이 페이지는 Cloud Translation API를 통해 번역되었습니다.

Corelight 센서 로그 수집

다음에서 지원:

Google SecOps SIEM

이 문서에서는 Corelight 센서 및 Google Security Operations 전달자를 구성하여 Corelight 센서 로그를 수집하는 방법을 설명합니다. 이 문서에는 Corelight 센서에서 생성되는 지원되는 로그 유형과 지원되는 Corelight 버전도 나와 있습니다.

자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.

시작하기 전에

Corelight 센서의 버전을 확인합니다. Corelight Google SecOps 파서는 버전 27.12 이하용으로 설계되었습니다. 이후 버전의 Corelight 센서에는 파서가 인식하지 못하는 추가 로그가 있을 수 있으며, 이러한 로그는 필드 파싱이 제한되거나 받지 못할 수 있습니다. 하지만 로그 콘텐츠는 Google SecOps에서 원시 로그 형식으로 계속 사용할 수 있습니다.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Corelight 문서의 사용자 인증 정보가 있는지 확인합니다.

배포 및 로그 수집 방법

다음 배포 아키텍처 다이어그램은 두 가지 다른 수집 아키텍처를 사용하여 Google Security Operations로 로그를 전송하도록 Corelight 센서를 설정하는 방법을 보여줍니다. 각 고객 배포는 이 표현과 다를 수 있고 더 복잡할 수 있습니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 CORELIGHT 수집 라벨이 있는 파서에 적용됩니다.

Corelight 내보내기 도구를 사용하여 Google SecOps에 로그 수집

배포 아키텍처

이 아키텍처 다이어그램은 다음 구성요소를 보여줍니다.

Corelight 센서: Corelight 센서를 실행하는 시스템입니다.
Corelight 센서 내보내기: Corelight 센서 내보내기는 센서에서 로그 데이터를 수집하여 Google Security Operations로 전달합니다.
Google Security Operations: Google Security Operations는 Corelight 센서의 로그를 보관하고 분석합니다.

Google SecOps용 Corelight 로그 내보내기 도구 구성

관리자로 Corelight Sensor에 로그인합니다.
내보내기 도구 (동적) 탭을 선택하고 Google SecOps를 선택합니다.
다음 입력 매개변수를 구성합니다.
- 내보내기 도구 이름: 내보내기 도구의 이름입니다.
- Google SecOps 고객 ID: Google SecOps의 고객 ID입니다.
- Google SecOps 네임스페이스: 데이터를 정리하고 관리하기 위해 Google SecOps와 연결된 고유한 네임스페이스입니다.
- Google SecOps 라벨: 라벨을 나타내는 키-값 쌍의 집합입니다.
- 리전: Google SecOps가 배포된 지리적 리전입니다.
- 사용자 인증 정보: Google SecOps에 안전하게 연결하고 데이터를 내보내는 데 필요한 인증 세부정보입니다.
- 프록시 URL: 내보내기 도구와 Google SecOps 간에 트래픽을 라우팅하는 데 사용되는 프록시 서버의 URL입니다.
- 로그 유형 필터: 특정 로그 유형을 포함할지 제외할지 지정합니다.
- Zeek 로그: 적용 가능한 옵션을 모두 선택하여 포함하거나 제외할 로그 유형을 선택합니다.
완료를 클릭합니다.

포워더를 사용하여 Google SecOps에 로그 수집

배포 아키텍처

이 아키텍처 다이어그램은 다음 구성요소를 보여줍니다.

Corelight 센서: Corelight 센서를 실행하는 시스템입니다.
Corelight 센서 내보내기: Corelight 센서 내보내기는 센서에서 로그 데이터를 수집하여 Google Security Operations 전달자에게 전달합니다.
Google Security Operations 전달자: Google Security Operations 전달자는 syslog를 지원하는 고객의 네트워크에 배포된 경량 소프트웨어 구성요소입니다. Google Security Operations 전달자는 로그를 Google Security Operations로 전달합니다.
Google Security Operations: Google Security Operations는 Corelight 센서의 로그를 보관하고 분석합니다.

Google Security Operations 전달자 구성

Google Security Operations 전달자를 구성하려면 다음을 수행합니다.

Google Security Operations 전달자를 설정합니다. Linux에서 전달자 설치 및 구성을 참조하세요.

Google Security Operations 전달자를 구성하여 로그를 Google Security Operations에 전송합니다.

  collectors:
    - syslog:
        common:
          enabled: true
          data_type:  CORELIGHT
          data_hint:
          batch_n_seconds: 10
          batch_n_bytes: 1048576
        tcp_address: <Chronicle forwarder listening IP:Port>
        tcp_buffer_size: 524288
        udp_address: <Chronicle forwarder listening IP:Port>
        connection_timeout_sec: 60

Corelight 센서 내보내기 도구 구성

관리자로 Corelight Sensor에 로그인합니다.
Export 탭을 선택합니다.
EXPORT TO SYSLOG 옵션을 찾아 사용 설정합니다.
EXPORT TO SYSLOG에서 다음 필드를 구성합니다.
- SYSLOG SERVER: Google Security Operations 전달자 syslog 리스너의 IP 주소와 포트를 지정합니다.
- Advanced Settings > SYSLOG FORMAT으로 이동하고 설정을 Legacy로 변경합니다.
Apply Changes를 클릭합니다.

지원되는 Corelight 로그 유형

Corelight 파서는 Corelight 센서에서 생성된 다음 로그 유형을 지원합니다.

Log Type

conn
conn_long
conn_red
dce_rpc
dns
dns_red
files
files_red
http
http2
http_red
intel
irc
notice
rdp
sip
smb_files
smb_mapping
smtp
smtp_links
ssh
ssl
ssl_red
suricata_corelight
bacnet
cip
corelight_burst
corelight_overall_capture_loss
corelight_profiling
datared
dga
dhcp
dnp3
dpd
encrypted_dns
enip
enip_debug
enip_list_identity
etc_viz
ftp
generic_dns_tunnels
generic_icmp_tunnels
icmp_specific_tunnels
ipsec
iso_cotp
kerberos
known_certs
known_devices
known_domains
known_hosts
known_names
known_remotes
known_services
known_users
ldap
ldap_search
local_subnets
local_subnets_dj
local_subnets_graphs
log4shell
modbus
mqtt_connect
mqtt_publish
mqtt_subscribe
mysql
napatech_shunting
ntlm
ntp
pe
profinet
profinet_dce_rpc
profinet_debug
radius
reporter
rfb
s7comm
smartpcap
snmp
socks
software
specific_dns_tunnels
stepping
stun
stun_nat
suricata_eve
suricata_stats
syslog
tds
tds_rpc
tds_sql_batch
traceroute
tunnel
unknown-smartpcap
vpn
weird
weird_red
wireguard
x509
x509_red
conn_agg
dns_agg
files_agg
http_agg
ssl_agg
weird_agg

필드 매핑 참조

이 섹션에서는 Google Security Operations 파서에서 Corelight 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.

필드 매핑 참조: CORELIGHT - 공통 필드

다음 표에는 CORELIGHT 로그의 공통 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Corelight`.
`_path (string)`	`metadata.product_event_type`
`_system_name (string)`	`observer.hostname`
`ts (time)`	`metadata.event_timestamp`
`uid (string)`	`about.labels [uid], additional.fields [uid]`
`id.orig_h (string - addr)`	`principal.ip`
`id.orig_p (integer - port)`	`principal.port`
`id.resp_h (string - addr)`	`target.ip`
`id.resp_p (integer - port)`	`target.port`
`_write_ts`	`metadata.collected_timestamp`
`id.vlan (integer - int)`	`additional.fields [id_vlan]`
`id.vlan_inner (integer - int)`	`additional.fields [id_vlan_inner]`
`id.orig_ep_cid (string)`	`additional.fields [id_orig_ep_cid]`
`id.orig_ep_source (string)`	`additional.fields [id_orig_ep_source]`
`id.orig_ep_status (string)`	`additional.fields [id_orig_ep_status]`
`id.orig_ep_uid (string)`	`additional.fields [id_orig_ep_uid]`
`id.resp_ep_cid (string)`	`additional.fields [id_resp_ep_cid]`
`id.resp_ep_source (string)`	`additional.fields [id_resp_ep_source]`
`id.resp_ep_status (string)`	`additional.fields [id_resp_ep_status]`
`id.resp_ep_uid (string)`	`additional.fields [id_resp_ep_uid]`
`uids (array[string] - vector of string)`	`additional.fields [uid]`
`count (integer - int)`	`additional.fields [count]`
`ts_last`	`additional.fields [ts_last]`

필드 매핑 참조: CORELIGHT - conn, conn_red, conn_long, conn_agg

다음 표에는 conn, conn_red, conn_long, conn_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`service (string)`	`network.application_protocol`
`duration (number - interval)`	`network.session_duration`
`orig_bytes (integer - count)`	`network.sent_bytes`
`resp_bytes (integer - count)`	`network.received_bytes`
`conn_state (string)`	`metadata.description`	If the `conn_state` log field value is equal to `S0`, then the `metadata.description` UDM field is set to `S0: Connection attempt seen, no reply`. Else, if the `conn_state` log field value is equal to `S1`, then the `metadata.description` UDM field is set to `S1: Connection established, not terminated`. Else, if the `conn_state` log field value is equal to `S2`, then the `metadata.description` UDM field is set to `S2: Connection established and close attempt by originator seen (but no reply from responder)`. Else, if the `conn_state` log field value is equal to `S3`, then the `metadata.description` UDM field is set to `S3: Connection established and close attempt by responder seen (but no reply from originator)`. Else, if the `conn_state` log field value is equal to `SF`, then the `metadata.description` UDM field is set to `SF: Normal SYN/FIN completion`. Else, if the `conn_state` log field value is equal to `REJ`, then the `metadata.description` UDM field is set to `REJ: Connection attempt rejected`. Else, if the `conn_state` log field value is equal to `RSTO`, then the `metadata.description` UDM field is set to `RSTO: Connection established, originator aborted (sent a RST)`. Else, if the `conn_state` log field value is equal to `RSTOS0`, then the `metadata.description` UDM field is set to `RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder`. Else, if the `conn_state` log field value is equal to `RSTOSH`, then the `metadata.description` UDM field is set to `RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator`. Else, if the `conn_state` log field value is equal to `RSTR`, then the `metadata.description` UDM field is set to `RSTR: Established, responder aborted`. Else, if the `conn_state` log field value is equal to `SH`, then the `metadata.description` UDM field is set to `SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open)`. Else, if the `conn_state` log field value is equal to `SHR`, then the `metadata.description` UDM field is set to `SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator`. Else, if the `conn_state` log field value is equal to `OTH`, then the `metadata.description` UDM field is set to `OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed)`.
`local_orig (boolean - bool)`	`about.labels [local_orig]`
`local_resp (boolean - bool)`	`about.labels [local_resp]`
`missed_bytes (integer - count)`	`about.labels [missed_bytes]`
`history (string)`	`about.labels [history]`
`orig_pkts (integer - count)`	`network.sent_packets`
`orig_ip_bytes (integer - count)`	`principal.labels [orig_ip_bytes]`
`resp_pkts (integer - count)`	`network.received_packets`
`resp_ip_bytes (integer - count)`	`target.labels [resp_ip_bytes]`
`tunnel_parents (array[string] - set[string])`	`intermediary.labels [tunnel_parent]`
`orig_cc (string)`	`principal.ip_geo_artifact.location.country_or_region`
`resp_cc (string)`	`target.ip_geo_artifact.location.country_or_region`
`suri_ids (array[string] - set[string])`	`security_result.rule_id`
`spcap.url (string)`	`security_result.url_back_to_product`
`spcap.rule (integer - count)`	`security_result.rule_labels [spcap_rule]`
`spcap.trigger (string)`	`security_result.detection_fields [spcap_trigger]`
`app (array[string] - vector of string)`	`about.application`
`corelight_shunted (boolean - bool)`	`about.labels [corelight_shunted]`
`orig_shunted_pkts (integer - count)`	`principal.labels [orig_shunted_pkts]`
`orig_shunted_bytes (integer - count)`	`principal.labels [orig_shunted_bytes]`
`resp_shunted_pkts (integer - count)`	`target.labels [resp_shunted_pkts]`
`resp_shunted_bytes (integer - count)`	`target.labels [resp_shunted_bytes]`
`orig_l2_addr (string)`	`principal.mac`
`resp_l2_addr (string)`	`target.mac`
`id_orig_h_n.src (string)`	`principal.labels [id_orig_h_n_src]`
`id_orig_h_n.vals (array[string] - set[string])`	`principal.labels [id_orig_h_n_val]`
`id_resp_h_n.src (string)`	`target.labels [id_resp_h_n_src]`
`id_resp_h_n.vals (array[string] - set[string])`	`target.labels [id_resp_h_n_val]`
`vlan (integer - int)`	`intermediary.labels [vlan]`
`inner_vlan (integer - int)`	`intermediary.labels [inner_vlan]`
`community_id (string)`	`network.community_id`
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
`service (string)`	`about.labels [service]`
`orig_ep_cid (string)`	`additional.fields [orig_ep_cid]`
`orig_ep_source (string)`	`additional.fields [orig_ep_source]`
`orig_ep_status (string)`	`additional.fields [orig_ep_status]`
`orig_ep_uid (string)`	`additional.fields [orig_ep_uid]`
`resp_ep_cid (string)`	`additional.fields [resp_ep_cid]`
`resp_ep_source (string)`	`additional.fields [resp_ep_source]`
`resp_ep_status (string)`	`additional.fields [resp_ep_status]`
`resp_ep_uid (string)`	`additional.fields [resp_ep_uid]`
`id_orig_h_n`	`principal.ip`
`id_resp_h_n`	`target.ip`
`netskope_site_ids`	`additional.fields[netskope_site_ids]`	Iterate through log field `netskope_site_ids`, then `netskope_site_id_%{index}` log field is mapped to the `additional.fields.key` UDM field and `netskope_site_id` log field is mapped to the `additional.fields.value` UDM field.
`netskope_user_ids`	`additional.fields[netskope_user_ids]`	Iterate through log field `netskope_user_ids`, then `netskope_user_id_%{index}` log field is mapped to the `additional.fields.key` UDM field and `netskope_user_id` log field is mapped to the `additional.fields.value` UDM field.
`write_ts`	`additional.fields[write_ts]`
`spcap.urls (array[string] - vector of string)`	`security_result.url_back_to_product`	Iterate through log field `spcap.urls`, then `spcap.urls` log field is mapped to the `security_result.url_back_to_product` UDM field.
`community_ids (array[string] - vector of string)`	`network.community_id`	Iterate through log field `community_ids`, then if index is equal to `0` then, `community_id` log field is mapped to the `network.community_id` UDM field. Else, `community_id_%{index}` log field is mapped to the `additional.fields.key` UDM field and `community_id` log field is mapped to the `additional.fields.value` UDM field.

필드 매핑 참조: CORELIGHT - dce_rpc

다음 표에는 dce_rpc 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`rtt (number - interval)`	`network.session_duration`
`named_pipe (string)`	`intermediary.resource.name`
	`intermediary.resource.resource_type`	If the `named_pipe` log field value is not empty, then the `intermediary.resource.resource_type` UDM field is set to `PIPE`.
`endpoint (string)`	`target.labels [endpoint]`
`operation (string)`	`target.labels [operation]`
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DCERPC`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
`operation, endpoint, named_pipe (string)`	`metadata.description`	The `metadata.description` UDM field is set with `operation`, `endpoint`, `named_pipe` log fields as "operation `operation` on `endpoint` using named pipe `named_pipe`".
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.

필드 매핑 참조: CORELIGHT - dns, dns_red, dns_agg

다음 표에는 dns, dns_red, dns_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`proto (string - enum)`	`network.ip_protocol`
`trans_id (integer - count)`	`network.dns.id`
`rtt (number - interval)`	`network.session_duration`
`query (string)`	`network.dns.questions.name`
`qclass (integer - count)`	`network.dns.questions.class`
`qclass_name (string)`	`about.labels [qclass_name]`
`qtype (integer - count)`	`network.dns.questions.type`
`qtype_name (string)`	`about.labels [qtype_name]`
`rcode (integer - count)`	`network.dns.response_code`
`rcode (integer - count)`	`network.dns.response`	If the `rcode` log field value is not empty, then the `network.dns.response` UDM field is set to `true`.
`rcode_name (string)`	`about.labels [rcode_name]`
`AA (boolean - bool)`	`network.dns.authoritative`
`TC (boolean - bool)`	`network.dns.truncated`
`RD (boolean - bool)`	`network.dns.recursion_desired`
`RA (boolean - bool)`	`network.dns.recursion_available`
`Z (integer - count)`	`about.labels [Z]`
`answers (array[string] - vector of string)`	`network.dns.answers.name`
`TTLs (array[number] - vector of interval)`	`network.dns.answers.ttl`
`rejected (boolean - bool)`	`about.labels [rejected]`
`is_trusted_domain (string)`	`about.labels [is_trusted_domain]`
`icann_host_subdomain (string)`	`about.labels [icann_host_subdomain]`
`icann_domain (string)`	`network.dns_domain`
`icann_tld (string)`	`about.labels [icann_tld]`
`num (integer - count)`	`security_result.detection_fields [num]`

필드 매핑 참조: CORELIGHT - http, http_red, http2, http_agg

다음 표에는 http, http_red, http2, http_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_HTTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`method (string)`	`network.http.method`
`host (string)`	`target.hostname`
`uri (string)`	`target.url`
`referrer (string)`	`network.http.referral_url`
`version (string)`	`network.application_protocol_version`
`user_agent (string)`	`network.http.user_agent`
`origin (string)`	`principal.hostname`
`request_body_len (integer - count)`	`network.sent_bytes`
`response_body_len (integer - count)`	`network.received_bytes`
`status_code (integer - count)`	`network.http.response_code`
`status_msg (string)`	`about.labels [status_msg]`
`info_code (integer - count)`	`about.labels [info_code]`
`info_msg (string)`	`about.labels [info_msg]`
`tags (array[string] - set[enum])`	`about.labels [tags]`
`username (string)`	`principal.user.user_display_name`
`password (string)`	`extensions.auth.auth_details`
`proxied (array[string] - set[string])`	`intermediary.hostname`
`orig_fuids (array[string] - vector of string)`	`about.labels [orig_fuid]`
`orig_filenames (array[string] - vector of string)`	`src.file.names`	The `orig_filenames` log field is mapped to `src.file.names` UDM field when index value in `orig_filenames` is equal to `0`. For every other index value, `orig_filenames` log field is mapped to the `about.file.names`.
`orig_mime_types (array[string] - vector of string)`	`src.file.mime_type`	The `orig_mime_types` log field is mapped to `src.file.mime_type` UDM field when index value in `orig_mime_types` is equal to `0`. For every other index value, `orig_mime_types` log field is mapped to the `about.file.mime_type`.
`resp_fuids (array[string] - vector of string)`	`about.labels [resp_fuid]`
`resp_filenames (array[string] - vector of string)`	`target.file.names`	The `resp_filenames` log field is mapped to `target.file.names` UDM field when index value in `resp_filenames` is equal to `0`. For every other index value, `resp_filenames` log field is mapped to the `about.file.names`.
`resp_mime_types (array[string] - vector of string)`	`target.file.mime_type`	The `resp_mime_types` log field is mapped to `target.file.mime_type` UDM field when index value in `resp_mime_types` is equal to `0`. For every other index value, `resp_mime_types` log field is mapped to the `about.file.mime_type`.
`post_body (string)`	`about.labels [post_body]`
`stream_id (integer - count)`	`about.labels [stream_id]`
`encoding (string)`	`about.labels [encoding]`
`push (boolean - bool)`	`about.labels [push]`
`versions (array[float] - vector of float)`	`network.application_protocol_version`	Iterate through log field `versions`, then if index is equal to `0` then, `version` log field is mapped to the `network.application_protocol_version` UDM field. Else, `version_%{index}` log field is mapped to the `additional.fields.key` UDM field and `version` log field is mapped to the `additional.fields.value` UDM field.
`user_agents (array[string] - vector of string)`	`network.http.user_agent`	Iterate through log field `user_agents`, then if index is equal to `0` then, `user_agent` log field is mapped to the `network.http.user_agent` UDM field. Else, `user_agent_%{index}` log field is mapped to the `additional.fields.key` UDM field and `user_agent` log field is mapped to the `additional.fields.value` UDM field.

필드 매핑 참조: CORELIGHT - smtp_links

다음 표에는 smtp_links 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_SMTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMTP`.
`fuid (string)`	`about.labels [fuid]`
`link (string)`	`about.url`
`domain (string)`	`about.domain.name`

필드 매핑 참조: CORELIGHT - irc

다음 표에는 irc 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`nick (string)`	`principal.user.user_display_name`
`user (string)`	`principal.user.userid`	If the `user` log field value is less than or equal to 255, then the `user` log field is mapped to the `principal.user.userid` UDM field. Else, the `user` log field is mapped to the `about.labels` UDM field.
`command, value, addl`	`principal.process.command_line`
`dcc_file_name (string)`	`src.file.names`
`dcc_file_size (integer - count)`	`src.file.size`
`dcc_mime_type (string)`	`src.file.mime_type`
`fuid (string)`	`about.labels [fuid]`

필드 매핑 참조: CORELIGHT - files, files_red, files_agg

다음 표에는 files, files_red, files_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fuid (string)`	`about.labels [fuid]`
`tx_hosts (array[string] - set[addr])`	`principal.ip`
`rx_hosts (array[string] - set[addr])`	`target.ip`
`conn_uids (array[string] - set[string])`	`about.labels [conn_uid]`
`source (string)`	`about.labels [source]`
`depth (integer - count)`	`about.labels [depth]`
`analyzers (array[string] - set[string])`	`about.labels [analyzer]`
`mime_type (string)`	`about.file.mime_type`
`filename (string)`	`about.file.names`
`duration (number - interval)`	`about.labels [duration]`
`local_orig (boolean - bool)`	`about.labels [local_orig]`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`seen_bytes (integer - count)`	`about.file.size`
`total_bytes (integer - count)`	`about.labels [total_bytes]`
`missing_bytes (integer - count)`	`about.labels [missing_bytes]`
`overflow_bytes (integer - count)`	`about.labels [overflow_bytes]`
`timedout (boolean - bool)`	`about.labels [timedout]`
`parent_fuid (string)`	`about.labels [parent_fuid]`
`md5 (string)`	`about.file.md5`
`sha1 (string)`	`about.file.sha1`
`sha256 (string)`	`about.file.sha256`
`md5 (string)`	`network.tls.client.certificate.md5`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.md5` UDM field is set to `md5`.
`sha1 (string)`	`network.tls.client.certificate.sha1`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.sha1` UDM field is set to `sha1`.
`sha256 (string)`	`network.tls.client.certificate.sha256`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-user-cert` and the `_path` log field value is equal to `files`, then the `network.tls.client.certificate.sha256` UDM field is set to `sha256`.
`md5 (string)`	`network.tls.server.certificate.md5`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.md5` UDM field is set to `md5`.
`sha1 (string)`	`network.tls.server.certificate.sha1`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.sha1` UDM field is set to `sha1`.
`sha256 (string)`	`network.tls.server.certificate.sha256`	If the `source` log field value is equal to `ssl` and the `mime_type` log field value is equal to `application/x-x509-ca-cert` and the `_path` log field value is equal to `files`, then the `network.tls.server.certificate.sha256` UDM field is set to `sha256`.
`extracted (array[string] - set[string])`	`about.file.names`
`extracted_cutoff (boolean - bool)`	`about.labels [extracted_cutoff]`
`extracted_size (integer - count)`	`about.labels [extracted_size]`
`num (integer - count)`	`about.labels [num]`
`vlan (integer - int)`	`additional.fields [vlan]`
`vlan_inner (integer - int)`	`additional.fields [vlan_inner]`
`mime_types (array[string] - vector of string)`	`target.file.mime_type`	Iterate through log field `mime_type`, then if index is equal to `0` then, `mime_type` log field is mapped to the `target.file.mime_type` UDM field. Else, `mime_type_%{index}` log field is mapped to the `additional.fields.key` UDM field and `mime_type` log field is mapped to the `additional.fields.value` UDM field.
`timedouts (array[boolean] - vector of bool)`	`additional.fields[timedouts]`	Iterate through log field `timedouts`, then `timedout_%{index}` log field is mapped to the `additional.fields.key` UDM field and `timedouts` log field is mapped to the `additional.fields.value` UDM field.

필드 매핑 참조: CORELIGHT - notice

다음 표에는 notice 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fuid (string)`	`about.labels [fuid]`
`file_mime_type (string)`	`target.file.mime_type`
`file_desc (string)`	`about.labels [file_desc]`
`proto (string - enum)`	`network.ip_protocol`
`note (string - enum)`	`security_result.description`
`msg (string)`	`metadata.description`
`sub (string)`	`about.labels [sub]`
`src (string - addr)`	`principal.ip`
`dst (string - addr)`	`target.ip`
`p (integer - port)`	`about.port`
`n (integer - count)`	`about.labels [n]`
`peer_descr (string)`	`about.labels [peer_descr]`
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`actions (array[string] - set[enum])`	`security_result.action_details`
`suppress_for (number - interval)`	`about.labels [suppress_for]`
`remote_location.country_code (string)`	`about.location.country_or_region`	The `about.location.country_or_region` UDM field is set with `remote_location.country_code`, `remote_location.region` log fields as "`remote_location.country_code`: `remote_location.region`".
`remote_location.region (string)`	`about.location.country_or_region`	The `about.location.country_or_region` UDM field is set with `remote_location.country_code`, `remote_location.region` log fields as "`remote_location.country_code`: `remote_location.region`".
`remote_location.city (string)`	`about.location.city`
`remote_location.latitude (number - double)`	`about.location.region_coordinates.latitude`
`remote_location.longitude (number - double)`	`about.location.region_coordinates.longitude`
	`security_result.severity`	If the `severity.level` log field value contain one of the following values `0` `1` then, the `security_result.severity` UDM field is set to `HIGH`. Else, If `severity.level` log field value is equal to `2` then, the `security_result.severity` UDM field is set to `CRITICAL`. Else, If `severity.level` log field value is equal to `3` then, the `security_result.severity` UDM field is set to `ERROR`. Else, If `severity.level` log field value contain one of the following values `4` `5` `6` then, the `security_result.severity` UDM field is set to `INFORMATIONAL`. Else, If `severity.level` log field value is equal to `7` then, the `security_result.severity` UDM field is set to `LOW`. Else The `security_result.severity` UDM field is set to `UNKNOWN_SEVERITY`.
`severity.name`	`security_result.severity_details`
`severity.level`	`security_result.detection_fields [severity_level]`
`resp_vulnerable_host.criticality (string)`	`target.asset.vulnerabilities.severity`	If the `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `CRITICAL`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `HIGH`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `LOW`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `MEDIUM`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Unknown_Severity"` or the `resp_vulnerable_host.criticality` log field value is equal to `"0` " then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `UNKNOWN_SEVERITY`.
`resp_vulnerable_host.criticality (string)`	`target.asset.vulnerabilities.severity_details`
`resp_vulnerable_host.cve (string)`	`target.asset.vulnerabilities.cve_id`
`resp_vulnerable_host.host_uid (string)`	`additional.fields [resp_vulnerable_host_uid]`
`resp_vulnerable_host.hostname (string)`	`target.asset.hostname`
`resp_vulnerable_host.machine_domain (string)`	`target.asset.network_domain`
`resp_vulnerable_host.os_version (string)`	`target.asset.platform_software.platform_version`
`resp_vulnerable_host.source (string)`	`target.asset.vulnerabilities.cve_description`
`orig_vulnerable_host.criticality (string)`	`principal.asset.vulnerabilities.severity`	If the `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4 "` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `CRITICAL`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3 "` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `HIGH`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1 "` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `LOW`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2 "` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `MEDIUM`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Unknown_Severity"` or the `orig_vulnerable_host.criticality` log field value is equal to `"0` " then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `UNKNOWN_SEVERITY`.
`orig_vulnerable_host.criticality (string)`	`principal.asset.vulnerabilities.severity_details`
`orig_vulnerable_host.cve (array[string] - vector of string)`	`principal.asset.vulnerabilities.cve_id`
`orig_vulnerable_host.host_uid (string)`	`additional.fields [orig_vulnerable_host_uid]`
`orig_vulnerable_host.hostname (string)`	`principal.asset.hostname`
`orig_vulnerable_host.machine_domain (string)`	`principal.asset.network_domain`
`orig_vulnerable_host.os_version (string)`	`principal.asset.platform_software.platform_version`
`orig_vulnerable_host.source (string)`	`principal.asset.vulnerabilities.cve_description`

필드 매핑 참조: CORELIGHT - smb_files

다음 표에는 smb_files 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	If the `action` log field value is equal to `SMB::FILE_READ`, then the `metadata.event_type` UDM field is set to `FILE_READ`. Else, if the `action` log field value is equal to `SMB::FILE_WRITE`, then the `metadata.event_type` UDM field is set to `FILE_MODIFICATION`. Else, if the `action` log field value is equal to `SMB::FILE_OPEN`, then the `metadata.event_type` UDM field is set to `FILE_OPEN`. Else, if the `action` log field value is equal to `SMB::FILE_CLOSE`, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`. Else, if the `action` log field value is equal to `SMB::FILE_DELETE`, then the `metadata.event_type` UDM field is set to `FILE_DELETION`. Else, if the `action` log field value is equal to `SMB::FILE_RENAME`, then the `metadata.event_type` UDM field is set to `FILE_MOVE`. Else, if the `action` log field value is equal to `SMB::FILE_SET_ATTRIBUTE`, then the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`. Else, the `metadata.event_type` UDM field is set to `FILE_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMB`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
`action, name`	`metadata.description`	The `metadata.description` UDM field is set with `action`, `name` log fields as "action: `action` on: `name`".
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`fuid (string)`	`about.labels [fuid]`
`action (string - enum)`	`target.labels [action]`
`path (string)`	`target.file.full_path`
`name (string)`	`target.file.names`
`size (integer - count)`	`target.file.size`
`prev_name (string)`	`src.file.names`
`times.modified (time)`	`target.file.last_modification_time`
`times.accessed (time)`	`target.file.last_seen_time`
`times.created (time)`	`target.file.first_seen_time`
`times.changed (time)`	`target.labels [times_changed]`
`data_offset_req (integer - count)`	`target.labels [data_offset_req]`
`data_len_req (integer - count)`	`target.labels [data_len_req]`
`data_len_rsp (integer - count)`	`target.labels [data_len_rsp]`

필드 매핑 참조: CORELIGHT - smb_mapping

다음 표에는 smb_mapping 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMB`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`path (string)`	`target.resource.attribute.labels [path]`
`service (string)`	`target.application`
`native_file_system (string)`	`target.resource.attribute.labels [native_file_system]`
`share_type (string)`	`target.resource.resource_type`	If the `share_type` log field value is equal to `DISK`, then the `target.resource.resource_type` UDM field is set to `STORAGE_OBJECT`. Else, if the `share_type` log field value is equal to `PIPE`, then the `target.resource.resource_type` UDM field is set to `PIPE`. Else, the `target.resource.resource_type` UDM field is set to `UNSPECIFIED`.
`share_type (string)`	`target.resource.resource_subtype`

필드 매핑 참조: CORELIGHT - ssl, ssl_red, ssl_agg

다음 표에는 ssl, ssl_red, ssl_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `HTTPS`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.
	`security_result.action`	The `security_result.action` UDM field is set to `ALLOW`.
`version (string)`	`network.tls.version`
`cipher (string)`	`network.tls.cipher`
`curve (string)`	`network.tls.curve`
`server_name (string)`	`network.tls.client.server_name`
`resumed (boolean - bool)`	`network.tls.resumed`
`last_alert (string)`	`security_result.description`
`next_protocol (string)`	`network.tls.next_protocol`
`established (boolean - bool)`	`network.tls.established`
`ssl_history (string)`	`about.labels [ssl_history]`
`cert_chain_fps (array[string] - vector of string)`	`target.labels [cert_chain_fps]`
`client_cert_chain_fps (array[string] - vector of string)`	`principal.labels [client_cert_chain_fps]`
`sni_matches_cert (boolean - bool)`	`about.labels [sni_matches_cert]`
`validation_status (string)`	`security_result.detection_fields [validation_status]`
`ja3 (string)`	`network.tls.client.ja3`
`ja3s (string)`	`network.tls.server.ja3s`

필드 매핑 참조: CORELIGHT - rdp

다음 표에는 rdp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`cookie (string)`	`about.labels [cookie]`
`result (string)`	`about.labels [result]`
`security_protocol (string)`	`target.labels [security_protocol]`
`client_channels (array[string] - vector of string)`	`intermediary.labels [client_channels]`
`keyboard_layout (string)`	`principal.labels [keyboard_layout]`
`client_build (string)`	`principal.labels [client_build]`
`client_name (string)`	`principal.hostname`
`client_dig_product_id (string)`	`principal.labels [client_dig_product_id ]`
`desktop_width (integer - count)`	`principal.labels [desktop_width]`
`desktop_height (integer - count)`	`principal.labels [desktop_height]`
`requested_color_depth (string)`	`principal.labels [requested_color_depth]`
`cert_type (string)`	`about.labels [cert_type]`
`cert_count (integer - count)`	`about.labels [cert_count]`
`cert_permanent (boolean - bool)`	`about.labels [cert_permanent ]`
`encryption_level (string)`	`about.labels [encryption_level]`
`encryption_method (string)`	`about.labels [encryption_method]`
`auth_success (boolean - bool)`	`about.labels [auth_success]`
`channels_joined (integer - int)`	`intermediary.labels [channels_joined]`
`inferences (array[string] - set[string])`	`about.labels [inferences]`
`rdpeudp_uid (string)`	`about.labels [rdpeudp_uid]`
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `TCP`.
`rdfp_string (string)`	`principal.labels [rdfp_string]`
`rdfp_hash (string)`	`principal.labels [rdfp_hash]`
`result, security_protocol`	`security_result.description`	The `security_result.description` UDM field is set with `result`, `security_protocol` log fields as "`result` connection with security protocol `security_protocol`".
	`security_result.severity`	The `security_result.severity` UDM field is set to `INFORMATIONAL`.

필드 매핑 참조: CORELIGHT - sip

다음 표에는 sip 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SIP`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`method (string)`	`about.labels [method]`
`uri (string)`	`target.url`
`date (string)`	`about.labels [date]`
`request_from (string)`	`principal.labels [request_from]`
`request_to (string)`	`target.labels [request_to]`
`response_from`	`principal.labels [response_from]`
`response_to (string)`	`target.labels [response_to]`
`reply_to (string)`	`about.labels [reply_to]`
`call_id (string)`	`network.session_id`
`seq (string)`	`about.labels [seq]`
`subject (string)`	`about.labels [subject]`
`request_path (array[string] - vector of string)`	`about.labels [request_path]`
`response_path (array[string] - vector of string)`	`about.labels [response_path]`
`user_agent (string)`	`about.labels [user_agent]`
`status_code (integer - count)`	`about.labels [status_code]`
`status_msg (string)`	`security_result.description`
`warning (string)`	`security_result.summary`
`request_body_len (integer - count)`	`network.sent_bytes`
`response_body_len (integer - count)`	`network.received_bytes`
`content_type (string)`	`about.labels [content_type]`

필드 매핑 참조: CORELIGHT - intel

다음 표에는 intel 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`seen.indicator_type (string - enum)`	`entity.metadata.entity_type`	If the `indicator.type` log field value is equal to `Intel::ADDR`, then the `metadata.entity_type` UDM field is set to `IP_ADDRESS`. Else, if the `indicator.type` log field value is equal to `Intel::SUBNET` or `Intel::SOFTWARE` or `Intel::CERT_HASH` or `Intel::PUBKEY_HASH`, then the `metadata.entity_type` UDM field is set to `RESOURCE`. Else, if the `indicator.type` log field value is equal to `Intel::URL`, then the `metadata.entity_type` UDM field is set to `URL`. Else, if the `indicator.type` log field value is equal to the `Intel::EMAIL` or `Intel::USER_NAME`, then the `metadata.entity_type` UDM field is set to `USER`. Else, if the `indicator.type` log field value is equal to `Intel::DOMAIN`, then the `metadata.entity_type` UDM field is set to `DOMAIN_NAME`. Else, if the `indicator.type` log field value is equal to the `Intel::FILE_HASH` or `Intel::FILE_NAME`, then the `metadata.entity_type` UDM field is set to `FILE`. Else, the `metadata.entity_type` UDM field is set to `RESOURCE`.
`seen.indicator (string)`	`entity.ip`	If the `indicator.type` log field value is equal to `Intel::ADDR`, then the `seen.indicator` log field is mapped to the `entity.ip` UDM field.
`seen.indicator (string)`	`entity.url`	If the `indicator.type` log field value is equal to `Intel::URL`, then the `seen.indicator` log field is mapped to the `entity.url` UDM field.
`seen.indicator (string)`	`entity.domain.name`	If the `indicator.type` log field value is equal to `Intel::DOMAIN`, then the `seen.indicator` log field is mapped to the `entity.domain.name` UDM field.
`seen.indicator (string)`	`entity.user.email_address`	If the `indicator.type` log field value is equal to `Intel::USER_NAME` or `Intel::EMAIL`, then the `seen.indicator` log field is mapped to the `entity.user.email_address` UDM field.
`seen.indicator (string)`	`entity.file.names`	If the `indicator.type` log field value is equal to `Intel::FILE_HASH` or `Intel::FILE_NAME`, then the `seen.indicator` log field is mapped to the `entity.file.full_path` UDM field.
`seen.indicator (string)`	`entity.resource.name`	If the `metadata.entity_type` log field value is equal to `RESOURCE`, then the `seen.indicator` log field is mapped to the `entity.resource.name` UDM field.
	`entity.resource.resource_type`	If the `indicator.type` log field value is equal to `Intel::SUBNET`, then the `entity.resource.resource_name` UDM field is set to `VPC_NETWORK`.
`seen.indicator_type (string - enum)`	`entity.resource.resource_sub_type`	If the `metadata.entity_type` log field value is equal to `RESOURCE`, then the `seen.indicator_type` log field is mapped to the `entity.resource.resource_sub_type` UDM field.
`seen.where (string - enum)`	`entity.metadata.source_labels [seen_where]`
`matched (array[string] - set[enum])`	`entity.labels [matched]`
`sources (array[string] - set[string])`	`entity.metadata.source_labels [source]`
`fuid (string)`	`about.labels [fuid]`
`file_mime_type (string)`	`entity.file.mime_type`
`file_desc (string)`	`metadata.threat.detection_fields [file_desc]`
`desc (array[string] - set[string])`	`ioc.description`	The `desc` log field is mapped to `ioc.description` UDM field when index value in `desc` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `desc` and `desc` log field is mapped to the `entity.labels.value`.
`url (array[string] - set[string])`	`metadata.threat.url_back_to_product`
`confidence (array[number] - set[double])`	`ioc.confidence_score`	The `confidence` log field is mapped to `ioc.confidence_score` UDM field when index value in `confidence` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `confidence` and `confidence` log field is mapped to the `entity.labels.value`.
`firstseen (array[string] - set[string])`	`ioc.active_timerange.start`	The `firstseen` log field is mapped to `ioc.active_timerange.start` UDM field when index value in `firstseen` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `firstseen` and `firstseen` log field is mapped to the `entity.labels.value`.
`lastseen (array[string] - set[string])`	`ioc.active_timerange.end`	The `lastseen` log field is mapped to `ioc.active_timerange.end` UDM field when index value in `lastseen` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `lastseen` and `lastseen` log field is mapped to the `entity.labels.value`.
`associated (array[string] - set[string])`	`entity.labels [associated]`
`category (array[string] - set[string])`	`ioc.categorization`	The `category` log field is mapped to `ioc.categorization` UDM field when index value in `category` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `category` and `category` log field is mapped to the `entity.labels.value`.
`campaigns (array[string] - set[string])`	`entity.labels [campaign]`
`reports (array[string] - set[string])`	`entity.labels [report]`
`seen.indicator (string)`	`about.labels [indicator]`
`seen.indicator_type (string - enum)`	`about.labels [indicator_type]`
`seen.where (string - enum)`	`about.labels [where]`
`sources (array[string] - set[string])`	`about.labels [sources]`
`confidence (array[number] - set[double])`	`about.labels [confidence]`
`category (array[string] - set[string])`	`about.labels [category]`
`threat_score (array[number] - set[double])`	`entity.security_result.detection_fields[threat_score]`
`verdict (array[string] - set[string])`	`entity.security_result.verdict_info.verdict_response`	Iterate through `verdict`, If the `verdict` log field value matches the regular expression pattern `"(?i)Malicious" or the verdict log field value is equal to "1"` then, the `"entity.security_result.verdict_info.verdict_response"` UDM field is set to `MALICIOUS`. Else, If `verdict` log field value matches the regular expression pattern `"(?i)Benign" or the verdict log field value is equal to "2"` then, the `"entity.security_result.verdict_info.verdict_response"` UDM field is set to `BENIGN`. Else The `"entity.security_result.verdict_info.verdict_response"` UDM field is set to `VERDICT_RESPONSE_UNSPECIFIED`.
`verdict_source (array[string] - set[string])`	`entity.security_result.verdict_info.source_provider`	Iterate through `verdict_source`, `verdict_source` log field is mapped to the `entity.security_result.VerdictInfo.source_provider` UDM field.

필드 매핑 참조: CORELIGHT - smtp

다음 표에는 smtp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_SMTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SMTP`.
`trans_depth (integer - count)`	`about.labels [trans_depth]`
`helo (string)`	`target.domain.name`
`mailfrom (string)`	`network.smtp.mail_from`
`rcptto (array[string] - set[string])`	`network.smtp.rcpt_to`
`date (string)`	`about.labels [date]`
`from (string)`	`network.email.from`
`to (array[string] - set[string])`	`network.email.to`
`cc (array[string] - set[string])`	`network.email.cc`
`reply_to (string)`	`network.email.reply_to`
`msg_id (string)`	`network.email.mail_id`
`in_reply_to (string)`	`about.labels [in_reply_to]`
`subject (string)`	`network.email.subject`
`x_originating_ip (string - addr)`	`principal.ip`
`first_received (string)`	`about.labels [first_received]`
`second_received (string)`	`about.labels [second_received]`
`last_reply (string)`	`network.smtp.server_response`
`path (array[string] - vector of addr)`	`intermediary.ip`
`user_agent (string)`	`about.labels [user_agent]`
`tls (boolean - bool)`	`network.smtp.is_tls`
`fuids (array[string] - vector of string)`	`about.labels [fuid]`
`is_webmail (boolean - bool)`	`network.smtp.is_webmail`
`urls (array[string] - set[string])`	`about.url`
`domains (array[string] - set[string])`	`about.domain.name`

필드 매핑 참조: CORELIGHT - ssh

다음 표에는 ssh 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `SSH`.
`version (integer - count)`	`network.application_protocol_version`	The `network.application_protocol_version` UDM field is set with `version` log field as "SSH `version`".
`auth_success (boolean - bool)`	`security_result.action_details`
`auth_success (boolean - bool)`	`security_result.action`	If the `auth_success` log field value is not equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `BLOCK`.
`auth_attempts (integer - count)`	`extensions.auth.auth_details`	The `extensions.auth.auth_details` UDM field is set with `auth_attempts` log field as "auth_attempts: `auth_attempts`".
`direction (string - enum)`	`network.direction`	If the `direction` log field value is equal to `INBOUND`, then the `network.direction` UDM field is set to `INBOUND`. Else, if the `direction` log field value is equal to `OUTBOUND`, then the `network.direction` UDM field is set to `OUTBOUND`.
`client (string)`	`principal.application`
`server (string)`	`target.application`
`cipher_alg (string)`	`network.tls.cipher`
`mac_alg (string)`	`security_result.detection_fields [mac_alg]`
`compression_alg (string)`	`security_result.detection_fields [compression_alg]`
`kex_alg (string)`	`security_result.detection_fields [kex_alg]`
`host_key_alg (string)`	`security_result.detection_fields [host_key_alg]`
`host_key (string)`	`security_result.detection_fields [host_key]`
`remote_location.country_code (string)`	`target.location.country_or_region`
`remote_location.region (string)`	`target.location.country_or_region`
`remote_location.city (string)`	`target.location.city`
`remote_location.latitude (number - double)`	`target.location.region_coordinates.latitude`
`remote_location.longitude (number - double)`	`target.location.region_coordinates.longitude`
`hasshVersion (string)`	`about.labels [hassh_version]`
`hassh (string)`	`principal.labels [hassh]`
`hasshServer (string)`	`target.labels [hassh_server]`
`cshka (string)`	`about.labels [cshka]`
`hasshAlgorithms (string)`	`about.labels [hassh_algorithms]`
`sshka (string)`	`about.labels [sshka]`
`hasshServerAlgorithms (string)`	`about.labels [hassh_server_algorithms]`
`inferences (array[string] - set[string])`	`security_result.summary, security_result.description`	If the `inferences` log field value is equal to `ABP`, then the `security_result.summary` UDM field is set to `Client Authentication Bypass` and the `security_result.description` UDM field is set to `A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after enctyption begins`. If the `inferences` log field value is equal to `AFR`, then the `security_result.summary` UDM field is set to `SSH Agent Forwarding Requested` and the `security_result.description` UDM field is set to `Agent Forwarding is requested by tge Client`. If the `inferences` log field value is equal to `APWA`, then the `security_result.summary` UDM field is set to `Automated Password Authentication` and the `security_result.description` UDM field is set to `The client authenticated with an automated password tool (like sshpass)`. If the `inferences` log field value is equal to `AUTO`, then the `security_result.summary` UDM field is set to `Automated Interaction` and the `security_result.description` UDM field is set to `The client is a script automated utility and not driven by a user`. If the `inferences` log field value is equal to `BAN`, then the `security_result.summary` UDM field is set to `Server Banner` and the `security_result.description` UDM field is set to `The server sent the client a pre-authentication banner, likely for legal reasons`. If the `inferences` log field value is equal to `BF`, then the `security_result.summary` UDM field is set to `Client Brute Force Guessing` and the `security_result.description` UDM field is set to `A client made a number of authentication attempts that exceeded some configured, pre-connection threshold`. If the `inferences` log field value is equal to `BFS`, then the `security_result.summary` UDM field is set to `Client Brute Force Success` and the `security_result.description` UDM field is set to `A client made a number of authentication attempts that exceeded some configured, pre-connection threshold`. If the `inferences` log field value is equal to `CTS`, then the `security_result.summary` UDM field is set to `Client Trusted Server` and the `security_result.description` UDM field is set to `The client already has an entry in its known_hosts file for this server`. If the `inferences` log field value is equal to `CUS`, then the `security_result.summary` UDM field is set to `Client Untrusted Server` and the `security_result.description` UDM field is set to `The client did not have an entry in its known_hosts file for this server`. If the `inferences` log field value is equal to `IPWA`, then the `security_result.summary` UDM field is set to `Interactive Password Authentication` and the `security_result.description` UDM field is set to `The client interactively typed their password to authenticate`. If the `inferences` log field value is equal to `KS`, then the `security_result.summary` UDM field is set to `Keystrokes` and the `security_result.description` UDM field is set to `An interactive session occurred in which the client set user-driven keystrokes to the server`. If the `inferences` log field value is equal to `LFD`, then the `security_result.summary` UDM field is set to `Large Client File Download` and the `security_result.description` UDM field is set to `A file transfer occurred in which the server sent a sequence of bytes to the client`. If the `inferences` log field value is equal to `LFU`, then the `security_result.summary` UDM field is set to `Large Client File Upload` and the `security_result.description` UDM field is set to `A file transfer occurred in which the client sent a sequence of bytes to the server. Large file are identified dynamically based on trains of MTU-sized packets`. If the `inferences` log field value is equal to `MFA`, then the `security_result.summary` UDM field is set to `Multifactor Authentication` and the `security_result.description` UDM field is set to `The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it`. If the `inferences` log field value is equal to `NA`, then the `security_result.summary` UDM field is set to `None Authentication` and the `security_result.description` UDM field is set to `The client successfully authenticated using the None method`. If the `inferences` log field value is equal to `NRC`, then the `security_result.summary` UDM field is set to `No Remote Command` and the `security_result.description` UDM field is set to `The -N flag was used in SSH authentication`. If the `inferences` log field value is equal to `PKA`, then the `security_result.summary` UDM field is set to `Public Key Authentication` and the `security_result.description` UDM field is set to `The client automatically authenticated using pubkey authentication`. If the `inferences` log field value is equal to `RSI`, then the `security_result.summary` UDM field is set to `Reverse SSH Initiated` and the `security_result.description` UDM field is set to `The Reverse session is initiated from the server back to the client`. If the `inferences` log field value is equal to `RSIA`, then the `security_result.summary` UDM field is set to `Reverse SSH Initiated Automated` and the `security_result.description` UDM field is set to `The inititation of the Reverse session happened very early in the packet stream, indicating automation`. If the `inferences` log field value is equal to `RSK`, then the `security_result.summary` UDM field is set to `Reverse SSH Keystrokes` and the `security_result.description` UDM field is set to `Keystrokes are detected within the Reverse tunnel`. If the `inferences` log field value is equal to `RSL`, then the `security_result.summary` UDM field is set to `Reverse SSH Logged In` and the `security_result.description` UDM field is set to `The Reverse Tunnel login has succeeded`. If the `inferences` log field value is equal to `RSP`, then the `security_result.summary` UDM field is set to `Reverse SSH Provisioned` and the `security_result.description` UDM field is set to `The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time`. If the `inferences` log field value is equal to `SA`, then the `security_result.summary` UDM field is set to `Authentication Scanning` and the `security_result.description` UDM field is set to `The client scanned authentication method with the server and then disconnected`. If the `inferences` log field value is equal to `SC`, then the `security_result.summary` UDM field is set to `Capabilities Scanning` and the `security_result.description` UDM field is set to `The client exchanged capabilities with the server and then disconnected`. If the `inferences` log field value is equal to `SFD`, then the `security_result.summary` UDM field is set to `Small Client File Download` and the `security_result.description` UDM field is set to `A file transfer occurred in which the server sent a sequence of bytes to the client`. If the `inferences` log field value is equal to `SFU`, then the `security_result.summary` UDM field is set to `Small Client File Upload` and the `security_result.description` UDM field is set to `A file transfer occurred in which the client sent a sequence of bytes to the server`. If the `inferences` log field value is equal to `SP`, then the `security_result.summary` UDM field is set to `Other Scanning` and the `security_result.description` UDM field is set to `A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner`. If the `inferences` log field value is equal to `SV`, then the `security_result.summary` UDM field is set to `Version Scanning` and the `security_result.description` UDM field is set to `A client exchanged version strings with the server and than disconnected`. If the `inferences` log field value is equal to `UA`, then the `security_result.summary` UDM field is set to `Unknown Authentication` and the `security_result.description` UDM field is set to `The authentication method is not determinated or is unknown`.

필드 매핑 참조: CORELIGHT - suricata_corelight

다음 표에는 suricata_corelight 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Suricata`.
`id.vlan (integer - count)`	`intermediary.labels [id_vlan]`
`id.vlan_inner (integer - count)`	`intermediary.labels [id_vlan_inner]`
`icmp_type (integer - count)`	`about.labels [icmp_type]`
`icmp_code (integer - count)`	`about.labels [icmp_code]`
`suri_id (string)`	`metadata.product_log_id`
`service (string)`	`network.application_protocol`
`flow_id (integer - count)`	`network.session_id`
`tx_id (integer - count)`	`about.labels [tx_id]`
`pcap_cnt (integer - count)`	`about.labels [pcap_cnt]`
`alert.action (string)`	`security_result.action_details`
`alert.gid (integer - count)`	`security_result.detection_fields [alert_gid]`
`alert.signature_id (integer - count)`	`security_result.rule_id`
`alert.rev (integer - count)`	`security_result.detection_fields [alert_rev]`
`alert.signature (string)`	`security_result.summary`
`alert.signature (string)`	`security_result.rule_name`
`alert.category (string)`	`security_result.category_details`
`alert.severity (integer - count)`	`security_result.severity_details`
`alert.metadata (array[string] - vector of string)`	`security_result.detection_fields [alert_metadata]`
`community_id (string)`	`network.community_id`
`payload (string)`	`about.labels [payload]`
`payload (string)`	`about.labels [payload_decoded]`
`packet (string)`	`about.labels [packet]`
`packet (string)`	`about.labels [packet_decoded]`
`metadata (array[string] - vector of string)`	`security_result.detection_fields [metadata]`
`orig_cve (string)`	`extensions.vulns.vulnerabilities.cve_id`
`resp_cve (string)`	`extensions.vulns.vulnerabilities.cve_id`
`signature_severity`	`security_result.severity`	If `alert.rule` log field value matches the grok pattern `signature_severity (?Critical\|Major\|Minor\|Informational)` then If the `signature_severity` extracted field value is equal to `Critical` then, the `security_result.severity` UDM field is set to `CRITICAL` and `signature_severity` extracted field is mapped to the `security_result.severity_details` UDM field. Else, If `signature_severity` extracted field value is equal to `Major` then, the `security_result.severity` UDM field is set to `MEDIUM` and `signature_severity` extracted field is mapped to the `security_result.severity_details` UDM field. Else, If `signature_severity` extracted field value is equal to `Minor` then, the `security_result.severity` UDM field is set to `LOW` and `signature_severity` extracted field is mapped to the `security_result.severity_details` UDM field. Else, If `signature_severity` extracted field value is equal to `Informational` then, the `security_result.severity` UDM field is set to `INFORMATIONAL` and `signature_severity` extracted field is mapped to the `security_result.severity_details` UDM field.
`orig_vulnerable_host.cve (array[string] - vector of string)`	`principal.asset.vulnerabilities.cve_id`
`orig_vulnerable_host.hostname(string)`	`principal.asset.hostname`
`orig_vulnerable_host.host_uid(string)`	`about.labels [orig_vulnerable_host_uid]`
`orig_vulnerable_host.machine_domain(string)`	`principal.asset.network_domain`
`orig_vulnerable_host.os_version(string)`	`principal.asset.platform_software.platform_version`
`orig_vulnerable_host.source(string)`	`principal.asset.vulnerabilities.cve_description`
`resp_vulnerable_host.cve(string)`	`target.asset.vulnerabilities.cve_id`
`resp_vulnerable_host.hostname(string)`	`target.asset.hostname`
`resp_vulnerable_host.host_uid(string)`	`about.labels [resp_vulnerable_host_uid]`
`resp_vulnerable_host.machine_domain(string)`	`target.asset.network_domain`
`resp_vulnerable_host.os_version(string)`	`target.asset.platform_software.platform_version`
`resp_vulnerable_host.source(string)`	`target.asset.vulnerabilities.cve_description`
`service (string)`	`about.labels [service]`
`alert.rule (string)`	`security_result.description`
`alert.references (array[string] - vector of string)`	`security_result.detection_fields[alert_references]`	iterate through alert.references, `alert.references` log field is mapped to the `security_result.detection_fields.alert_references` UDM field.
`payload_printable (string)`	`security_result.detection_fields[payload_printable]`
`references (array[string] - vector of string)`	`security_result.detection_fields[references]`	iterate through references, `references` log field is mapped to the `security_result.detection_fields.references` UDM field.
`orig_vulnerable_host.criticality (string)`	`principal.asset.vulnerabilities.severity`	If the `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4"` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `CRITICAL`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3"` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `HIGH`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1"` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `LOW`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2"` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `MEDIUM`. Else, If `orig_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0"` then, the `"principal.asset.vulnerabilities.severity"` UDM field is set to `UNKNOWN_SEVERITY`.
`orig_vulnerable_host.criticality (string)`	`principal.asset.vulnerabilities.severity_details`
`resp_vulnerable_host.criticality (string)`	`target.asset.vulnerabilities.severity`	If the `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `CRITICAL`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `HIGH`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `LOW`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `MEDIUM`. Else, If `resp_vulnerable_host.criticality` log field value matches the regular expression pattern `"(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 "` then, the `"target.asset.vulnerabilities.severity"` UDM field is set to `UNKNOWN_SEVERITY`.
`resp_vulnerable_host.criticality (string)`	`target.asset.vulnerabilities.severity_details`
`rule_content`	`security_result.detection_fields[alert_rule_content]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}content:\\"%{GREEDYDATA:rule_content}\\"` then, the `rule_content` extracted field is mapped to `security_result.detection_fields [alert_rule_content]` UDM field.
`rule_classtype`	`security_result.detection_fields [alert_rule_classtype]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}classtype:%{DATA:rule_classtype};` then, the `rule_classtype` extracted field is mapped to `security_result.detection_fields [alert_rule_classtype]` UDM field.
`reference_url`	`security_result.detection_fields[alert_rule_reference_url]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}reference:url,%{DATA:reference_url};` then, the `reference_url` extracted field is mapped to `security_result.detection_fields [alert_rule_reference_url]` UDM field.
`attack_target`	`security_result.detection_fields[alert_rule_attack_target]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}metadata:%{DATA:rule_metadata};` and, The `attack_target` is extracted from `rule_metadata` using `kv filter` then the extracted `attack_target` field is mapped to `security_result.detection_fields [alert_rule_attack_target]` UDM field.
`created_at`	`security_result.detection_fields[alert_rule_created_at]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}metadata:%{DATA:rule_metadata};` and, The `created_at` is extracted from `rule_metadata` using `kv filter` then the extracted `created_at` field is mapped to `security_result.detection_fields [alert_rule_created_at]` UDM field.
`deployment`	`security_result.detection_fields[alert_rule_deployment]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}metadata:%{DATA:rule_metadata};` and, The `deployment` is extracted from `rule_metadata` using `kv filter` then the extracted `deployment` field is mapped to `security_result.detection_fields [alert_rule_deployment]` UDM field.
`performance_impact`	`security_result.detection_fields[alert_rule_performance_impact]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}metadata:%{DATA:rule_metadata};` and, The `performance_impact` is extracted from `rule_metadata` using `kv filter` then the extracted `performance_impact` field is mapped to `security_result.detection_fields [alert_rule_performance_impact]` UDM field.
`updated_at`	`security_result.detection_fields[alert_rule_updated_at]`	If `alert.rule` log field value matches the grok pattern `%{GREEDYDATA:_}metadata:%{DATA:rule_metadata};` and, The `updated_at` is extracted from `rule_metadata` using `kv filter` then the extracted `updated_at` field is mapped to `security_result.detection_fields [alert_rule_updated_at]` UDM field.
`uri`	`target.url`	If the `payload_printable` log field is `not empty` then, If `payload_printable` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `uri` extracted field is mapped to `target.url` UDM field. Else If the `payload` log field is `not empty` then, If `payload` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `uri` extracted field is mapped to `target.url` UDM field.
`http_method`	`network.http.method`	If the `payload_printable` log field is `not empty` then, If `payload_printable` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `http_method` extracted field is mapped to `network.http.method` UDM field. Else If the `payload` log field is `not empty` then, If `payload` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `http_method` extracted field is mapped to `network.http.method` UDM field.
`proto_version`	`network.application_protocol_version`	If the `payload_printable` log field is `not empty` then, If `payload_printable` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `proto_version` extracted field is mapped to `network.application_protocol_version` UDM field. Else If the `payload` log field is `not empty` then, If `payload` log field value matches the grok pattern `%{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version}` then, the `proto_version` extracted field is mapped to `network.application_protocol_version` UDM field.
`user_agent`	`target.http.useragent`	If the `payload_printable` log field is `not empty` then, If `payload_printable` log field value matches the grok pattern `^User-Agent: %{GREEDYDATA:user_agent}` then, the `user_agent` extracted field is mapped to `target.http.useragent` UDM field. Else If the `payload` log field is `not empty` then, If `payload` log field value matches the grok pattern `^User-Agent: %{GREEDYDATA:user_agent}` then, the `user_agent` extracted field is mapped to `target.http.useragent` UDM field.
`hostname`	`target.hostname`	If the `payload_printable` log field is `not empty` then, If `payload_printable` log field value matches the grok pattern `^Host: %{IPORHOST:hostname}` then, the `hostname` extracted field is mapped to `target.hostname` UDM field. Else If the `payload` log field is `not empty` then, If `payload` log field value matches the grok pattern `^Host: %{IPORHOST:hostname}` then, the `hostname` extracted field is mapped to `target.hostname` UDM field.
`meta (array[string] - vector of string)`	`additional.fields [meta]`

필드 매핑 참조: CORELIGHT - bacnet

다음 표에는 bacnet 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`bvlc_function (string)`	`about.labels [bvlc_function]`
`bvlc_len (integer - count)`	`about.labels [bvlc_len]`
`apdu_type (string)`	`about.labels [apdu_type]`
`service_choice (string)`	`about.labels [service_choice]`
`data (array[string] - vector of string)`	`about.labels [data]`
invoke_id (integer - count)	additional.fields [invoke_id]
is_orig (boolean - bool)	additional.fields [is_orig]
pdu_service (string)	additional.fields [pdu_service]
pdu_type (string)	additional.fields [pdu_type]
result_code (string)	additional.fields [result_code]

필드 매핑 참조: CORELIGHT - cip

다음 표에는 cip 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`service (string)`	`about.labels [service]`
`status (string)`	`about.labels [status]`
`tags (string)`	`about.labels [tag]`
attribute_id (string)	additional.fields [attribute_id]
cip_extended_status (string)	additional.fields [cip_extended_status]
cip_extended_status_code (string)	additional.fields [cip_extended_status_code]
cip_sequence_count (integer - count)	additional.fields [cip_sequence_count]
cip_service (string)	additional.fields [cip_service]
cip_service_code (string)	additional.fields [cip_service_code]
cip_status (string)	additional.fields [cip_status]
cip_status_code (string)	additional.fields [cip_status_code]
class_id (string)	additional.fields [class_id]
class_name (string)	additional.fields [class_name]
direction (string)	additional.fields [direction]
instance_id (string)	additional.fields [instance_id]
is_orig (boolean - bool)	additional.fields [is_orig]

필드 매핑 참조: CORELIGHT - corelight_buster

다음 표에는 corelight_burst 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`orig_size (integer - count)`	`network.sent_bytes`
`resp_size (integer - count)`	`network.received_bytes`
`mbps (number - double)`	`about.labels [mbps]`
`age_of_conn (number - interval)`	`about.labels [age_of_conn]`

필드 매핑 참조: CORELIGHT - corelight_overall_capture_loss

다음 표에는 corelight_overall_capture_loss 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`gaps (number - double)`	`security_result.detection_fields [gaps]`
`acks (number - double)`	`security_result.detection_fields [acks]`
`percent_lost (number - double)`	`security_result.detection_fields [percent_lost]`
	`metadata.description`	The `metadata.description` UDM field is set with `_system_name`, `percent_lost`, `ts.` log fields as "node `_system_name` experienced `percent_lost`% packet loss at `ts.`".

필드 매핑 참조: CORELIGHT - corelight_profiling

다음 표에는 corelight_profiling 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_NETWORK`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`node (string)`	`principal.hostname`
`prof.core_stack (string)`	`about.labels [prof_core_stack]`
`prof.script_stack (string)`	`about.labels [prof_script_stack]`
`prof.sched_wait_ns (integer - count)`	`about.labels [prof_sched_wait_ns]`

필드 매핑 참조: CORELIGHT - datared

다음 표에는 datared 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`conn_red (integer - count)`	`about.labels [conn_red]`
`conn_total (integer - count)`	`about.labels [conn_total]`
`dns_red (integer - count)`	`about.labels [dns_red]`
`dns_total (integer - count)`	`about.labels [dns_total]`
`dns_coal_miss (integer - count)`	`about.labels [dns_coal_miss]`
`files_red (integer - count)`	`about.labels [files_red]`
`files_total (integer - count)`	`about.labels [files_total]`
`files_coal_miss (integer - count)`	`about.labels [files_coal_miss]`
`http_red (integer - count)`	`about.labels [http_red]`
`http_total (integer - count)`	`about.labels [http_total]`
`ssl_red (integer - count)`	`about.labels [ssl_red]`
`ssl_total (integer - count)`	`about.labels [ssl_total]`
`ssl_coal_miss (integer - count)`	`about.labels [ssl_coal_miss]`
`weird_red (integer - count)`	`about.labels [weird_red]`
`weird_total (integer - count)`	`about.labels [weird_total]`
`x509_red (integer - count)`	`about.labels [x509_red]`
`x509_total (integer - count)`	`about.labels [x509_total]`
`x509_coal_miss (integer - count)`	`about.labels [x509_coal_miss]`

필드 매핑 참조: CORELIGHT - dhcp

다음 표에는 dhcp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DHCP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DHCP`.
`uids (array[string] - set[string])`	`about.labels [uid]`
`client_addr (string - addr)`	`network.dhcp.ciaddr`
`server_addr (string - addr)`	`network.dhcp.siaddr`
`mac (string)`	`network.dhcp.chaddr`
`host_name (string)`	`network.dhcp.client_hostname`
`client_fqdn (string)`	`principal.domain.name`
`domain (string)`	`target.domain.name`
`requested_addr (string - addr)`	`network.dhcp.requested_address`
`assigned_addr (string - addr)`	`network.dhcp.yiaddr`
`lease_time (number - interval)`	`network.dhcp.lease_time_seconds`
`client_message (string)`	`security_result.description`
`server_message (string)`	`security_result.description`
`msg_types (array[string] - vector of string)`	`network.dhcp.type`	The `msg_types` log field is mapped to `network.dhcp.type` UDM field when index value in `msg_types` is equal to `0`. For every other index value, `about.labels.key` UDM field is set to `msg_types` and `msg_types` log field is mapped to the `about.labels.value`.
`duration (number - interval)`	`about.labels [duration]`

필드 매핑 참조: CORELIGHT - dga

다음 표에는 dga 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`query (string)`	`network.dns.questions.name`
`family (string)`	`about.labels [family]`
`qtype_name (string)`	`about.labels [qtype_name]`
`rcode (integer - count)`	`network.dns.response_code`
`is_collision_heavy (boolean - bool)`	`security_result.detection_fields [is_collision_heavy]`
`ruse (boolean - bool)`	`about.labels [ruse]`

필드 매핑 참조: CORELIGHT - dnp3

다음 표에는 dnp3 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fc_request (string)`	`about.labels [fc_request]`
`fc_reply (string)`	`about.labels [fc_reply]`
`iin (integer - count)`	`about.labels [iin]`

필드 매핑 참조: CORELIGHT - iso_cotp

다음 표에는 iso_cotp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`pdu_type (string)`	`about.labels [pdu_type]`

필드 매핑 참조: CORELIGHT - kerberos

다음 표에는 kerberos 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `KRB5`.
`request_type (string)`	`principal.application`
`client (string)`	`principal.hostname`
`service (string)`	`target.application`
`success (boolean - bool)`	`security_result.action`	If the `success` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `FAIL`.
`error_msg (string)`	`security_result.action_details`
`from (time)`	`about.labels [from]`
`till (time)`	`about.labels [till]`
`cipher (string)`	`about.labels [cipher]`
`forwardable (boolean - bool)`	`about.labels [forwardable]`
`renewable (boolean - bool)`	`about.labels [renewable]`
`client_cert_subject (string)`	`about.labels [client_cert_subject]`
`client_cert_fuid (string)`	`about.labels [client_cert_fuid]`
`server_cert_subject (string)`	`about.labels [server_cert_subject]`
`server_cert_fuid (string)`	`about.labels [server_cert_fuid]`

필드 매핑 참조: CORELIGHT - ldap

다음 표에는 ldap 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `LDAP`.
`proto (string)`	`about.labels [proto]`
`message_id (integer - int)`	`about.labels [message_id]`
`version (integer - int)`	`network.application_protocol_version`
`opcode (array[string] - set[string])`	`security_result.detection_fields [opcode]`
`result (array[string] - set[string])`	`security_result.detection_fields [result]`
`diagnostic_message (array[string] - vector of string)`	`security_result.description`
`object (array[string] - vector of string)`	`about.labels [object]`
`argument (array[string] - vector of string)`	`about.labels [argument]`

필드 매핑 참조: CORELIGHT - ldap_search

다음 표에는 ldap_search 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `LDAP`.
`proto (string)`	`about.labels [proto]`
`message_id (integer - int)`	`about.labels [message_id]`
`scope (array[string] - set[string])`	`about.labels [scope]`
`deref (array[string] - set[string])`	`about.labels [deref]`
`base_object (array[string] - vector of string)`	`about.labels [base_object]`
`result_count (integer - count)`	`security_result.detection_fields [result_count]`
`result (array[string] - set[string])`	`security_result.detection_fields [result]`
`diagnostic_message (array[string] - vector of string)`	`security_result.description`
`filter (string)`	`about.labels [filter]`
`attributes (array[string] - vector of string)`	`about.labels [attributes]`

필드 매핑 참조: CORELIGHT - local_subnets

다음 표에는 local_subnets 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`round (integer - count)`	`about.labels [round]`
`ip_version (integer - count)`	`about.labels [ip_version]`
`subnets (array[string] - set[subnet])`	`about.labels [subnet]`
`component_ids (array[integer] - set[count])`	`about.labels [component_id]`
`size_of_component (integer - count)`	`about.labels [size_of_component]`
`bipartite (boolean - bool)`	`about.labels [bipartite]`
`inferred_site (boolean - bool)`	`about.labels [inferred_site]`
`other_ips (array[string] - set[addr])`	`about.ip`

필드 매핑 참조: CORELIGHT - local_subnets_dj

다음 표에는 local_subnets_dj 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`ip_version (integer - count)`	`about.labels [ip_version]`
`v (string - addr)`	`about.ip`
`side (string)`	`about.labels [side]`
`component_id (integer - count)`	`additional.fields [component_id]`
`round (integer - count)`	`additional.fields [round]`

필드 매핑 참조: CORELIGHT - local_subnets_graphs

다음 표에는 local_subnets_graphs 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`ip_version (integer - count)`	`about.labels [ip_version]`
`v1 (string - addr)`	`about.ip`
`v2 (string - addr)`	`about.ip`

필드 매핑 참조: CORELIGHT - syslog

다음 표에는 syslog 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`proto (string - enum)`	`network.ip_protocol`
`facility (string)`	`about.labels [facility]`
`severity (string)`	`about.labels [severity]`
`message (string)`	`metadata.description`

필드 매핑 참조: CORELIGHT - tds

다음 표에는 tds 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`command (string)`	`principal.process.command_line`

필드 매핑 참조: CORELIGHT - tds_rpc

다음 표에는 tds_rpc 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`procedure_name (string)`	`about.labels [procedure_name]`
`parameters (array[string] - vector of string)`	`about.labels [parameter]`

필드 매핑 참조: CORELIGHT - tds_sql_batch

다음 표에는 tds_sql_batch 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `DATABASE`.
`header_type (string)`	`target.resource.attribute.labels [header_type]`
`query (string)`	`target.resource.attribute.labels [query]`

필드 매핑 참조: CORELIGHT - traceroute

다음 표에는 traceroute 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`src (string - addr)`	`principal.ip`
`dst (string - addr)`	`target.ip`
`proto (string)`	`network.ip_protocol`

필드 매핑 참조: CORELIGHT - tunnel

다음 표에는 tunnel 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
`tunnel_type (string - enum)`	`intermediary.labels [tunnel_type]`
`action (string - enum)`	`security_result.action_details`
	`security_result.description`	The `security_result.description` UDM field is set with `action`, `tunnel_type` log fields as "action `action` on tunnel type `tunnel_type`".

필드 매핑 참조: CORELIGHT - weird, weird_red, weird_agg

다음 표에는 weird, weird_red, weird_agg 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
`name (string)`	`about.labels [name]`
`addl (string)`	`about.labels [addl]`
`notice (boolean - bool)`	`about.labels [notice]`
`source (string)`	`about.labels [source]`
`peer (string)`	`about.labels [peer]`

필드 매핑 참조: CORELOW - wireguard

다음 표에는 wireguard 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
`established (boolean - bool)`	`about.labels [established]`
`initiations (integer - count)`	`about.labels [initiations]`
`responses (integer - count)`	`about.labels [responses]`

필드 매핑 참조: CORELIGHT - vpn

다음 표에는 vpn 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`vpn_type (string - enum)`	`about.labels [vpn_type]`
`service (string)`	`target.application`
`inferences (array[string] - set[string])`	`about.labels [inference]`
`server_name (string)`	`network.tls.client.server_name`
`client_info (string)`	`principal.labels [client_info]`
`duration (number - interval)`	`network.session_duration`
`orig_bytes (integer - count)`	`network.sent_bytes`
`resp_bytes (integer - count)`	`network.received_bytes`
`orig_cc (string)`	`principal.location.country_or_region`
`orig_region (string)`	`principal.location.country_or_region`
`orig_city (string)`	`principal.location.city`
`resp_cc (string)`	`target.location.country_or_region`
`resp_region (string)`	`target.location.country_or_region`
`resp_city (string)`	`target.location.city`
`subject (string)`	`network.tls.client.certificate.subject`
`issuer (string)`	`network.tls.client.certificate.issuer`
`ja3 (string)`	`network.tls.client.ja3`
`ja3s (string)`	`network.tls.server.ja3s`

필드 매핑 참조: CORELIGHT - x509, x509_red

다음 표에는 x509, x509_red 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`fingerprint (string)`	`about.labels [fingerprint]`
`certificate.version (integer - count)`	`network.tls.server.certificate.version`
`certificate.serial (string)`	`network.tls.server.certificate.serial`
`certificate.subject (string)`	`network.tls.server.certificate.subject`
`certificate.issuer (string)`	`network.tls.server.certificate.issuer`
`certificate.not_valid_before (time)`	`network.tls.server.certificate.not_before`
`certificate.not_valid_after (time)`	`network.tls.server.certificate.not_after`
`certificate.key_alg (string)`	`about.labels [certificate_key_alg]`
`certificate.sig_alg (string)`	`about.labels [certificate_sig_alg]`
`certificate.key_type (string)`	`about.labels [certificate_key_type]`
`certificate.key_length (integer - count)`	`about.labels [certificate_key_length]`
`certificate.exponent (string)`	`about.labels [certificate_exponent]`
`certificate.curve (string)`	`network.tls.curve`
`san.dns (array[string] - vector of string)`	`about.labels [san_dns]`
`san.uri (array[string] - vector of string)`	`about.url`
`san.email (array[string] - vector of string)`	`about.labels [san_email]`
`san.ip (array[string] - vector of addr)`	`about.ip`
`basic_constraints.ca (boolean - bool)`	`about.labels [basic_constraints_ca]`
`basic_constraints.path_len (integer - count)`	`about.labels [basic_constraints_path_len]`
`host_cert (boolean - bool)`	`about.labels [host_cert]`
`client_cert (boolean - bool)`	`about.labels [client_cert]`
`vlan (integer - int)`	`additional.fields [vlan]`
`vlan_inner (integer - int)`	`additional.fields [vlan_inner]`

필드 매핑 참조: CORELIGHT - unknown-smartpcap

다음 표에는 unknown-smartpcap 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Smartpcap`.
`tid (string)`	`about.labels [tid]`
`pkts (integer - count)`	`about.labels [pkts]`
`url (string)`	`security_result.url_back_to_product`

필드 매핑 참조: CORELIGHT - mysql

다음 표에는 mysql 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_RESOURCE_ACCESS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`cmd (string)`	`target.resource.attribute.labels [cmd]`
`arg (string)`	`principal.process.command_line`
`success (boolean - bool)`	`target.resource.attribute.labels [success]`
`rows (integer - count)`	`target.resource.attribute.labels [rows]`
`response (string)`	`target.resource.attribute.labels [response]`
	`target.resource.resource_type`	The `target.resource.resource_type` UDM field is set to `DATABASE`.

필드 매핑 참조: CORELIGHT - napatech_shunting

다음 표에는 napatech_shunting 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`peer (string)`	`about.labels [peer]`
`terminated_flows (integer - count)`	`about.labels [terminated_flows]`
`shunted_flows (integer - count)`	`security_result.detection_fields [shunted_flows]`

필드 매핑 참조: CORELIGHT - ntlm

다음 표에는 ntlm 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`username (string)`	`target.user.userid`
`hostname (string)`	`principal.hostname`
`domainname (string)`	`principal.domain.name`
`server_nb_computer_name (string)`	`target.hostname`
`server_dns_computer_name (string)`	`target.domain.name`
`server_tree_name (string)`	`target.labels [server_tree_name]`
`success (boolean - bool)`	`extensions.auth.auth_details`	If the `success` log field value is equal to `true`, then the `extensions.auth.auth_details` UDM field is set to `Authentication successful`. Else, the `extensions.auth.auth_details` UDM field is set to `Authentication failed`.

필드 매핑 참조: CORELIGHT - pe

다음 표에는 pe 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`id (string)`	`about.labels [id]`
`machine (string)`	`target.labels [machine]`
`compile_ts (time)`	`about.labels [compile_ts]`
`os (string)`	`target.platform`	If the `os` log field value is equal to `windows`, then the `target.platform` UDM field is set to `WINDOWS`. Else, if is equal to `linux`, then the `target.platform` UDM field is set to `LINUX`. Else, if the `os` log field value is equal to `mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.`
`subsystem (string)`	`target.application`
`is_exe (boolean - bool)`	`about.file.file_type`	If the `is_exe` log field value is equal to `true`, then the `about.file.file_type` UDM field is set to `FILE_TYPE_PE_EXE`.
`is_64bit (boolean - bool)`	`about.labels [is_64bit]`
`uses_aslr (boolean - bool)`	`about.labels [uses_aslr]`
`uses_dep (boolean - bool)`	`about.labels [uses_dep]`
`uses_code_integrity (boolean - bool)`	`about.labels [uses_code_integrity]`
`uses_seh (boolean - bool)`	`about.labels [uses_seh ]`
`has_import_table (boolean - bool)`	`about.labels [has_import_table]`
`has_export_table (boolean - bool)`	`about.labels [has_export_table]`
`has_cert_table (boolean - bool)`	`about.labels [has_cert_table]`
`has_debug_data (boolean - bool)`	`about.labels [has_debug_data]`
`section_names (array[string] - vector of string)`	`about.labels [section_names]`

필드 매핑 참조: CORELIGHT - ntp

다음 표에는 ntp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `NTP`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `UDP`.
`version (integer - count)`	`network.application_protocol_version`
`mode (integer - count)`	`about.labels [mode]`
`stratum (integer - count)`	`about.labels [stratum]`
`poll (number - interval)`	`about.labels [poll]`
`precision (number - interval)`	`about.labels [precision]`
`root_delay (number - interval)`	`about.labels [root_delay]`
`root_disp (number - interval)`	`about.labels [root_disp]`
`ref_id (string)`	`target.ip`	If the `ref_id`log field value is matched with regex of IP, then the `ref_id`log field is mapped to the `target.ip` UDM field. Else, the `ref_id`log field is mapped to the `target.labels` UDM field.
`ref_id (string)`	`target.labels [ref_id]`	If the `ref_id`log field value is matched with regex of IP, then the `ref_id`log field is mapped to the `target.ip` UDM field. Else, the `ref_id`log field is mapped to the `target.labels` UDM field.
`ref_time (time)`	`about.labels [ref_time]`
`org_time (time)`	`about.labels [org_time]`
`rec_time (time)`	`about.labels [rec_time]`
`xmt_time (time)`	`about.labels [rec_time]`
`num_exts (integer - count)`	`about.labels [num_exts]`

필드 매핑 참조: CORELIGHT - radius

다음 표에는 radius 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `USER_LOGIN`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`username (string)`	`target.user.userid`
`mac (string)`	`principal.mac`
`framed_addr (string - addr)`	`intermediary.ip`
`tunnel_client (string)`	`intermediary.ip`	If the `tunnel_client` log field value is matched with regex of IP, then the `tunnel_client` log field is mapped to the `intermediary.ip` UDM field. Else, the `tunnel_client` log field is mapped to the `intermediary.domain.name` UDM field.
`tunnel_client (string)`	`intermediary.domain.name`	If the `tunnel_client` log field value is matched with regex of IP, then the `tunnel_client` log field is mapped to the `intermediary.ip` UDM field. Else, the `tunnel_client` log field is mapped to the `intermediary.domain.name` UDM field.
`connect_info (string)`	`about.labels [connect_info]`
`reply_msg (string)`	`about.labels [reply_msg]`
`result (string)`	`extensions.auth.auth_details`
`ttl (number - interval)`	`network.session_duration`

필드 매핑 참조: CORELIGHT - reporter

다음 표에는 reporter 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`level (string - enum)`	`security_result.severity`	If the `level` log field value is equal to `CRITICAL` or `ERROR` or `HIGH` or `INFORMATIONAL` or `LOW` or `MEDIUM`, then the `level` log field is mapped to the `security_result.severity` UDM field.
`level (string - enum)`	`security_result.severity_details`
`message (string)`	`security_result.description`
`location (string)`	`about.labels [location]`

필드 매핑 참조: CORELIGHT - log4shell

다음 표에는 log4shell 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `SCAN_HOST`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`extensions.vulns.vulnerabilities.cve_id`	The `extensions.vulns.vulnerabilities.cve_id` UDM field is set to `CVE-2021-44228`.
`http_uri (string)`	`about.labels [http_uri]`
`uri (string)`	`target.url`
`stem (string)`	`target.labels [stem]`
`target_host (string)`	`target.hostname`
`target_port (string)`	`target.port`
`method (string)`	`network.http.method`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`name (string)`	`about.labels.key`
`value (string)`	`about.labels.value`
`matched_name (boolean - bool)`	`about.labels [matched_name]`
`matched_value (boolean - bool)`	`about.labels [matched_value]`

필드 매핑 참조: CORELIGHT - modbus

다음 표에는 modbus 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MODBUS`.
`func (string)`	`about.labels [func]`
`exception (string)`	`security_result.description`
`pdu_type (string)`	`additional.fields [pdu_type]`
`tid (integer - count)`	`additional.fields [tid]`
`unit (integer - count)`	`additional.fields [unit]`

필드 매핑 참조: CORELIGHT - mqtt_connect

다음 표에는 mqtt_connect 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`proto_name (string)`	`about.labels [proto_name]`
`proto_version (string)`	`network.application_protocol_version`
`client_id (string)`	`principal.labels [client_id]`
`connect_status (string)`	`security_result.description`
`will_topic (string)`	`about.labels [will_topic]`
`will_payload (string)`	`about.labels [will_payload]`

필드 매핑 참조: CORELIGHT - mqtt_publish

다음 표에는 mqtt_publish 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`from_client (boolean - bool)`	`about.labels [from_client]`
`retain (boolean - bool)`	`target.labels [retain]`
`qos (string)`	`about.labels [qos]`
`status (string)`	`security_result.description`
`topic (string)`	`about.labels [topic]`
`payload (string)`	`about.labels [payload]`
`payload_len (integer - count)`	`about.labels [payload_len]`

필드 매핑 참조: CORELIGHT - mqtt_subscribe

다음 표에는 mqtt_subscribe 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `MQTT`.
`action (string - enum)`	`security_result.action_details`
`topics (array[string] - vector of string)`	`about.labels [topics]`
`qos_levels (array[integer] - vector of count)`	`about.labels [qos_levels]`
`granted_qos_level (integer - count)`	`about.labels [granted_qos_level]`
`ack (boolean - bool)`	`security_result.detection_fields [ack]`

필드 매핑 참조: CORELIGHT - dpd

다음 표에는 dpd 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`proto (string - enum)`	`network.ip_protocol`
`analyzer (string)`	`about.labels [analyzer]`
`failure_reason (string)`	`about.labels [failure_reason]`

필드 매핑 참조: CORELIGHT - encrypted_dns

다음 표에는 encrypted_dns 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`resp_h (string - addr)`	`target.ip`
`cert.cn (string)`	`about.labels [cert_cn]`
`cert.sans (array[string] - set[string])`	`about.labels [cert_sans]`
`sni (string)`	`network.tls.client.server_name`
`match (string)`	`about.labels [match]`

필드 매핑 참조: CORELIGHT - enip

다음 표에는 enip 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`command (string)`	`principal.process.command_line`
`length (integer - count)`	`about.labels [length]`
`session_handle (string)`	`network.session_id`
`status (string)`	`about.labels [status]`
`sender_context (string)`	`about.labels [sender_context]`
`options (string)`	`about.labels [options]`
`enip_command (string)`	`additional.fields [enip_command]`
`enip_command_code (string)`	`additional.fields [enip_command_code]`
`enip_status (string)`	`additional.fields [enip_status]`
`is_orig (boolean - bool)`	`additional.fields [is_orig]`

필드 매핑 참조: CORELIGHT - enip_debug

다음 표에는 enip_debug 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`raw_data (string)`	`about.labels [raw_data]`

필드 매핑 참조: CORELIGHT - enip_list_identity

다음 표에는 enip_list_identity 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`device_type (string)`	`target.asset.attribute.labels [device_type]`
`vendor (string)`	`target.asset.hardware.manufacturer`
`product_name (string)`	`target.asset.attribute.labels [product_name]`
`serial_number (string)`	`target.asset.asset_id`	The `target.asset.asset_id` UDM field is set with `serial_number` log fields as "CORELIGHT: `serial_number`".
`product_code (integer - count)`	`target.asset.attribute.labels [product_code]`
`revision (number - double)`	`target.asset.attribute.labels [revision]`
`status (string)`	`about.labels [status]`
`state (string)`	`target.asset.attribute.labels [state]`
`device_ip (string - addr)`	`target.asset.ip`

필드 매핑 참조: CORELIGHT - etc_viz

다음 표에는 etc_viz 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`server_a (string - addr)`	`target.ip`
`server_p (integer - port)`	`target.port`
`service (array[string] - set[string])`	`target.application`	The `service` log field is mapped to `target.application` UDM field when index value in `service` is equal to `0`. For every other index value, `target.labels.key` UDM field is set to `service` and `service` log field is mapped to the `target.labels.value`.
`viz_stat (string)`	`about.labels [viz_stat]`
`c2s_viz.size (integer - count)`	`about.labels [c2s_viz_size]`
`c2s_viz.enc_dev (number - double)`	`about.labels [c2s_viz_enc_dev]`
`c2s_viz.enc_frac (number - double)`	`about.labels [c2s_viz_enc_frac]`
`c2s_viz.pdu1_enc (boolean - bool)`	`about.labels [c2s_viz_pdu1_enc]`
`c2s_viz.clr_frac (number - double)`	`about.labels [c2s_viz_clr_frac]`
`c2s_viz.clr_ex (string)`	`about.labels [c2s_viz_clr_ex]`
`s2c_viz.size (integer - count)`	`about.labels [s2c_viz_size]`
`s2c_viz.enc_dev (number - double)`	`about.labels [s2c_viz_enc_dev]`
`s2c_viz.enc_frac (number - double)`	`about.labels [s2c_viz_enc_frac]`
`s2c_viz.pdu1_enc (boolean - bool)`	`about.labels [s2c_viz_pdu1_enc]`
`s2c_viz.clr_frac (number - double)`	`about.labels [s2c_viz_clr_frac]`
`s2c_viz.clr_ex (string)`	`about.labels [s2c_viz_clr_ex]`

필드 매핑 참조: CORELIGHT - ftp

다음 표에는 ftp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_FTP`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`user (string)`	`principal.user.user_display_name`
`password (string)`	`extensions.auth.auth_details`
`command (string), arg (string)`	`network.ftp.command`	The `network.ftp.command` UDM field is set with `command`, `arg` log fields as "`command` `arg`".
`mime_type (string)`	`target.file.mime_type`
`file_size (integer - count)`	`target.file.size`
`reply_code (integer - count)`	`about.labels [reply_code]`
`reply_msg (string)`	`about.labels [reply_msg]`
`data_channel.passive (boolean - bool)`	`about.labels [data_channel_passive]`
`data_channel.orig_h (string - addr)`	`principal.ip`
`data_channel.resp_h (string - addr)`	`target.ip`
`data_channel.resp_p (integer - port)`	`target.labels [data_channel_resp_p]`
`fuid (string)`	`about.labels [fuid]`

필드 매핑 참조: CORELIGHT - generic_dns_tunnels

다음 표에는 generic_dns_tunnels 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`dns_client (string - addr)`	`principal.ip`
`domain (string)`	`network.dns_domain`
`domain (string)`	`network.dns.questions.name`
`bytes (integer - int)`	`about.labels [bytes]`
`capture_secs (number - interval)`	`about.labels [capture_secs]`

필드 매핑 참조: CORELIGHT - generic_icmp_tunnels

다음 표에는 generic_icmp_tunnels 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `ICMP`.
`detection (string)`	`security_result.detection_fields [detection]`
`orig (string - addr)`	`principal.ip`
`resp (string - addr)`	`target.ip`
`id (integer - count)`	`about.labels [id]`
`seq (integer - count)`	`about.labels [seq]`
`bytes (integer - count)`	`about.labels [bytes]`
`payload_len (integer - count)`	`about.labels [payload_len]`
`payload (string)`	`about.labels [payload]`

필드 매핑 참조: CORELIGHT - icmp_specific_tunnels

다음 표에는 icmp_specific_tunnels 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.ip_protocol`	The `network.ip_protocol` UDM field is set to `ICMP`.
`start_time (time)`	`about.labels [start_time]`
`duration (number - interval)`	`network.session_duration`
`tunnel (string)`	`intermediary.labels [tunnel]`
`seq (integer - count)`	`about.labels [seq]`
`icmp_id (integer - count)`	`about.labels [icmp_id]`
`payload (string)`	`about.labels [payload]`

필드 매핑 참조: CORELIGHT - ipsec

다음 표에는 ipsec 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`initiator_spi (string)`	`principal.labels [initiator_spi]`
`responder_spi (string)`	`target.labels [responder_spi]`
`maj_ver (integer - count)`	`about.labels [maj_ver]`
`min_ver (integer - count)`	`about.labels [min_ver]`
`exchange_type (integer - count)`	`about.labels [exchange_type]`
`flag_e (boolean - bool)`	`about.labels [flag_e]`
`flag_c (boolean - bool)`	`about.labels [flag_c]`
`flag_a (boolean - bool)`	`about.labels [flag_a]`
`flag_i (boolean - bool)`	`about.labels [flag_i]`
`flag_v (boolean - bool)`	`about.labels [flag_v]`
`flag_r (boolean - bool)`	`about.labels [flag_r]`
`message_id (integer - count)`	`about.labels [message_id]`
`vendor_ids (array[string] - vector of string)`	`about.labels [vendor_id]`
`notify_messages (array[string] - vector of string)`	`about.labels [notify_message]`
`transforms (array[string] - vector of string)`	`about.labels [transform]`
`ke_dh_groups (array[integer] - vector of count)`	`about.labels [ke_dh_group]`
`proposals (array[integer] - vector of count)`	`about.labels [proposal]`
`protocol_id (integer - count)`	`about.labels [protocol_id]`
`certificates (array[string] - vector of string)`	`about.labels [certificate]`
`transform_attributes (array[string] - vector of string)`	`about.labels [transform_attribute]`
`length (integer - count)`	`about.labels [length]`
`hash (string)`	`about.labels [hash]`
`doi (integer - count)`	`about.labels [doi]`
`situation (string)`	`about.labels [situation]`
`is_orig (boolean - bool)`	`additional.fields [is_orig]`

필드 매핑 참조: CORELIGHT - profinet

다음 표에는 profinet 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`operation_type (string)`	`about.labels [operation_type]`
`block_version (string)`	`about.labels [block_version]`
`slot_number (integer - count)`	`about.labels [slot_number]`
`subslot_number (integer - count)`	`about.labels [subslot_number]`
`index (string)`	`about.labels [index]`

필드 매핑 참조: CORELIGHT - profinet_dce_rpc

다음 표에는 profinet_dce_rpc 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DCERPC`.
`version (integer - count)`	`about.labels [version]`
`packet_type (integer - count)`	`about.labels [packet_type]`
`object_uuid (string)`	`about.labels [object_uuid]`
`interface_uuid (string)`	`about.labels [interface_uuid]`
`activity_uuid (string)`	`about.labels [activity_uuid]`
`server_boot_time (integer - count)`	`about.labels [server_boot_time]`
`operation (string)`	`about.labels [operation]`

필드 매핑 참조: CORELIGHT - profinet_debug

다음 표에는 profinet_debug 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`raw_data (string)`	`about.labels [raw_data]`

필드 매핑 참조: CORELIGHT - rfb

다음 표에는 rfb 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`client_major_version (string)`	`principal.labels [client_major_version]`
`client_minor_version (string)`	`principal.labels [client_minor_version]`
`server_major_version (string)`	`target.labels [server_major_version]`
`server_minor_version (string)`	`target.labels [server_minor_version]`
`authentication_method (string)`	`extension.auth.mechanism`	If the `authentication_method` log field value is equal to `VNC`, then the `extension.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_OTHER`.
`authentication_method (string)`	`extension.auth.auth_details`
`auth (boolean - bool)`	`security_result.action`	If the `auth` log field value is equal to `true`, then the `security_result.action` UDM field is set to `ALLOW`. Else, the `security_result.action` UDM field is set to `FAIL`.
`share_flag (boolean - bool)`	`about.labels [share_flag]`
`desktop_name (string)`	`principal.labels [desktop_name]`
`width (integer - count)`	`principal.labels [width]`
`height (integer - count)`	`principal.labels [height]`

필드 매핑 참조: CORELIGHT - known_certs

다음 표에는 known_certs 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
	`entity.resource.resource_subtype`	The `entity.resource.resource_subtype` UDM field is set to `CERTIFICATE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`hash (string)`	`entity.resource.attribute.labels [hash]`
`port (integer - port)`	`entity.port`
`protocol (string - enum)`	`entity.labels [protocol]`
`serial (string)`	`entity.resource.attribute.labels [serial]`
`subject (string)`	`entity.resource.attribute.labels [subject]`
`issuer_subject (string)`	`entity.resource.attribute.labels [issuer_subject]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`
`port_num (integer - port)`	`entity.port`

필드 매핑 참조: CORELIGHT - known_devices

다음 표에는 known_devices 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`ts (time)`	`entity.asset.first_seen_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.asset.ip`
`mac (string)`	`entity.asset.mac`
`vendor_mac (string)`	`entity.asset.hardware.manufacturer`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`

필드 매핑 참조: CORELIGHT - known_domains

다음 표에는 known_domains 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `DOMAIN_NAME`.
`ts (time)`	`metadata.interval.start_time`
`ts (time)`	`entity.domain.first_seen_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`domain (string)`	`entity.domain.name`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`

필드 매핑 참조: CORELIGHT - known_hosts

다음 표에는 known_hosts 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `IP_ADDRESS`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`conns_opened (integer - count)`	`metadata.threat.detection_fields [conns_opened]`
`conns_closed (integer - count)`	`metadata.threat.detection_fields [conns_closed]`
`conns_pending (integer - count)`	`metadata.threat.detection_fields [conns_pending]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`ep.cid (string)`	`additional.fields [ep_cid]`
`ep.criticality (string)`	`entity.security_result.detection_fields[ep_criticality]`
`ep.desc (string)`	`metadata.description`
`ep.os_version (string)`	`entity.platform_version`
`ep.source (string)`	`additional.fields [ep_source]`
`ep.status (string)`	`additional.fields [ep_status]`
`ep.uid (string)`	`additional.fields [ep_uid]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`

필드 매핑 참조: CORELIGHT - known_names

다음 표에는 known_names 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`hostname (string)`	`entity.hostname`
`protocols (array[string] - set[string])`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`

필드 매핑 참조: CORELIGHT - known_remotes

다음 표에는 known_remotes 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `IP_ADDRESS`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`

필드 매핑 참조: CORELIGHT - known_services

다음 표에는 known_services 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`port (integer - port)`	`entity.port`
`protocol (string - enum)`	`entity.labels [protocol]`
`service (array[string] - vector of string)`	`entity.labels [service]`
`software (array[string] - set[string])`	`entity.asset.software.name`
`app (array[string] - set[string])`	`entity.application`	The `app` log field is mapped to `entity.application` UDM field when index value in `app` is equal to `0`. For every other index value, `entity.labels.key` UDM field is set to `app` and `app` log field is mapped to the `entity.labels.value`.
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`
`num_conns_complete (integer - count)`	`entity.security_result.detection_fields[num_conns_complete]`
`num_conns_pending (integer - int)`	`entity.security_result.detection_fields[num_conns_pending]`
`port_num (integer - port)`	`entity.port`

필드 매핑 참조: CORELIGHT - known_users

다음 표에는 known_users 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
	`metadata.entity_type`	The `metadata.entity_type` UDM field is set to `RESOURCE`.
`ts (time)`	`metadata.interval.start_time`
`duration (number - interval)`	`entity.labels [duration]`
`kuid (string)`	`entity.labels [kuid]`
`host_ip (string - addr)`	`entity.ip`
`remote_ip (string - addr)`	`entity.ip`
`user (string)`	`entity.user.user_display_name`
`protocol (string)`	`entity.labels [protocol]`
`num_conns (integer - count)`	`metadata.threat.detection_fields [num_conns]`
`annotations (array[string] - vector of string)`	`metadata.threat.detection_fields [annotations]`
`last_active_session (string)`	`entity.labels [last_active_session]`
`last_active_interval (number - interval)`	`entity.labels [last_active_interval]`
`host_inner_vlan (integer - int)`	`additional.fields [host_inner_vlan]`
`host_vlan (integer - int)`	`additional.fields [host_vlan]`
`remote_inner_vlan (integer - int)`	`additional.fields [remote_inner_vlan]`
`remote_vlan (integer - int)`	`additional.fields [remote_vlan]`
`long_conns (integer - count)`	`metadata.threat.detection_fields [long_conns]`

필드 매핑 참조: CORELIGHT - s7comm

다음 표에는 s7comm 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Zeek`.
`rosctr (string)`	`about.labels [rosctr]`
`parameter (array[string] - vector of string)`	`about.labels [parameter]`
`item_count (integer - count)`	`about.labels [item_count]`
`data_info (array[string] - vector of string)`	`about.labels [data_info]`
`error_class (string)`	`additional.fields [error_class]`
`error_code (string)`	`additional.fields [error_code]`
`function_code (string)`	`additional.fields [function_code]`
`function_name (string)`	`additional.fields [function_name]`
`is_orig (boolean - bool)`	`additional.fields [is_orig]`
`pdu_reference (integer - count)`	`additional.fields [pdu_reference]`
`rosctr_code (integer - count)`	`additional.fields [rosctr_code]`
`rosctr_name (string)`	`additional.fields [rosctr_name]`
`subfunction_code (string)`	`additional.fields [subfunction_code]`
`subfunction_name (string)`	`additional.fields [subfunction_name]`

필드 매핑 참조: CORELIGHT - smartpcap

다음 표에는 smartpcap 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Smartpcap`.
`logstr (string)`	`metadata.description`

필드 매핑 참조: CORELIGHT - snmp

다음 표에는 snmp 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_UNCATEGORIZED`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`duration (number - interval)`	`network.session_duration`
`version (string)`	`network.application_protocol_version`
`community (string)`	`about.labels [community]`
`get_requests (integer - count)`	`about.labels [get_requests]`
`get_bulk_requests (integer - count)`	`about.labels [get_bulk_requests]`
`get_responses (integer - count)`	`about.labels [get_responses]`
`set_requests (integer - count)`	`about.labels [set_requests]`
`display_string (string)`	`about.labels [display_string]`
`up_since (time)`	`about.labels [up_since]`

필드 매핑 참조: CORELIGHT - socks

다음 표에는 socks 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`version (integer - count)`	`about.labels [version]`
`user (string)`	`principal.user.userid`
`password (string)`	`extensions.auth.auth_details`
`status (string)`	`about.labels [status]`
`request.host (string - addr)`	`target.ip`
`request.name (string)`	`target.hostname`
`request_p (integer - port)`	`target.labels [request_p]`
`bound.host (string - addr)`	`intermediary.ip`
`bound.name (string)`	`intermediary.hostname`
`bound_p (integer - port)`	`intermediary.port`

필드 매핑 참조: CORELIGHT - software

다음 표에는 software 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`host (string - addr)`	`target.asset.ip`
`host_p (integer - port)`	`target.port`
`software_type (string - enum)`	`target.asset.software.description`
`name (string)`	`target.asset.software.name`
`version.major (integer - count)`	`target.asset.software.version`
`version.minor (integer - count)`	`target.asset.attribute.labels [version_minor]`
`version.minor2 (integer - count)`	`target.asset.attribute.labels [version_minor2]`
`version.minor3 (integer - count)`	`target.asset.attribute.labels [version_minor3]`
`version.addl (string)`	`target.asset.attribute.labels [version_addl]`
`unparsed_version (string)`	`target.asset.attribute.labels [unparsed_version]`

필드 매핑 참조: CORELIGHT - specific_dns_tunnels

다음 표에는 specific_dns_tunnels 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_DNS`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
	`network.application_protocol`	The `network.application_protocol` UDM field is set to `DNS`.
`trans_id (integer - count)`	`network.dns.id`
`dns_client (string - addr)`	`principal.ip`
`resolver (string - addr)`	`target.ip`
`query (string)`	`network.dns.questions.name`
`program (string - enum)`	`principal.application`
`session_id (integer - count)`	`network.session_id`
`detection (string)`	`security_result.detection_fields [detection]`
`sods_id (integer - count)`	`about.labels [sods_id]`

필드 매핑 참조: CORELIGHT - stepping

다음 표에는 stepping 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`dt (number - interval)`	`about.labels [dt]`
`uid1 (string)`	`about.labels [uid1]`
`uid2 (string)`	`about.labels [uid2]`
`direct (boolean - bool)`	`about.labels [direct]`
`client1_h (string - addr)`	`principal.ip`
`client1_p (integer - port)`	`principal.port`
`server1_h (string - addr)`	`target.ip`
`server1_p (integer - port)`	`target.port`
`client2_h (string - addr)`	`principal.ip`
`client2_p (integer - port)`	`principal.labels [client2_p]`
`server2_h (string - addr)`	`target.labels [server2_h]`
`server2_p (integer - port)`	`target.labels [server2_p]`

필드 매핑 참조: CORELIGHT - stun

다음 표에는 stun 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`proto (string - enum)`	`network.ip_protocol`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`trans_id (string)`	`network.session_id`
`method (string)`	`about.labels [method]`
`class (string)`	`about.labels [class]`
`attr_types (array[string] - vector of string)`	`about.labels.key`
`attr_vals (array[string] - vector of string)`	`about.labels.value`

필드 매핑 참조: CORELIGHT - stun_nat

다음 표에는 stun_nat 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `zeek`.
`proto (string - enum)`	`network.ip_protocol`
`is_orig (boolean - bool)`	`about.labels [is_orig]`
`wan_addrs (array[string] - vector of addr)`	`principal.nat_ip`
`wan_ports (array[integer] - vector of count)`	`principal.nat_port`	The `wan_ports` log field is mapped to `principal.nat_port` UDM field when index value in `wan_ports` is equal to `0`. For every other index value, `principal.labels.key` UDM field is set to `wan_port` and `wan_ports` log field is mapped to the `principal.labels.value`.
`lan_addrs (array[string] - vector of addr)`	`principal.ip`

필드 매핑 참조: CORELIGHT - suricata_stats

다음 표에는 suricata_stats 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Suricata`.
`raw_mgmt`	`about.labels [raw_mgmt]`
`timestamp(time)`	`metadata.event_timestamp`
`event_type(string)`	`about.labels [event_type]`
`stats.uptime(integer)`	`about.labels [stats_uptime]`
`stats.napa_total.pkts(integer)`	`about.labels [stats_napa_total_pkts]`
`stats.napa_total.byte(integer)`	`about.labels [stats_napa_total_byte]`
`stats.napa_total.overflow_drop_pkts(integer)`	`about.labels [stats_napa_total_overflow_drop_pkts]`
`stats.napa_total.overflow_drop_byte(integer)`	`about.labels [stats_napa_total_overflow_drop_byte]`
`stats.napa_dispatch_host.pkts(integer)`	`about.labels [stats_napa_dispatch_host_pkts]`
`stats.napa_dispatch_host.byte(integer)`	`about.labels [stats_napa_dispatch_host_byte]`
`stats.napa_dispatch_drop.pkts(integer)`	`about.labels [stats_napa_dispatch_drop_pkts]`
`stats.napa_dispatch_drop.byte(integer)`	`about.labels [stats_napa_dispatch_drop_byte]`
`stats.decoder.pkts(integer)`	`about.labels [stats_decoder_pkts]`
`stats.decoder.bytes(integer)`	`about.labels [stats_decoder_bytes]`
`stats.decoder.invalid(integer)`	`about.labels [stats_decoder_invalid]`
`stats.decoder.ipv4(integer)`	`about.labels [stats_decoder_ipv4]`
`stats.decoder.ipv6(integer)`	`about.labels [stats_decoder_ipv6]`
`stats.decoder.ethernet(integer)`	`about.labels [stats_decoder_ethernet]`
`stats.decoder.chdlc(integer)`	`about.labels [stats_decoder_chdlc]`
`stats.decoder.raw(integer)`	`about.labels [stats_decoder_raw]`
`stats.decoder.null(integer)`	`about.labels [stats_decoder_null]`
`stats.decoder.sll(integer)`	`about.labels [stats_decoder_sll]`
`stats.decoder.tcp(integer)`	`about.labels [stats_decoder_tcp]`
`stats.decoder.udp(integer)`	`about.labels [stats_decoder_udp]`
`stats.decoder.sctp(integer)`	`about.labels [stats_decoder_sctp]`
`stats.decoder.icmpv4(integer)`	`about.labels [stats_decoder_icmpv4]`
`stats.decoder.icmpv6(integer)`	`about.labels [stats_decoder_icmpv6]`
`stats.decoder.ppp(integer)`	`about.labels [stats_decoder_ppp]`
`stats.decoder.pppoe(integer)`	`about.labels [stats_decoder_pppoe]`
`stats.decoder.geneve(integer)`	`about.labels [stats_decoder_geneve]`
`stats.decoder.gre(integer)`	`about.labels [stats_decoder_gre]`
`stats.decoder.vlan(integer)`	`about.labels [stats_decoder_vlan]`
`stats.decoder.vlan_qinq(integer)`	`about.labels [stats_decoder_vlan_qinq]`
`stats.decoder.vxlan(integer)`	`about.labels [stats_decoder_vxlan]`
`stats.decoder.vntag(integer)`	`about.labels [stats_decoder_vntag]`
`stats.decoder.ieee8021ah(integer)`	`about.labels [stats_decoder_ieee8021ah]`
`stats.decoder.teredo(integer)`	`about.labels [stats_decoder_teredo]`
`stats.decoder.ipv4_in_ipv6(integer)`	`about.labels [stats_decoder_ipv4_in_ipv6]`
`stats.decoder.ipv6_in_ipv6(integer)`	`about.labels [stats_decoder_ipv6_in_ipv6]`
`stats.decoder.mpls(integer)`	`about.labels [stats_decoder_mpls]`
`stats.decoder.avg_pkt_size(integer)`	`about.labels [stats_decoder_avg_pkt_size]`
`stats.decoder.max_pkt_size(integer)`	`about.labels [stats_decoder_max_pkt_size]`
`stats.decoder.max_mac_addrs_src(integer)`	`about.labels [stats_decoder_max_mac_addrs_src]`
`stats.decoder.max_mac_addrs_dst(integer)`	`about.labels [stats_decoder_max_mac_addrs_dst]`
`stats.decoder.erspan(integer)`	`about.labels [stats_decoder_erspan]`
`stats.decoder.event.ipv4.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ipv4_pkt_too_small]`
`stats.decoder.event.ipv4.hlen_too_small(integer)`	`about.labels [stats_decoder_event_ipv4_hlen_too_small]`
`stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer)`	`about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]`
`stats.decoder.event.ipv4.trunc_pkt(integer)`	`about.labels [stats_decoder_event_ipv4_trunc_pkt]`
`stats.decoder.event.ipv4.opt_invalid(integer)`	`about.labels [stats_decoder_event_ipv4_opt_invalid]`
`stats.decoder.event.ipv4.opt_invalid_len(integer)`	`about.labels [stats_decoder_event_ipv4_opt_invalid_len]`
`stats.decoder.event.ipv4.opt_malformed(integer)`	`about.labels [stats_decoder_event_ipv4_opt_malformed]`
`stats.decoder.event.ipv4.opt_pad_required(integer)`	`about.labels [stats_decoder_event_ipv4_opt_pad_required]`
`stats.decoder.event.ipv4.opt_eol_required(integer)`	`about.labels [stats_decoder_event_ipv4_opt_eol_required]`
`stats.decoder.event.ipv4.opt_duplicate(integer)`	`about.labels [stats_decoder_event_ipv4_opt_duplicate]`
`stats.decoder.event.ipv4.opt_unknown(integer)`	`about.labels [stats_decoder_event_ipv4_opt_unknown]`
`stats.decoder.event.ipv4.wrong_ip_version(integer)`	`about.labels [stats_decoder_event_ipv4_wrong_ip_version]`
`stats.decoder.event.ipv4.icmpv6(integer)`	`about.labels [stats_decoder_event_ipv4_icmpv6]`
`stats.decoder.event.ipv4.frag_pkt_too_large(integer)`	`about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]`
`stats.decoder.event.ipv4.frag_overlap(integer)`	`about.labels [stats_decoder_event_ipv4_frag_overlap]`
`stats.decoder.event.ipv4.frag_ignored(integer)`	`about.labels [stats_decoder_event_ipv4_frag_ignored]`
`stats.decoder.event.icmpv4.pkt_too_small(integer)`	`about.labels [stats_decoder_event_icmpv4_pkt_too_small]`
`stats.decoder.event.icmpv4.unknown_type(integer)`	`about.labels [stats_decoder_event_icmpv4_unknown_type]`
`stats.decoder.event.icmpv4.unknown_code(integer)`	`about.labels [stats_decoder_event_icmpv4_unknown_code]`
`stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer)`	`about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]`
`stats.decoder.event.icmpv4.ipv4_unknown_ver(integer)`	`about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]`
`stats.decoder.event.icmpv6.unknown_type(integer)`	`about.labels [stats_decoder_event_icmpv6_unknown_type]`
`stats.decoder.event.icmpv6.unknown_code(integer)`	`about.labels [stats_decoder_event_icmpv6_unknown_code]`
`stats.decoder.event.icmpv6.pkt_too_small(integer)`	`about.labels [stats_decoder_event_icmpv6_pkt_too_small]`
`stats.decoder.event.icmpv6.ipv6_unknown_version(integer)`	`about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]`
`stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer)`	`about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]`
`stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer)`	`about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]`
`stats.decoder.event.icmpv6.unassigned_type(integer)`	`about.labels [stats_decoder_event_icmpv6_unassigned_type]`
`stats.decoder.event.icmpv6.experimentation_type(integer)`	`about.labels [stats_decoder_event_icmpv6_experimentation_type]`
`stats.decoder.event.ipv6.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_pkt_too_small]`
`stats.decoder.event.ipv6.trunc_pkt(integer)`	`about.labels [stats_decoder_event_ipv6_trunc_pkt]`
`stats.decoder.event.ipv6.trunc_exthdr(integer)`	`about.labels [stats_decoder_event_ipv6_trunc_exthdr]`
`stats.decoder.event.ipv6.exthdr_dupl_fh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]`
`stats.decoder.event.ipv6.exthdr_useless_fh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]`
`stats.decoder.event.ipv6.exthdr_dupl_rh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]`
`stats.decoder.event.ipv6.exthdr_dupl_hh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]`
`stats.decoder.event.ipv6.exthdr_dupl_dh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]`
`stats.decoder.event.ipv6.exthdr_dupl_ah(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]`
`stats.decoder.event.ipv6.exthdr_dupl_eh(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]`
`stats.decoder.event.ipv6.exthdr_invalid_optlen(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]`
`stats.decoder.event.ipv6.wrong_ip_version(integer)`	`about.labels [stats_decoder_event_ipv6_wrong_ip_version]`
`stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer)`	`about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]`
`stats.decoder.event.ipv6.hopopts_unknown_opt(integer)`	`about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]`
`stats.decoder.event.ipv6.hopopts_only_padding(integer)`	`about.labels [stats_decoder_event_ipv6_hopopts_only_padding]`
`stats.decoder.event.ipv6.dstopts_unknown_opt(integer)`	`about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]`
`stats.decoder.event.ipv6.dstopts_only_padding(integer)`	`about.labels [stats_decoder_event_ipv6_dstopts_only_padding]`
`stats.decoder.event.ipv6.rh_type_0(integer)`	`about.labels [stats_decoder_event_ipv6_rh_type_0]`
`stats.decoder.event.ipv6.zero_len_padn(integer)`	`about.labels [stats_decoder_event_ipv6_zero_len_padn]`
`stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer)`	`about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]`
`stats.decoder.event.ipv6.data_after_none_header(integer)`	`about.labels [stats_decoder_event_ipv6_data_after_none_header]`
`stats.decoder.event.ipv6.unknown_next_header(integer)`	`about.labels [stats_decoder_event_ipv6_unknown_next_header]`
`stats.decoder.event.ipv6.icmpv4(integer)`	`about.labels [stats_decoder_event_ipv6_icmpv4]`
`stats.decoder.event.ipv6.frag_pkt_too_large(integer)`	`about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]`
`stats.decoder.event.ipv6.frag_overlap(integer)`	`about.labels [stats_decoder_event_ipv6_frag_overlap]`
`stats.decoder.event.ipv6.frag_invalid_length(integer)`	`about.labels [stats_decoder_event_ipv6_frag_invalid_length]`
`stats.decoder.event.ipv6.frag_ignored(integer)`	`about.labels [stats_decoder_event_ipv6_frag_ignored]`
`stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]`
`stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer)`	`about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]`
`stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer)`	`about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]`
`stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer)`	`about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]`
`stats.decoder.event.tcp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_tcp_pkt_too_small]`
`stats.decoder.event.tcp.hlen_too_small(integer)`	`about.labels [stats_decoder_event_tcp_hlen_too_small]`
`stats.decoder.event.tcp.invalid_optlen(integer)`	`about.labels [stats_decoder_event_tcp_invalid_optlen]`
`stats.decoder.event.tcp.opt_invalid_len(integer)`	`about.labels [stats_decoder_event_tcp_opt_invalid_len]`
`stats.decoder.event.tcp.opt_duplicate(integer)`	`about.labels [stats_decoder_event_tcp_opt_duplicate]`
`stats.decoder.event.udp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_udp_pkt_too_small]`
`stats.decoder.event.udp.hlen_too_small(integer)`	`about.labels [stats_decoder_event_udp_hlen_too_small]`
`stats.decoder.event.udp.hlen_invalid(integer)`	`about.labels [stats_decoder_event_udp_hlen_invalid]`
`stats.decoder.event.udp.len_invalid(integer)`	`about.labels [stats_decoder_event_udp_len_invalid]`
`stats.decoder.event.sll.pkt_too_small(integer)`	`about.labels [stats_decoder_event_sll_pkt_too_small]`
`stats.decoder.event.ethernet.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ethernet_pkt_too_small]`
`stats.decoder.event.ppp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_pkt_too_small]`
`stats.decoder.event.ppp.vju_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_vju_pkt_too_small]`
`stats.decoder.event.ppp.ip4_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]`
`stats.decoder.event.ppp.ip6_pkt_too_small(integer)`	`about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]`
`stats.decoder.event.ppp.wrong_type(integer)`	`about.labels [stats_decoder_event_ppp_wrong_type]`
`stats.decoder.event.ppp.unsup_proto(integer)`	`about.labels [stats_decoder_event_ppp_unsup_proto]`
`stats.decoder.event.pppoe.pkt_too_small(integer)`	`about.labels [stats_decoder_event_pppoe_pkt_too_small]`
`stats.decoder.event.pppoe.wrong_code(integer)`	`about.labels [stats_decoder_event_pppoe_wrong_code]`
`stats.decoder.event.pppoe.malformed_tags(integer)`	`about.labels [stats_decoder_event_pppoe_malformed_tags]`
`stats.decoder.event.gre.pkt_too_small(integer)`	`about.labels [stats_decoder_event_gre_pkt_too_small]`
`stats.decoder.event.gre.wrong_version(integer)`	`about.labels [stats_decoder_event_gre_wrong_version]`
`stats.decoder.event.gre.version0_recur(integer)`	`about.labels [stats_decoder_event_gre_version0_recur]`
`stats.decoder.event.gre.version0_flags(integer)`	`about.labels [stats_decoder_event_gre_version0_flags]`
`stats.decoder.event.gre.version0_hdr_too_big(integer)`	`about.labels [stats_decoder_event_gre_version0_hdr_too_big]`
`stats.decoder.event.gre.version0_malformed_sre_hdr(integer)`	`about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]`
`stats.decoder.event.gre.version1_chksum(integer)`	`about.labels [stats_decoder_event_gre_version1_chksum]`
`stats.decoder.event.gre.version1_route(integer)`	`about.labels [stats_decoder_event_gre_version1_route]`
`stats.decoder.event.gre.version1_ssr(integer)`	`about.labels [stats_decoder_event_gre_version1_ssr]`
`stats.decoder.event.gre.version1_recur(integer)`	`about.labels [stats_decoder_event_gre_version1_recur]`
`stats.decoder.event.gre.version1_flags(integer)`	`about.labels [stats_decoder_event_gre_version1_flags]`
`stats.decoder.event.gre.version1_no_key(integer)`	`about.labels [stats_decoder_event_gre_version1_no_key]`
`stats.decoder.event.gre.version1_wrong_protocol(integer)`	`about.labels [stats_decoder_event_gre_version1_wrong_protocol]`
`stats.decoder.event.gre.version1_malformed_sre_hdr(integer)`	`about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]`
`stats.decoder.event.gre.version1_hdr_too_big(integer)`	`about.labels [stats_decoder_event_gre_version1_hdr_too_big]`
`stats.decoder.event.vlan.header_too_small(integer)`	`about.labels [stats_decoder_event_vlan_header_too_small]`
`stats.decoder.event.vlan.unknown_type(integer)`	`about.labels [stats_decoder_event_vlan_unknown_type]`
`stats.decoder.event.vlan.too_many_layers(integer)`	`about.labels [stats_decoder_event_vlan_too_many_layers]`
`stats.decoder.event.ieee8021ah.header_too_small(integer)`	`about.labels [stats_decoder_event_ieee8021ah_header_too_small]`
`stats.decoder.event.vntag.header_too_small(integer)`	`about.labels [stats_decoder_event_vntag_header_too_small]`
`stats.decoder.event.vntag.unknown_type(integer)`	`about.labels [stats_decoder_event_vntag_unknown_type]`
`stats.decoder.event.ipraw.invalid_ip_version(integer)`	`about.labels [stats_decoder_event_ipraw_invalid_ip_version]`
`stats.decoder.event.ltnull.pkt_too_small(integer)`	`about.labels [stats_decoder_event_ltnull_pkt_too_small]`
`stats.decoder.event.ltnull.unsupported_type(integer)`	`about.labels [stats_decoder_event_ltnull_unsupported_type]`
`stats.decoder.event.sctp.pkt_too_small(integer)`	`about.labels [stats_decoder_event_sctp_pkt_too_small]`
`stats.decoder.event.mpls.header_too_small(integer)`	`about.labels [stats_decoder_event_mpls_header_too_small]`
`stats.decoder.event.mpls.pkt_too_small(integer)`	`about.labels [stats_decoder_event_mpls_pkt_too_small]`
`stats.decoder.event.mpls.bad_label_router_alert(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_router_alert]`
`stats.decoder.event.mpls.bad_label_implicit_null(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_implicit_null]`
`stats.decoder.event.mpls.bad_label_reserved(integer)`	`about.labels [stats_decoder_event_mpls_bad_label_reserved]`
`stats.decoder.event.mpls.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_mpls_unknown_payload_type]`
`stats.decoder.event.vxlan.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_vxlan_unknown_payload_type]`
`stats.decoder.event.geneve.unknown_payload_type(integer)`	`about.labels [stats_decoder_event_geneve_unknown_payload_type]`
`stats.decoder.event.erspan.header_too_small(integer)`	`about.labels [stats_decoder_event_erspan_header_too_small]`
`stats.decoder.event.erspan.unsupported_version(integer)`	`about.labels [stats_decoder_event_erspan_unsupported_version]`
`stats.decoder.event.erspan.too_many_vlan_layers(integer)`	`about.labels [stats_decoder_event_erspan_too_many_vlan_layers]`
`stats.decoder.event.dce.pkt_too_small(integer)`	`about.labels [stats_decoder_event_dce_pkt_too_small]`
`stats.decoder.event.chdlc.pkt_too_small(integer)`	`about.labels [stats_decoder_event_chdlc_pkt_too_small]`
`stats.decoder.too_many_layers(integer)`	`about.labels [stats_decoder_too_many_layers]`
`stats.flow.memcap(integer)`	`about.labels [stats_flow_memcap]`
`stats.flow.tcp(integer)`	`about.labels [stats_flow_tcp]`
`stats.flow.udp(integer)`	`about.labels [stats_flow_udp]`
`stats.flow.icmpv4(integer)`	`about.labels [stats_flow_icmpv4]`
`stats.flow.icmpv6(integer)`	`about.labels [stats_flow_icmpv6]`
`stats.flow.tcp_reuse(integer)`	`about.labels [stats_flow_tcp_reuse]`
`stats.flow.get_used(integer)`	`about.labels [stats_flow_get_used]`
`stats.flow.get_used_eval(integer)`	`about.labels [stats_flow_get_used_eval]`
`stats.flow.get_used_eval_reject(integer)`	`about.labels [stats_flow_get_used_eval_reject]`
`stats.flow.get_used_eval_busy(integer)`	`about.labels [stats_flow_get_used_eval_busy]`
`stats.flow.get_used_failed(integer)`	`about.labels [stats_flow_get_used_failed]`
`stats.flow.wrk.spare_sync_avg(integer)`	`about.labels [stats_flow_wrk_spare_sync_avg]`
`stats.flow.wrk.spare_sync(integer)`	`about.labels [stats_flow_wrk_spare_sync]`
`stats.flow.wrk.spare_sync_incomplete(integer)`	`about.labels [stats_flow_wrk_spare_sync_incomplete]`
`stats.flow.wrk.spare_sync_empty(integer)`	`about.labels [stats_flow_wrk_spare_sync_empty]`
`stats.flow.wrk.flows_evicted_needs_work(integer)`	`about.labels [stats_flow_wrk_flows_evicted_needs_work]`
`stats.flow.wrk.flows_evicted_pkt_inject(integer)`	`about.labels [stats_flow_wrk_flows_evicted_pkt_inject]`
`stats.flow.wrk.flows_evicted(integer)`	`about.labels [stats_flow_wrk_flows_evicted]`
`stats.flow.wrk.flows_injected(integer)`	`about.labels [stats_flow_wrk_flows_injected]`
`stats.flow.mgr.full_hash_pass(integer)`	`about.labels [stats_flow_mgr_full_hash_pass]`
`stats.flow.mgr.closed_pruned(integer)`	`about.labels [stats_flow_mgr_closed_pruned]`
`stats.flow.mgr.new_pruned(integer)`	`about.labels [stats_flow_mgr_new_pruned]`
`stats.flow.mgr.est_pruned(integer)`	`about.labels [stats_flow_mgr_est_pruned]`
`stats.flow.mgr.bypassed_pruned(integer)`	`about.labels [stats_flow_mgr_bypassed_pruned]`
`stats.flow.mgr.rows_maxlen(integer)`	`about.labels [stats_flow_mgr_rows_maxlen]`
`stats.flow.mgr.flows_checked(integer)`	`about.labels [stats_flow_mgr_flows_checked]`
`stats.flow.mgr.flows_notimeout(integer)`	`about.labels [stats_flow_mgr_flows_notimeout]`
`stats.flow.mgr.flows_timeout(integer)`	`about.labels [stats_flow_mgr_flows_timeout]`
`stats.flow.mgr.flows_timeout_inuse(integer)`	`about.labels [stats_flow_mgr_flows_timeout_inuse]`
`stats.flow.mgr.flows_evicted(integer)`	`about.labels [stats_flow_mgr_flows_evicted]`
`stats.flow.mgr.flows_evicted_needs_work(integer)`	`about.labels [stats_flow_mgr_flows_evicted_needs_work]`
`stats.flow.spare(integer)`	`about.labels [stats_flow_spare]`
`stats.flow.emerg_mode_entered(integer)`	`about.labels [stats_flow_emerg_mode_entered]`
`stats.flow.emerg_mode_over(integer)`	`about.labels [stats_flow_emerg_mode_over]`
`stats.flow.memuse(integer)`	`about.labels [stats_flow_memuse]`
`stats.defrag.ipv4.fragments(integer)`	`about.labels [stats_defrag_ipv4_fragments]`
`stats.defrag.ipv4.reassembled(integer)`	`about.labels [stats_defrag_ipv4_reassembled]`
`stats.defrag.ipv4.timeouts(integer)`	`about.labels [stats_defrag_ipv4_timeouts]`
`stats.defrag.ipv6.fragments(integer)`	`about.labels [stats_defrag_ipv6_fragments]`
`stats.defrag.ipv6.reassembled(integer)`	`about.labels [stats_defrag_ipv6_reassembled]`
`stats.defrag.ipv6.timeouts(integer)`	`about.labels [stats_defrag_ipv6_timeouts]`
`stats.defrag.max_frag_hits(integer)`	`about.labels [stats_defrag_max_frag_hits]`
`stats.flow_bypassed.local_pkts(integer)`	`about.labels [stats_flow_bypassed_local_pkts]`
`stats.flow_bypassed.local_bytes(integer)`	`about.labels [stats_flow_bypassed_local_bytes]`
`stats.flow_bypassed.local_capture_pkts(integer)`	`about.labels [stats_flow_bypassed_local_capture_pkts]`
`stats.flow_bypassed.local_capture_bytes(integer)`	`about.labels [stats_flow_bypassed_local_capture_bytes]`
`stats.flow_bypassed.closed(integer)`	`about.labels [stats_flow_bypassed_closed]`
`stats.flow_bypassed.pkts(integer)`	`about.labels [stats_flow_bypassed_pkts]`
`stats.flow_bypassed.bytes(integer)`	`about.labels [stats_flow_bypassed_bytes]`
`stats.tcp.sessions(integer)`	`about.labels [stats_tcp_sessions]`
`stats.tcp.ssn_memcap_drop(integer)`	`about.labels [stats_tcp_ssn_memcap_drop]`
`stats.tcp.pseudo(integer)`	`about.labels [stats_tcp_pseudo]`
`stats.tcp.pseudo_failed(integer)`	`about.labels [stats_tcp_pseudo_failed]`
`stats.tcp.invalid_checksum(integer)`	`about.labels [stats_tcp_invalid_checksum]`
`stats.tcp.no_flow(integer)`	`about.labels [stats_tcp_no_flow]`
`stats.tcp.syn(integer)`	`about.labels [stats_tcp_syn]`
`stats.tcp.synack(integer)`	`about.labels [stats_tcp_synack]`
`stats.tcp.rst(integer)`	`about.labels [stats_tcp_rst]`
`stats.tcp.midstream_pickups(integer)`	`about.labels [stats_tcp_midstream_pickups]`
`stats.tcp.pkt_on_wrong_thread(integer)`	`about.labels [stats_tcp_pkt_on_wrong_thread]`
`stats.tcp.segment_memcap_drop(integer)`	`about.labels [stats_tcp_segment_memcap_drop]`
`stats.tcp.stream_depth_reached(integer)`	`about.labels [stats_tcp_stream_depth_reached]`
`stats.tcp.reassembly_gap(integer)`	`about.labels [stats_tcp_reassembly_gap]`
`stats.tcp.overlap(integer)`	`about.labels [stats_tcp_overlap]`
`stats.tcp.overlap_diff_data(integer)`	`about.labels [stats_tcp_overlap_diff_data]`
`stats.tcp.insert_data_normal_fail(integer)`	`about.labels [stats_tcp_insert_data_normal_fail]`
`stats.tcp.insert_data_overlap_fail(integer)`	`about.labels [stats_tcp_insert_data_overlap_fail]`
`stats.tcp.insert_list_fail(integer)`	`about.labels [stats_tcp_insert_list_fail]`
`stats.tcp.memuse(integer)`	`about.labels [stats_tcp_memuse]`
`stats.tcp.reassembly_memuse(integer)`	`about.labels [stats_tcp_reassembly_memuse]`
`stats.detect.engines.id(array)`	`about.labels [stats_detect_engines_id]`
`stats.detect.engines.last_reload(array)`	`about.labels [stats_detect_engines_last_reload]`
`stats.detect.engines.rules_loaded(array)`	`about.labels [stats_detect_engines_rules_loaded]`
`stats.detect.engines.rules_failed(array)`	`about.labels [stats_detect_engines_rules_failed]`
`stats.detect.alert(integer)`	`about.labels [stats_detect_alert]`
`stats.detect.alert_queue_overflow(integer)`	`about.labels [stats_detect_alert_queue_overflow]`
`stats.detect.alerts_suppressed(integer)`	`about.labels [stats_detect_alerts_suppressed]`
`stats.app_layer.flow.http(integer)`	`about.labels [stats_app_layer_flow_http]`
`stats.app_layer.flow.ftp(integer)`	`about.labels [stats_app_layer_flow_ftp]`
`stats.app_layer.flow.smtp(integer)`	`about.labels [stats_app_layer_flow_smtp]`
`stats.app_layer.flow.tls(integer)`	`about.labels [stats_app_layer_flow_tls]`
`stats.app_layer.flow.ssh(integer)`	`about.labels [stats_app_layer_flow_ssh]`
`stats.app_layer.flow.imap(integer)`	`about.labels [stats_app_layer_flow_imap]`
`stats.app_layer.flow.smb(integer)`	`about.labels [stats_app_layer_flow_smb]`
`stats.app_layer.flow.dcerpc_tcp(integer)`	`about.labels [stats_app_layer_flow_dcerpc_tcp]`
`stats.app_layer.flow.dns_tcp(integer)`	`about.labels [stats_app_layer_flow_dns_tcp]`
`stats.app_layer.flow.nfs_tcp(integer)`	`about.labels [stats_app_layer_flow_nfs_tcp]`
`stats.app_layer.flow.ntp(integer)`	`about.labels [stats_app_layer_flow_ntp]`
`stats.app_layer.flow.ftp-data(integer)`	`about.labels [stats_app_layer_flow_ftp-data]`
`stats.app_layer.flow.tftp(integer)`	`about.labels [stats_app_layer_flow_tftp]`
`stats.app_layer.flow.ikev2(integer)`	`about.labels [stats_app_layer_flow_ikev2]`
`stats.app_layer.flow.krb5_tcp(integer)`	`about.labels [stats_app_layer_flow_krb5_tcp]`
`stats.app_layer.flow.dhcp(integer)`	`about.labels [stats_app_layer_flow_dhcp]`
`stats.app_layer.flow.rfb(integer)`	`about.labels [stats_app_layer_flow_rfb]`
`stats.app_layer.flow.rdp(integer)`	`about.labels [stats_app_layer_flow_rdp]`
`stats.app_layer.flow.failed_tcp(integer)`	`about.labels [stats_app_layer_flow_failed_tcp]`
`stats.app_layer.flow.dcerpc_udp(integer)`	`about.labels [stats_app_layer_flow_dcerpc_udp]`
`stats.app_layer.flow.dns_udp(integer)`	`about.labels [stats_app_layer_flow_dns_udp]`
`stats.app_layer.flow.nfs_udp(integer)`	`about.labels [stats_app_layer_flow_nfs_udp]`
`stats.app_layer.flow.krb5_udp(integer)`	`about.labels [stats_app_layer_flow_krb5_udp]`
`stats.app_layer.flow.failed_udp(integer)`	`about.labels [stats_app_layer_flow_failed_udp]`
`stats.app_layer.tx.http(integer)`	`about.labels [stats_app_layer_tx_http]`
`stats.app_layer.tx.ftp(integer)`	`about.labels [stats_app_layer_tx_ftp]`
`stats.app_layer.tx.smtp(integer)`	`about.labels [stats_app_layer_tx_smtp]`
`stats.app_layer.tx.tls(integer)`	`about.labels [stats_app_layer_tx_tls]`
`stats.app_layer.tx.ssh(integer)`	`about.labels [stats_app_layer_tx_ssh]`
`stats.app_layer.tx.imap(integer)`	`about.labels [stats_app_layer_tx_imap]`
`stats.app_layer.tx.smb(integer)`	`about.labels [stats_app_layer_tx_smb]`
`stats.app_layer.tx.dcerpc_tcp(integer)`	`about.labels [stats_app_layer_tx_dcerpc_tcp]`
`stats.app_layer.tx.dns_tcp(integer)`	`about.labels [stats_app_layer_tx_dns_tcp]`
`stats.app_layer.tx.nfs_tcp(integer)`	`about.labels [stats_app_layer_tx_nfs_tcp]`
`stats.app_layer.tx.ntp(integer)`	`about.labels [stats_app_layer_tx_ntp]`
`stats.app_layer.tx.ftp-data(integer)`	`about.labels [stats_app_layer_tx_ftp-data]`
`stats.app_layer.tx.tftp(integer)`	`about.labels [stats_app_layer_tx_tftp]`
`stats.app_layer.tx.ikev2(integer)`	`about.labels [stats_app_layer_tx_ikev2]`
`stats.app_layer.tx.krb5_tcp(integer)`	`about.labels [stats_app_layer_tx_krb5_tcp]`
`stats.app_layer.tx.dhcp(integer)`	`about.labels [stats_app_layer_tx_dhcp]`
`stats.app_layer.tx.rfb(integer)`	`about.labels [stats_app_layer_tx_rfb]`
`stats.app_layer.tx.rdp(integer)`	`about.labels [stats_app_layer_tx_rdp]`
`stats.app_layer.tx.dcerpc_udp(integer)`	`about.labels [stats_app_layer_tx_dcerpc_udp]`
`stats.app_layer.tx.dns_udp(integer)`	`about.labels [stats_app_layer_tx_dns_udp]`
`stats.app_layer.tx.nfs_udp(integer)`	`about.labels [stats_app_layer_tx_nfs_udp]`
`stats.app_layer.tx.krb5_udp(integer)`	`about.labels [stats_app_layer_tx_krb5_udp]`
`stats.app_layer.expectations(integer)`	`about.labels [stats_app_layer_expectations]`
`stats.http.memuse(integer)`	`about.labels [stats_http_memuse]`
`stats.http.memcap(integer)`	`about.labels [stats_http_memcap]`
`stats.ftp.memuse(integer)`	`about.labels [stats_ftp_memuse]`
`stats.ftp.memcap(integer)`	`about.labels [stats_ftp_memcap]`

필드 매핑 참조: CORELIGHT - logschema

다음 표에는 logschema 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.event_type`	The `metadata.event_type` UDM field is set to `GENERIC_EVENT`.
`name(string)`	`about.labels [name]`
`text(string)`	`about.labels [text]`
`schema(string)`	`about.labels [schema]`
`avro(string)`	`about.labels [avro]`

다음 단계

Google Security Operations에 데이터 수집

도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가로부터 답변을 받으세요.