable Executable (PE) | GENERIC_EVENT |
| x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
En la siguiente tabla, se enumeran los nombres de los registros del tipo de registro netcontrol y sus correspondientes tipos de eventos de la AUA.
| Nombre del registro | Descripción | Tipo de evento de UDM |
|---|---|---|
| netcontrol.log | NetControl actions | GENERIC_EVENT |
| netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
| netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
| netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
| openflow.log | OpenFlow debug log | GENERIC_EVENT |
Detección
En la siguiente tabla, se enumeran los nombres de registro del tipo de registro de detección y sus tipos de eventos de la AUA correspondientes.
| Nombre del registro | Descripción | Tipo de evento de UDM |
|---|---|---|
| intel.log | Intelligence data matches | GENERIC_EVENT |
| notice.log | Zeek notices | NETWORK_CONNECTION |
| notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
| signatures.log | Signature matches | GENERIC_EVENT |
| traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
Observaciones de red
En la siguiente tabla, se indican los nombres de registro del tipo de registro de observaciones de red. y sus correspondientes tipos de eventos de UDM.
| Nombre del registro | Descripción | Tipo de evento de UDM |
|---|---|---|
| known_certs.log | SSL certificates | GENERIC_EVENT |
| known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
| known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
| known_services.log | Services running on hosts | GENERIC_EVENT |
| software.log | Software used on the network | GENERIC_EVENT |