Collecter les journaux Zeek (Bro)
Compatible avec:
Google SecOps
SIEM
Ce document explique comment déployer Zeek (anciennement Bro) et NXLog avec Google Security Operations pour collecter les journaux Zeek au format JSON. Ce document également explique comment les champs de journaux Zeek sont mappés à Google Security Operations Champs de modèle de données unifié (UDM).
Pour en savoir plus sur l'ingestion de données dans Google Security Operations, consultez Ingestion de données dans Google Security Operations.
Un libellé d'ingestion identifie l'analyseur qui normalise les données de journal brutes au format UDM structuré. Les informations de ce document s'appliquent à l'analyseur avec le libellé d'ingestion BRO_JSON.
Avant de commencer
Pour comprendre les composants déployés pour collecter les journaux Zeek, consultez le architecture de déploiement. Chaque déploiement client peut différer de cette représentation et être plus complexe. Le schéma suivant montre comment configurer un agent NXLog et un transfert Google Security Operations sur un serveur Linux, puis transférer les données de journal vers Google Security Operations.
Vérifiez les versions de Zeek compatibles avec l'analyseur Google Security Operations. L'analyseur Google Security Operations est compatible avec les versions Zeek suivantes :
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Avant d'utiliser l'analyseur Zeek, consultez les modifications apportées aux mappages de champs entre l'analyseur précédent et l'analyseur Zeek actuel. Lors de la migration, assurez-vous que les règles, recherches, tableaux de bord ou autres processus qui dépendent les champs d'origine utilisent les champs mis à jour.
Par exemple, dans la version précédente de l'analyseur, le champ
server_nameest mappé sur le Champ UDMtarget.hostname. Dans l'analyseur Zeek actuel, le champserver_nameest mappé au champ UDMnetwork.tls.client.server_name. Si vous migrez vers l'analyseur Zeek actuel et utiliser le champserver_namedans vos règles ; vous devez modifier les règles pour utiliser le champ UDMnetwork.tls.client.server_namede l'analyseur actuel.Vérifiez les types de journaux Zeek compatibles avec l'analyseur Google Security Operations. Le tableau suivant répertorie les types de journaux Zeek que le service Google Security Operations prend en charge:
| Type de journal | Description |
| Protocoles réseau | Inclut les fichiers journaux des protocoles réseau, tels que le protocole DHCP (Dynamic Host Configuration Protocol) et le système de noms de domaine (DNS). |
| Fichiers | Comprend les fichiers journaux suivants: résultats d'analyse de fichiers, OSP (Online Certificate Status Protocol), PE (Portable Executable) et certificat X.509. |
| NetControl | Inclut les fichiers journaux des actions NetControl et les journaux de débogage OpenFlow. |
| Détection | Comprend les fichiers journaux des correspondances de données CTI, des notifications Zeek, le flux d’alarmes, les correspondances de signature et la détection traceroute. |
| Observations sur le réseau | Inclut les fichiers journaux des certificats SSL, les hôtes ayant effectué des handshakes TCP, les instances principales et répliquées Modbus, les services exécutés sur les hôtes et les logiciels utilisés sur le réseau. |
Si vous ne l'avez pas déjà fait, installez et configurez Zeek. Pour plus d'informations, consultez Installation de Zeek.
Collectez les journaux Zeek au format JSON. Pour en savoir plus, consultez Générez les journaux Zeek au format JSON.
S'assurer que tous les systèmes de l'architecture de déploiement sont configurés avec le fuseau horaire UTC.
Configurer NXLog et le forwarder Google Security Operations
- Téléchargez et installez NXLog Community Edition sur la machine Linux sur
exécuté par le redirecteur Google Security Operations.
- Pour en savoir plus sur le téléchargement de NXLog Community Edition, consultez la documentation NXLog.
- Pour en savoir plus sur l'installation des packages et des dépendances NXLog requis, consultez Installer NXLog sur un système Linux.
- Créez un fichier de configuration pour chaque instance NXLog.
Utilisez le module NXLog im_file pour lire le fichier et analyser les lignes en champs. Voici un exemple de configuration NXLog:
LogFile /var/log/nxlog/nxlog.log LogLevel INFO define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname> define ZEEK_OUTPUT_DESTINATION_PORT <port> <Input conn> Module im_file File '/opt/zeek/logs/current/conn.log' Exec $raw_event= "conn" + ' - ' + $raw_event;; </Input> <Input dce_rpc> Module im_file File '/opt/zeek/logs/current/dce_rpc.log' Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;; </Input> <Output out_chronicle> Module om_tcp Host %ZEEK_OUTPUT_DESTINATION_ADDRESS% Port %ZEEK_OUTPUT_DESTINATION_PORT% </Output> <Route zeek_to_chronicle> Path conn, dce_rpc => out_chronicle </Route>Pour utiliser l'exemple de configuration précédent, procédez comme suit:
- Remplacez les valeurs
<hostname>et<port>par des informations concernant le serveur Linux de destination. - Ajoutez des éléments d'entrée, de sortie et d'itinéraire pour chaque type de journal Zeek que vous souhaitez collecter.
- Remplacez les valeurs
Configurer le redirecteur Google Security Operations auquel envoyer les journaux Google Security Operations. Pour en savoir plus, consultez la section Installer et configurer le redirecteur sous Linux. Voici un exemple de configuration du redirecteur.
- syslog: common: enabled: true data_type: BRO_JSON batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60Démarrez le service NXLog.
Documentation de référence sur le mappage de champs: Zeek consigne les champs en champs UDM
Pour comprendre comment l'analyseur Google Security Operations mappe les champs de journal Zeek avec les champs d'événement UDM de Google Security Operations pour chaque type de journal Zeek. les sections suivantes:
Protocoles de réseau
Le tableau suivant répertorie les champs de journal du type de journal des protocoles réseau et les champs UDM correspondants.
| Champ de journal d'origine | Type de journal | Champ UDM |
|---|---|---|
| ts | conn.log | metadata.event_timestamp |
| uid | conn.log | network.session_id |
| id.orig_h | conn.log | principal.ip |
| id.orig_p | conn.log | principal.port |
| id.resp_h | conn.log | target.ip |
| id.resp_p | conn.log | target.port |
| proto | conn.log | network.ip_protocol |
| service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
| duration | conn.log | network.session_duration |
| orig_bytes | conn.log | network.sent_bytes |
| resp_bytes | conn.log | network.received_bytes |
| conn_state | conn.log | metadata.description |
| local_orig | conn.log | additional.fields.key/value |
| local_resp | conn.log | additional.fields.key/value |
| missed_bytes | conn.log | additional.fields.key/value |
| history | conn.log | additional.fields.key/value |
| orig_pkts | conn.log | additional.fields.key/value |
| orig_ip_bytes | conn.log | additional.fields.key/value |
| resp_pkts | conn.log | additional.fields.key/value |
| resp_ip_bytes | conn.log | additional.fields.key/value |
| tunnel_parents | conn.log | additional.fields.key/value |
| orig_l2_addr | conn.log | additional.fields.key/value |
| resp_l2_addr | conn.log | additional.fields.key/value |
| vlan | conn.log | additional.fields.key/value |
| inner_vlan | conn.log | additional.fields.key/value |
| speculative_service | conn.log | additional.fields.key/value |
| ts | dce_rpc.log | metadata.event_timestamp |
| uid | dce_rpc.log | network.session_id |
| id.orig_h | dce_rpc.log | principal.ip |
| id.orig_p | dce_rpc.log | principal.port |
| id.resp_h | dce_rpc.log | target.ip |
| id.resp_p | dce_rpc.log | target.port |
| rtt | dce_rpc.log | additional.fields.key/value |
| named_pipe | dce_rpc.log | target.resource.name
Also, target.resource.resource_type is set to "PIPE". |
| endpoint | dce_rpc.log | additional.fields.key/value |
| operation | dce_rpc.log | additional.fields.key/value |
| ts | dhcp.log | metadata.event_timestamp |
| uids | dhcp.log | additional.fields.key/value |
| client_addr | dhcp.log | target.ip |
| server_addr | dhcp.log | principal.ip |
| client_port | dhcp.log | target.port |
| server_port | dhcp.log | principal.port |
| mac | dhcp.log | principal.mac
Machine ID is required for parsing NETWORK_DHCP events. |
| host_name | dhcp.log | network.dhcp.client_hostname |
| client_fqdn | dhcp.log | target.hostname |
| domain | dhcp.log | target.administrative_domain |
| requested_addr | dhcp.log | network.dhcp.requested_address |
| assigned_addr | dhcp.log | network.dhcp.yiaddr |
| lease_time | dhcp.log | network.dhcp.lease_time_seconds |
| client_message | dhcp.log | additional.fields.key/value |
| server_message | dhcp.log | additional.fields.key/value |
| msg_types | dhcp.log | additional.fields.key/value
The log that Zeek produces is a collection of DORA messages in a single log. |
| duration | dhcp.log | network.dhcp.seconds |
| client_chaddr | dhcp.log | network.dhcp.chaddr |
| msg_orig | dhcp.log | additional.fields.key/value |
| client_software | dhcp.log | additional.fields.key/value |
| server_software | dhcp.log | additional.fields.key/value |
| circuit_id | dhcp.log | additional.fields.key/value |
| agent_remote_id | dhcp.log | additional.fields.key/value |
| subscriber_id | dhcp.log | additional.fields.key/value |
| ts | dnp3.log | metadata.event_timestamp |
| uid | dnp3.log | network.session_id |
| id.orig_h | dnp3.log | principal.ip |
| id.orig_p | dnp3.log | principal.port |
| id.resp_h | dnp3.log | target.ip |
| id.resp_p | dnp3.log | target.port |
| fc_request | dnp3.log | additional.fields.key/value |
| fc_reply | dnp3.log | additional.fields.key/value |
| iin | dnp3.log | additional.fields.key/value |
| ts | dns.log | metadata.event_timestamp |
| uid | dns.log | network.session_id |
| id.orig_h | dns.log | principal.ip |
| id.orig_p | dns.log | principal.port |
| id.resp_h | dns.log | target.ip |
| id.resp_p | dns.log | target.port |
| proto | dns.log | network.ip_protocol |
| trans_id | dns.log | network.dns.id |
| rtt | dns.log | additional.fields.key/value |
| query | dns.log | network.dns.questions.name |
| qclass | dns.log | network.dns.questions.class |
| qclass_name | dns.log | additional.fields.key/value |
| qtype | dns.log | network.dns.questions.type |
| qtype_name | dns.log | additional.fields.key/value |
| rcode | dns.log | network,dns.response_code |
| rcode_name | dns.log | additional.fields.key/value |
| AA | dns.log | network.dns.authoritative |
| TC | dns.log | network.dns.truncated |
| RD | dns.log | network.dns.recursion_desired |
| RA | dns.log | network.dns.recursion_available |
| Z | dns.log | additional.fields.key/value |
| answers | dns.log | network.dns.answers.data |
| TTLs | dns.log | network.dns.answers.ttl |
| rejected | dns.log | additional.fields.key/value |
| total_answers | dns.log | additional.fields.key/value |
| total_replies | dns.log | additional.fields.key/value |
| saw_query | dns.log | additional.fields.key/value |
| saw_reply | dns.log | additional.fields.key/value |
| auth | dns.log | network.dns.authority.data |
| addl | dns.log | network.dns.additional.data |
| original_query | dns.log | additional.fields.key/value |
| ts | ftp.log | metadata.event_timestamp |
| uid | ftp.log | network.session_id |
| id.orig_h | ftp.log | principal.ip |
| id.orig_p | ftp.log | principal.port |
| id.resp_h | ftp.log | target.ip |
| id.resp_p | ftp.log | target.port |
| user | ftp.log | principal.user.userid |
| command | ftp.log | network.ftp.command |
| arg | ftp.log | additional.fields.key/value |
| mime_type | ftp.log | src.file.mime_type |
| file_size | ftp.log | src.file.size |
| reply_code | ftp.log | additional.fields.key/value |
| reply_msg | ftp.log | additional.fields.key/value |
| data_channel.passive | ftp.log | additional.fields.key/value |
| data_channel.orig_h | ftp.log | additional.fields.key/value |
| data_channel.resp_h | ftp.log | additional.fields.key/value |
| data_channel.resp_p | ftp.log | additional.fields.key/value |
| cwd | ftp.log | src.file.full_path |
| cmdarg.ts | ftp.log | additional.fields.key/value |
| cmdarg.cmd | ftp.log | additional.fields.key/value |
| cmdarg.arg | ftp.log | additional.fields.key/value |
| cmdarg.seq | ftp.log | additional.fields.key/value |
| pending_commands | ftp.log | additional.fields.key/value |
| passive | ftp.log | additional.fields.key/value |
| capture_password | ftp.log | additional.fields.key/value |
| fuid | ftp.log | additional.fields.key/value |
| last_auth_requested | ftp.log | additional.fields.key/value |
| ts | http.log | metadata.event_timestamp |
| uid | http.log | network.session_id |
| id.orig_h | http.log | principal.ip |
| id.orig_p | http.log | principal.port |
| id.resp_h | http.log | target.ip |
| id.resp_p | http.log | target.port |
| trans_depth | http.log | additional.fields.key/value |
| method | http.log | network.http.method |
| host | http.log | target.hostname |
| uri | http.log | target.url is set to "%{host}%{uri}" |
| referrer | http.log | network.http.referral_url |
| version | http.log | additional.fields.key/value |
| user_agent | http.log | network.http.user_agent |
| origin | http.log | additional.fields.key/value |
| request_body_len | http.log | additional.fields.key/value |
| response_body_len | http.log | additional.fields.key/value |
| status_code | http.log | network.http.response_code |
| status_msg | http.log | additional.fields.key/value |
| info_code | http.log | additional.fields.key/value |
| info_msg | http.log | additional.fields.key/value |
| tags | http.log | additional.fields.key/value |
| username | http.log | principal.user.userid |
| capture_password | http.log | additional.fields.key/value |
| proxied | http.log | additional.fields.key/value |
| range_request | http.log | additional.fields.key/value |
| orig_fuids | http.log | additional.fields.key/value |
| orig_filenames | http.log | additional.fields.key/value |
| orig_mime_types | http.log | additional.fields.key/value |
| resp_fuids | http.log | additional.fields.key/value |
| resp_filenames | http.log | additional.fields.key/value |
| resp_mime_types | http.log | additional.fields.key/value |
| current_entity | http.log | additional.fields.key/value |
| orig_mime_depth | http.log | additional.fields.key/value |
| resp_mime_depth | http.log | additional.fields.key/value |
| client_header_names | http.log | additional.fields.key/value |
| server_header_names | http.log | additional.fields.key/value |
| omniture | http.log | additional.fields.key/value |
| flash_version | http.log | additional.fields.key/value |
| cookie_vars | http.log | additional.fields.key/value |
| uri_vars | http.log | additional.fields.key/value |
| ts | irc.log | metadata.event_timestamp |
| uid | irc.log | network.session_id |
| id.orig_h | irc.log | principal.ip |
| id.orig_p | irc.log | principal.port |
| id.resp_h | irc.log | target.ip |
| id.resp_p | irc.log | target.port |
| nick | irc.log | additional.fields.key/value |
| user | irc.log | principal.user.userid |
| command | irc.log | principal.process.command_line |
| value | irc.log | additional.fields.key/value |
| addl | irc.log | additional.fields.key/value |
| dcc_file_name | irc.log | additional.fields.key/value |
| dcc_file_size | irc.log | src.file.size |
| dcc_mime_type | irc.log | src.file.mime_type |
| fuid | irc.log | additional.fields.key/value |
| ts | kerberos.log | metadata.event_timestamp |
| uid | kerberos.log | network.session_id |
| id.orig_h | kerberos.log | principal.ip |
| id.orig_p | kerberos.log | principal.port |
| id.resp_h | kerberos.log | target.ip |
| id.resp_p | kerberos.log | target.port |
| request_type | kerberos.log | additional.fields.key/value |
| client | kerberos.log | additional.fields.key/value |
| service | kerberos.log | additional.fields.key/value |
| success | kerberos.log | additional.fields.key/value |
| error_code | kerberos.log | additional.fields.key/value |
| error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
| from | kerberos.log | additional.fields.key/value |
| till | kerberos.log | additional.fields.key/value |
| cipher | kerberos.log | network.tls.cipher |
| forwardable | kerberos.log | additional.fields.key/value |
| renewable | kerberos.log | additional.fields.key/value |
| logged | kerberos.log | additional.fields.key/value |
| client_cert.ts | kerberos.log | additional.fields.key/value |
| client_cert.fuid | kerberos.log | additional.fields.key/value |
| client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.conn_uids | kerberos.log | additional.fields.key/value |
| client_cert.source | kerberos.log | additional.fields.key/value |
| client_cert.depth | kerberos.log | additional.fields.key/value |
| client_cert.analyzers | kerberos.log | additional.fields.key/value |
| client_cert.mime_type | kerberos.log | additional.fields.key/value |
| client_cert.filename | kerberos.log | additional.fields.key/value |
| client_cert.duration | kerberos.log | additional.fields.key/value |
| client_cert.local_orig | kerberos.log | additional.fields.key/value |
| client_cert.is_orig | kerberos.log | additional.fields.key/value |
| client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| client_cert.total_bytes | kerberos.log | additional.fields.key/value |
| client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| client_cert.timedout | kerberos.log | additional.fields.key/value |
| client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
| client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
| client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
| client_cert.x509.ts | kerberos.log | additional.fields.key/value |
| client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
| client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
| client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
| client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| client_cert.x509.handle | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| client_cert.x509.cert | kerberos.log | additional.fields.key/value |
| client_cert.extracted | kerberos.log | additional.fields.key/value |
| client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| client_cert.extracted_size | kerberos.log | additional.fields.key/value |
| client_cert.entropy | kerberos.log | additional.fields.key/value |
| client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
| client_cert_fuid | kerberos.log | additional.fields.key/value |
| server_cert.ts | kerberos.log | additional.fields.key/value |
| server_cert.fuid | kerberos.log | additional.fields.key/value |
| server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.conn_uids | kerberos.log | additional.fields.key/value |
| server_cert.source | kerberos.log | additional.fields.key/value |
| server_cert.depth | kerberos.log | additional.fields.key/value |
| server_cert.analyzers | kerberos.log | additional.fields.key/value |
| server_cert.mime_type | kerberos.log | additional.fields.key/value |
| server_cert.filename | kerberos.log | additional.fields.key/value |
| server_cert.duration | kerberos.log | additional.fields.key/value |
| server_cert.local_orig | kerberos.log | additional.fields.key/value |
| server_cert.is_orig | kerberos.log | additional.fields.key/value |
| server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| server_cert.total_bytes | kerberos.log | additional.fields.key/value |
| server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| server_cert.timedout | kerberos.log | additional.fields.key/value |
| server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
| server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
| server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
| server_cert.x509.ts | kerberos.log | additional.fields.key/value |
| server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
| server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
| server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
| server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| server_cert.x509.handle | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| server_cert.x509.cert | kerberos.log | additional.fields.key/value |
| server_cert.extracted | kerberos.log | additional.fields.key/value |
| server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| server_cert.extracted_size | kerberos.log | additional.fields.key/value |
| server_cert.entropy | kerberos.log | additional.fields.key/value |
| server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
| server_cert_fuid | kerberos.log | additional.fields.key/value |
| auth_ticket | kerberos.log | additional.fields.key/value |
| new_ticket | kerberos.log | additional.fields.key/value |
| ts | modbus.log | metadata.event_timestamp |
| uid | modbus.log | network.session_id |
| id.orig_h | modbus.log | principal.ip |
| id.orig_p | modbus.log | principal.port |
| id.resp_h | modbus.log | target.ip |
| id.resp_p | modbus.log | target.port |
| func | modbus.log | additional.fields.key/value |
| exception | modbus.log | additional.fields.key/value |
| track_address | modbus.log | additional.fields.key/value |
| ts | modbus_register_change.log | metadata.event_timestamp |
| uid | modbus_register_change.log | network.session_id |
| id.orig_h | modbus_register_change.log | principal.ip |
| id.orig_p | modbus_register_change.log | principal.port |
| id.resp_h | modbus_register_change.log | target.ip |
| id.resp_p | modbus_register_change.log | target.port |
| register | modbus_register_change.log | additional.fields.key/value |
| old_val | modbus_register_change.log | additional.fields.key/value |
| new_val | modbus_register_change.log | additional.fields.key/value |
| delta | modbus_register_change.log | additional.fields.key/value |
| ts | mysql.log | metadata.event_timestamp |
| uid | mysql.log | network.session_id |
| id.orig_h | mysql.log | principal.ip |
| id.orig_p | mysql.log | principal.port |
| id.resp_h | mysql.log | target.ip |
| id.resp_p | mysql.log | target.port |
| cmd | mysql.log | metadata.description |
| arg | mysql.log | principal.process.command_line |
| success | mysql.log |
If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
| rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
| response | mysql.log | additional.fields.key/value |
| ts | ntlm.log | metadata.event_timestamp |
| uid | ntlm.log | network.session_id |
| id.orig_h | ntlm.log | principal.ip |
| id.orig_p | ntlm.log | principal.port |
| id.resp_h | ntlm.log | target.ip |
| id.resp_p | ntlm.log | target.port |
| username | ntlm.log | principal.user.userid |
| hostname | ntlm.log | principal.hostname |
| domainname | ntlm.log | principal.administrative_domain |
| server_nb_computer_name | ntlm.log | additional.fields.key/value |
| server_dns_computer_name | ntlm.log | target.hostname |
| server_tree_name | ntlm.log | additional.fields.key/value |
| success | ntlm.log |
If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
| done | ntlm.log | additional.fields.key/value |
| ts | ntp.log | metadata.event_timestamp |
| uid | ntp.log | network.session_id |
| id.orig_h | ntp.log | principal.ip |
| id.orig_p | ntp.log | principal.port |
| id.resp_h | ntp.log | target.ip |
| id.resp_p | ntp.log | target.port |
| version | ntp.log | additional.fields.key/value |
| mode | ntp.log | additional.fields.key/value |
| stratum | ntp.log | additional.fields.key/value |
| poll | ntp.log | additional.fields.key/value |
| precision | ntp.log | additional.fields.key/value |
| root_delay | ntp.log | additional.fields.key/value |
| root_disp | ntp.log | additional.fields.key/value |
| ref_id | ntp.log | additional.fields.key/value |
| ref_time | ntp.log | additional.fields.key/value |
| org_time | ntp.log | additional.fields.key/value |
| rec_time | ntp.log | additional.fields.key/value |
| xmt_time | ntp.log | additional.fields.key/value |
| num_exts | ntp.log | additional.fields.key/value |
| ts | radius.log | metadata.event_timestamp |
| uid | radius.log | network.session_id |
| id.orig_h | radius.log | principal.ip |
| id.orig_p | radius.log | principal.port |
| id.resp_h | radius.log | target.ip |
| id.resp_p | radius.log | target.port |
| username | radius.log | principal.user.userid |
| mac | radius.log | principal.mac |
| framed_addr | radius.log | additional.fields.key/value |
| tunnel_client | radius.log | additional.fields.key/value |
| connect_info | radius.log | additional.fields.key/value |
| reply_msg | radius.log | additional.fields.key/value |
| result | radius.log | If the log type is "radius.log", the following fields are set:
If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful". If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
| ttl | radius.log | additional.fields.key/value |
| logged | radius.log | additional.fields.key/value |
| ts | rdp.log | metadata.event_timestamp |
| uid | rdp.log | network.session_id |
| id.orig_h | rdp.log | principal.ip |
| id.orig_p | rdp.log | principal.port |
| id.resp_h | rdp.log | target.ip |
| id.resp_p | rdp.log | target.port |
| cookie | rdp.log | principal.user.userid |
| result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| client_channels | rdp.log | additional.fields.key/value |
| keyboard_layout | rdp.log | additional.fields.key/value |
| client_build | rdp.log | principal.asset.platform_software.platform_version |
| client_name | rdp.log | additional.fields.key/value |
| client_dig_product_id | rdp.log | principal.asset.asset_id |
| desktop_width | rdp.log | additional.fields.key/value |
| desktop_height | rdp.log | additional.fields.key/value |
| requested_color_depth | rdp.log | additional.fields.key/value |
| cert_type | rdp.log | additional.fields.key/value |
| cert_count | rdp.log | additional.fields.key/value |
| cert_permanent | rdp.log | additional.fields.key/value |
| encryption_level | rdp.log | additional.fields.key/value |
| encryption_method | rdp.log | additional.fields.key/value |
| analyzer_id | rdp.log | additional.fields.key/value |
| done | rdp.log | additional.fields.key/value |
| ssl | rdp.log | additional.fields.key/value |
| ts | rfb.log | metadata.event_timestamp |
| uid | rfb.log | network.session_id |
| id.orig_h | rfb.log | principal.ip |
| id.orig_p | rfb.log | principal.port |
| id.resp_h | rfb.log | target.ip |
| id.resp_p | rfb.log | target.port |
| client_major_version | rfb.log | additional.fields.key/value |
| client_minor_version | rfb.log | additional.fields.key/value |
| server_major_version | rfb.log | additional.fields.key/value |
| server_minor_version | rfb.log | additional.fields.key/value |
| authentication_method | rfb.log | additional.fields.key/value |
| auth | rfb.log | additional.fields.key/value |
| share_flag | rfb.log | additional.fields.key/value |
| desktop_name | rfb.log | target.asset.hostname |
| width | rfb.log | additional.fields.key/value |
| height | rfb.log | additional.fields.key/value |
| done | rfb.log | additional.fields.key/value |
| ts | sip.log | metadata.event_timestamp |
| uid | sip.log | network.session_id
Also, network.application_protocol is set to "SIP". |
| id.orig_h | sip.log | principal.ip |
| id.orig_p | sip.log | principal.port |
| id.resp_h | sip.log | target.ip |
| id.resp_p | sip.log | target.port |
| trans_depth | sip.log | additional.fields.key/value |
| method | sip.log | metadata.description |
| uri | sip.log | about.url |
| date | sip.log | additional.fields.key/value |
| request_from | sip.log | principal.user.userid and principal.user.user_display_name |
| request_to | sip.log | target.user.userid and target.user.user_display_name |
| response_from | sip.log | additional.fields.key/value |
| response_to | sip.log | additional.fields.key/value |
| reply_to | sip.log | additional.fields.key/value |
| call_id | sip.log | network.session_id |
| seq | sip.log | additional.fields.key/value |
| subject | sip.log | additional.fields.key/value |
| request_path | sip.log | additional.fields.key/value |
| response_path | sip.log | additional.fields.key/value |
| user_agent | sip.log | additional.fields.key/value |
| status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
| status_msg | sip.log | security_result.description |
| warning | sip.log | additional.fields.key/value |
| request_body_len | sip.log | network.sent_bytes |
| response_body_len | sip.log | network.received_bytes |
| content_type | sip.log | additional.fields.key/value |
| ts | smb_cmd.log | metadata.event_timestamp |
| uid | smb_cmd.log | network.session_id |
| id.orig_h | smb_cmd.log | principal.ip |
| id.orig_p | smb_cmd.log | principal.port |
| id.resp_h | smb_cmd.log | target.ip |
| id.resp_p | smb_cmd.log | target.port |
| command | smb_cmd.log | principal.process.command_line |
| sub_command | smb_cmd.log | additional.fields.key/value |
| argument | smb_cmd.log | additional.fields.key/value |
| status | smb_cmd.log | additional.fields.key/value |
| rtt | smb_cmd.log | additional.fields.key/value |
| version | smb_cmd.log | metadata.product_version |
| username | smb_cmd.log | principal.user.userid |
| tree | smb_cmd.log | additional.fields.key/value |
| tree_service | smb_cmd.log | additional.fields.key/value |
| smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
| smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
| ts | smb_files.log | metadata.event_timestamp |
| uid | smb_files.log | network.session_id |
| id.orig_h | smb_files.log | principal.ip |
| id.orig_p | smb_files.log | principal.port |
| id.resp_h | smb_files.log | target.ip |
| id.resp_p | smb_files.log | target.port |
| fuid | smb_files.log | additional.fields.key/value |
| action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
| path | smb_files.log | target.file.full_path |
| name | smb_files.log | additional.fields.key/value |
| size | smb_files.log | target.file.size |
| prev_name | smb_files.log | additional.fields.key/value |
| times.modified | smb_files.log | additional.fields.key/value |
| times.modified_raw | smb_files.log | additional.fields.key/value |
| times.accessed | smb_files.log | additional.fields.key/value |
| times.accessed_raw | smb_files.log | additional.fields.key/value |
| times.created | smb_files.log | additional.fields.key/value |
| times.created_raw | smb_files.log | additional.fields.key/value |
| times.changed | smb_files.log | additional.fields.key/value |
| times.changed_raw | smb_files.log | additional.fields.key/value |
| fid | smb_files.log | additional.fields.key/value |
| uuid | smb_files.log | additional.fields.key/value |
| ts | smb_mapping.log | metadata.event_timestamp |
| uid | smb_mapping.log | network.session_id |
| id.orig_h | smb_mapping.log | principal.ip |
| id.orig_p | smb_mapping.log | principal.port |
| id.resp_h | smb_mapping.log | target.ip |
| id.resp_p | smb_mapping.log | target.port |
| path | smb_mapping.log | target.file.full_path |
| service | smb_mapping.log | target.application |
| native_file_system | smb_mapping.log | additional.fields.key/value |
| share_type | smb_mapping.log | target.resource.resource_type |
| ts | smtp.log | metadata.event_timestamp |
| uid | smtp.log | network.session_id |
| id.orig_h | smtp.log | principal.ip |
| id.orig_p | smtp.log | principal.port |
| id.resp_h | smtp.log | target.ip |
| id.resp_p | smtp.log | target.port |
| trans_depth | smtp.log | additional.fields.key/value |
| helo | smtp.log | additional.fields.key/value |
| mailfrom | smtp.log | additional.fields.key/value |
| rcptto | smtp.log | additional.fields.key/value |
| date | smtp.log | additional.fields.key/value |
| from | smtp.log | network.email.from |
| to | smtp.log | email.to |
| cc | smtp.log | network.email.cc |
| reply_to | smtp.log | email.reply_to |
| msg_id | smtp.log | email.mail_id |
| in_reply_to | smtp.log | additional.fields.key/value |
| subject | smtp.log | email.subject |
| x_originating_ip | smtp.log | additional.fields.key/value |
| first_received | smtp.log | additional.fields.key/value |
| second_received | smtp.log | additional.fields.key/value |
| last_reply | smtp.log | additional.fields.key/value |
| path | smtp.log | additional.fields.key/value |
| user_agent | smtp.log | additional.fields.key/value |
| tls | smtp.log | network.tls.established |
| process_received_from | smtp.log | additional.fields.key/value |
| has_client_activity | smtp.log | additional.fields.key/value |
| process_smtp_headers | smtp.log | additional.fields.key/value |
| entity.filename | smtp.log | additional.fields.key/value |
| entity.excerpt | smtp.log | additional.fields.key/value |
| fuids | smtp.log | additional.fields.key/value |
| is_webmail | smtp.log | additional.fields.key/value |
| ts | snmp.log | metadata.event_timestamp |
| uid | snmp.log | network.session_id |
| id.orig_h | snmp.log | principal.ip |
| id.orig_p | snmp.log | principal.port |
| id.resp_h | snmp.log | target.ip |
| id.resp_p | snmp.log | target.port |
| duration | snmp.log | network.session_duration |
| version | snmp.log | metadata.product_version |
| community | snmp.log | network.community_id |
| get_requests | snmp.log | additional.fields.key/value |
| get_bulk_requests | snmp.log | additional.fields.key/value |
| get_responses | snmp.log | additional.fields.key/value |
| set_requests | snmp.log | additional.fields.key/value |
| display_string | snmp.log | metadata.description |
| up_since | snmp.log | additional.fields.key/value |
| ts | socks.log | metadata.event_timestamp |
| uid | socks.log | network.session_id |
| id.orig_h | socks.log | principal.ip |
| id.orig_p | socks.log | principal.port |
| id.resp_h | socks.log | target.ip |
| id.resp_p | socks.log | target.port |
| version | socks.log | additional.fields.key/value |
| user | socks.log | principal.user.userid |
| status | socks.log | additional.fields.key/value |
| request.host | socks.log | principal.hostname |
| request.name | socks.log | additional.fields.key/value |
| request_p | socks.log | additional.fields.key/value |
| bound.host | socks.log | additional.fields.key/value |
| bound.name | socks.log | additional.fields.key/value |
| bound_p | socks.log | additional.fields.key/value |
| capture_password | socks.log | additional.fields.key/value |
| ts | ssh.log | metadata.event_timestamp |
| uid | ssh.log | network.session_id |
| id.orig_h | ssh.log | principal.ip |
| id.orig_p | ssh.log | principal.port |
| id.resp_h | ssh.log | target.ip |
| id.resp_p | ssh.log | target.port |
| version | ssh.log | metadata.product_version |
| auth_success | ssh.log | additional.fields.key/value |
| auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
| direction | ssh.log | network.direction |
| client | ssh.log | principal.platform_version |
| server | ssh.log | target.platform_version |
| cipher_alg | ssh.log | additional.fields.key/value |
| mac_alg | ssh.log | additional.fields.key/value |
| compression_alg | ssh.log | additional.fields.key/value |
| kex_alg | ssh.log | additional.fields.key/value |
| host_key_alg | ssh.log | additional.fields.key/value |
| host_key | ssh.log | additional.fields.key/value |
| logged | ssh.log | additional.fields.key/value |
| capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
| capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
| capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
| capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
| capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
| capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
| capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
| capabilities.is_server | ssh.log | additional.fields.key/value |
| analyzer_id | ssh.log | additional.fields.key/value |
| remote_location.country_code | ssh.log | additional.fields.key/value |
| remote_location.region | ssh.log | target.asset.location.country_or_region |
| remote_location.city | ssh.log | target.asset.location.city |
| remote_location.latitude | ssh.log | additional.fields.key/value |
| remote_location.longitude | ssh.log | additional.fields.key/value |
| ts | ssl.log | metadata.event_timestamp |
| uid | ssl.log | metadata.product_log_id |
| id.orig_h | ssl.log | principal.ip |
| id.orig_p | ssl.log | principal.port |
| id.resp_h | ssl.log | target.ip |
| id.resp_p | ssl.log | target.port |
| version_num | ssl.log | additional.fields.key/value |
| version | ssl.log | network.tls.version |
| cipher | ssl.log | network.tls.cipher |
| curve | ssl.log | network.tls.curve |
| server_name | ssl.log | network.tls.client.server_name |
| session_id | ssl.log | network.session_id |
| resumed | ssl.log | network.tls.resumed |
| client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
| client_key_exchange_seen | ssl.log | additional.fields.key/value |
| client_psk_seen | ssl.log | additional.fields.key/value |
| last_alert | ssl.log | additional.fields.key/value |
| next_protocol | ssl.log | network.tls.next_protocol |
| analyzer_id | ssl.log | additional.fields.key/value |
| established | ssl.log | network.tls.established |
| logged | ssl.log | additional.fields.key/value |
| ssl_history | ssl.log | additional.fields.key/value |
| cert_chain_fps | ssl.log | additional.fields.key/value |
| client_cert_chain_fps | ssl.log | additional.fields.key/value |
| subject | ssl.log | network.tls.server.certificate.subject |
| issuer | ssl.log | network.tls.server.certificate.issuer |
| client_subject | ssl.log | network.tls.client.certificate.subject |
| client_issuer | ssl.log | network.tls.client.certificate.issuer |
| sni_matches_cert | ssl.log | additional.fields.key/value |
| server_depth | ssl.log | additional.fields.key/value |
| client_depth | ssl.log | additional.fields.key/value |
| always_raise_x509_events | ssl.log | additional.fields.key/value |
| last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
| last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
| originator_heartbeats | ssl.log | additional.fields.key/value |
| responder_heartbeats | ssl.log | additional.fields.key/value |
| heartbleed_detected | ssl.log | additional.fields.key/value |
| enc_appdata_packages | ssl.log | additional.fields.key/value |
| enc_appdata_bytes | ssl.log | additional.fields.key/value |
| server_version | ssl.log | additional.fields.key/value |
| client_version | ssl.log | additional.fields.key/value |
| client_ciphers | ssl.log | network.tls.client.supported_ciphers |
| ssl_client_exts | ssl.log | additional.fields.key/value |
| ssl_server_exts | ssl.log | additional.fields.key/value |
| ticket_lifetime_hint | ssl.log | additional.fields.key/value |
| dh_param_size | ssl.log | additional.fields.key/value |
| point_formats | ssl.log | additional.fields.key/value |
| client_curves | ssl.log | additional.fields.key/value |
| orig_alpn | ssl.log | additional.fields.key/value |
| client_supported_versions | ssl.log | additional.fields.key/value |
| server_supported_version | ssl.log | additional.fields.key/value |
| psk_key_exchange_modes | ssl.log | additional.fields.key/value |
| client_key_share_groups | ssl.log | additional.fields.key/value |
| server_key_share_group | ssl.log | additional.fields.key/value |
| client_comp_methods | ssl.log | additional.fields.key/value |
| comp_method | ssl.log | additional.fields.key/value |
| sigalgs | ssl.log | additional.fields.key/value |
| hashalgs | ssl.log | additional.fields.key/value |
| validation_status | ssl.log | additional.fields.key/value |
| validation_code | ssl.log | additional.fields.key/value |
| valid_chain | ssl.log | additional.fields.key/value |
| ocsp_status | ssl.log | additional.fields.key/value |
| ocsp_response | ssl.log | additional.fields.key/value |
| valid_scts | ssl.log | additional.fields.key/value |
| invalid_scts | ssl.log | additional.fields.key/value |
| valid_ct_logs | ssl.log | additional.fields.key/value |
| valid_ct_operators | ssl.log | additional.fields.key/value |
| valid_ct_operators_list | ssl.log | additional.fields.key/value |
| ct_proofs | ssl.log | additional.fields.key/value |
| notary.first_seen | ssl.log | additional.fields.key/value |
| notary.last_seen | ssl.log | additional.fields.key/value |
| notary.times_seen | ssl.log | additional.fields.key/value |
| notary.valid | ssl.log | additional.fields.key/value |
| ts | syslog.log | metadata.event_timestamp |
| uid | syslog.log | network.session_id |
| id.orig_h | syslog.log | principal.ip |
| id.orig_p | syslog.log | principal.port |
| id.resp_h | syslog.log | target.ip |
| id.resp_p | syslog.log | target.port |
| proto | syslog.log | network.ip_protocol |
| facility | syslog.log | additional.fields.key/value |
| severity | syslog.log | security_result.severity_details |
| message | syslog.log | metadata.description |
| ts | tunnel.log | metadata.event_timestamp |
| uid | tunnel.log | network.session_id |
| id.orig_h | tunnel.log | principal.ip |
| id.orig_p | tunnel.log | principal.port |
| id.resp_h | tunnel.log | target.ip |
| id.resp_p | tunnel.log | target.port |
| tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
| action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
Fichiers
Le tableau suivant répertorie les champs de journal correspondant au type de journal des fichiers et leurs les champs UDM correspondants.
| Champ de journal d'origine | Type de journal | Champ UDM |
|---|---|---|
| ts | files.log | metadata.event_timestamp |
| fuid | files.log | metadata.product_log_id |
| tx_hosts | files.log | principal.ip |
| rx_hosts | files.log | target.ip |
| conn_uids | files.log | additional.fields.key/value |
| source | files.log | network.application_protocol
target.file.full_path |
| depth | files.log | additional.fields.key/value |
| analyzers | files.log | additional.fields.key/value |
| mime_type | files.log | target.file.mime_type |
| filename | files.log | target.file.full_path |
| duration | files.log | additional.fields.key/value |
| local_orig | files.log | additional.fields.key/value |
| is_orig | files.log | additional.fields.key/value |
| seen_bytes | files.log | target.file.size |
| total_bytes | files.log | additional.fields.key/value |
| missing_bytes | files.log | additional.fields.key/value |
| overflow_bytes | files.log | additional.fields.key/value |
| timedout | files.log | additional.fields.key/value |
| parent_fuid | files.log | additional.fields.key/value |
| md5 | files.log | target.file.md5 |
| sha1 | files.log | target.file.sha1 |
| sha256 | files.log | target.file.sha256 |
| md5 | files.log | network.tls.client.certificate.md5 |
| sha1 | files.log | network.tls.client.certificate.sha1 |
| sha256 | files.log | network.tls.client.certificate.sha256 |
| md5 | files.log | network.tls.server.certificate.md5 |
| sha1 | files.log | network.tls.server.certificate.sha1 |
| sha256 | files.log | network.tls.server.certificate.sha256 |
| x509 | files.log | additional.fields.key/value
This field is a nested field. |
| extracted | files.log | additional.fields.key/value |
| extracted_cutoff | files.log | additional.fields.key/value |
| extracted_size | files.log | additional.fields.key/value |
| entropy | files.log | additional.fields.key/value |
| ts | ocsp.log | metadata.event_timestamp |
| id | ocsp.log | metadata.product_log_id |
| hashAlgorithm | ocsp.log | additional.fields.key/value |
| issuerNameHash | ocsp.log | additional.fields.key/value |
| issuerKeyHash | ocsp.log | additional.fields.key/value |
| serialNumber | ocsp.log | tls.server.certificate.serial |
| certStatus | ocsp.log | additional.fields.key/value |
| revoketime | ocsp.log | network.tls.server.certificate.not_after |
| revokereason | ocsp.log | security_result.summary |
| thisUpdate | ocsp.log | additional.fields.key/value |
| nextUpdate | ocsp.log | additional.fields.key/value |
| ts | pe.log | metadata.event_timestamp |
| id | pe.log | metadata.product_log_id |
| machine | pe.log | target.resource.resource_subtype |
| compile_ts | pe.log | additional.fields.key/value |
| os | pe.log | target.platform_version
target.resource.resource_type is set to "DEVICE". |
| subsystem | pe.log | target.application |
| is_exe | pe.log | additional.fields.key/value |
| is_64bit | pe.log | additional.fields.key/value |
| uses_aslr | pe.log | additional.fields.key/value |
| uses_dep | pe.log | additional.fields.key/value |
| uses_code_integrity | pe.log | additional.fields.key/value |
| uses_seh | pe.log | additional.fields.key/value |
| has_import_table | pe.log | additional.fields.key/value |
| has_export_table | pe.log | additional.fields.key/value |
| has_cert_table | pe.log | additional.fields.key/value |
| has_debug_data | pe.log | additional.fields.key/value |
| section_names | pe.log | additional.fields.key/value |
| ts | x509.log | metadata.event_timestamp
Also, target.application is set to "x509". |
| fingerprint | x509.log | additional.fields.key/value |
| certificate.version | x509.log | network.tls.server.certificate.version |
| certificate.serial | x509.log | network.tls.server.certificate.serial |
| certificate.subject | x509.log | network.tls.server.certificate.subject |
| certificate.issuer | x509.log | network.tls.server.certificate.issuer |
| certificate.cn | x509.log | target.hostname |
| certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
| certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
| certificate.key_alg | x509.log | additional.fields.key/value |
| certificate.sig_alg | x509.log | additional.fields.key/value |
| certificate.key_type | x509.log | additional.fields.key/value |
| certificate.key_length | x509.log | additional.fields.key/value |
| certificate.exponent | x509.log | additional.fields.key/value |
| certificate.curve | x509.log | network.tls.curve |
| handle | x509.log | additional.fields.key/value |
| extensions.name | x509.log | additional.fields.key/value |
| extensions.short_name | x509.log | additional.fields.key/value |
| extensions.oid | x509.log | additional.fields.key/value |
| extensions.critical | x509.log | additional.fields.key/value |
| extensions.value | x509.log | additional.fields.key/value |
| san.dns | x509.log | additional.fields.key/value |
| san.uri | x509.log | additional.fields.key/value |
| san.email | x509.log | additional.fields.key/value |
| san.ip | x509.log | additional.fields.key/value |
| san.other_fields | x509.log | additional.fields.key/value |
| basic_constraints.ca | x509.log | additional.fields.key/value |
| basic_constraints.path_len | x509.log | additional.fields.key/value |
| extensions_cache | x509.log | additional.fields.key/value |
| host_cert | x509.log | additional.fields.key/value |
| client_cert | x509.log | additional.fields.key/value |
| deduplication_index.fingerprint | x509.log | additional.fields.key/value |
| deduplication_index.host_cert | x509.log | additional.fields.key/value |
| deduplication_index.client_cert | x509.log | additional.fields.key/value |
| always_raise_x509_events | x509.log | additional.fields.key/value |
| cert | x509.log | additional.fields.key/value |
Netcontrol
Le tableau suivant répertorie les champs de journal du type de journal netcontrol et leurs champs UDM correspondants.
| Champ de journal d'origine | Type de journal | Champ UDM |
|---|---|---|
| ts | netcontrol.log | metadata.event_timestamp |
| rule_id | netcontrol.log | security_result.rule_id |
| category | netcontrol.log | security_result.category_details |
| cmd | netcontrol.log | additional.fields.key/value |
| state | netcontrol.log | additional.fields.key/value |
| action | netcontrol.log | security_result.action_details |
| target | netcontrol.log | additional.fields.key/value |
| entity_type | netcontrol.log | additional.fields.key/value |
| entity | netcontrol.log | security_result.summary |
| mod | netcontrol.log | additional.fields.key/value |
| msg | netcontrol.log | security_result.description |
| priority | netcontrol.log | security_result.priority_details |
| expire | netcontrol.log | additional.fields.key/value |
| location | netcontrol.log | additional.fields.key/value |
| plugin | netcontrol.log | additional.fields.key/value |
| ts | netcontrol_drop.log | metadata.event_timestamp |
| rule_id | netcontrol_drop.log | security_result.rule_id |
| orig_h | netcontrol_drop.log | principal.ip |
| orig_p | netcontrol_drop.log | principal.port |
| resp_h | netcontrol_drop.log | target.ip |
| resp_p | netcontrol_drop.log | target.port |
| expire | netcontrol_drop.log | additional.fields.key/value |
| location | netcontrol_drop.log | additional.fields.key/value |
| ts | netcontrol_shunt.log | metadata.event_timestamp |
| rule_id | netcontrol_shunt.log | security_result.rule_id |
| f.src_h | netcontrol_shunt.log | principal.ip |
| f.src_p | netcontrol_shunt.log | principal.port |
| f.dst_h | netcontrol_shunt.log | target.ip |
| f.dst_p | netcontrol_shunt.log | target.port |
| expire | netcontrol_shunt.log | additional.fields.key/value |
| location | netcontrol_shunt.log | additional.fields.key/value |
| ts | netcontrol_catch_release.log | metadata.event_timestamp |
| rule_id | netcontrol_catch_release.log | security_result.rule_id |
| ip | netcontrol_catch_release.log | target.ip |
| action | netcontrol_catch_release.log | security_result.action_details |
| block_interval | netcontrol_catch_release.log | additional.fields.key/value |
| watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
| blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
| watched_until | netcontrol_catch_release.log | additional.fields.key/value |
| num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
| location | netcontrol_catch_release.log | additional.fields.key/value |
| message | netcontrol_catch_release.log | security_result.description |
| ts | openflow.log | metadata.event_timestamp |
| dpid | openflow.log | additional.fields.key/value |
| match.in_port | openflow.log | additional.fields.key/value |
| match.dl_src | openflow.log | additional.fields.key/value |
| match.dl_dst | openflow.log | additional.fields.key/value |
| match.dl_vlan | openflow.log | additional.fields.key/value |
| match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
| match.dl_type | openflow.log | additional.fields.key/value |
| match.nw_tos | openflow.log | additional.fields.key/value |
| match.nw_proto | openflow.log | additional.fields.key/value |
| match.nw_src | openflow.log | additional.fields.key/value |
| match.nw_dst | openflow.log | additional.fields.key/value |
| match.tp_src | openflow.log | additional.fields.key/value |
| match.tp_dst | openflow.log | additional.fields.key/value |
| flow_mod.cookie | openflow.log | additional.fields.key/value |
| flow_mod.table_id | openflow.log | additional.fields.key/value |
| flow_mod.command | openflow.log | additional.fields.key/value |
| flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
| flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
| flow_mod.priority | openflow.log | additional.fields.key/value |
| flow_mod.out_port | openflow.log | additional.fields.key/value |
| flow_mod.flags | openflow.log | additional.fields.key/value |
| flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Détection
Le tableau suivant répertorie les champs de journal du type de journal de détection et leurs les champs UDM correspondants.
| Champ de journal d'origine | Type de journal | Champ UDM |
|---|---|---|
| ts | intel.log | metadata.event_timestamp |
| uid | intel.log | network.session_id |
| id.orig_h | intel.log | principal.ip |
| id.orig_p | intel.log | principal.port |
| id.resp_h | intel.log | target.ip |
| id.resp_p | intel.log | target.port |
| seen.indicator | intel.log | additional.fields.key/value |
| seen.indicator_type | intel.log | additional.fields.key/value |
| seen.host | intel.log | additional.fields.key/value |
| seen.where | intel.log | additional.fields.key/value |
| seen.node | intel.log | additional.fields.key/value |
| seen.conn.id.orig_h | intel.log | additional.fields.key/value |
| seen.conn.id.orig_p | intel.log | additional.fields.key/value |
| seen.conn.id.resp_h | intel.log | additional.fields.key/value |
| seen.conn.id.resp_p | intel.log | additional.fields.key/value |
| seen.conn.orig.size | intel.log | network.sent_bytes |
| seen.conn.orig.state | intel.log | additional.fields.key/value |
| seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
| seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.resp.size | intel.log | network.received_bytes |
| seen.conn.resp.state | intel.log | additional.fields.key/value |
| seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
| seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.start_time | intel.log | additional.fields.key/value |
| seen.conn.duration | intel.log | network.session_duration |
| seen.conn.service | intel.log | additional.fields.key/value |
| seen.conn.history | intel.log | metadata.description |
| seen.conn.uid | intel.log | network.session_id |
| seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
| seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
| seen.conn.vlan | intel.log | additional.fields.key/value |
| seen.conn.inner_vlan | intel.log | additional.fields.key/value |
| seen.conn.dpd_state | intel.log | additional.fields.key/value |
| seen.conn.removal_hooks | intel.log | additional.fields.key/value |
| seen.conn.extract_orig | intel.log | additional.fields.key/value |
| seen.conn.extract_resp | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
| seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
| seen.conn.http_state.pending | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
| seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
| seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
| seen.conn.known_services_done | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
| seen.conn.speculative_service | intel.log | additional.fields.key/value |
| seen.uid | intel.log | additional.fields.key/value |
| seen.f.id | intel.log | additional.fields.key/value |
| seen.f.parent_id | intel.log | additional.fields.key/value |
| seen.f.source | intel.log | target.file.full_path |
| seen.f.is_orig | intel.log | additional.fields.key/value |
| seen.f.conns | intel.log | additional.fields.key/value |
| seen.f.last_active | intel.log | additional.fields.key/value |
| seen.f.seen_bytes | intel.log | additional.fields.key/value |
| seen.f.total_bytes | intel.log | additional.fields.key/value |
| seen.f.missing_bytes | intel.log | additional.fields.key/value |
| seen.f.overflow_bytes | intel.log | additional.fields.key/value |
| seen.f.timeout_interval | intel.log | additional.fields.key/value |
| seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
| seen.f.bof_buffer | intel.log | additional.fields.key/value |
| seen.f.u2_events | intel.log | additional.fields.key/value |
| seen.fuid | intel.log | additional.fields.key/value |
| matched | intel.log | additional.fields.key/value |
| sources | intel.log | additional.fields.key/value |
| fuid | intel.log | additional.fields.key/value |
| file_mime_type | intel.log | target.file.mime_type |
| file_desc | intel.log | additional.fields.key/value |
| cif.tags | intel.log | additional.fields.key/value |
| cif.confidence | intel.log | additional.fields.key/value |
| cif.source | intel.log | additional.fields.key/value |
| cif.description | intel.log | additional.fields.key/value |
| cif.firstseen | intel.log | additional.fields.key/value |
| cif.lastseen | intel.log | additional.fields.key/value |
| ts | notice.log | metadata.event_timestamp |
| uid | notice.log | network.session_id |
| id.orig_h | notice.log | principal.ip |
| id.orig_p | notice.log | principal.port |
| id.resp_h | notice.log | target.ip |
| id.resp_p | notice.log | target.port |
| conn.id.orig_h | notice.log | additional.fields.key/value |
| conn.id.orig_p | notice.log | additional.fields.key/value |
| conn.id.resp_h | notice.log | additional.fields.key/value |
| conn.id.resp_p | notice.log | additional.fields.key/value |
| conn.orig.size | notice.log | network.sent_bytes |
| conn.orig.state | notice.log | additional.fields.key/value |
| conn.orig.num_pkts | notice.log | additional.fields.key/value |
| conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.orig.flow_label | notice.log | additional.fields.key/value |
| conn.orig.l2_addr | notice.log | additional.fields.key/value |
| conn.resp.size | notice.log | network.received_bytes |
| conn.resp.state | notice.log | additional.fields.key/value |
| conn.resp.num_pkts | notice.log | additional.fields.key/value |
| conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.resp.flow_label | notice.log | additional.fields.key/value |
| conn.resp.l2_addr | notice.log | additional.fields.key/value |
| conn.start_time | notice.log | additional.fields.key/value |
| conn.duration | notice.log | network.session_duration |
| conn.service | notice.log | additional.fields.key/value |
| conn.history | notice.log | metadata.description |
| conn.uid | notice.log | network.session_id |
| conn.tunnel.queued | notice.log | additional.fields.key/value |
| conn.tunnel.dispatched | notice.log | additional.fields.key/value |
| conn.vlan | notice.log | additional.fields.key/value |
| conn.inner_vlan | notice.log | additional.fields.key/value |
| conn.dpd_state.violations | notice.log | additional.fields.key/value |
| conn.removal_hooks | notice.log | additional.fields.key/value |
| conn.extract_orig | notice.log | additional.fields.key/value |
| conn.extract_resp | notice.log | additional.fields.key/value |
| conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
| conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
| conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
| conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
| conn.thresholds.duration | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_backing | notice.log | additional.fields.key/value |
| conn.dns_state.pending_query | notice.log | additional.fields.key/value |
| conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
| conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
| conn.ftp_data_reuse | notice.log | additional.fields.key/value |
| conn.http_state.pending | notice.log | additional.fields.key/value |
| conn.http_state.current_request | notice.log | additional.fields.key/value |
| conn.http_state.current_response | notice.log | additional.fields.key/value |
| conn.http_state.trans_depth | notice.log | additional.fields.key/value |
| conn.sip_state.pending | notice.log | additional.fields.key/value |
| conn.sip_state.current_request | notice.log | additional.fields.key/value |
| conn.sip_state.current_response | notice.log | additional.fields.key/value |
| conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
| conn.smb_state.fid_map | notice.log | additional.fields.key/value |
| conn.smb_state.tid_map | notice.log | additional.fields.key/value |
| conn.smb_state.uid_map | notice.log | additional.fields.key/value |
| conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
| conn.smb_state.recent_files | notice.log | additional.fields.key/value |
| conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
| conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
| conn.known_services_done | notice.log | additional.fields.key/value |
| mqtt.ts | notice.log | additional.fields.key/value |
| mqtt.uid | notice.log | additional.fields.key/value |
| mqtt.id | notice.log | additional.fields.key/value |
| mqtt.proto_name | notice.log | additional.fields.key/value |
| mqtt.proto_version | notice.log | additional.fields.key/value |
| mqtt.client_id | notice.log | additional.fields.key/value |
| mqtt.connect_status | notice.log | additional.fields.key/value |
| mqtt.will_topic | notice.log | additional.fields.key/value |
| mqtt.will_payload | notice.log | additional.fields.key/value |
| conn.mqtt_state.publish | notice.log | additional.fields.key/value |
| conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
| conn.speculative_service | notice.log | additional.fields.key/value |
| iconn.orig_h | notice.log | additional.fields.key/value |
| iconn.resp_h | notice.log | additional.fields.key/value |
| iconn.itype | notice.log | additional.fields.key/value |
| iconn.icode | notice.log | additional.fields.key/value |
| iconn.len | notice.log | additional.fields.key/value |
| iconn.hlim | notice.log | additional.fields.key/value |
| iconn.v6 | notice.log | additional.fields.key/value |
| f.id | notice.log | additional.fields.key/value |
| f.parent_id | notice.log | additional.fields.key/value |
| f.source | notice.log | target.file.full_path |
| f.is_orig | notice.log | additional.fields.key/value |
| f.conns | notice.log | additional.fields.key/value |
| f.last_active | notice.log | additional.fields.key/value |
| f.seen_bytes | notice.log | additional.fields.key/value |
| f.total_bytes | notice.log | additional.fields.key/value |
| f.missing_bytes | notice.log | additional.fields.key/value |
| f.overflow_bytes | notice.log | additional.fields.key/value |
| f.timeout_interval | notice.log | additional.fields.key/value |
| f.bof_buffer_size | notice.log | additional.fields.key/value |
| f.bof_buffer | notice.log | additional.fields.key/value |
| f.u2_events | notice.log | additional.fields.key/value |
| fuid | notice.log | additional.fields.key/value |
| file_mime_type | notice.log | target.file.mime_type |
| file_desc | notice.log | additional.fields.key/value |
| proto | notice.log | network.ip_protocol |
| note | notice.log | security_result.description |
| msg | notice.log | security_result.summary |
| sub | notice.log | additional.fields.key/value |
| src | notice.log | principal.ip |
| dst | notice.log | target.ip |
| p | notice.log | target.port |
| n | notice.log | additional.fields.key/value |
| peer_name | notice.log | additional.fields.key/value |
| peer_descr | notice.log | additional.fields.key/value |
| actions | notice.log | security_result.action_details |
| email_dest | notice.log | network.email.to (repeated) |
| email_body_sections | notice.log | network.email.subject (repeated) |
| email_delay_tokens | notice.log | additional.fields.key/value |
| identifier | notice.log | additional.fields.key/value |
| suppress_for | notice.log | additional.fields.key/value |
| remote_location.country_code | notice.log | additional.fields.key/value |
| remote_location.region | notice.log | principal.asset.location.country_or_region |
| remote_location.city | notice.log | principal.asset.location.city |
| remote_location.latitude | notice.log | additional.fields.key/value |
| remote_location.longitude | notice.log | additional.fields.key/value |
| dropped | notice.log | security_result.action_details |
| ts | signatures.log | metadata.event_timestamp |
| uid | signatures.log | network.session_id |
| src_addr | signatures.log | principal.ip |
| src_port | signatures.log | principal.port |
| dst_addr | signatures.log | target.ip |
| dst_port | signatures.log | target.port |
| note | signatures.log | security_result.summary |
| sig_id | signatures.log | additional.fields.key/value |
| event_msg | signatures.log | metadata.description |
| sub_msg | signatures.log | additional.fields.key/value |
| sig_count | signatures.log | additional.fields.key/value |
| host_count | signatures.log | additional.fields.key/value |
| ts | traceroute.log | metadata.event_timestamp |
| src | traceroute.log | principal.ip |
| dst | traceroute.log | target.ip |
| proto | traceroute.log | network.ip_protocol |
Observations sur le réseau
Le tableau suivant répertorie les champs de journal du type de journal "Network Observations" (Observations réseau) et les champs UDM correspondants.
| Champ de journal d'origine | Type de journal | Champ UDM |
|---|---|---|
| ts | known_certs.log | metadata.event_timestamp |
| host | known_certs.log | principal.ip |
| port_num | known_certs.log | principal.port |
| subject | known_certs.log | network.tls.client.certificate.subject |
| issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
| serial | known_certs.log | network.tls.client.certificate.serial |
| ts | known_hosts.log | metadata.event_timestamp |
| host | known_hosts.log | principal.ip |
| ts | known_modbus.log | metadata.event_timestamp |
| host | known_modbus.log | principal.ip |
| device_type | known_modbus.log | target.resource.name
target.resource.resource_type = "DEVICE" |
| ts | known_services.log | metadata.event_timestamp |
| host | known_services.log | principal.ip |
| port_num | known_services.log | principal.port |
| port_proto | known_services.log | network.ip_protocol |
| service | known_services.log | target.application |
| ts | software.log | metadata.event_timestamp |
| host | software.log | principal.ip |
| host_p | software.log | principal.port |
| software_type | software.log | principal.resource.resource_subtype |
| name | software.log | principal.resource.name |
| version.major | software.log | additional.fields.key/value |
| version.minor | software.log | additional.fields.key/value |
| version.minor2 | software.log | additional.fields.key/value |
| version.minor3 | software.log | additional.fields.key/value |
| version.addl | software.log | additional.fields.key/value |
| unparsed_version | software.log | additional.fields.key/value |
| force_log | software.log | additional.fields.key/value |
| url | software.log | metadata.url_back_to_product |
Référence de mappage de champ : ID d'événement vers le type d'événement UDM
Pour comprendre comment l'analyseur mappe les noms de journaux aux types d'événements UDM, consultez les sections suivantes :
Protocoles de réseau
Le tableau suivant répertorie les noms de journaux du type de journal des protocoles réseau et les types d'événements UDM correspondants.
| Nom du journal | Description | Type d'événement UDM |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
| dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
| dhcp.log | DHCP leases | NETWORK_DHCP |
| dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
| dns.log | DNS activity | NETWORK_DNS |
| ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
| http.log | HTTP requests and replies | NETWORK_HTTP |
| irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
| kerberos.log | Kerberos | NETWORK_CONNECTION |
| modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
| modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
| mysql.log | MySQL | NETWORK_UNCATEGORIZED |
| ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
| ntp.log | Network Time Protocol | NETWORK_CONNECTION |
| radius.log | RADIUS authentication attempts | USER_LOGIN |
| rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
| rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
| sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
| smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
| smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
| smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
| smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
| snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
| socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
| ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
| ssl.log | SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info | NETWORK_HTTP
NETWORK_CONNECTION |
| syslog.log | Syslog messages | NETWORK_CONNECTION |
| tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Fichiers
Le tableau suivant répertorie les noms de journaux correspondant au type de journal des fichiers. et les types d'événements UDM correspondants.
| Nom du journal | Description | Type d'événement UDM |
|---|---|---|
| files.log | File analysis results | NETWORK_UNCATEGORIZED |
| ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
| pe.log | Portable Executable (PE) | GENERIC_EVENT |
| x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
Le tableau suivant répertorie les noms de journaux du type de journal netcontrol et les types d'événements UDM correspondants.
| Nom du journal | Description | Type d'événement UDM |
|---|---|---|
| netcontrol.log | NetControl actions | GENERIC_EVENT |
| netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
| netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
| netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
| openflow.log | OpenFlow debug log | GENERIC_EVENT |
Détection
Le tableau suivant répertorie les noms de journaux du type de journal de détection et les types d'événements UDM correspondants.
| Nom du journal | Description | Type d'événement UDM |
|---|---|---|
| intel.log | Intelligence data matches | GENERIC_EVENT |
| notice.log | Zeek notices | NETWORK_CONNECTION |
| notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
| signatures.log | Signature matches | GENERIC_EVENT |
| traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
Observations réseau
Le tableau suivant liste les noms de journaux du type de journal "Network Observations" (Observations réseau) et les types d'événements UDM correspondants.
| Nom du journal | Description | Type d'événement UDM |
|---|---|---|
| known_certs.log | SSL certificates | GENERIC_EVENT |
| known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
| known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
| known_services.log | Services running on hosts | GENERIC_EVENT |
| software.log | Software used on the network | GENERIC_EVENT |