Zeek- (Bro-) Protokolle erfassen
Unterstützt in:
Google SecOps
SIEM
In diesem Dokument wird beschrieben, wie Sie Zeek (früher Bro) und NXLog mit Google Security Operations bereitstellen, um Zeek-Logs im JSON-Format zu erfassen. Außerdem wird beschrieben, wie Zeek-Protokollfelder den Feldern des einheitlichen Datenmodells (Unified Data Model, UDM) von Google Security Operations zugeordnet werden.
Eine Übersicht über die Datenaufnahme in Google Security Operations finden Sie unter Datenaufnahme in Google Security Operations.
Mit einem Datenaufnahmelabel wird der Parser identifiziert, der Roh-Logdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Datenaufnahmelabel BRO_JSON.
Hinweise
Informationen zu den Komponenten, die zum Erfassen von Zeek-Logs bereitgestellt werden, finden Sie in der Deployment-Architektur. Jede Kundenimplementierung kann von dieser Darstellung abweichen und komplexer sein. Das folgende Diagramm zeigt, wie Sie einen NXLog-Agenten und einen Google Security Operations-Weiterleiter auf einem Linux-Server konfigurieren und Protokolldaten an Google Security Operations weiterleiten.
Prüfen Sie, welche Zeek-Versionen vom Google Security Operations-Parser unterstützt werden. Der Google Security Operations-Parser unterstützt die folgenden Zeek-Versionen:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Bevor Sie den Zeek-Parser verwenden, sollten Sie sich die Änderungen bei den Feldzuordnungen zwischen dem vorherigen Parser und dem aktuellen Zeek-Parser ansehen. Achten Sie bei der Migration darauf, dass die Regeln, Suchanfragen, Dashboards oder anderen Prozesse, die von den ursprünglichen Feldern abhängen, die aktualisierten Felder verwenden.
In der vorherigen Parserversion wird das Feld
server_namebeispielsweise dem UDM-Feldtarget.hostnamezugeordnet. Im aktuellen Zeek-Parser wird das Feldserver_namedem UDM-Feldnetwork.tls.client.server_namezugeordnet. Wenn Sie zum aktuellen Zeek-Parser migrieren und das Feldserver_namein Ihren Regeln verwenden, müssen Sie die Regeln so ändern, dass das UDM-Feldnetwork.tls.client.server_namedes aktuellen Parsers verwendet wird.Prüfen Sie, welche Zeek-Logtypen vom Google Security Operations-Parser unterstützt werden. In der folgenden Tabelle sind die Zeek-Logtypen aufgeführt, die vom Google Security Operations-Parser unterstützt werden:
| Logtyp | Beschreibung |
| Netzwerkprotokolle | Enthält Protokolldateien von Netzwerkprotokollen wie Dynamic Host Configuration Protocol (DHCP) und Domain Name System (DNS). |
| Dateien | Enthält die folgenden Protokolldateien: Ergebnisse der Dateianalyse, Online Certificate Status Protocol (OCSP), Portable Executable (PE) und X.509-Zertifikat. |
| NetControl | Enthält Logdateien von NetControl-Aktionen und OpenFlow-Debug-Logs. |
| Erkennung | Enthält Protokolldateien mit Übereinstimmungen von Intelligence-Daten, Zeek-Benachrichtigungen, Alarmstream, Signaturübereinstimmungen und Traceroute-Erkennung. |
| Netzwerkbeobachtungen | Enthält Protokolldateien von SSL-Zertifikaten, Hosts, die TCP-Handshakes abgeschlossen haben, Modbus-Primär- und ‑Replikate, auf Hosts ausgeführte Dienste und im Netzwerk verwendete Software. |
Installieren und konfigurieren Sie Zeek, falls noch nicht geschehen. Weitere Informationen finden Sie unter Zeek-Installation.
Zeek-Protokolle im JSON-Format erfassen Weitere Informationen finden Sie unter Zeek-Logs in JSON ausgeben.
Alle Systeme in der Bereitstellungsarchitektur müssen mit der Zeitzone UTC konfiguriert sein.
NXLog und Google Security Operations-Weiterleiter konfigurieren
- Laden Sie NXLog Community Edition auf den Linux-Rechner herunter, auf dem der Google Security Operations-Weiterleiter ausgeführt wird, und installieren Sie sie.
- Weitere Informationen zum Herunterladen der NXLog Community Edition finden Sie in der NXLog-Dokumentation.
- Weitere Informationen zum Installieren der erforderlichen NXLog-Pakete und ‑Abhängigkeiten finden Sie unter NXLog auf einem Linux-System installieren.
- Erstellen Sie eine Konfigurationsdatei für jede NXLog-Instanz.
Verwenden Sie das NXLog-Modul im_file, um die Datei zu lesen und die Zeilen in Felder zu parsen. Hier ein Beispiel für eine NXLog-Konfiguration:
LogFile /var/log/nxlog/nxlog.log LogLevel INFO define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname> define ZEEK_OUTPUT_DESTINATION_PORT <port> <Input conn> Module im_file File '/opt/zeek/logs/current/conn.log' Exec $raw_event= "conn" + ' - ' + $raw_event;; </Input> <Input dce_rpc> Module im_file File '/opt/zeek/logs/current/dce_rpc.log' Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;; </Input> <Output out_chronicle> Module om_tcp Host %ZEEK_OUTPUT_DESTINATION_ADDRESS% Port %ZEEK_OUTPUT_DESTINATION_PORT% </Output> <Route zeek_to_chronicle> Path conn, dce_rpc => out_chronicle </Route>So verwenden Sie die vorherige Beispielkonfiguration:
- Ersetzen Sie die Werte
<hostname>und<port>durch Informationen zum Ziel-Linux-Server. - Fügen Sie für jeden Zeek-Logtyp, den Sie erfassen möchten, Eingabe-, Ausgabe- und Routenelemente hinzu.
- Ersetzen Sie die Werte
Konfigurieren Sie den Google Security Operations-Weiterleiter so, dass Protokolle an Google Security Operations gesendet werden. Weitere Informationen finden Sie unter Weiterleitung unter Linux installieren und konfigurieren. Hier ist ein Beispiel für eine Weiterleitungskonfiguration.
- syslog: common: enabled: true data_type: BRO_JSON batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60Starten Sie den NXLog-Dienst.
Referenz zur Feldzuordnung: Zeek-Protokollfelder zu UDM-Feldern
In den folgenden Abschnitten erfahren Sie, wie der Google Security Operations-Parser Zeek-Logfelder den UDM-Ereignisfeldern von Google Security Operations für jeden Zeek-Logtyp zuordnet:
Netzwerkprotokolle
In der folgenden Tabelle sind die Protokollfelder des Protokolltyps „Netzwerkprotokolle“ und die entsprechenden UDM-Felder aufgeführt.
| Original-Log-Feld | Logtyp | UDM-Feld |
|---|---|---|
| ts | conn.log | metadata.event_timestamp |
| uid | conn.log | network.session_id |
| id.orig_h | conn.log | principal.ip |
| id.orig_p | conn.log | principal.port |
| id.resp_h | conn.log | target.ip |
| id.resp_p | conn.log | target.port |
| proto | conn.log | network.ip_protocol |
| service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
| duration | conn.log | network.session_duration |
| orig_bytes | conn.log | network.sent_bytes |
| resp_bytes | conn.log | network.received_bytes |
| conn_state | conn.log | metadata.description |
| local_orig | conn.log | additional.fields.key/value |
| local_resp | conn.log | additional.fields.key/value |
| missed_bytes | conn.log | additional.fields.key/value |
| history | conn.log | additional.fields.key/value |
| orig_pkts | conn.log | additional.fields.key/value |
| orig_ip_bytes | conn.log | additional.fields.key/value |
| resp_pkts | conn.log | additional.fields.key/value |
| resp_ip_bytes | conn.log | additional.fields.key/value |
| tunnel_parents | conn.log | additional.fields.key/value |
| orig_l2_addr | conn.log | additional.fields.key/value |
| resp_l2_addr | conn.log | additional.fields.key/value |
| vlan | conn.log | additional.fields.key/value |
| inner_vlan | conn.log | additional.fields.key/value |
| speculative_service | conn.log | additional.fields.key/value |
| ts | dce_rpc.log | metadata.event_timestamp |
| uid | dce_rpc.log | network.session_id |
| id.orig_h | dce_rpc.log | principal.ip |
| id.orig_p | dce_rpc.log | principal.port |
| id.resp_h | dce_rpc.log | target.ip |
| id.resp_p | dce_rpc.log | target.port |
| rtt | dce_rpc.log | additional.fields.key/value |
| named_pipe | dce_rpc.log | target.resource.name
Also, target.resource.resource_type is set to "PIPE". |
| endpoint | dce_rpc.log | additional.fields.key/value |
| operation | dce_rpc.log | additional.fields.key/value |
| ts | dhcp.log | metadata.event_timestamp |
| uids | dhcp.log | additional.fields.key/value |
| client_addr | dhcp.log | target.ip |
| server_addr | dhcp.log | principal.ip |
| client_port | dhcp.log | target.port |
| server_port | dhcp.log | principal.port |
| mac | dhcp.log | principal.mac
Machine ID is required for parsing NETWORK_DHCP events. |
| host_name | dhcp.log | network.dhcp.client_hostname |
| client_fqdn | dhcp.log | target.hostname |
| domain | dhcp.log | target.administrative_domain |
| requested_addr | dhcp.log | network.dhcp.requested_address |
| assigned_addr | dhcp.log | network.dhcp.yiaddr |
| lease_time | dhcp.log | network.dhcp.lease_time_seconds |
| client_message | dhcp.log | additional.fields.key/value |
| server_message | dhcp.log | additional.fields.key/value |
| msg_types | dhcp.log | additional.fields.key/value
The log that Zeek produces is a collection of DORA messages in a single log. |
| duration | dhcp.log | network.dhcp.seconds |
| client_chaddr | dhcp.log | network.dhcp.chaddr |
| msg_orig | dhcp.log | additional.fields.key/value |
| client_software | dhcp.log | additional.fields.key/value |
| server_software | dhcp.log | additional.fields.key/value |
| circuit_id | dhcp.log | additional.fields.key/value |
| agent_remote_id | dhcp.log | additional.fields.key/value |
| subscriber_id | dhcp.log | additional.fields.key/value |
| ts | dnp3.log | metadata.event_timestamp |
| uid | dnp3.log | network.session_id |
| id.orig_h | dnp3.log | principal.ip |
| id.orig_p | dnp3.log | principal.port |
| id.resp_h | dnp3.log | target.ip |
| id.resp_p | dnp3.log | target.port |
| fc_request | dnp3.log | additional.fields.key/value |
| fc_reply | dnp3.log | additional.fields.key/value |
| iin | dnp3.log | additional.fields.key/value |
| ts | dns.log | metadata.event_timestamp |
| uid | dns.log | network.session_id |
| id.orig_h | dns.log | principal.ip |
| id.orig_p | dns.log | principal.port |
| id.resp_h | dns.log | target.ip |
| id.resp_p | dns.log | target.port |
| proto | dns.log | network.ip_protocol |
| trans_id | dns.log | network.dns.id |
| rtt | dns.log | additional.fields.key/value |
| query | dns.log | network.dns.questions.name |
| qclass | dns.log | network.dns.questions.class |
| qclass_name | dns.log | additional.fields.key/value |
| qtype | dns.log | network.dns.questions.type |
| qtype_name | dns.log | additional.fields.key/value |
| rcode | dns.log | network,dns.response_code |
| rcode_name | dns.log | additional.fields.key/value |
| AA | dns.log | network.dns.authoritative |
| TC | dns.log | network.dns.truncated |
| RD | dns.log | network.dns.recursion_desired |
| RA | dns.log | network.dns.recursion_available |
| Z | dns.log | additional.fields.key/value |
| answers | dns.log | network.dns.answers.data |
| TTLs | dns.log | network.dns.answers.ttl |
| rejected | dns.log | additional.fields.key/value |
| total_answers | dns.log | additional.fields.key/value |
| total_replies | dns.log | additional.fields.key/value |
| saw_query | dns.log | additional.fields.key/value |
| saw_reply | dns.log | additional.fields.key/value |
| auth | dns.log | network.dns.authority.data |
| addl | dns.log | network.dns.additional.data |
| original_query | dns.log | additional.fields.key/value |
| ts | ftp.log | metadata.event_timestamp |
| uid | ftp.log | network.session_id |
| id.orig_h | ftp.log | principal.ip |
| id.orig_p | ftp.log | principal.port |
| id.resp_h | ftp.log | target.ip |
| id.resp_p | ftp.log | target.port |
| user | ftp.log | principal.user.userid |
| command | ftp.log | network.ftp.command |
| arg | ftp.log | additional.fields.key/value |
| mime_type | ftp.log | src.file.mime_type |
| file_size | ftp.log | src.file.size |
| reply_code | ftp.log | additional.fields.key/value |
| reply_msg | ftp.log | additional.fields.key/value |
| data_channel.passive | ftp.log | additional.fields.key/value |
| data_channel.orig_h | ftp.log | additional.fields.key/value |
| data_channel.resp_h | ftp.log | additional.fields.key/value |
| data_channel.resp_p | ftp.log | additional.fields.key/value |
| cwd | ftp.log | src.file.full_path |
| cmdarg.ts | ftp.log | additional.fields.key/value |
| cmdarg.cmd | ftp.log | additional.fields.key/value |
| cmdarg.arg | ftp.log | additional.fields.key/value |
| cmdarg.seq | ftp.log | additional.fields.key/value |
| pending_commands | ftp.log | additional.fields.key/value |
| passive | ftp.log | additional.fields.key/value |
| capture_password | ftp.log | additional.fields.key/value |
| fuid | ftp.log | additional.fields.key/value |
| last_auth_requested | ftp.log | additional.fields.key/value |
| ts | http.log | metadata.event_timestamp |
| uid | http.log | network.session_id |
| id.orig_h | http.log | principal.ip |
| id.orig_p | http.log | principal.port |
| id.resp_h | http.log | target.ip |
| id.resp_p | http.log | target.port |
| trans_depth | http.log | additional.fields.key/value |
| method | http.log | network.http.method |
| host | http.log | target.hostname |
| uri | http.log | target.url is set to "%{host}%{uri}" |
| referrer | http.log | network.http.referral_url |
| version | http.log | additional.fields.key/value |
| user_agent | http.log | network.http.user_agent |
| origin | http.log | additional.fields.key/value |
| request_body_len | http.log | additional.fields.key/value |
| response_body_len | http.log | additional.fields.key/value |
| status_code | http.log | network.http.response_code |
| status_msg | http.log | additional.fields.key/value |
| info_code | http.log | additional.fields.key/value |
| info_msg | http.log | additional.fields.key/value |
| tags | http.log | additional.fields.key/value |
| username | http.log | principal.user.userid |
| capture_password | http.log | additional.fields.key/value |
| proxied | http.log | additional.fields.key/value |
| range_request | http.log | additional.fields.key/value |
| orig_fuids | http.log | additional.fields.key/value |
| orig_filenames | http.log | additional.fields.key/value |
| orig_mime_types | http.log | additional.fields.key/value |
| resp_fuids | http.log | additional.fields.key/value |
| resp_filenames | http.log | additional.fields.key/value |
| resp_mime_types | http.log | additional.fields.key/value |
| current_entity | http.log | additional.fields.key/value |
| orig_mime_depth | http.log | additional.fields.key/value |
| resp_mime_depth | http.log | additional.fields.key/value |
| client_header_names | http.log | additional.fields.key/value |
| server_header_names | http.log | additional.fields.key/value |
| omniture | http.log | additional.fields.key/value |
| flash_version | http.log | additional.fields.key/value |
| cookie_vars | http.log | additional.fields.key/value |
| uri_vars | http.log | additional.fields.key/value |
| ts | irc.log | metadata.event_timestamp |
| uid | irc.log | network.session_id |
| id.orig_h | irc.log | principal.ip |
| id.orig_p | irc.log | principal.port |
| id.resp_h | irc.log | target.ip |
| id.resp_p | irc.log | target.port |
| nick | irc.log | additional.fields.key/value |
| user | irc.log | principal.user.userid |
| command | irc.log | principal.process.command_line |
| value | irc.log | additional.fields.key/value |
| addl | irc.log | additional.fields.key/value |
| dcc_file_name | irc.log | additional.fields.key/value |
| dcc_file_size | irc.log | src.file.size |
| dcc_mime_type | irc.log | src.file.mime_type |
| fuid | irc.log | additional.fields.key/value |
| ts | kerberos.log | metadata.event_timestamp |
| uid | kerberos.log | network.session_id |
| id.orig_h | kerberos.log | principal.ip |
| id.orig_p | kerberos.log | principal.port |
| id.resp_h | kerberos.log | target.ip |
| id.resp_p | kerberos.log | target.port |
| request_type | kerberos.log | additional.fields.key/value |
| client | kerberos.log | additional.fields.key/value |
| service | kerberos.log | additional.fields.key/value |
| success | kerberos.log | additional.fields.key/value |
| error_code | kerberos.log | additional.fields.key/value |
| error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
| from | kerberos.log | additional.fields.key/value |
| till | kerberos.log | additional.fields.key/value |
| cipher | kerberos.log | network.tls.cipher |
| forwardable | kerberos.log | additional.fields.key/value |
| renewable | kerberos.log | additional.fields.key/value |
| logged | kerberos.log | additional.fields.key/value |
| client_cert.ts | kerberos.log | additional.fields.key/value |
| client_cert.fuid | kerberos.log | additional.fields.key/value |
| client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.conn_uids | kerberos.log | additional.fields.key/value |
| client_cert.source | kerberos.log | additional.fields.key/value |
| client_cert.depth | kerberos.log | additional.fields.key/value |
| client_cert.analyzers | kerberos.log | additional.fields.key/value |
| client_cert.mime_type | kerberos.log | additional.fields.key/value |
| client_cert.filename | kerberos.log | additional.fields.key/value |
| client_cert.duration | kerberos.log | additional.fields.key/value |
| client_cert.local_orig | kerberos.log | additional.fields.key/value |
| client_cert.is_orig | kerberos.log | additional.fields.key/value |
| client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| client_cert.total_bytes | kerberos.log | additional.fields.key/value |
| client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| client_cert.timedout | kerberos.log | additional.fields.key/value |
| client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
| client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
| client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
| client_cert.x509.ts | kerberos.log | additional.fields.key/value |
| client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
| client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
| client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
| client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| client_cert.x509.handle | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| client_cert.x509.cert | kerberos.log | additional.fields.key/value |
| client_cert.extracted | kerberos.log | additional.fields.key/value |
| client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| client_cert.extracted_size | kerberos.log | additional.fields.key/value |
| client_cert.entropy | kerberos.log | additional.fields.key/value |
| client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
| client_cert_fuid | kerberos.log | additional.fields.key/value |
| server_cert.ts | kerberos.log | additional.fields.key/value |
| server_cert.fuid | kerberos.log | additional.fields.key/value |
| server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.conn_uids | kerberos.log | additional.fields.key/value |
| server_cert.source | kerberos.log | additional.fields.key/value |
| server_cert.depth | kerberos.log | additional.fields.key/value |
| server_cert.analyzers | kerberos.log | additional.fields.key/value |
| server_cert.mime_type | kerberos.log | additional.fields.key/value |
| server_cert.filename | kerberos.log | additional.fields.key/value |
| server_cert.duration | kerberos.log | additional.fields.key/value |
| server_cert.local_orig | kerberos.log | additional.fields.key/value |
| server_cert.is_orig | kerberos.log | additional.fields.key/value |
| server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| server_cert.total_bytes | kerberos.log | additional.fields.key/value |
| server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| server_cert.timedout | kerberos.log | additional.fields.key/value |
| server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
| server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
| server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
| server_cert.x509.ts | kerberos.log | additional.fields.key/value |
| server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
| server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
| server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
| server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| server_cert.x509.handle | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| server_cert.x509.cert | kerberos.log | additional.fields.key/value |
| server_cert.extracted | kerberos.log | additional.fields.key/value |
| server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| server_cert.extracted_size | kerberos.log | additional.fields.key/value |
| server_cert.entropy | kerberos.log | additional.fields.key/value |
| server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
| server_cert_fuid | kerberos.log | additional.fields.key/value |
| auth_ticket | kerberos.log | additional.fields.key/value |
| new_ticket | kerberos.log | additional.fields.key/value |
| ts | modbus.log | metadata.event_timestamp |
| uid | modbus.log | network.session_id |
| id.orig_h | modbus.log | principal.ip |
| id.orig_p | modbus.log | principal.port |
| id.resp_h | modbus.log | target.ip |
| id.resp_p | modbus.log | target.port |
| func | modbus.log | additional.fields.key/value |
| exception | modbus.log | additional.fields.key/value |
| track_address | modbus.log | additional.fields.key/value |
| ts | modbus_register_change.log | metadata.event_timestamp |
| uid | modbus_register_change.log | network.session_id |
| id.orig_h | modbus_register_change.log | principal.ip |
| id.orig_p | modbus_register_change.log | principal.port |
| id.resp_h | modbus_register_change.log | target.ip |
| id.resp_p | modbus_register_change.log | target.port |
| register | modbus_register_change.log | additional.fields.key/value |
| old_val | modbus_register_change.log | additional.fields.key/value |
| new_val | modbus_register_change.log | additional.fields.key/value |
| delta | modbus_register_change.log | additional.fields.key/value |
| ts | mysql.log | metadata.event_timestamp |
| uid | mysql.log | network.session_id |
| id.orig_h | mysql.log | principal.ip |
| id.orig_p | mysql.log | principal.port |
| id.resp_h | mysql.log | target.ip |
| id.resp_p | mysql.log | target.port |
| cmd | mysql.log | metadata.description |
| arg | mysql.log | principal.process.command_line |
| success | mysql.log |
If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
| rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
| response | mysql.log | additional.fields.key/value |
| ts | ntlm.log | metadata.event_timestamp |
| uid | ntlm.log | network.session_id |
| id.orig_h | ntlm.log | principal.ip |
| id.orig_p | ntlm.log | principal.port |
| id.resp_h | ntlm.log | target.ip |
| id.resp_p | ntlm.log | target.port |
| username | ntlm.log | principal.user.userid |
| hostname | ntlm.log | principal.hostname |
| domainname | ntlm.log | principal.administrative_domain |
| server_nb_computer_name | ntlm.log | additional.fields.key/value |
| server_dns_computer_name | ntlm.log | target.hostname |
| server_tree_name | ntlm.log | additional.fields.key/value |
| success | ntlm.log |
If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
| done | ntlm.log | additional.fields.key/value |
| ts | ntp.log | metadata.event_timestamp |
| uid | ntp.log | network.session_id |
| id.orig_h | ntp.log | principal.ip |
| id.orig_p | ntp.log | principal.port |
| id.resp_h | ntp.log | target.ip |
| id.resp_p | ntp.log | target.port |
| version | ntp.log | additional.fields.key/value |
| mode | ntp.log | additional.fields.key/value |
| stratum | ntp.log | additional.fields.key/value |
| poll | ntp.log | additional.fields.key/value |
| precision | ntp.log | additional.fields.key/value |
| root_delay | ntp.log | additional.fields.key/value |
| root_disp | ntp.log | additional.fields.key/value |
| ref_id | ntp.log | additional.fields.key/value |
| ref_time | ntp.log | additional.fields.key/value |
| org_time | ntp.log | additional.fields.key/value |
| rec_time | ntp.log | additional.fields.key/value |
| xmt_time | ntp.log | additional.fields.key/value |
| num_exts | ntp.log | additional.fields.key/value |
| ts | radius.log | metadata.event_timestamp |
| uid | radius.log | network.session_id |
| id.orig_h | radius.log | principal.ip |
| id.orig_p | radius.log | principal.port |
| id.resp_h | radius.log | target.ip |
| id.resp_p | radius.log | target.port |
| username | radius.log | principal.user.userid |
| mac | radius.log | principal.mac |
| framed_addr | radius.log | additional.fields.key/value |
| tunnel_client | radius.log | additional.fields.key/value |
| connect_info | radius.log | additional.fields.key/value |
| reply_msg | radius.log | additional.fields.key/value |
| result | radius.log | If the log type is "radius.log", the following fields are set:
If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful". If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
| ttl | radius.log | additional.fields.key/value |
| logged | radius.log | additional.fields.key/value |
| ts | rdp.log | metadata.event_timestamp |
| uid | rdp.log | network.session_id |
| id.orig_h | rdp.log | principal.ip |
| id.orig_p | rdp.log | principal.port |
| id.resp_h | rdp.log | target.ip |
| id.resp_p | rdp.log | target.port |
| cookie | rdp.log | principal.user.userid |
| result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| client_channels | rdp.log | additional.fields.key/value |
| keyboard_layout | rdp.log | additional.fields.key/value |
| client_build | rdp.log | principal.asset.platform_software.platform_version |
| client_name | rdp.log | additional.fields.key/value |
| client_dig_product_id | rdp.log | principal.asset.asset_id |
| desktop_width | rdp.log | additional.fields.key/value |
| desktop_height | rdp.log | additional.fields.key/value |
| requested_color_depth | rdp.log | additional.fields.key/value |
| cert_type | rdp.log | additional.fields.key/value |
| cert_count | rdp.log | additional.fields.key/value |
| cert_permanent | rdp.log | additional.fields.key/value |
| encryption_level | rdp.log | additional.fields.key/value |
| encryption_method | rdp.log | additional.fields.key/value |
| analyzer_id | rdp.log | additional.fields.key/value |
| done | rdp.log | additional.fields.key/value |
| ssl | rdp.log | additional.fields.key/value |
| ts | rfb.log | metadata.event_timestamp |
| uid | rfb.log | network.session_id |
| id.orig_h | rfb.log | principal.ip |
| id.orig_p | rfb.log | principal.port |
| id.resp_h | rfb.log | target.ip |
| id.resp_p | rfb.log | target.port |
| client_major_version | rfb.log | additional.fields.key/value |
| client_minor_version | rfb.log | additional.fields.key/value |
| server_major_version | rfb.log | additional.fields.key/value |
| server_minor_version | rfb.log | additional.fields.key/value |
| authentication_method | rfb.log | additional.fields.key/value |
| auth | rfb.log | additional.fields.key/value |
| share_flag | rfb.log | additional.fields.key/value |
| desktop_name | rfb.log | target.asset.hostname |
| width | rfb.log | additional.fields.key/value |
| height | rfb.log | additional.fields.key/value |
| done | rfb.log | additional.fields.key/value |
| ts | sip.log | metadata.event_timestamp |
| uid | sip.log | network.session_id
Also, network.application_protocol is set to "SIP". |
| id.orig_h | sip.log | principal.ip |
| id.orig_p | sip.log | principal.port |
| id.resp_h | sip.log | target.ip |
| id.resp_p | sip.log | target.port |
| trans_depth | sip.log | additional.fields.key/value |
| method | sip.log | metadata.description |
| uri | sip.log | about.url |
| date | sip.log | additional.fields.key/value |
| request_from | sip.log | principal.user.userid and principal.user.user_display_name |
| request_to | sip.log | target.user.userid and target.user.user_display_name |
| response_from | sip.log | additional.fields.key/value |
| response_to | sip.log | additional.fields.key/value |
| reply_to | sip.log | additional.fields.key/value |
| call_id | sip.log | network.session_id |
| seq | sip.log | additional.fields.key/value |
| subject | sip.log | additional.fields.key/value |
| request_path | sip.log | additional.fields.key/value |
| response_path | sip.log | additional.fields.key/value |
| user_agent | sip.log | additional.fields.key/value |
| status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
| status_msg | sip.log | security_result.description |
| warning | sip.log | additional.fields.key/value |
| request_body_len | sip.log | network.sent_bytes |
| response_body_len | sip.log | network.received_bytes |
| content_type | sip.log | additional.fields.key/value |
| ts | smb_cmd.log | metadata.event_timestamp |
| uid | smb_cmd.log | network.session_id |
| id.orig_h | smb_cmd.log | principal.ip |
| id.orig_p | smb_cmd.log | principal.port |
| id.resp_h | smb_cmd.log | target.ip |
| id.resp_p | smb_cmd.log | target.port |
| command | smb_cmd.log | principal.process.command_line |
| sub_command | smb_cmd.log | additional.fields.key/value |
| argument | smb_cmd.log | additional.fields.key/value |
| status | smb_cmd.log | additional.fields.key/value |
| rtt | smb_cmd.log | additional.fields.key/value |
| version | smb_cmd.log | metadata.product_version |
| username | smb_cmd.log | principal.user.userid |
| tree | smb_cmd.log | additional.fields.key/value |
| tree_service | smb_cmd.log | additional.fields.key/value |
| smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
| smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
| ts | smb_files.log | metadata.event_timestamp |
| uid | smb_files.log | network.session_id |
| id.orig_h | smb_files.log | principal.ip |
| id.orig_p | smb_files.log | principal.port |
| id.resp_h | smb_files.log | target.ip |
| id.resp_p | smb_files.log | target.port |
| fuid | smb_files.log | additional.fields.key/value |
| action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
| path | smb_files.log | target.file.full_path |
| name | smb_files.log | additional.fields.key/value |
| size | smb_files.log | target.file.size |
| prev_name | smb_files.log | additional.fields.key/value |
| times.modified | smb_files.log | additional.fields.key/value |
| times.modified_raw | smb_files.log | additional.fields.key/value |
| times.accessed | smb_files.log | additional.fields.key/value |
| times.accessed_raw | smb_files.log | additional.fields.key/value |
| times.created | smb_files.log | additional.fields.key/value |
| times.created_raw | smb_files.log | additional.fields.key/value |
| times.changed | smb_files.log | additional.fields.key/value |
| times.changed_raw | smb_files.log | additional.fields.key/value |
| fid | smb_files.log | additional.fields.key/value |
| uuid | smb_files.log | additional.fields.key/value |
| ts | smb_mapping.log | metadata.event_timestamp |
| uid | smb_mapping.log | network.session_id |
| id.orig_h | smb_mapping.log | principal.ip |
| id.orig_p | smb_mapping.log | principal.port |
| id.resp_h | smb_mapping.log | target.ip |
| id.resp_p | smb_mapping.log | target.port |
| path | smb_mapping.log | target.file.full_path |
| service | smb_mapping.log | target.application |
| native_file_system | smb_mapping.log | additional.fields.key/value |
| share_type | smb_mapping.log | target.resource.resource_type |
| ts | smtp.log | metadata.event_timestamp |
| uid | smtp.log | network.session_id |
| id.orig_h | smtp.log | principal.ip |
| id.orig_p | smtp.log | principal.port |
| id.resp_h | smtp.log | target.ip |
| id.resp_p | smtp.log | target.port |
| trans_depth | smtp.log | additional.fields.key/value |
| helo | smtp.log | additional.fields.key/value |
| mailfrom | smtp.log | additional.fields.key/value |
| rcptto | smtp.log | additional.fields.key/value |
| date | smtp.log | additional.fields.key/value |
| from | smtp.log | network.email.from |
| to | smtp.log | email.to |
| cc | smtp.log | network.email.cc |
| reply_to | smtp.log | email.reply_to |
| msg_id | smtp.log | email.mail_id |
| in_reply_to | smtp.log | additional.fields.key/value |
| subject | smtp.log | email.subject |
| x_originating_ip | smtp.log | additional.fields.key/value |
| first_received | smtp.log | additional.fields.key/value |
| second_received | smtp.log | additional.fields.key/value |
| last_reply | smtp.log | additional.fields.key/value |
| path | smtp.log | additional.fields.key/value |
| user_agent | smtp.log | additional.fields.key/value |
| tls | smtp.log | network.tls.established |
| process_received_from | smtp.log | additional.fields.key/value |
| has_client_activity | smtp.log | additional.fields.key/value |
| process_smtp_headers | smtp.log | additional.fields.key/value |
| entity.filename | smtp.log | additional.fields.key/value |
| entity.excerpt | smtp.log | additional.fields.key/value |
| fuids | smtp.log | additional.fields.key/value |
| is_webmail | smtp.log | additional.fields.key/value |
| ts | snmp.log | metadata.event_timestamp |
| uid | snmp.log | network.session_id |
| id.orig_h | snmp.log | principal.ip |
| id.orig_p | snmp.log | principal.port |
| id.resp_h | snmp.log | target.ip |
| id.resp_p | snmp.log | target.port |
| duration | snmp.log | network.session_duration |
| version | snmp.log | metadata.product_version |
| community | snmp.log | network.community_id |
| get_requests | snmp.log | additional.fields.key/value |
| get_bulk_requests | snmp.log | additional.fields.key/value |
| get_responses | snmp.log | additional.fields.key/value |
| set_requests | snmp.log | additional.fields.key/value |
| display_string | snmp.log | metadata.description |
| up_since | snmp.log | additional.fields.key/value |
| ts | socks.log | metadata.event_timestamp |
| uid | socks.log | network.session_id |
| id.orig_h | socks.log | principal.ip |
| id.orig_p | socks.log | principal.port |
| id.resp_h | socks.log | target.ip |
| id.resp_p | socks.log | target.port |
| version | socks.log | additional.fields.key/value |
| user | socks.log | principal.user.userid |
| status | socks.log | additional.fields.key/value |
| request.host | socks.log | principal.hostname |
| request.name | socks.log | additional.fields.key/value |
| request_p | socks.log | additional.fields.key/value |
| bound.host | socks.log | additional.fields.key/value |
| bound.name | socks.log | additional.fields.key/value |
| bound_p | socks.log | additional.fields.key/value |
| capture_password | socks.log | additional.fields.key/value |
| ts | ssh.log | metadata.event_timestamp |
| uid | ssh.log | network.session_id |
| id.orig_h | ssh.log | principal.ip |
| id.orig_p | ssh.log | principal.port |
| id.resp_h | ssh.log | target.ip |
| id.resp_p | ssh.log | target.port |
| version | ssh.log | metadata.product_version |
| auth_success | ssh.log | additional.fields.key/value |
| auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
| direction | ssh.log | network.direction |
| client | ssh.log | principal.platform_version |
| server | ssh.log | target.platform_version |
| cipher_alg | ssh.log | additional.fields.key/value |
| mac_alg | ssh.log | additional.fields.key/value |
| compression_alg | ssh.log | additional.fields.key/value |
| kex_alg | ssh.log | additional.fields.key/value |
| host_key_alg | ssh.log | additional.fields.key/value |
| host_key | ssh.log | additional.fields.key/value |
| logged | ssh.log | additional.fields.key/value |
| capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
| capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
| capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
| capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
| capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
| capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
| capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
| capabilities.is_server | ssh.log | additional.fields.key/value |
| analyzer_id | ssh.log | additional.fields.key/value |
| remote_location.country_code | ssh.log | additional.fields.key/value |
| remote_location.region | ssh.log | target.asset.location.country_or_region |
| remote_location.city | ssh.log | target.asset.location.city |
| remote_location.latitude | ssh.log | additional.fields.key/value |
| remote_location.longitude | ssh.log | additional.fields.key/value |
| ts | ssl.log | metadata.event_timestamp |
| uid | ssl.log | metadata.product_log_id |
| id.orig_h | ssl.log | principal.ip |
| id.orig_p | ssl.log | principal.port |
| id.resp_h | ssl.log | target.ip |
| id.resp_p | ssl.log | target.port |
| version_num | ssl.log | additional.fields.key/value |
| version | ssl.log | network.tls.version |
| cipher | ssl.log | network.tls.cipher |
| curve | ssl.log | network.tls.curve |
| server_name | ssl.log | network.tls.client.server_name |
| session_id | ssl.log | network.session_id |
| resumed | ssl.log | network.tls.resumed |
| client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
| client_key_exchange_seen | ssl.log | additional.fields.key/value |
| client_psk_seen | ssl.log | additional.fields.key/value |
| last_alert | ssl.log | additional.fields.key/value |
| next_protocol | ssl.log | network.tls.next_protocol |
| analyzer_id | ssl.log | additional.fields.key/value |
| established | ssl.log | network.tls.established |
| logged | ssl.log | additional.fields.key/value |
| ssl_history | ssl.log | additional.fields.key/value |
| cert_chain_fps | ssl.log | additional.fields.key/value |
| client_cert_chain_fps | ssl.log | additional.fields.key/value |
| subject | ssl.log | network.tls.server.certificate.subject |
| issuer | ssl.log | network.tls.server.certificate.issuer |
| client_subject | ssl.log | network.tls.client.certificate.subject |
| client_issuer | ssl.log | network.tls.client.certificate.issuer |
| sni_matches_cert | ssl.log | additional.fields.key/value |
| server_depth | ssl.log | additional.fields.key/value |
| client_depth | ssl.log | additional.fields.key/value |
| always_raise_x509_events | ssl.log | additional.fields.key/value |
| last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
| last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
| originator_heartbeats | ssl.log | additional.fields.key/value |
| responder_heartbeats | ssl.log | additional.fields.key/value |
| heartbleed_detected | ssl.log | additional.fields.key/value |
| enc_appdata_packages | ssl.log | additional.fields.key/value |
| enc_appdata_bytes | ssl.log | additional.fields.key/value |
| server_version | ssl.log | additional.fields.key/value |
| client_version | ssl.log | additional.fields.key/value |
| client_ciphers | ssl.log | network.tls.client.supported_ciphers |
| ssl_client_exts | ssl.log | additional.fields.key/value |
| ssl_server_exts | ssl.log | additional.fields.key/value |
| ticket_lifetime_hint | ssl.log | additional.fields.key/value |
| dh_param_size | ssl.log | additional.fields.key/value |
| point_formats | ssl.log | additional.fields.key/value |
| client_curves | ssl.log | additional.fields.key/value |
| orig_alpn | ssl.log | additional.fields.key/value |
| client_supported_versions | ssl.log | additional.fields.key/value |
| server_supported_version | ssl.log | additional.fields.key/value |
| psk_key_exchange_modes | ssl.log | additional.fields.key/value |
| client_key_share_groups | ssl.log | additional.fields.key/value |
| server_key_share_group | ssl.log | additional.fields.key/value |
| client_comp_methods | ssl.log | additional.fields.key/value |
| comp_method | ssl.log | additional.fields.key/value |
| sigalgs | ssl.log | additional.fields.key/value |
| hashalgs | ssl.log | additional.fields.key/value |
| validation_status | ssl.log | additional.fields.key/value |
| validation_code | ssl.log | additional.fields.key/value |
| valid_chain | ssl.log | additional.fields.key/value |
| ocsp_status | ssl.log | additional.fields.key/value |
| ocsp_response | ssl.log | additional.fields.key/value |
| valid_scts | ssl.log | additional.fields.key/value |
| invalid_scts | ssl.log | additional.fields.key/value |
| valid_ct_logs | ssl.log | additional.fields.key/value |
| valid_ct_operators | ssl.log | additional.fields.key/value |
| valid_ct_operators_list | ssl.log | additional.fields.key/value |
| ct_proofs | ssl.log | additional.fields.key/value |
| notary.first_seen | ssl.log | additional.fields.key/value |
| notary.last_seen | ssl.log | additional.fields.key/value |
| notary.times_seen | ssl.log | additional.fields.key/value |
| notary.valid | ssl.log | additional.fields.key/value |
| ts | syslog.log | metadata.event_timestamp |
| uid | syslog.log | network.session_id |
| id.orig_h | syslog.log | principal.ip |
| id.orig_p | syslog.log | principal.port |
| id.resp_h | syslog.log | target.ip |
| id.resp_p | syslog.log | target.port |
| proto | syslog.log | network.ip_protocol |
| facility | syslog.log | additional.fields.key/value |
| severity | syslog.log | security_result.severity_details |
| message | syslog.log | metadata.description |
| ts | tunnel.log | metadata.event_timestamp |
| uid | tunnel.log | network.session_id |
| id.orig_h | tunnel.log | principal.ip |
| id.orig_p | tunnel.log | principal.port |
| id.resp_h | tunnel.log | target.ip |
| id.resp_p | tunnel.log | target.port |
| tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
| action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
Dateien
In der folgenden Tabelle sind die Protokollfelder des Dateiprotokolltyps und die entsprechenden UDM-Felder aufgeführt.
| Original-Log-Feld | Logtyp | UDM-Feld |
|---|---|---|
| ts | files.log | metadata.event_timestamp |
| fuid | files.log | metadata.product_log_id |
| tx_hosts | files.log | principal.ip |
| rx_hosts | files.log | target.ip |
| conn_uids | files.log | additional.fields.key/value |
| source | files.log | network.application_protocol
target.file.full_path |
| depth | files.log | additional.fields.key/value |
| analyzers | files.log | additional.fields.key/value |
| mime_type | files.log | target.file.mime_type |
| filename | files.log | target.file.full_path |
| duration | files.log | additional.fields.key/value |
| local_orig | files.log | additional.fields.key/value |
| is_orig | files.log | additional.fields.key/value |
| seen_bytes | files.log | target.file.size |
| total_bytes | files.log | additional.fields.key/value |
| missing_bytes | files.log | additional.fields.key/value |
| overflow_bytes | files.log | additional.fields.key/value |
| timedout | files.log | additional.fields.key/value |
| parent_fuid | files.log | additional.fields.key/value |
| md5 | files.log | target.file.md5 |
| sha1 | files.log | target.file.sha1 |
| sha256 | files.log | target.file.sha256 |
| md5 | files.log | network.tls.client.certificate.md5 |
| sha1 | files.log | network.tls.client.certificate.sha1 |
| sha256 | files.log | network.tls.client.certificate.sha256 |
| md5 | files.log | network.tls.server.certificate.md5 |
| sha1 | files.log | network.tls.server.certificate.sha1 |
| sha256 | files.log | network.tls.server.certificate.sha256 |
| x509 | files.log | additional.fields.key/value
This field is a nested field. |
| extracted | files.log | additional.fields.key/value |
| extracted_cutoff | files.log | additional.fields.key/value |
| extracted_size | files.log | additional.fields.key/value |
| entropy | files.log | additional.fields.key/value |
| ts | ocsp.log | metadata.event_timestamp |
| id | ocsp.log | metadata.product_log_id |
| hashAlgorithm | ocsp.log | additional.fields.key/value |
| issuerNameHash | ocsp.log | additional.fields.key/value |
| issuerKeyHash | ocsp.log | additional.fields.key/value |
| serialNumber | ocsp.log | tls.server.certificate.serial |
| certStatus | ocsp.log | additional.fields.key/value |
| revoketime | ocsp.log | network.tls.server.certificate.not_after |
| revokereason | ocsp.log | security_result.summary |
| thisUpdate | ocsp.log | additional.fields.key/value |
| nextUpdate | ocsp.log | additional.fields.key/value |
| ts | pe.log | metadata.event_timestamp |
| id | pe.log | metadata.product_log_id |
| machine | pe.log | target.resource.resource_subtype |
| compile_ts | pe.log | additional.fields.key/value |
| os | pe.log | target.platform_version
target.resource.resource_type is set to "DEVICE". |
| subsystem | pe.log | target.application |
| is_exe | pe.log | additional.fields.key/value |
| is_64bit | pe.log | additional.fields.key/value |
| uses_aslr | pe.log | additional.fields.key/value |
| uses_dep | pe.log | additional.fields.key/value |
| uses_code_integrity | pe.log | additional.fields.key/value |
| uses_seh | pe.log | additional.fields.key/value |
| has_import_table | pe.log | additional.fields.key/value |
| has_export_table | pe.log | additional.fields.key/value |
| has_cert_table | pe.log | additional.fields.key/value |
| has_debug_data | pe.log | additional.fields.key/value |
| section_names | pe.log | additional.fields.key/value |
| ts | x509.log | metadata.event_timestamp
Also, target.application is set to "x509". |
| fingerprint | x509.log | additional.fields.key/value |
| certificate.version | x509.log | network.tls.server.certificate.version |
| certificate.serial | x509.log | network.tls.server.certificate.serial |
| certificate.subject | x509.log | network.tls.server.certificate.subject |
| certificate.issuer | x509.log | network.tls.server.certificate.issuer |
| certificate.cn | x509.log | target.hostname |
| certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
| certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
| certificate.key_alg | x509.log | additional.fields.key/value |
| certificate.sig_alg | x509.log | additional.fields.key/value |
| certificate.key_type | x509.log | additional.fields.key/value |
| certificate.key_length | x509.log | additional.fields.key/value |
| certificate.exponent | x509.log | additional.fields.key/value |
| certificate.curve | x509.log | network.tls.curve |
| handle | x509.log | additional.fields.key/value |
| extensions.name | x509.log | additional.fields.key/value |
| extensions.short_name | x509.log | additional.fields.key/value |
| extensions.oid | x509.log | additional.fields.key/value |
| extensions.critical | x509.log | additional.fields.key/value |
| extensions.value | x509.log | additional.fields.key/value |
| san.dns | x509.log | additional.fields.key/value |
| san.uri | x509.log | additional.fields.key/value |
| san.email | x509.log | additional.fields.key/value |
| san.ip | x509.log | additional.fields.key/value |
| san.other_fields | x509.log | additional.fields.key/value |
| basic_constraints.ca | x509.log | additional.fields.key/value |
| basic_constraints.path_len | x509.log | additional.fields.key/value |
| extensions_cache | x509.log | additional.fields.key/value |
| host_cert | x509.log | additional.fields.key/value |
| client_cert | x509.log | additional.fields.key/value |
| deduplication_index.fingerprint | x509.log | additional.fields.key/value |
| deduplication_index.host_cert | x509.log | additional.fields.key/value |
| deduplication_index.client_cert | x509.log | additional.fields.key/value |
| always_raise_x509_events | x509.log | additional.fields.key/value |
| cert | x509.log | additional.fields.key/value |
Netcontrol
In der folgenden Tabelle sind die Protokollfelder des Protokolltyps „netcontrol“ und die zugehörigen UDM-Felder aufgeführt.
| Original-Log-Feld | Logtyp | UDM-Feld |
|---|---|---|
| ts | netcontrol.log | metadata.event_timestamp |
| rule_id | netcontrol.log | security_result.rule_id |
| category | netcontrol.log | security_result.category_details |
| cmd | netcontrol.log | additional.fields.key/value |
| state | netcontrol.log | additional.fields.key/value |
| action | netcontrol.log | security_result.action_details |
| target | netcontrol.log | additional.fields.key/value |
| entity_type | netcontrol.log | additional.fields.key/value |
| entity | netcontrol.log | security_result.summary |
| mod | netcontrol.log | additional.fields.key/value |
| msg | netcontrol.log | security_result.description |
| priority | netcontrol.log | security_result.priority_details |
| expire | netcontrol.log | additional.fields.key/value |
| location | netcontrol.log | additional.fields.key/value |
| plugin | netcontrol.log | additional.fields.key/value |
| ts | netcontrol_drop.log | metadata.event_timestamp |
| rule_id | netcontrol_drop.log | security_result.rule_id |
| orig_h | netcontrol_drop.log | principal.ip |
| orig_p | netcontrol_drop.log | principal.port |
| resp_h | netcontrol_drop.log | target.ip |
| resp_p | netcontrol_drop.log | target.port |
| expire | netcontrol_drop.log | additional.fields.key/value |
| location | netcontrol_drop.log | additional.fields.key/value |
| ts | netcontrol_shunt.log | metadata.event_timestamp |
| rule_id | netcontrol_shunt.log | security_result.rule_id |
| f.src_h | netcontrol_shunt.log | principal.ip |
| f.src_p | netcontrol_shunt.log | principal.port |
| f.dst_h | netcontrol_shunt.log | target.ip |
| f.dst_p | netcontrol_shunt.log | target.port |
| expire | netcontrol_shunt.log | additional.fields.key/value |
| location | netcontrol_shunt.log | additional.fields.key/value |
| ts | netcontrol_catch_release.log | metadata.event_timestamp |
| rule_id | netcontrol_catch_release.log | security_result.rule_id |
| ip | netcontrol_catch_release.log | target.ip |
| action | netcontrol_catch_release.log | security_result.action_details |
| block_interval | netcontrol_catch_release.log | additional.fields.key/value |
| watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
| blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
| watched_until | netcontrol_catch_release.log | additional.fields.key/value |
| num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
| location | netcontrol_catch_release.log | additional.fields.key/value |
| message | netcontrol_catch_release.log | security_result.description |
| ts | openflow.log | metadata.event_timestamp |
| dpid | openflow.log | additional.fields.key/value |
| match.in_port | openflow.log | additional.fields.key/value |
| match.dl_src | openflow.log | additional.fields.key/value |
| match.dl_dst | openflow.log | additional.fields.key/value |
| match.dl_vlan | openflow.log | additional.fields.key/value |
| match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
| match.dl_type | openflow.log | additional.fields.key/value |
| match.nw_tos | openflow.log | additional.fields.key/value |
| match.nw_proto | openflow.log | additional.fields.key/value |
| match.nw_src | openflow.log | additional.fields.key/value |
| match.nw_dst | openflow.log | additional.fields.key/value |
| match.tp_src | openflow.log | additional.fields.key/value |
| match.tp_dst | openflow.log | additional.fields.key/value |
| flow_mod.cookie | openflow.log | additional.fields.key/value |
| flow_mod.table_id | openflow.log | additional.fields.key/value |
| flow_mod.command | openflow.log | additional.fields.key/value |
| flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
| flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
| flow_mod.priority | openflow.log | additional.fields.key/value |
| flow_mod.out_port | openflow.log | additional.fields.key/value |
| flow_mod.flags | openflow.log | additional.fields.key/value |
| flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Erkennung
In der folgenden Tabelle sind die Protokollfelder des Typs „Erkennungsprotokoll“ und die zugehörigen UDM-Felder aufgeführt.
| Original-Log-Feld | Logtyp | UDM-Feld |
|---|---|---|
| ts | intel.log | metadata.event_timestamp |
| uid | intel.log | network.session_id |
| id.orig_h | intel.log | principal.ip |
| id.orig_p | intel.log | principal.port |
| id.resp_h | intel.log | target.ip |
| id.resp_p | intel.log | target.port |
| seen.indicator | intel.log | additional.fields.key/value |
| seen.indicator_type | intel.log | additional.fields.key/value |
| seen.host | intel.log | additional.fields.key/value |
| seen.where | intel.log | additional.fields.key/value |
| seen.node | intel.log | additional.fields.key/value |
| seen.conn.id.orig_h | intel.log | additional.fields.key/value |
| seen.conn.id.orig_p | intel.log | additional.fields.key/value |
| seen.conn.id.resp_h | intel.log | additional.fields.key/value |
| seen.conn.id.resp_p | intel.log | additional.fields.key/value |
| seen.conn.orig.size | intel.log | network.sent_bytes |
| seen.conn.orig.state | intel.log | additional.fields.key/value |
| seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
| seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.resp.size | intel.log | network.received_bytes |
| seen.conn.resp.state | intel.log | additional.fields.key/value |
| seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
| seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.start_time | intel.log | additional.fields.key/value |
| seen.conn.duration | intel.log | network.session_duration |
| seen.conn.service | intel.log | additional.fields.key/value |
| seen.conn.history | intel.log | metadata.description |
| seen.conn.uid | intel.log | network.session_id |
| seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
| seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
| seen.conn.vlan | intel.log | additional.fields.key/value |
| seen.conn.inner_vlan | intel.log | additional.fields.key/value |
| seen.conn.dpd_state | intel.log | additional.fields.key/value |
| seen.conn.removal_hooks | intel.log | additional.fields.key/value |
| seen.conn.extract_orig | intel.log | additional.fields.key/value |
| seen.conn.extract_resp | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
| seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
| seen.conn.http_state.pending | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
| seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
| seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
| seen.conn.known_services_done | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
| seen.conn.speculative_service | intel.log | additional.fields.key/value |
| seen.uid | intel.log | additional.fields.key/value |
| seen.f.id | intel.log | additional.fields.key/value |
| seen.f.parent_id | intel.log | additional.fields.key/value |
| seen.f.source | intel.log | target.file.full_path |
| seen.f.is_orig | intel.log | additional.fields.key/value |
| seen.f.conns | intel.log | additional.fields.key/value |
| seen.f.last_active | intel.log | additional.fields.key/value |
| seen.f.seen_bytes | intel.log | additional.fields.key/value |
| seen.f.total_bytes | intel.log | additional.fields.key/value |
| seen.f.missing_bytes | intel.log | additional.fields.key/value |
| seen.f.overflow_bytes | intel.log | additional.fields.key/value |
| seen.f.timeout_interval | intel.log | additional.fields.key/value |
| seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
| seen.f.bof_buffer | intel.log | additional.fields.key/value |
| seen.f.u2_events | intel.log | additional.fields.key/value |
| seen.fuid | intel.log | additional.fields.key/value |
| matched | intel.log | additional.fields.key/value |
| sources | intel.log | additional.fields.key/value |
| fuid | intel.log | additional.fields.key/value |
| file_mime_type | intel.log | target.file.mime_type |
| file_desc | intel.log | additional.fields.key/value |
| cif.tags | intel.log | additional.fields.key/value |
| cif.confidence | intel.log | additional.fields.key/value |
| cif.source | intel.log | additional.fields.key/value |
| cif.description | intel.log | additional.fields.key/value |
| cif.firstseen | intel.log | additional.fields.key/value |
| cif.lastseen | intel.log | additional.fields.key/value |
| ts | notice.log | metadata.event_timestamp |
| uid | notice.log | network.session_id |
| id.orig_h | notice.log | principal.ip |
| id.orig_p | notice.log | principal.port |
| id.resp_h | notice.log | target.ip |
| id.resp_p | notice.log | target.port |
| conn.id.orig_h | notice.log | additional.fields.key/value |
| conn.id.orig_p | notice.log | additional.fields.key/value |
| conn.id.resp_h | notice.log | additional.fields.key/value |
| conn.id.resp_p | notice.log | additional.fields.key/value |
| conn.orig.size | notice.log | network.sent_bytes |
| conn.orig.state | notice.log | additional.fields.key/value |
| conn.orig.num_pkts | notice.log | additional.fields.key/value |
| conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.orig.flow_label | notice.log | additional.fields.key/value |
| conn.orig.l2_addr | notice.log | additional.fields.key/value |
| conn.resp.size | notice.log | network.received_bytes |
| conn.resp.state | notice.log | additional.fields.key/value |
| conn.resp.num_pkts | notice.log | additional.fields.key/value |
| conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.resp.flow_label | notice.log | additional.fields.key/value |
| conn.resp.l2_addr | notice.log | additional.fields.key/value |
| conn.start_time | notice.log | additional.fields.key/value |
| conn.duration | notice.log | network.session_duration |
| conn.service | notice.log | additional.fields.key/value |
| conn.history | notice.log | metadata.description |
| conn.uid | notice.log | network.session_id |
| conn.tunnel.queued | notice.log | additional.fields.key/value |
| conn.tunnel.dispatched | notice.log | additional.fields.key/value |
| conn.vlan | notice.log | additional.fields.key/value |
| conn.inner_vlan | notice.log | additional.fields.key/value |
| conn.dpd_state.violations | notice.log | additional.fields.key/value |
| conn.removal_hooks | notice.log | additional.fields.key/value |
| conn.extract_orig | notice.log | additional.fields.key/value |
| conn.extract_resp | notice.log | additional.fields.key/value |
| conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
| conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
| conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
| conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
| conn.thresholds.duration | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_backing | notice.log | additional.fields.key/value |
| conn.dns_state.pending_query | notice.log | additional.fields.key/value |
| conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
| conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
| conn.ftp_data_reuse | notice.log | additional.fields.key/value |
| conn.http_state.pending | notice.log | additional.fields.key/value |
| conn.http_state.current_request | notice.log | additional.fields.key/value |
| conn.http_state.current_response | notice.log | additional.fields.key/value |
| conn.http_state.trans_depth | notice.log | additional.fields.key/value |
| conn.sip_state.pending | notice.log | additional.fields.key/value |
| conn.sip_state.current_request | notice.log | additional.fields.key/value |
| conn.sip_state.current_response | notice.log | additional.fields.key/value |
| conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
| conn.smb_state.fid_map | notice.log | additional.fields.key/value |
| conn.smb_state.tid_map | notice.log | additional.fields.key/value |
| conn.smb_state.uid_map | notice.log | additional.fields.key/value |
| conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
| conn.smb_state.recent_files | notice.log | additional.fields.key/value |
| conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
| conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
| conn.known_services_done | notice.log | additional.fields.key/value |
| mqtt.ts | notice.log | additional.fields.key/value |
| mqtt.uid | notice.log | additional.fields.key/value |
| mqtt.id | notice.log | additional.fields.key/value |
| mqtt.proto_name | notice.log | additional.fields.key/value |
| mqtt.proto_version | notice.log | additional.fields.key/value |
| mqtt.client_id | notice.log | additional.fields.key/value |
| mqtt.connect_status | notice.log | additional.fields.key/value |
| mqtt.will_topic | notice.log | additional.fields.key/value |
| mqtt.will_payload | notice.log | additional.fields.key/value |
| conn.mqtt_state.publish | notice.log | additional.fields.key/value |
| conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
| conn.speculative_service | notice.log | additional.fields.key/value |
| iconn.orig_h | notice.log | additional.fields.key/value |
| iconn.resp_h | notice.log | additional.fields.key/value |
| iconn.itype | notice.log | additional.fields.key/value |
| iconn.icode | notice.log | additional.fields.key/value |
| iconn.len | notice.log | additional.fields.key/value |
| iconn.hlim | notice.log | additional.fields.key/value |
| iconn.v6 | notice.log | additional.fields.key/value |
| f.id | notice.log | additional.fields.key/value |
| f.parent_id | notice.log | additional.fields.key/value |
| f.source | notice.log | target.file.full_path |
| f.is_orig | notice.log | additional.fields.key/value |
| f.conns | notice.log | additional.fields.key/value |
| f.last_active | notice.log | additional.fields.key/value |
| f.seen_bytes | notice.log | additional.fields.key/value |
| f.total_bytes | notice.log | additional.fields.key/value |
| f.missing_bytes | notice.log | additional.fields.key/value |
| f.overflow_bytes | notice.log | additional.fields.key/value |
| f.timeout_interval | notice.log | additional.fields.key/value |
| f.bof_buffer_size | notice.log | additional.fields.key/value |
| f.bof_buffer | notice.log | additional.fields.key/value |
| f.u2_events | notice.log | additional.fields.key/value |
| fuid | notice.log | additional.fields.key/value |
| file_mime_type | notice.log | target.file.mime_type |
| file_desc | notice.log | additional.fields.key/value |
| proto | notice.log | network.ip_protocol |
| note | notice.log | security_result.description |
| msg | notice.log | security_result.summary |
| sub | notice.log | additional.fields.key/value |
| src | notice.log | principal.ip |
| dst | notice.log | target.ip |
| p | notice.log | target.port |
| n | notice.log | additional.fields.key/value |
| peer_name | notice.log | additional.fields.key/value |
| peer_descr | notice.log | additional.fields.key/value |
| actions | notice.log | security_result.action_details |
| email_dest | notice.log | network.email.to (repeated) |
| email_body_sections | notice.log | network.email.subject (repeated) |
| email_delay_tokens | notice.log | additional.fields.key/value |
| identifier | notice.log | additional.fields.key/value |
| suppress_for | notice.log | additional.fields.key/value |
| remote_location.country_code | notice.log | additional.fields.key/value |
| remote_location.region | notice.log | principal.asset.location.country_or_region |
| remote_location.city | notice.log | principal.asset.location.city |
| remote_location.latitude | notice.log | additional.fields.key/value |
| remote_location.longitude | notice.log | additional.fields.key/value |
| dropped | notice.log | security_result.action_details |
| ts | signatures.log | metadata.event_timestamp |
| uid | signatures.log | network.session_id |
| src_addr | signatures.log | principal.ip |
| src_port | signatures.log | principal.port |
| dst_addr | signatures.log | target.ip |
| dst_port | signatures.log | target.port |
| note | signatures.log | security_result.summary |
| sig_id | signatures.log | additional.fields.key/value |
| event_msg | signatures.log | metadata.description |
| sub_msg | signatures.log | additional.fields.key/value |
| sig_count | signatures.log | additional.fields.key/value |
| host_count | signatures.log | additional.fields.key/value |
| ts | traceroute.log | metadata.event_timestamp |
| src | traceroute.log | principal.ip |
| dst | traceroute.log | target.ip |
| proto | traceroute.log | network.ip_protocol |
Netzwerkbeobachtungen
In der folgenden Tabelle sind die Logfelder des Protokolltyps „Netzwerkbeobachtungen“ und die zugehörigen UDM-Felder aufgeführt.
| Original-Log-Feld | Logtyp | UDM-Feld |
|---|---|---|
| ts | known_certs.log | metadata.event_timestamp |
| host | known_certs.log | principal.ip |
| port_num | known_certs.log | principal.port |
| subject | known_certs.log | network.tls.client.certificate.subject |
| issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
| serial | known_certs.log | network.tls.client.certificate.serial |
| ts | known_hosts.log | metadata.event_timestamp |
| host | known_hosts.log | principal.ip |
| ts | known_modbus.log | metadata.event_timestamp |
| host | known_modbus.log | principal.ip |
| device_type | known_modbus.log | target.resource.name
target.resource.resource_type = "DEVICE" |
| ts | known_services.log | metadata.event_timestamp |
| host | known_services.log | principal.ip |
| port_num | known_services.log | principal.port |
| port_proto | known_services.log | network.ip_protocol |
| service | known_services.log | target.application |
| ts | software.log | metadata.event_timestamp |
| host | software.log | principal.ip |
| host_p | software.log | principal.port |
| software_type | software.log | principal.resource.resource_subtype |
| name | software.log | principal.resource.name |
| version.major | software.log | additional.fields.key/value |
| version.minor | software.log | additional.fields.key/value |
| version.minor2 | software.log | additional.fields.key/value |
| version.minor3 | software.log | additional.fields.key/value |
| version.addl | software.log | additional.fields.key/value |
| unparsed_version | software.log | additional.fields.key/value |
| force_log | software.log | additional.fields.key/value |
| url | software.log | metadata.url_back_to_product |
Referenz für die Feldzuordnung: Ereignis-ID zu UDM-Ereignistyp
In den folgenden Abschnitten wird beschrieben, wie der Parser Lognamen UDM-Ereignistypen zuordnet:
Netzwerkprotokolle
In der folgenden Tabelle sind die Lognamen des Protokolltyps „Netzwerkprotokolle“ und die zugehörigen UDM-Ereignistypen aufgeführt.
| Logname | Beschreibung | UDM-Ereignistyp |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
| dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
| dhcp.log | DHCP leases | NETWORK_DHCP |
| dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
| dns.log | DNS activity | NETWORK_DNS |
| ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
| http.log | HTTP requests and replies | NETWORK_HTTP |
| irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
| kerberos.log | Kerberos | NETWORK_CONNECTION |
| modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
| modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
| mysql.log | MySQL | NETWORK_UNCATEGORIZED |
| ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
| ntp.log | Network Time Protocol | NETWORK_CONNECTION |
| radius.log | RADIUS authentication attempts | USER_LOGIN |
| rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
| rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
| sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
| smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
| smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
| smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
| smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
| snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
| socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
| ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
| ssl.log | SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info | NETWORK_HTTP
NETWORK_CONNECTION |
| syslog.log | Syslog messages | NETWORK_CONNECTION |
| tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Dateien
In der folgenden Tabelle sind die Lognamen des Dateiprotokolltyps und die zugehörigen UDM-Ereignistypen aufgeführt.
| Logname | Beschreibung | UDM-Ereignistyp |
|---|---|---|
| files.log | File analysis results | NETWORK_UNCATEGORIZED |
| ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
| pe.log | Portable Executable (PE) | GENERIC_EVENT |
| x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
In der folgenden Tabelle sind die Lognamen des Logtyps „netcontrol“ und die zugehörigen UDM-Ereignistypen aufgeführt.
| Logname | Beschreibung | UDM-Ereignistyp |
|---|---|---|
| netcontrol.log | NetControl actions | GENERIC_EVENT |
| netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
| netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
| netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
| openflow.log | OpenFlow debug log | GENERIC_EVENT |
Erkennung
In der folgenden Tabelle sind die Lognamen des Typs „Detection Log“ und die zugehörigen UDM-Ereignistypen aufgeführt.
| Logname | Beschreibung | UDM-Ereignistyp |
|---|---|---|
| intel.log | Intelligence data matches | GENERIC_EVENT |
| notice.log | Zeek notices | NETWORK_CONNECTION |
| notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
| signatures.log | Signature matches | GENERIC_EVENT |
| traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
Netzwerkbeobachtungen
In der folgenden Tabelle sind die Lognamen des Protokolltyps „Netzwerkbeobachtungen“ und die zugehörigen UDM-Ereignistypen aufgeführt.
| Logname | Beschreibung | UDM-Ereignistyp |
|---|---|---|
| known_certs.log | SSL certificates | GENERIC_EVENT |
| known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
| known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
| known_services.log | Services running on hosts | GENERIC_EVENT |
| software.log | Software used on the network | GENERIC_EVENT |
Nächste Schritte
Benötigen Sie weitere Hilfe? Antworten von Community-Mitgliedern und Google SecOps-Experten erhalten