diff --git a/packages/zeek/dataset/capture_loss/fields/beats.yml b/packages/zeek/dataset/capture_loss/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/capture_loss/fields/beats.yml
+++ b/packages/zeek/dataset/capture_loss/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/capture_loss/fields/ecs.yml b/packages/zeek/dataset/capture_loss/fields/ecs.yml
index b2ec9171f67..8928af5084d 100644
--- a/packages/zeek/dataset/capture_loss/fields/ecs.yml
+++ b/packages/zeek/dataset/capture_loss/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: ECS version this event conforms to.
 example: 1.0.0
 ignore_above: 1024
diff --git a/packages/zeek/dataset/capture_loss/fields/fields.yml b/packages/zeek/dataset/capture_loss/fields/fields.yml
index 3c40e298dcc..54671c4d123 100644
--- a/packages/zeek/dataset/capture_loss/fields/fields.yml
+++ b/packages/zeek/dataset/capture_loss/fields/fields.yml
@@ -1,23 +1,23 @@
 - name: zeek.capture_loss
 type: group
 fields:
- - name: ts_delta
- type: integer
- description: |
- The time delay between this measurement and the last.
- - name: peer
- type: keyword
- description: |
- In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
- - name: gaps
- type: integer
- description: |
- Number of missed ACKs from the previous measurement interval.
- - name: acks
- type: integer
- description: |
- Total number of ACKs seen in the previous measurement interval.
- - name: percent_lost
- type: double
- description: |
- Percentage of ACKs seen where the data being ACKed wasn't seen.
+ - name: ts_delta
+ type: integer
+ description: |
+ The time delay between this measurement and the last.
+ - name: peer
+ type: keyword
+ description: |
+ In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
+ - name: gaps
+ type: integer
+ description: |
+ Number of missed ACKs from the previous measurement interval.
+ - name: acks
+ type: integer
+ description: |
+ Total number of ACKs seen in the previous measurement interval.
+ - name: percent_lost
+ type: double
+ description: |
+ Percentage of ACKs seen where the data being ACKed wasn't seen.
diff --git a/packages/zeek/dataset/capture_loss/fields/package-fields.yml b/packages/zeek/dataset/capture_loss/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/capture_loss/fields/package-fields.yml
+++ b/packages/zeek/dataset/capture_loss/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/capture_loss/manifest.yml b/packages/zeek/dataset/capture_loss/manifest.yml
index f8457ce79e4..4cf19b47900 100644
--- a/packages/zeek/dataset/capture_loss/manifest.yml
+++ b/packages/zeek/dataset/capture_loss/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek capture_loss logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: capture_loss.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/capture_loss.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.capture_loss
- template_path: log.yml.hbs
- title: Zeek capture_loss.log
- description: Collect Zeek capture_loss logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: capture_loss.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/capture_loss.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.capture_loss
+ template_path: log.yml.hbs
+ title: Zeek capture_loss.log
+ description: Collect Zeek capture_loss logs
diff --git a/packages/zeek/dataset/connection/fields/beats.yml b/packages/zeek/dataset/connection/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/connection/fields/beats.yml
+++ b/packages/zeek/dataset/connection/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/connection/fields/ecs.yml b/packages/zeek/dataset/connection/fields/ecs.yml
index d94fa4c07df..ab78d231134 100644
--- a/packages/zeek/dataset/connection/fields/ecs.yml
+++ b/packages/zeek/dataset/connection/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: Bytes sent from the destination to the source.
@@ -155,10 +154,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: Bytes sent from the source to the destination.
diff --git a/packages/zeek/dataset/connection/fields/fields.yml b/packages/zeek/dataset/connection/fields/fields.yml
index fd919d01bb4..648f871d9db 100644
--- a/packages/zeek/dataset/connection/fields/fields.yml
+++ b/packages/zeek/dataset/connection/fields/fields.yml
@@ -1,46 +1,46 @@
 - name: zeek.connection
 type: group
 fields:
- - name: local_orig
- type: boolean
- description: |
- Indicates whether the session is originated locally.
- - name: local_resp
- type: boolean
- description: |
- Indicates whether the session is responded locally.
- - name: missed_bytes
- type: long
- description: |
- Missed bytes for the session.
- - name: state
- type: keyword
- description: |
- Code indicating the state of the session.
- - name: state_message
- type: keyword
- description: |
- The state of the session.
- - name: icmp
- type: group
- fields:
- - name: type
+ - name: local_orig
+ type: boolean
+ description: |
+ Indicates whether the session is originated locally.
+ - name: local_resp
+ type: boolean
+ description: |
+ Indicates whether the session is responded locally.
+ - name: missed_bytes
+ type: long
+ description: |
+ Missed bytes for the session.
+ - name: state
+ type: keyword
+ description: |
+ Code indicating the state of the session.
+ - name: state_message
+ type: keyword
+ description: |
+ The state of the session.
+ - name: icmp
+ type: group
+ fields:
+ - name: type
+ type: integer
+ description: |
+ ICMP message type.
+ - name: code
+ type: integer
+ description: |
+ ICMP message code.
+ - name: history
+ type: keyword
+ description: |
+ Flags indicating the history of the session.
+ - name: vlan
 type: integer
 description: |
- ICMP message type.
- - name: code
+ VLAN identifier.
+ - name: inner_vlan
 type: integer
 description: |
- ICMP message code.
- - name: history
- type: keyword
- description: |
- Flags indicating the history of the session.
- - name: vlan
- type: integer
- description: |
- VLAN identifier.
- - name: inner_vlan
- type: integer
- description: |
- VLAN identifier.
+ VLAN identifier.
diff --git a/packages/zeek/dataset/connection/fields/package-fields.yml b/packages/zeek/dataset/connection/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/connection/fields/package-fields.yml
+++ b/packages/zeek/dataset/connection/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/connection/manifest.yml b/packages/zeek/dataset/connection/manifest.yml
index 0f7148bff25..c9d47c5bd42 100644
--- a/packages/zeek/dataset/connection/manifest.yml
+++ b/packages/zeek/dataset/connection/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek connection logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: conn.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/conn.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.connection
- template_path: log.yml.hbs
- title: Zeek conn.log
- description: Collect Zeek connection logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: conn.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/conn.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.connection
+ template_path: log.yml.hbs
+ title: Zeek conn.log
+ description: Collect Zeek connection logs
diff --git a/packages/zeek/dataset/dce_rpc/fields/beats.yml b/packages/zeek/dataset/dce_rpc/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/dce_rpc/fields/beats.yml
+++ b/packages/zeek/dataset/dce_rpc/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/dce_rpc/fields/ecs.yml b/packages/zeek/dataset/dce_rpc/fields/ecs.yml
index a86328b1670..d74dec6487a 100644
--- a/packages/zeek/dataset/dce_rpc/fields/ecs.yml
+++ b/packages/zeek/dataset/dce_rpc/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: Bytes sent from the destination to the source.
@@ -126,10 +125,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: Bytes sent from the source to the destination.
diff --git a/packages/zeek/dataset/dce_rpc/fields/fields.yml b/packages/zeek/dataset/dce_rpc/fields/fields.yml
index 379f18af116..e0741e5456a 100644
--- a/packages/zeek/dataset/dce_rpc/fields/fields.yml
+++ b/packages/zeek/dataset/dce_rpc/fields/fields.yml
@@ -1,19 +1,19 @@
 - name: zeek.dce_rpc
 type: group
 fields:
- - name: rtt
- type: integer
- description: |
- Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
- - name: named_pipe
- type: keyword
- description: |
- Remote pipe name.
- - name: endpoint
- type: keyword
- description: |
- Endpoint name looked up from the uuid.
- - name: operation
- type: keyword
- description: |
- Operation seen in the call.
+ - name: rtt
+ type: integer
+ description: |
+ Round trip time from the request to the response. If either the request or response wasn't seen, this will be null.
+ - name: named_pipe
+ type: keyword
+ description: |
+ Remote pipe name.
+ - name: endpoint
+ type: keyword
+ description: |
+ Endpoint name looked up from the uuid.
+ - name: operation
+ type: keyword
+ description: |
+ Operation seen in the call.
diff --git a/packages/zeek/dataset/dce_rpc/fields/package-fields.yml b/packages/zeek/dataset/dce_rpc/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/dce_rpc/fields/package-fields.yml
+++ b/packages/zeek/dataset/dce_rpc/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/dce_rpc/manifest.yml b/packages/zeek/dataset/dce_rpc/manifest.yml
index e8eaeecbe2a..e2b9b4d9175 100644
--- a/packages/zeek/dataset/dce_rpc/manifest.yml
+++ b/packages/zeek/dataset/dce_rpc/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek dce_rpc logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: dce_rpc.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/dce_rpc.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.dce_rpc
- template_path: log.yml.hbs
- title: Zeek dce_rpc.log
- description: Collect Zeek dce_rpc logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: dce_rpc.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/dce_rpc.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.dce_rpc
+ template_path: log.yml.hbs
+ title: Zeek dce_rpc.log
+ description: Collect Zeek dce_rpc logs
diff --git a/packages/zeek/dataset/dhcp/fields/beats.yml b/packages/zeek/dataset/dhcp/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/dhcp/fields/beats.yml
+++ b/packages/zeek/dataset/dhcp/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/dhcp/fields/ecs.yml b/packages/zeek/dataset/dhcp/fields/ecs.yml
index 72c6c9fb073..2cdcfb54cba 100644
--- a/packages/zeek/dataset/dhcp/fields/ecs.yml
+++ b/packages/zeek/dataset/dhcp/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Client network address.
 ignore_above: 1024
 name: client.address
diff --git a/packages/zeek/dataset/dhcp/fields/fields.yml b/packages/zeek/dataset/dhcp/fields/fields.yml
index 1f42b89a472..f095974165d 100644
--- a/packages/zeek/dataset/dhcp/fields/fields.yml
+++ b/packages/zeek/dataset/dhcp/fields/fields.yml
@@ -1,110 +1,110 @@
 - name: zeek.dhcp
 type: group
 fields:
- - name: domain
- type: keyword
- description: |
- Domain given by the server in option 15.
- - name: duration
- type: double
- description: |
- Duration of the DHCP session representing the time from the first
- message to the last, in seconds.
- - name: hostname
- type: keyword
- description: |
- Name given by client in Hostname option 12.
- - name: client_fqdn
- type: keyword
- description: |
- FQDN given by client in Client FQDN option 81.
- - name: lease_time
- type: integer
- description: |
- IP address lease interval in seconds.
- - name: address
- type: group
- fields:
- - name: assigned
- type: ip
- description: |
- IP address assigned by the server.
- - name: client
- type: ip
- description: |
- IP address of the client. If a transaction is only a client sending
- INFORM messages then there is no lease information exchanged so this
- is helpful to know who sent the messages. Getting an address in this
- field does require that the client sources at least one DHCP message
- using a non-broadcast address.
- - name: mac
- type: keyword
- description: |
- Client's hardware address.
- - name: requested
- type: ip
- description: |
- IP address requested by the client.
- - name: server
- type: ip
- description: |
- IP address of the DHCP server.
- - name: msg
- type: group
- fields:
- - name: types
+ - name: domain
 type: keyword
 description: |
- List of DHCP message types seen in this exchange.
- - name: origin
- type: ip
- description: |
- (present if policy/protocols/dhcp/msg-orig.bro is loaded)
- The address that originated each message from the msg.types field.
- - name: client
- type: keyword
+ Domain given by the server in option 15.
+ - name: duration
+ type: double
 description: |
- Message typically accompanied with a DHCP_DECLINE so the client can
- tell the server why it rejected an address.
- - name: server
+ Duration of the DHCP session representing the time from the first
+ message to the last, in seconds.
+ - name: hostname
 type: keyword
 description: |
- Message typically accompanied with a DHCP_NAK to let the client know
- why it rejected the request.
- - name: software
- type: group
- fields:
- - name: client
+ Name given by client in Hostname option 12.
+ - name: client_fqdn
 type: keyword
 description: |
- (present if policy/protocols/dhcp/software.bro is loaded)
- Software reported by the client in the vendor_class option.
- - name: server
- type: keyword
- description: |
- (present if policy/protocols/dhcp/software.bro is loaded)
- Software reported by the client in the vendor_class option.
- - name: id
- type: group
- fields:
- - name: circuit
- type: keyword
- description: |
- (present if policy/protocols/dhcp/sub-opts.bro is loaded)
- Added by DHCP relay agents which terminate switched or permanent
- circuits. It encodes an agent-local identifier of the circuit from
- which a DHCP client-to-server packet was received. Typically it
- should represent a router or switch interface number.
- - name: remote_agent
- type: keyword
- description: |
- (present if policy/protocols/dhcp/sub-opts.bro is loaded)
- A globally unique identifier added by relay agents to identify the
- remote host end of the circuit.
- - name: subscriber
- type: keyword
+ FQDN given by client in Client FQDN option 81.
+ - name: lease_time
+ type: integer
 description: |
- (present if policy/protocols/dhcp/sub-opts.bro is loaded)
- The subscriber ID is a value independent of the physical network
- configuration so that a customer's DHCP configuration can be given
- to them correctly no matter where they are physically connected.
+ IP address lease interval in seconds.
+ - name: address
+ type: group
+ fields:
+ - name: assigned
+ type: ip
+ description: |
+ IP address assigned by the server.
+ - name: client
+ type: ip
+ description: |
+ IP address of the client. If a transaction is only a client sending
+ INFORM messages then there is no lease information exchanged so this
+ is helpful to know who sent the messages. Getting an address in this
+ field does require that the client sources at least one DHCP message
+ using a non-broadcast address.
+ - name: mac
+ type: keyword
+ description: |
+ Client's hardware address.
+ - name: requested
+ type: ip
+ description: |
+ IP address requested by the client.
+ - name: server
+ type: ip
+ description: |
+ IP address of the DHCP server.
+ - name: msg
+ type: group
+ fields:
+ - name: types
+ type: keyword
+ description: |
+ List of DHCP message types seen in this exchange.
+ - name: origin
+ type: ip
+ description: |
+ (present if policy/protocols/dhcp/msg-orig.bro is loaded)
+ The address that originated each message from the msg.types field.
+ - name: client
+ type: keyword
+ description: |
+ Message typically accompanied with a DHCP_DECLINE so the client can
+ tell the server why it rejected an address.
+ - name: server
+ type: keyword
+ description: |
+ Message typically accompanied with a DHCP_NAK to let the client know
+ why it rejected the request.
+ - name: software
+ type: group
+ fields:
+ - name: client
+ type: keyword
+ description: |
+ (present if policy/protocols/dhcp/software.bro is loaded)
+ Software reported by the client in the vendor_class option.
+ - name: server
+ type: keyword
+ description: |
+ (present if policy/protocols/dhcp/software.bro is loaded)
+ Software reported by the client in the vendor_class option.
+ - name: id
+ type: group
+ fields:
+ - name: circuit
+ type: keyword
+ description: |
+ (present if policy/protocols/dhcp/sub-opts.bro is loaded)
+ Added by DHCP relay agents which terminate switched or permanent
+ circuits. It encodes an agent-local identifier of the circuit from
+ which a DHCP client-to-server packet was received. Typically it
+ should represent a router or switch interface number.
+ - name: remote_agent
+ type: keyword
+ description: |
+ (present if policy/protocols/dhcp/sub-opts.bro is loaded)
+ A globally unique identifier added by relay agents to identify the
+ remote host end of the circuit.
+ - name: subscriber
+ type: keyword
+ description: |
+ (present if policy/protocols/dhcp/sub-opts.bro is loaded)
+ The subscriber ID is a value independent of the physical network
+ configuration so that a customer's DHCP configuration can be given
+ to them correctly no matter where they are physically connected.
diff --git a/packages/zeek/dataset/dhcp/fields/package-fields.yml b/packages/zeek/dataset/dhcp/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/dhcp/fields/package-fields.yml
+++ b/packages/zeek/dataset/dhcp/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/dhcp/manifest.yml b/packages/zeek/dataset/dhcp/manifest.yml
index b15a2acc64c..d19a58e1d3c 100644
--- a/packages/zeek/dataset/dhcp/manifest.yml
+++ b/packages/zeek/dataset/dhcp/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek dhcp logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: dhcp.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/dhcp.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.dhcp
- template_path: log.yml.hbs
- title: Zeek dhcp.log
- description: Collect Zeek dhcp logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: dhcp.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/dhcp.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.dhcp
+ template_path: log.yml.hbs
+ title: Zeek dhcp.log
+ description: Collect Zeek dhcp logs
diff --git a/packages/zeek/dataset/dnp3/fields/beats.yml b/packages/zeek/dataset/dnp3/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/dnp3/fields/beats.yml
+++ b/packages/zeek/dataset/dnp3/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/dnp3/fields/ecs.yml b/packages/zeek/dataset/dnp3/fields/ecs.yml
index a86328b1670..d74dec6487a 100644
--- a/packages/zeek/dataset/dnp3/fields/ecs.yml
+++ b/packages/zeek/dataset/dnp3/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: Bytes sent from the destination to the source.
@@ -126,10 +125,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: Bytes sent from the source to the destination.
diff --git a/packages/zeek/dataset/dnp3/fields/fields.yml b/packages/zeek/dataset/dnp3/fields/fields.yml
index 4cad3295c24..bddbd099d0c 100644
--- a/packages/zeek/dataset/dnp3/fields/fields.yml
+++ b/packages/zeek/dataset/dnp3/fields/fields.yml
@@ -1,18 +1,18 @@
 - name: zeek.dnp3
 type: group
 fields:
- - name: function
- type: group
- fields:
- - name: request
- type: keyword
+ - name: function
+ type: group
+ fields:
+ - name: request
+ type: keyword
+ description: |
+ The name of the function message in the request.
+ - name: reply
+ type: keyword
+ description: |
+ The name of the function message in the reply.
+ - name: id
+ type: integer
 description: |
- The name of the function message in the request.
- - name: reply
- type: keyword
- description: |
- The name of the function message in the reply.
- - name: id
- type: integer
- description: |
- The response's internal indication number.
+ The response's internal indication number.
diff --git a/packages/zeek/dataset/dnp3/fields/package-fields.yml b/packages/zeek/dataset/dnp3/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/dnp3/fields/package-fields.yml
+++ b/packages/zeek/dataset/dnp3/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/dnp3/manifest.yml b/packages/zeek/dataset/dnp3/manifest.yml
index 0067fd518e3..1cb4db9cea8 100644
--- a/packages/zeek/dataset/dnp3/manifest.yml
+++ b/packages/zeek/dataset/dnp3/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek dnp3 logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: dnp3.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/dnp3.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.dnp3
- template_path: log.yml.hbs
- title: Zeek dnp3.log
- description: Collect Zeek dnp3 logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: dnp3.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/dnp3.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.dnp3
+ template_path: log.yml.hbs
+ title: Zeek dnp3.log
+ description: Collect Zeek dnp3 logs
diff --git a/packages/zeek/dataset/dns/fields/beats.yml b/packages/zeek/dataset/dns/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/dns/fields/beats.yml
+++ b/packages/zeek/dataset/dns/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/dns/fields/ecs.yml b/packages/zeek/dataset/dns/fields/ecs.yml
index 3612ee7446f..feee2181210 100644
--- a/packages/zeek/dataset/dns/fields/ecs.yml
+++ b/packages/zeek/dataset/dns/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -64,13 +63,12 @@
 type: long
 - description: Array of DNS header flags.
 example:
- - RD
- - RA
+ - RD
+ - RA
 ignore_above: 1024
 name: dns.header_flags
 type: keyword
-- description: The DNS packet identifier assigned by the program that generated the
- query. The identifier is copied to the response.
+- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
 example: 62111
 ignore_above: 1024
 name: dns.id
@@ -102,8 +100,8 @@
 type: keyword
 - description: Array containing all IPs seen in answers.data
 example:
- - 10.10.10.10
- - 10.10.10.11
+ - 10.10.10.10
+ - 10.10.10.11
 name: dns.resolved_ip
 type: ip
 - description: The DNS response code.
@@ -151,13 +149,11 @@
 name: event.kind
 type: keyword
 - description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
- worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
 ignore_above: 1024
 name: event.original
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -191,10 +187,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/dns/fields/fields.yml b/packages/zeek/dataset/dns/fields/fields.yml
index b52838d787f..18bc9c08d0a 100644
--- a/packages/zeek/dataset/dns/fields/fields.yml
+++ b/packages/zeek/dataset/dns/fields/fields.yml
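Review bot: The rewrapped plain scalars in the `@@ -64` and `@@ -151` hunks put the dns.id and event.outcome `description:` values and the event.original `example:` value on single lines well past 120 columns, so the change trades wrapped-but-readable text for lines most editors will clip. A folded block scalar gives the identical string while keeping the source wrapped, e.g. `description: >-` with the text continued on the following indented lines, since `>-` joins lines with one space exactly as the removed multi-line plain scalar did. If these ecs.yml files are regenerated by tooling rather than edited by hand, the same point applies to the generator's line-wrapping setting instead.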
@@ -1,86 +1,86 @@
 - name: zeek.dns
 type: group
 fields:
- - name: trans_id
- type: keyword
- description: |
- DNS transaction identifier.
- - name: rtt
- type: double
- description: |
- Round trip time for the query and response.
- - name: query
- type: keyword
- description: |
- The domain name that is the subject of the DNS query.
- - name: qclass
- type: long
- description: |
- The QCLASS value specifying the class of the query.
- - name: qclass_name
- type: keyword
- description: |
- A descriptive name for the class of the query.
- - name: qtype
- type: long
- description: |
- A QTYPE value specifying the type of the query.
- - name: qtype_name
- type: keyword
- description: |
- A descriptive name for the type of the query.
- - name: rcode
- type: long
- description: |
- The response code value in DNS response messages.
- - name: rcode_name
- type: keyword
- description: |
- A descriptive name for the response code value.
- - name: AA
- type: boolean
- description: |
- The Authoritative Answer bit for response messages specifies that the responding
- name server is an authority for the domain name in the question section.
- - name: TC
- type: boolean
- description: |
- The Truncation bit specifies that the message was truncated.
- - name: RD
- type: boolean
- description: |
- The Recursion Desired bit in a request message indicates that the client
- wants recursive service for this query.
- - name: RA
- type: boolean
- description: |
- The Recursion Available bit in a response message indicates that the name
- server supports recursive queries.
- - name: answers
- type: keyword
- description: |
- The set of resource descriptions in the query answer.
- - name: TTLs
- type: double
- description: |
- The caching intervals of the associated RRs described by the answers field.
- - name: rejected
- type: boolean
- description: |
- Indicates whether the DNS query was rejected by the server.
- - name: total_answers
- type: integer
- description: |
- The total number of resource records in the reply.
- - name: total_replies
- type: integer
- description: |
- The total number of resource records in the reply message.
- - name: saw_query
- type: boolean
- description: |
- Whether the full DNS query has been seen.
- - name: saw_reply
- type: boolean
- description: |
- Whether the full DNS reply has been seen.
+ - name: trans_id
+ type: keyword
+ description: |
+ DNS transaction identifier.
+ - name: rtt
+ type: double
+ description: |
+ Round trip time for the query and response.
+ - name: query
+ type: keyword
+ description: |
+ The domain name that is the subject of the DNS query.
+ - name: qclass
+ type: long
+ description: |
+ The QCLASS value specifying the class of the query.
+ - name: qclass_name
+ type: keyword
+ description: |
+ A descriptive name for the class of the query.
+ - name: qtype
+ type: long
+ description: |
+ A QTYPE value specifying the type of the query.
+ - name: qtype_name
+ type: keyword
+ description: |
+ A descriptive name for the type of the query.
+ - name: rcode
+ type: long
+ description: |
+ The response code value in DNS response messages.
+ - name: rcode_name
+ type: keyword
+ description: |
+ A descriptive name for the response code value.
+ - name: AA
+ type: boolean
+ description: |
+ The Authoritative Answer bit for response messages specifies that the responding
+ name server is an authority for the domain name in the question section.
+ - name: TC
+ type: boolean
+ description: |
+ The Truncation bit specifies that the message was truncated.
+ - name: RD
+ type: boolean
+ description: |
+ The Recursion Desired bit in a request message indicates that the client
+ wants recursive service for this query.
+ - name: RA
+ type: boolean
+ description: |
+ The Recursion Available bit in a response message indicates that the name
+ server supports recursive queries.
+ - name: answers
+ type: keyword
+ description: |
+ The set of resource descriptions in the query answer.
+ - name: TTLs
+ type: double
+ description: |
+ The caching intervals of the associated RRs described by the answers field.
+ - name: rejected
+ type: boolean
+ description: |
+ Indicates whether the DNS query was rejected by the server.
+ - name: total_answers
+ type: integer
+ description: |
+ The total number of resource records in the reply.
+ - name: total_replies
+ type: integer
+ description: |
+ The total number of resource records in the reply message.
+ - name: saw_query
+ type: boolean
+ description: |
+ Whether the full DNS query has been seen.
+ - name: saw_reply
+ type: boolean
+ description: |
+ Whether the full DNS reply has been seen.
diff --git a/packages/zeek/dataset/dns/fields/package-fields.yml b/packages/zeek/dataset/dns/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/dns/fields/package-fields.yml
+++ b/packages/zeek/dataset/dns/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/dns/manifest.yml b/packages/zeek/dataset/dns/manifest.yml
index 951795846a2..9ae205a6f9a 100644
--- a/packages/zeek/dataset/dns/manifest.yml
+++ b/packages/zeek/dataset/dns/manifest.yml
@@ -2,24 +2,24 @@ type: logs title: Zeek dns logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: dns.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/dns.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.dns - template_path: log.yml.hbs - title: Zeek dns.log - description: Collect Zeek dns logs + - input: logfile + vars: + - name: paths + type: text + title: dns.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/dns.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.dns + template_path: log.yml.hbs + title: Zeek dns.log + description: Collect Zeek dns logs diff --git a/packages/zeek/dataset/dpd/fields/beats.yml b/packages/zeek/dataset/dpd/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/dpd/fields/beats.yml +++ b/packages/zeek/dataset/dpd/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/dpd/fields/ecs.yml b/packages/zeek/dataset/dpd/fields/ecs.yml index 0dc7b5a9afa..5f9707c34be 100644 --- a/packages/zeek/dataset/dpd/fields/ecs.yml +++ b/packages/zeek/dataset/dpd/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -122,10 +121,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/dpd/fields/fields.yml b/packages/zeek/dataset/dpd/fields/fields.yml index 241bb1dc67e..7365fbb1cc4 100644 --- a/packages/zeek/dataset/dpd/fields/fields.yml +++ b/packages/zeek/dataset/dpd/fields/fields.yml @@ -1,16 +1,16 @@ - name: zeek.dpd type: group fields: - - name: analyzer - type: keyword - description: | - The analyzer that generated the violation. - - name: failure_reason - type: keyword - description: | - The textual reason for the analysis failure. - - name: packet_segment - type: keyword - description: | - (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) - A chunk of the payload that most likely resulted in the protocol violation. + - name: analyzer + type: keyword + description: | + The analyzer that generated the violation. + - name: failure_reason + type: keyword + description: | + The textual reason for the analysis failure. + - name: packet_segment + type: keyword + description: | + (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) + A chunk of the payload that most likely resulted in the protocol violation. diff --git a/packages/zeek/dataset/dpd/fields/package-fields.yml b/packages/zeek/dataset/dpd/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/dpd/fields/package-fields.yml +++ b/packages/zeek/dataset/dpd/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session 
diff --git a/packages/zeek/dataset/dpd/manifest.yml b/packages/zeek/dataset/dpd/manifest.yml index a68794a4bd3..e7552a9f350 100644 --- a/packages/zeek/dataset/dpd/manifest.yml +++ b/packages/zeek/dataset/dpd/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek dpd logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: dpd.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/dpd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.dpd - template_path: log.yml.hbs - title: Zeek dpd.log - description: Collect Zeek dpd logs + - input: logfile + vars: + - name: paths + type: text + title: dpd.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/dpd.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.dpd + template_path: log.yml.hbs + title: Zeek dpd.log + description: Collect Zeek dpd logs diff --git a/packages/zeek/dataset/files/fields/beats.yml b/packages/zeek/dataset/files/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/files/fields/beats.yml +++ b/packages/zeek/dataset/files/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/files/fields/ecs.yml b/packages/zeek/dataset/files/fields/ecs.yml index 5e2177f7418..b53eb8504e5 100644 --- a/packages/zeek/dataset/files/fields/ecs.yml +++ b/packages/zeek/dataset/files/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: IP address of the client. name: client.ip type: ip diff --git a/packages/zeek/dataset/files/fields/fields.yml b/packages/zeek/dataset/files/fields/fields.yml index c2d44e8c44e..e7d400751c6 100644 --- a/packages/zeek/dataset/files/fields/fields.yml +++ b/packages/zeek/dataset/files/fields/fields.yml 
@@ -1,112 +1,112 @@ - name: zeek.files type: group fields: - - name: fuid - type: keyword - description: | - A file unique identifier. - - name: tx_host - type: ip - description: | - The host that transferred the file. - - name: rx_host - type: ip - description: | - The host that received the file. - - name: session_ids - type: keyword - description: | - The sessions that have this file. - - name: source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: depth - type: long - description: | - A value to represent the depth of this file in relation to its source. In SMTP, it - is the depth of the MIME attachment on the message. In HTTP, it is the depth of the - request within the TCP connection. - - name: analyzers - type: keyword - description: | - A set of analysis types done during the file analysis. - - name: mime_type - type: keyword - description: | - Mime type of the file. - - name: filename - type: keyword - description: | - Name of the file if available. - - name: local_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the data - originated from the local network or not. - - name: is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: duration - type: double - description: | - The duration the file was analyzed for. Not the duration of the session. - - name: seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. 
- - name: missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: timedout - type: boolean - description: | - Whether the file analysis timed out at least once for the file. - - name: parent_fuid - type: keyword - description: | - Identifier associated with a container file from which this one was extracted as part of - the file analysis. - - name: md5 - type: keyword - description: | - An MD5 digest of the file contents. - - name: sha1 - type: keyword - description: | - A SHA1 digest of the file contents. - - name: sha256 - type: keyword - description: | - A SHA256 digest of the file contents. - - name: extracted - type: keyword - description: | - Local filename of extracted file. - - name: extracted_cutoff - type: boolean - description: | - Indicate whether the file being extracted was cut off hence not extracted completely. - - name: extracted_size - type: long - description: | - The number of bytes extracted to disk. - - name: entropy - type: double - description: | - The information density of the contents of the file. + - name: fuid + type: keyword + description: | + A file unique identifier. + - name: tx_host + type: ip + description: | + The host that transferred the file. + - name: rx_host + type: ip + description: | + The host that received the file. + - name: session_ids + type: keyword + description: | + The sessions that have this file. + - name: source + type: keyword + description: | + An identification of the source of the file data. E.g. it may be a network protocol + over which it was transferred, or a local file path which was read, or some other + input source. 
+ - name: depth + type: long + description: | + A value to represent the depth of this file in relation to its source. In SMTP, it + is the depth of the MIME attachment on the message. In HTTP, it is the depth of the + request within the TCP connection. + - name: analyzers + type: keyword + description: | + A set of analysis types done during the file analysis. + - name: mime_type + type: keyword + description: | + Mime type of the file. + - name: filename + type: keyword + description: | + Name of the file if available. + - name: local_orig + type: boolean + description: | + If the source of this file is a network connection, this field indicates if the data + originated from the local network or not. + - name: is_orig + type: boolean + description: | + If the source of this file is a network connection, this field indicates if the file is + being sent by the originator of the connection or the responder. + - name: duration + type: double + description: | + The duration the file was analyzed for. Not the duration of the session. + - name: seen_bytes + type: long + description: | + Number of bytes provided to the file analysis engine for the file. + - name: total_bytes + type: long + description: | + Total number of bytes that are supposed to comprise the full file. + - name: missing_bytes + type: long + description: | + The number of bytes in the file stream that were completely missed during the process + of analysis. + - name: overflow_bytes + type: long + description: | + The number of bytes in the file stream that were not delivered to stream file analyzers. + This could be overlapping bytes or bytes that couldn't be reassembled. + - name: timedout + type: boolean + description: | + Whether the file analysis timed out at least once for the file. + - name: parent_fuid + type: keyword + description: | + Identifier associated with a container file from which this one was extracted as part of + the file analysis. 
+ - name: md5 + type: keyword + description: | + An MD5 digest of the file contents. + - name: sha1 + type: keyword + description: | + A SHA1 digest of the file contents. + - name: sha256 + type: keyword + description: | + A SHA256 digest of the file contents. + - name: extracted + type: keyword + description: | + Local filename of extracted file. + - name: extracted_cutoff + type: boolean + description: | + Indicate whether the file being extracted was cut off hence not extracted completely. + - name: extracted_size + type: long + description: | + The number of bytes extracted to disk. + - name: entropy + type: double + description: | + The information density of the contents of the file. diff --git a/packages/zeek/dataset/files/fields/package-fields.yml b/packages/zeek/dataset/files/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/files/fields/package-fields.yml +++ b/packages/zeek/dataset/files/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/files/manifest.yml b/packages/zeek/dataset/files/manifest.yml index fa5b644cc59..207bd94991c 100644 --- a/packages/zeek/dataset/files/manifest.yml +++ b/packages/zeek/dataset/files/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek files logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: files.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/files.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.files - template_path: log.yml.hbs - title: Zeek files.log - description: Collect Zeek files logs + - input: logfile + vars: + - name: paths + type: text + title: files.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/files.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.files + template_path: log.yml.hbs + title: Zeek files.log + description: Collect Zeek files logs diff --git a/packages/zeek/dataset/ftp/fields/beats.yml b/packages/zeek/dataset/ftp/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/ftp/fields/beats.yml +++ b/packages/zeek/dataset/ftp/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/ftp/fields/ecs.yml b/packages/zeek/dataset/ftp/fields/ecs.yml index c248da7f5c5..e246255c103 100644 --- a/packages/zeek/dataset/ftp/fields/ecs.yml +++ b/packages/zeek/dataset/ftp/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -134,10 +133,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -189,9 +188,9 @@ example: albert ignore_above: 1024 multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text + - flat_name: user.name.text + name: text + norms: false + type: text name: user.name type: keyword diff --git a/packages/zeek/dataset/ftp/fields/fields.yml b/packages/zeek/dataset/ftp/fields/fields.yml index b1f91feebb1..ca17231e592 100644 --- a/packages/zeek/dataset/ftp/fields/fields.yml +++ b/packages/zeek/dataset/ftp/fields/fields.yml 
@@ -1,101 +1,101 @@ - name: zeek.ftp type: group fields: - - name: user - type: keyword - description: | - User name for the current FTP session. - - name: password - type: keyword - description: | - Password for the current FTP session if captured. - - name: command - type: keyword - description: | - Command given by the client. - - name: arg - type: keyword - description: | - Argument for the command if one is given. - - name: file - type: group - fields: - - name: size - type: long + - name: user + type: keyword description: | - Size of the file if the command indicates a file transfer. - - name: mime_type + User name for the current FTP session. + - name: password type: keyword description: | - Sniffed mime type of file. - - name: fuid + Password for the current FTP session if captured. + - name: command type: keyword description: | - (present if base/protocols/ftp/files.bro is loaded) - File unique ID. - - name: reply - type: group - fields: - - name: code - type: integer + Command given by the client. + - name: arg + type: keyword description: | - Reply code from the server in response to the command. - - name: msg + Argument for the command if one is given. + - name: file + type: group + fields: + - name: size + type: long + description: | + Size of the file if the command indicates a file transfer. + - name: mime_type + type: keyword + description: | + Sniffed mime type of file. + - name: fuid + type: keyword + description: | + (present if base/protocols/ftp/files.bro is loaded) + File unique ID. + - name: reply + type: group + fields: + - name: code + type: integer + description: | + Reply code from the server in response to the command. + - name: msg + type: keyword + description: | + Reply message from the server in response to the command. + - name: data_channel + type: group + fields: + - name: passive + type: boolean + description: | + Whether PASV mode is toggled for control channel. 
+ - name: originating_host + type: ip + description: | + The host that will be initiating the data connection. + - name: response_host + type: ip + description: | + The host that will be accepting the data connection. + - name: response_port + type: integer + description: | + The port at which the acceptor is listening for the data connection. + - name: cwd type: keyword description: | - Reply message from the server in response to the command. - - name: data_channel - type: group - fields: + Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. + - name: cmdarg + type: group + fields: + - name: cmd + type: keyword + description: | + Command. + - name: arg + type: keyword + description: | + Argument for the command if one was given. + - name: seq + type: integer + description: | + Counter to track how many commands have been executed. + - name: pending_commands + type: integer + description: | + Queue for commands that have been sent but not yet responded to are tracked here. - name: passive type: boolean description: | - Whether PASV mode is toggled for control channel. - - name: originating_host - type: ip - description: | - The host that will be initiating the data connection. - - name: response_host - type: ip - description: | - The host that will be accepting the data connection. - - name: response_port - type: integer + Indicates if the session is in active or passive mode. + - name: capture_password + type: boolean description: | - The port at which the acceptor is listening for the data connection. - - name: cwd - type: keyword - description: | - Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. 
- - name: cmdarg - type: group - fields: - - name: cmd + Determines if the password will be captured for this request. + - name: last_auth_requested type: keyword description: | - Command. - - name: arg - type: keyword - description: | - Argument for the command if one was given. - - name: seq - type: integer - description: | - Counter to track how many commands have been executed. - - name: pending_commands - type: integer - description: | - Queue for commands that have been sent but not yet responded to are tracked here. - - name: passive - type: boolean - description: | - Indicates if the session is in active or passive mode. - - name: capture_password - type: boolean - description: | - Determines if the password will be captured for this request. - - name: last_auth_requested - type: keyword - description: | - present if base/protocols/ftp/gridftp.bro is loaded. - Last authentication/security mechanism that was used. + present if base/protocols/ftp/gridftp.bro is loaded. + Last authentication/security mechanism that was used. diff --git a/packages/zeek/dataset/ftp/fields/package-fields.yml b/packages/zeek/dataset/ftp/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/ftp/fields/package-fields.yml +++ b/packages/zeek/dataset/ftp/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/ftp/manifest.yml b/packages/zeek/dataset/ftp/manifest.yml index 055ba1b21ff..90e5d889328 100644 --- a/packages/zeek/dataset/ftp/manifest.yml +++ b/packages/zeek/dataset/ftp/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek ftp logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: ftp.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/ftp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.ftp - template_path: log.yml.hbs - title: Zeek ftp.log - description: Collect Zeek ftp logs + - input: logfile + vars: + - name: paths + type: text + title: ftp.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/ftp.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.ftp + template_path: log.yml.hbs + title: Zeek ftp.log + description: Collect Zeek ftp logs diff --git a/packages/zeek/dataset/http/fields/beats.yml b/packages/zeek/dataset/http/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/http/fields/beats.yml +++ b/packages/zeek/dataset/http/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/http/fields/ecs.yml b/packages/zeek/dataset/http/fields/ecs.yml index 81cdaebe454..0e7b5592684 100644 --- a/packages/zeek/dataset/http/fields/ecs.yml +++ b/packages/zeek/dataset/http/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -98,8 +97,7 @@ ignore_above: 1024 name: event.kind type: keyword -- description: The outcome of the event. The lowest level categorization field in - the hierarchy. +- description: The outcome of the event. The lowest level categorization field in the hierarchy. example: success ignore_above: 1024 name: event.outcome @@ -159,10 +157,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -219,10 +217,10 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch ignore_above: 1024 multi_fields: - - flat_name: url.original.text - name: text - norms: false - type: text + - flat_name: url.original.text + name: text + norms: false + type: text name: url.original type: keyword - description: Password of the request. @@ -248,14 +246,13 @@ name: user_agent.name type: keyword - description: Unparsed user_agent string. - example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 - (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 ignore_above: 1024 multi_fields: - - flat_name: user_agent.original.text - name: text - norms: false - type: text + - flat_name: user_agent.original.text + name: text + norms: false + type: text name: user_agent.original type: keyword - description: OS family (such as redhat, debian, freebsd, windows). 
@@ -267,10 +264,10 @@ example: Mac OS Mojave ignore_above: 1024 multi_fields: - - flat_name: user_agent.os.full.text - name: text - norms: false - type: text + - flat_name: user_agent.os.full.text + name: text + norms: false + type: text name: user_agent.os.full type: keyword - description: Operating system kernel version as a raw string. @@ -282,10 +279,10 @@ example: Mac OS X ignore_above: 1024 multi_fields: - - flat_name: user_agent.os.name.text - name: text - norms: false - type: text + - flat_name: user_agent.os.name.text + name: text + norms: false + type: text name: user_agent.os.name type: keyword - description: Operating system platform (such centos, ubuntu, windows). diff --git a/packages/zeek/dataset/http/fields/fields.yml b/packages/zeek/dataset/http/fields/fields.yml index 03aa3629f84..f264ff0db99 100644 --- a/packages/zeek/dataset/http/fields/fields.yml +++ b/packages/zeek/dataset/http/fields/fields.yml 
@@ -1,82 +1,82 @@ - name: zeek.http type: group fields: - - name: trans_depth - type: integer - description: | - Represents the pipelined depth into the connection of this request/response transaction. - - name: status_msg - type: keyword - description: | - Status message returned by the server. - - name: info_code - type: integer - description: | - Last seen 1xx informational reply code returned by the server. - - name: info_msg - type: keyword - description: | - Last seen 1xx informational reply message returned by the server. - - name: tags - type: keyword - description: | - A set of indicators of various attributes discovered and related to a particular - request/response pair. - - name: password - type: keyword - description: | - Password if basic-auth is performed for the request. - - name: captured_password - type: boolean - description: | - Determines if the password will be captured for this request. - - name: proxied - type: keyword - description: | - All of the headers that may indicate if the HTTP request was proxied. - - name: range_request - type: boolean - description: | - Indicates if this request can assume 206 partial content in response. - - name: client_header_names - type: keyword - description: | - The vector of HTTP header names sent by the client. No header values - are included here, just the header names. - - name: server_header_names - type: keyword - description: | - The vector of HTTP header names sent by the server. No header values - are included here, just the header names. - - name: orig_fuids - type: keyword - description: | - An ordered vector of file unique IDs from the originator. - - name: orig_mime_types - type: keyword - description: | - An ordered vector of mime types from the originator. - - name: orig_filenames - type: keyword - description: | - An ordered vector of filenames from the originator. - - name: resp_fuids - type: keyword - description: | - An ordered vector of file unique IDs from the responder. 
- - name: resp_mime_types - type: keyword - description: | - An ordered vector of mime types from the responder. - - name: resp_filenames - type: keyword - description: | - An ordered vector of filenames from the responder. - - name: orig_mime_depth - type: integer - description: | - Current number of MIME entities in the HTTP request message body. - - name: resp_mime_depth - type: integer - description: | - Current number of MIME entities in the HTTP response message body. + - name: trans_depth + type: integer + description: | + Represents the pipelined depth into the connection of this request/response transaction. + - name: status_msg + type: keyword + description: | + Status message returned by the server. + - name: info_code + type: integer + description: | + Last seen 1xx informational reply code returned by the server. + - name: info_msg + type: keyword + description: | + Last seen 1xx informational reply message returned by the server. + - name: tags + type: keyword + description: | + A set of indicators of various attributes discovered and related to a particular + request/response pair. + - name: password + type: keyword + description: | + Password if basic-auth is performed for the request. + - name: captured_password + type: boolean + description: | + Determines if the password will be captured for this request. + - name: proxied + type: keyword + description: | + All of the headers that may indicate if the HTTP request was proxied. + - name: range_request + type: boolean + description: | + Indicates if this request can assume 206 partial content in response. + - name: client_header_names + type: keyword + description: | + The vector of HTTP header names sent by the client. No header values + are included here, just the header names. + - name: server_header_names + type: keyword + description: | + The vector of HTTP header names sent by the server. No header values + are included here, just the header names. 
+ - name: orig_fuids + type: keyword + description: | + An ordered vector of file unique IDs from the originator. + - name: orig_mime_types + type: keyword + description: | + An ordered vector of mime types from the originator. + - name: orig_filenames + type: keyword + description: | + An ordered vector of filenames from the originator. + - name: resp_fuids + type: keyword + description: | + An ordered vector of file unique IDs from the responder. + - name: resp_mime_types + type: keyword + description: | + An ordered vector of mime types from the responder. + - name: resp_filenames + type: keyword + description: | + An ordered vector of filenames from the responder. + - name: orig_mime_depth + type: integer + description: | + Current number of MIME entities in the HTTP request message body. + - name: resp_mime_depth + type: integer + description: | + Current number of MIME entities in the HTTP response message body. diff --git a/packages/zeek/dataset/http/fields/package-fields.yml b/packages/zeek/dataset/http/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/http/fields/package-fields.yml +++ b/packages/zeek/dataset/http/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/http/manifest.yml b/packages/zeek/dataset/http/manifest.yml index baecc388fee..2e8ca094108 100644 --- a/packages/zeek/dataset/http/manifest.yml +++ b/packages/zeek/dataset/http/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek http logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: http.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/http.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.http - template_path: log.yml.hbs - title: Zeek http.log - description: Collect Zeek http logs + - input: logfile + vars: + - name: paths + type: text + title: http.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/http.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.http + template_path: log.yml.hbs + title: Zeek http.log + description: Collect Zeek http logs diff --git a/packages/zeek/dataset/intel/fields/beats.yml b/packages/zeek/dataset/intel/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/intel/fields/beats.yml +++ b/packages/zeek/dataset/intel/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/intel/fields/ecs.yml b/packages/zeek/dataset/intel/fields/ecs.yml index a239bb3a39d..a58e1cc9bdb 100644 --- a/packages/zeek/dataset/intel/fields/ecs.yml +++ b/packages/zeek/dataset/intel/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -84,8 +83,7 @@
 name: event.kind
 type: keyword
 - description: Raw text message of entire event.
- example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
- worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
+ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
 ignore_above: 1024
 name: event.original
 type: keyword
@@ -113,10 +111,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/intel/fields/fields.yml b/packages/zeek/dataset/intel/fields/fields.yml
index 15607f747c0..2d513fe45e3 100644
--- a/packages/zeek/dataset/intel/fields/fields.yml
+++ b/packages/zeek/dataset/intel/fields/fields.yml
@@ -1,62 +1,62 @@
 - name: zeek.intel
 type: group
 fields:
- - name: seen
- type: group
- fields:
- - name: indicator
- type: keyword
- description: |
- The intelligence indicator.
- - name: indicator_type
- type: keyword
- description: |
- The type of data the indicator represents.
- - name: host
- type: keyword
- description: |
- If the indicator type was Intel::ADDR, then this field will be present.
- - name: conn
- type: keyword
- description: |
- If the data was discovered within a connection, the connection record should go here to give context to the data.
- - name: where
- type: keyword
- description: |
- Where the data was discovered.
- - name: node
+ - name: seen
+ type: group
+ fields:
+ - name: indicator
+ type: keyword
+ description: |
+ The intelligence indicator.
+ - name: indicator_type
+ type: keyword
+ description: |
+ The type of data the indicator represents.
+ - name: host
+ type: keyword
+ description: |
+ If the indicator type was Intel::ADDR, then this field will be present.
+ - name: conn
+ type: keyword
+ description: |
+ If the data was discovered within a connection, the connection record should go here to give context to the data.
+ - name: where
+ type: keyword
+ description: |
+ Where the data was discovered.
+ - name: node
+ type: keyword
+ description: |
+ The name of the node where the match was discovered.
+ - name: uid
+ type: keyword
+ description: |
+ If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
+ - name: f
+ type: object
+ description: |
+ If the data was discovered within a file, the file record should go here to provide context to the data.
+ - name: fuid
+ type: keyword
+ description: |
+ If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
+ - name: matched
+ type: keyword
+ description: |
+ Event to represent a match in the intelligence data from data that was seen.
+ - name: sources
+ type: keyword
+ description: |
+ Sources which supplied data for this match.
+ - name: fuid
 type: keyword
 description: |
- The name of the node where the match was discovered.
- - name: uid
+ If a file was associated with this intelligence hit, this is the uid for the file.
+ - name: file_mime_type
 type: keyword
 description: |
- If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
- - name: f
- type: object
- description: |
- If the data was discovered within a file, the file record should go here to provide context to the data.
- - name: fuid
+ A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
+ - name: file_desc
 type: keyword
 description: |
- If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
- - name: matched
- type: keyword
- description: |
- Event to represent a match in the intelligence data from data that was seen.
- - name: sources
- type: keyword
- description: |
- Sources which supplied data for this match.
- - name: fuid
- type: keyword
- description: |
- If a file was associated with this intelligence hit, this is the uid for the file.
- - name: file_mime_type
- type: keyword
- description: |
- A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
- - name: file_desc
- type: keyword
- description: |
- Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
+ Frequently files can be described to give a bit more context.
If the $f field is provided this field will be automatically filled out.
diff --git a/packages/zeek/dataset/intel/fields/package-fields.yml b/packages/zeek/dataset/intel/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/intel/fields/package-fields.yml
+++ b/packages/zeek/dataset/intel/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/intel/manifest.yml b/packages/zeek/dataset/intel/manifest.yml
index 12b540c51f1..eb086da04f3 100644
--- a/packages/zeek/dataset/intel/manifest.yml
+++ b/packages/zeek/dataset/intel/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek intel logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: intel.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/intel.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.intel
- template_path: log.yml.hbs
- title: Zeek intel.log
- description: Collect Zeek intel logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: intel.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/intel.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.intel
+ template_path: log.yml.hbs
+ title: Zeek intel.log
+ description: Collect Zeek intel logs
diff --git a/packages/zeek/dataset/irc/fields/beats.yml b/packages/zeek/dataset/irc/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/irc/fields/beats.yml
+++ b/packages/zeek/dataset/irc/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/irc/fields/ecs.yml b/packages/zeek/dataset/irc/fields/ecs.yml
index eb53a59b852..82f54a6779b 100644
--- a/packages/zeek/dataset/irc/fields/ecs.yml
+++ b/packages/zeek/dataset/irc/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -149,10 +148,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
@@ -204,9 +203,9 @@
 example: albert
 ignore_above: 1024
 multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
+ - flat_name: user.name.text
+ name: text
+ norms: false
+ type: text
 name: user.name
 type: keyword
diff --git a/packages/zeek/dataset/irc/fields/fields.yml b/packages/zeek/dataset/irc/fields/fields.yml
index 0d2bb303346..532e0f86209 100644
--- a/packages/zeek/dataset/irc/fields/fields.yml
+++ b/packages/zeek/dataset/irc/fields/fields.yml
@@ -1,49 +1,49 @@
 - name: zeek.irc
 type: group
 fields:
- - name: nick
- type: keyword
- description: |
- Nickname given for the connection.
- - name: user
- type: keyword
- description: |
- Username given for the connection.
- - name: command
- type: keyword
- description: |
- Command given by the client.
- - name: value
- type: keyword
- description: |
- Value for the command given by the client.
- - name: addl
- type: keyword
- description: |
- Any additional data for the command.
- - name: dcc
- type: group
- fields:
- - name: file
+ - name: nick
+ type: keyword
+ description: |
+ Nickname given for the connection.
+ - name: user
+ type: keyword
+ description: |
+ Username given for the connection.
+ - name: command
+ type: keyword
+ description: |
+ Command given by the client.
+ - name: value
+ type: keyword
+ description: |
+ Value for the command given by the client.
+ - name: addl
+ type: keyword
+ description: |
+ Any additional data for the command.
+ - name: dcc
 type: group
 fields:
- - name: name
- type: keyword
- description: |
- Present if base/protocols/irc/dcc-send.bro is loaded.
- DCC filename requested.
- - name: size
- type: long
- description: |
- Present if base/protocols/irc/dcc-send.bro is loaded.
- Size of the DCC transfer as indicated by the sender.
- - name: mime_type
+ - name: file
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Present if base/protocols/irc/dcc-send.bro is loaded.
+ DCC filename requested.
+ - name: size
+ type: long
+ description: |
+ Present if base/protocols/irc/dcc-send.bro is loaded.
+ Size of the DCC transfer as indicated by the sender.
+ - name: mime_type
+ type: keyword
+ description: |
+ present if base/protocols/irc/dcc-send.bro is loaded.
+ Sniffed mime type of the file.
+ - name: fuid
 type: keyword
 description: |
- present if base/protocols/irc/dcc-send.bro is loaded.
- Sniffed mime type of the file.
- - name: fuid
- type: keyword
- description: |
- present if base/protocols/irc/files.bro is loaded.
- File unique ID.
+ present if base/protocols/irc/files.bro is loaded.
+ File unique ID.
diff --git a/packages/zeek/dataset/irc/fields/package-fields.yml b/packages/zeek/dataset/irc/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/irc/fields/package-fields.yml
+++ b/packages/zeek/dataset/irc/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/irc/manifest.yml b/packages/zeek/dataset/irc/manifest.yml
index 5f5112c8fbe..aed9d7c569b 100644
--- a/packages/zeek/dataset/irc/manifest.yml
+++ b/packages/zeek/dataset/irc/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek irc logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: irc.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/irc.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.irc
- template_path: log.yml.hbs
- title: Zeek irc.log
- description: Collect Zeek irc logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: irc.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/irc.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.irc
+ template_path: log.yml.hbs
+ title: Zeek irc.log
+ description: Collect Zeek irc logs
diff --git a/packages/zeek/dataset/kerberos/fields/beats.yml b/packages/zeek/dataset/kerberos/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/kerberos/fields/beats.yml
+++ b/packages/zeek/dataset/kerberos/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/kerberos/fields/ecs.yml b/packages/zeek/dataset/kerberos/fields/ecs.yml
index a21300df6fe..a9ffbd2ac1a 100644
--- a/packages/zeek/dataset/kerberos/fields/ecs.yml
+++ b/packages/zeek/dataset/kerberos/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Client network address.
 ignore_above: 1024
 name: client.address
@@ -15,10 +14,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -102,8 +101,7 @@
 ignore_above: 1024
 name: event.kind
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -140,10 +138,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
@@ -257,9 +255,9 @@
 example: albert
 ignore_above: 1024
 multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
+ - flat_name: user.name.text
+ name: text
+ norms: false
+ type: text
 name: user.name
 type: keyword
diff --git a/packages/zeek/dataset/kerberos/fields/fields.yml b/packages/zeek/dataset/kerberos/fields/fields.yml
index af35a2c7df9..7f5d5fcbb67 100644
--- a/packages/zeek/dataset/kerberos/fields/fields.yml
+++ b/packages/zeek/dataset/kerberos/fields/fields.yml
@@ -1,101 +1,101 @@ - name: zeek.kerberos type: group fields: - - name: request_type - type: keyword - description: | - Request type - Authentication Service (AS) or Ticket Granting Service (TGS). - - name: client - type: keyword - description: | - Client name. - - name: service - type: keyword - description: | - Service name. - - name: success - type: boolean - description: | - Request result. - - name: error - type: group - fields: - - name: code - type: integer - description: | - Error code. - - name: msg + - name: request_type type: keyword description: | - Error message. - - name: valid - type: group - fields: - - name: from - type: date + Request type - Authentication Service (AS) or Ticket Granting Service (TGS). + - name: client + type: keyword description: | - Ticket valid from. - - name: until - type: date + Client name. + - name: service + type: keyword description: | - Ticket valid until. - - name: days - type: integer + Service name. + - name: success + type: boolean description: | - Number of days the ticket is valid for. - - name: cipher - type: keyword - description: | - Ticket encryption type. - - name: forwardable - type: boolean - description: | - Forwardable ticket requested. - - name: renewable - type: boolean - description: | - Renewable ticket requested. - - name: ticket - type: group - fields: - - name: auth + Request result. + - name: error + type: group + fields: + - name: code + type: integer + description: | + Error code. + - name: msg + type: keyword + description: | + Error message. + - name: valid + type: group + fields: + - name: from + type: date + description: | + Ticket valid from. + - name: until + type: date + description: | + Ticket valid until. + - name: days + type: integer + description: | + Number of days the ticket is valid for. + - name: cipher type: keyword description: | - Hash of ticket used to authorize request/transaction. - - name: new - type: keyword + Ticket encryption type. 
+ - name: forwardable + type: boolean description: | - Hash of ticket returned by the KDC. - - name: cert - type: group - fields: - - name: client + Forwardable ticket requested. + - name: renewable + type: boolean + description: | + Renewable ticket requested. + - name: ticket type: group fields: - - name: value - type: keyword - description: | - Client certificate. - - name: fuid - type: keyword - description: | - File unique ID of client cert. - - name: subject - type: keyword - description: | - Subject of client certificate. - - name: server + - name: auth + type: keyword + description: | + Hash of ticket used to authorize request/transaction. + - name: new + type: keyword + description: | + Hash of ticket returned by the KDC. + - name: cert type: group fields: - - name: value - type: keyword - description: | - Server certificate. - - name: fuid - type: keyword - description: | - File unique ID of server certificate. - - name: subject - type: keyword - description: | - Subject of server certificate. + - name: client + type: group + fields: + - name: value + type: keyword + description: | + Client certificate. + - name: fuid + type: keyword + description: | + File unique ID of client cert. + - name: subject + type: keyword + description: | + Subject of client certificate. + - name: server + type: group + fields: + - name: value + type: keyword + description: | + Server certificate. + - name: fuid + type: keyword + description: | + File unique ID of server certificate. + - name: subject + type: keyword + description: | + Subject of server certificate. diff --git a/packages/zeek/dataset/kerberos/fields/package-fields.yml b/packages/zeek/dataset/kerberos/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/kerberos/fields/package-fields.yml +++ b/packages/zeek/dataset/kerberos/fields/package-fields.yml 
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/kerberos/manifest.yml b/packages/zeek/dataset/kerberos/manifest.yml
index 5fe9fc729d0..32a0abc4466 100644
--- a/packages/zeek/dataset/kerberos/manifest.yml
+++ b/packages/zeek/dataset/kerberos/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek kerberos logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: kerberos.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/kerberos.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.kerberos
- template_path: log.yml.hbs
- title: Zeek kerberos.log
- description: Collect Zeek kerberos logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: kerberos.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/kerberos.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.kerberos
+ template_path: log.yml.hbs
+ title: Zeek kerberos.log
+ description: Collect Zeek kerberos logs
diff --git a/packages/zeek/dataset/modbus/fields/beats.yml b/packages/zeek/dataset/modbus/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/modbus/fields/beats.yml
+++ b/packages/zeek/dataset/modbus/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/modbus/fields/ecs.yml b/packages/zeek/dataset/modbus/fields/ecs.yml
index 4221c023cab..25e74ea65e4 100644
--- a/packages/zeek/dataset/modbus/fields/ecs.yml
+++ b/packages/zeek/dataset/modbus/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -98,8 +97,7 @@
 ignore_above: 1024
 name: event.kind
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -128,10 +126,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/modbus/fields/fields.yml b/packages/zeek/dataset/modbus/fields/fields.yml
index f144f17e716..220bd043d79 100644
--- a/packages/zeek/dataset/modbus/fields/fields.yml
+++ b/packages/zeek/dataset/modbus/fields/fields.yml
@@ -1,16 +1,16 @@
 - name: zeek.modbus
 type: group
 fields:
- - name: function
- type: keyword
- description: |
- The name of the function message that was sent.
- - name: exception
- type: keyword
- description: |
- The exception if the response was a failure.
- - name: track_address
- type: integer
- description: |
- Present if policy/protocols/modbus/track-memmap.bro is loaded.
- Modbus track address.
+ - name: function
+ type: keyword
+ description: |
+ The name of the function message that was sent.
+ - name: exception
+ type: keyword
+ description: |
+ The exception if the response was a failure.
+ - name: track_address
+ type: integer
+ description: |
+ Present if policy/protocols/modbus/track-memmap.bro is loaded.
+ Modbus track address.
diff --git a/packages/zeek/dataset/modbus/fields/package-fields.yml b/packages/zeek/dataset/modbus/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/modbus/fields/package-fields.yml
+++ b/packages/zeek/dataset/modbus/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/modbus/manifest.yml b/packages/zeek/dataset/modbus/manifest.yml
index 7fa7d14038f..0e6db175be3 100644
--- a/packages/zeek/dataset/modbus/manifest.yml
+++ b/packages/zeek/dataset/modbus/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek modbus logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: modbus.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/modbus.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.modbus
- template_path: log.yml.hbs
- title: Zeek modbus.log
- description: Collect Zeek modbus logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: modbus.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/modbus.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.modbus
+ template_path: log.yml.hbs
+ title: Zeek modbus.log
+ description: Collect Zeek modbus logs
diff --git a/packages/zeek/dataset/mysql/fields/beats.yml b/packages/zeek/dataset/mysql/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/mysql/fields/beats.yml
+++ b/packages/zeek/dataset/mysql/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/mysql/fields/ecs.yml b/packages/zeek/dataset/mysql/fields/ecs.yml
index 1e6d4f94031..67d01ee1f9a 100644
--- a/packages/zeek/dataset/mysql/fields/ecs.yml
+++ b/packages/zeek/dataset/mysql/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -97,8 +96,7 @@
 ignore_above: 1024
 name: event.kind
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -127,10 +125,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/mysql/fields/fields.yml b/packages/zeek/dataset/mysql/fields/fields.yml
index 411cd6a56da..475a41bb53d 100644
--- a/packages/zeek/dataset/mysql/fields/fields.yml
+++ b/packages/zeek/dataset/mysql/fields/fields.yml
@@ -1,23 +1,23 @@
 - name: zeek.mysql
 type: group
 fields:
- - name: cmd
- type: keyword
- description: |
- The command that was issued.
- - name: arg
- type: keyword
- description: |
- The argument issued to the command.
- - name: success
- type: boolean
- description: |
- Whether the command succeeded.
- - name: rows
- type: integer
- description: |
- The number of affected rows, if any.
- - name: response
- type: keyword
- description: |
- Server message, if any.
+ - name: cmd
+ type: keyword
+ description: |
+ The command that was issued.
+ - name: arg
+ type: keyword
+ description: |
+ The argument issued to the command.
+ - name: success
+ type: boolean
+ description: |
+ Whether the command succeeded.
+ - name: rows
+ type: integer
+ description: |
+ The number of affected rows, if any.
+ - name: response
+ type: keyword
+ description: |
+ Server message, if any.
diff --git a/packages/zeek/dataset/mysql/fields/package-fields.yml b/packages/zeek/dataset/mysql/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/mysql/fields/package-fields.yml
+++ b/packages/zeek/dataset/mysql/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/mysql/manifest.yml b/packages/zeek/dataset/mysql/manifest.yml
index 9a5eb4e48fa..0c55e09ed95 100644
--- a/packages/zeek/dataset/mysql/manifest.yml
+++ b/packages/zeek/dataset/mysql/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek mysql logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: mysql.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/mysql.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.mysql
- template_path: log.yml.hbs
- title: Zeek mysql.log
- description: Collect Zeek mysql logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: mysql.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/mysql.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.mysql
+ template_path: log.yml.hbs
+ title: Zeek mysql.log
+ description: Collect Zeek mysql logs
diff --git a/packages/zeek/dataset/notice/fields/beats.yml b/packages/zeek/dataset/notice/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/notice/fields/beats.yml
+++ b/packages/zeek/dataset/notice/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/notice/fields/ecs.yml b/packages/zeek/dataset/notice/fields/ecs.yml
index 1b63e2b0e92..e0768ae701c 100644
--- a/packages/zeek/dataset/notice/fields/ecs.yml
+++ b/packages/zeek/dataset/notice/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -140,10 +139,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/notice/fields/fields.yml b/packages/zeek/dataset/notice/fields/fields.yml
index e6a3a3c523a..52e50fa4da0 100644
--- a/packages/zeek/dataset/notice/fields/fields.yml
+++ b/packages/zeek/dataset/notice/fields/fields.yml
@@ -1,107 +1,107 @@ - name: zeek.notice type: group fields: - - name: connection_id - type: keyword - description: | - Identifier of the related connection session. - - name: icmp_id - type: keyword - description: | - Identifier of the related ICMP session. - - name: file.id - type: keyword - description: | - An identifier associated with a single file that is related to this notice. - - name: file.parent_id - type: keyword - description: | - Identifier associated with a container file from which this one was extracted. - - name: file.source - type: keyword - description: | - An identification of the source of the file data. E.g. it may be a network protocol - over which it was transferred, or a local file path which was read, or some other - input source. - - name: file.mime_type - type: keyword - description: | - A mime type if the notice is related to a file. - - name: file.is_orig - type: boolean - description: | - If the source of this file is a network connection, this field indicates if the file is - being sent by the originator of the connection or the responder. - - name: file.seen_bytes - type: long - description: | - Number of bytes provided to the file analysis engine for the file. - - name: ffile.total_bytes - type: long - description: | - Total number of bytes that are supposed to comprise the full file. - - name: file.missing_bytes - type: long - description: | - The number of bytes in the file stream that were completely missed during the process - of analysis. - - name: file.overflow_bytes - type: long - description: | - The number of bytes in the file stream that were not delivered to stream file analyzers. - This could be overlapping bytes or bytes that couldn't be reassembled. - - name: fuid - type: keyword - description: | - A file unique ID if this notice is related to a file. - - name: note - type: keyword - description: | - The type of the notice. - - name: msg - type: keyword - description: | - The human readable message for the notice. 
- - name: sub - type: keyword - description: | - The human readable sub-message. - - name: "n" - type: long - description: | - Associated count, or a status code. - - name: peer_name - type: keyword - description: | - Name of remote peer that raised this notice. - - name: peer_descr - type: text - description: | - Textual description for the peer that raised this notice. - - name: actions - type: keyword - description: | - The actions which have been applied to this notice. - - name: email_body_sections - type: text - description: | - By adding chunks of text into this element, other scripts can expand on notices - that are being emailed. - - name: email_delay_tokens - type: keyword - description: | - Adding a string token to this set will cause the built-in emailing functionality - to delay sending the email either the token has been removed or the email - has been delayed for the specified time duration. - - name: identifier - type: keyword - description: | - This field is provided when a notice is generated for the purpose of deduplicating notices. - - name: suppress_for - type: double - description: | - This field indicates the length of time that this unique notice should be suppressed. - - name: dropped - type: boolean - description: | - Indicate if the source IP address was dropped and denied network access. + - name: connection_id + type: keyword + description: | + Identifier of the related connection session. + - name: icmp_id + type: keyword + description: | + Identifier of the related ICMP session. + - name: file.id + type: keyword + description: | + An identifier associated with a single file that is related to this notice. + - name: file.parent_id + type: keyword + description: | + Identifier associated with a container file from which this one was extracted. + - name: file.source + type: keyword + description: | + An identification of the source of the file data. E.g. 
it may be a network protocol + over which it was transferred, or a local file path which was read, or some other + input source. + - name: file.mime_type + type: keyword + description: | + A mime type if the notice is related to a file. + - name: file.is_orig + type: boolean + description: | + If the source of this file is a network connection, this field indicates if the file is + being sent by the originator of the connection or the responder. + - name: file.seen_bytes + type: long + description: | + Number of bytes provided to the file analysis engine for the file. + - name: ffile.total_bytes + type: long + description: | + Total number of bytes that are supposed to comprise the full file. + - name: file.missing_bytes + type: long + description: | + The number of bytes in the file stream that were completely missed during the process + of analysis. + - name: file.overflow_bytes + type: long + description: | + The number of bytes in the file stream that were not delivered to stream file analyzers. + This could be overlapping bytes or bytes that couldn't be reassembled. + - name: fuid + type: keyword + description: | + A file unique ID if this notice is related to a file. + - name: note + type: keyword + description: | + The type of the notice. + - name: msg + type: keyword + description: | + The human readable message for the notice. + - name: sub + type: keyword + description: | + The human readable sub-message. + - name: "n" + type: long + description: | + Associated count, or a status code. + - name: peer_name + type: keyword + description: | + Name of remote peer that raised this notice. + - name: peer_descr + type: text + description: | + Textual description for the peer that raised this notice. + - name: actions + type: keyword + description: | + The actions which have been applied to this notice. 
+ - name: email_body_sections + type: text + description: | + By adding chunks of text into this element, other scripts can expand on notices + that are being emailed. + - name: email_delay_tokens + type: keyword + description: | + Adding a string token to this set will cause the built-in emailing functionality + to delay sending the email either the token has been removed or the email + has been delayed for the specified time duration. + - name: identifier + type: keyword + description: | + This field is provided when a notice is generated for the purpose of deduplicating notices. + - name: suppress_for + type: double + description: | + This field indicates the length of time that this unique notice should be suppressed. + - name: dropped + type: boolean + description: | + Indicate if the source IP address was dropped and denied network access. diff --git a/packages/zeek/dataset/notice/fields/package-fields.yml b/packages/zeek/dataset/notice/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/notice/fields/package-fields.yml +++ b/packages/zeek/dataset/notice/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/notice/manifest.yml b/packages/zeek/dataset/notice/manifest.yml index 68f58b755bd..74af65c5a57 100644 --- a/packages/zeek/dataset/notice/manifest.yml +++ b/packages/zeek/dataset/notice/manifest.yml 
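Review bot: The re-indented new side still declares `- name: ffile.total_bytes` (between `file.seen_bytes` and `file.missing_bytes`), a typo that the commit carries over; it should read `- name: file.total_bytes` so it is mapped under the same `file.*` prefix as its siblings. If the ingest pipeline emits `zeek.notice.file.total_bytes`, that value would presumably miss this explicit mapping and fall back to dynamic mapping, which I cannot confirm from this hunk alone. The quoting on `- name: "n"` is correct and should stay, since a bare `n` is read as a boolean by YAML 1.1 loaders. The `email_delay_tokens` description, `to delay sending the email either the token has been removed`, reads as if `until` was intended; worth fixing while the file is being rewritten.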
@@ -2,24 +2,24 @@ type: logs title: Zeek notice logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: notice.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/notice.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.notice - template_path: log.yml.hbs - title: Zeek notice.log - description: Collect Zeek notice logs + - input: logfile + vars: + - name: paths + type: text + title: notice.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/notice.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.notice + template_path: log.yml.hbs + title: Zeek notice.log + description: Collect Zeek notice logs diff --git a/packages/zeek/dataset/ntlm/fields/beats.yml b/packages/zeek/dataset/ntlm/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/ntlm/fields/beats.yml +++ b/packages/zeek/dataset/ntlm/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/ntlm/fields/ecs.yml b/packages/zeek/dataset/ntlm/fields/ecs.yml index dacd09659c2..0ab1d79af50 100644 --- a/packages/zeek/dataset/ntlm/fields/ecs.yml +++ b/packages/zeek/dataset/ntlm/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -93,8 +92,7 @@ ignore_above: 1024 name: event.kind type: keyword -- description: The outcome of the event. The lowest level categorization field in - the hierarchy. +- description: The outcome of the event. The lowest level categorization field in the hierarchy. example: success ignore_above: 1024 name: event.outcome @@ -137,10 +135,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -196,9 +194,9 @@ example: albert ignore_above: 1024 multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text + - flat_name: user.name.text + name: text + norms: false + type: text name: user.name type: keyword diff --git a/packages/zeek/dataset/ntlm/fields/fields.yml b/packages/zeek/dataset/ntlm/fields/fields.yml index 56575b2e960..42c05921af6 100644 --- a/packages/zeek/dataset/ntlm/fields/fields.yml +++ b/packages/zeek/dataset/ntlm/fields/fields.yml 
@@ -1,37 +1,37 @@ - name: zeek.ntlm type: group fields: - - name: domain - type: keyword - description: | - Domain name given by the client. - - name: hostname - type: keyword - description: | - Hostname given by the client. - - name: success - type: boolean - description: | - Indicate whether or not the authentication was successful. - - name: username - type: keyword - description: | - Username given by the client. - - name: server - type: group - fields: - - name: name + - name: domain + type: keyword + description: | + Domain name given by the client. + - name: hostname + type: keyword + description: | + Hostname given by the client. + - name: success + type: boolean + description: | + Indicate whether or not the authentication was successful. + - name: username + type: keyword + description: | + Username given by the client. + - name: server type: group fields: - - name: dns - type: keyword - description: | - DNS name given by the server in a CHALLENGE. - - name: netbios - type: keyword - description: | - NetBIOS name given by the server in a CHALLENGE. - - name: tree - type: keyword - description: | - Tree name given by the server in a CHALLENGE. + - name: name + type: group + fields: + - name: dns + type: keyword + description: | + DNS name given by the server in a CHALLENGE. + - name: netbios + type: keyword + description: | + NetBIOS name given by the server in a CHALLENGE. + - name: tree + type: keyword + description: | + Tree name given by the server in a CHALLENGE. diff --git a/packages/zeek/dataset/ntlm/fields/package-fields.yml b/packages/zeek/dataset/ntlm/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/ntlm/fields/package-fields.yml +++ b/packages/zeek/dataset/ntlm/fields/package-fields.yml 
@@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/ntlm/manifest.yml b/packages/zeek/dataset/ntlm/manifest.yml index e08349db551..c3e8ab44d0a 100644 --- a/packages/zeek/dataset/ntlm/manifest.yml +++ b/packages/zeek/dataset/ntlm/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek ntlm logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: ntlm.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/ntlm.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.ntlm - template_path: log.yml.hbs - title: Zeek ntlm.log - description: Collect Zeek ntlm logs + - input: logfile + vars: + - name: paths + type: text + title: ntlm.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/ntlm.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.ntlm + template_path: log.yml.hbs + title: Zeek ntlm.log + description: Collect Zeek ntlm logs diff --git a/packages/zeek/dataset/ocsp/fields/beats.yml b/packages/zeek/dataset/ocsp/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/ocsp/fields/beats.yml +++ b/packages/zeek/dataset/ocsp/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/ocsp/fields/ecs.yml b/packages/zeek/dataset/ocsp/fields/ecs.yml index fc8a5ec0768..7a2fc4292b6 100644 --- a/packages/zeek/dataset/ocsp/fields/ecs.yml +++ b/packages/zeek/dataset/ocsp/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: ECS version this event conforms to. example: 1.0.0 ignore_above: 1024 
diff --git a/packages/zeek/dataset/ocsp/fields/fields.yml b/packages/zeek/dataset/ocsp/fields/fields.yml index 2a3645eabb0..6c4dd6795d1 100644 --- a/packages/zeek/dataset/ocsp/fields/fields.yml +++ b/packages/zeek/dataset/ocsp/fields/fields.yml 
@@ -1,55 +1,55 @@ - name: zeek.ocsp type: group fields: - - name: file_id - type: keyword - description: | - File id of the OCSP reply. - - name: hash - type: group - fields: - - name: algorithm + - name: file_id type: keyword description: | - Hash algorithm used to generate issuerNameHash and issuerKeyHash. - - name: issuer + File id of the OCSP reply. + - name: hash type: group fields: - - name: name - type: keyword - description: | - Hash of the issuer's distingueshed name. - - name: key - type: keyword - description: | - Hash of the issuer's public key. - - name: serial_number - type: keyword - description: | - Serial number of the affected certificate. - - name: status - type: keyword - description: | - Status of the affected certificate. - - name: revoke - type: group - fields: - - name: time - type: date - description: | - Time at which the certificate was revoked. - - name: reason + - name: algorithm + type: keyword + description: | + Hash algorithm used to generate issuerNameHash and issuerKeyHash. + - name: issuer + type: group + fields: + - name: name + type: keyword + description: | + Hash of the issuer's distingueshed name. + - name: key + type: keyword + description: | + Hash of the issuer's public key. + - name: serial_number type: keyword description: | - Reason for which the certificate was revoked. - - name: update - type: group - fields: - - name: this - type: date - description: | - The time at which the status being shows is known to have been correct. - - name: next - type: date + Serial number of the affected certificate. + - name: status + type: keyword description: | - The latest time at which new information about the status of the certificate will be available. + Status of the affected certificate. + - name: revoke + type: group + fields: + - name: time + type: date + description: | + Time at which the certificate was revoked. + - name: reason + type: keyword + description: | + Reason for which the certificate was revoked. 
+ - name: update + type: group + fields: + - name: this + type: date + description: | + The time at which the status being shows is known to have been correct. + - name: next + type: date + description: | + The latest time at which new information about the status of the certificate will be available. diff --git a/packages/zeek/dataset/ocsp/fields/package-fields.yml b/packages/zeek/dataset/ocsp/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/ocsp/fields/package-fields.yml +++ b/packages/zeek/dataset/ocsp/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/ocsp/manifest.yml b/packages/zeek/dataset/ocsp/manifest.yml index 544782df8b3..830b6a950a1 100644 --- a/packages/zeek/dataset/ocsp/manifest.yml +++ b/packages/zeek/dataset/ocsp/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek ocsp logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: ocsp.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/ocsp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.ocsp - template_path: log.yml.hbs - title: Zeek ocsp.log - description: Collect Zeek ocsp logs + - input: logfile + vars: + - name: paths + type: text + title: ocsp.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/ocsp.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.ocsp + template_path: log.yml.hbs + title: Zeek ocsp.log + description: Collect Zeek ocsp logs 
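Review bot: Two description typos survive the re-indent on the new side: `Hash of the issuer's distingueshed name.` under `hash.issuer.name` should be `Hash of the issuer's distinguished name.`, and `The time at which the status being shows is known to have been correct.` under `update.this` should be `The time at which the status being shown is known to have been correct.`. These strings surface in the generated field reference, so they are worth correcting in the same pass.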
diff --git a/packages/zeek/dataset/pe/fields/beats.yml b/packages/zeek/dataset/pe/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/pe/fields/beats.yml +++ b/packages/zeek/dataset/pe/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/pe/fields/ecs.yml b/packages/zeek/dataset/pe/fields/ecs.yml index cad759c019d..df76e04b67c 100644 --- a/packages/zeek/dataset/pe/fields/ecs.yml +++ b/packages/zeek/dataset/pe/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: ECS version this event conforms to. example: 1.0.0 ignore_above: 1024 diff --git a/packages/zeek/dataset/pe/fields/fields.yml b/packages/zeek/dataset/pe/fields/fields.yml index 2357c22614e..f4d50fff0fe 100644 --- a/packages/zeek/dataset/pe/fields/fields.yml +++ b/packages/zeek/dataset/pe/fields/fields.yml 
@@ -1,71 +1,71 @@ - name: zeek.pe type: group fields: - - name: client - type: keyword - description: | - The client's version string. - - name: id - type: keyword - description: | - File id of this portable executable file. - - name: machine - type: keyword - description: | - The target machine that the file was compiled for. - - name: compile_time - type: date - description: | - The time that the file was created at. - - name: os - type: keyword - description: | - The required operating system. - - name: subsystem - type: keyword - description: | - The subsystem that is required to run this file. - - name: is_exe - type: boolean - description: | - Is the file an executable, or just an object file? - - name: is_64bit - type: boolean - description: | - Is the file a 64-bit executable? - - name: uses_aslr - type: boolean - description: | - Does the file support Address Space Layout Randomization? - - name: uses_dep - type: boolean - description: | - Does the file support Data Execution Prevention? - - name: uses_code_integrity - type: boolean - description: | - Does the file enforce code integrity checks? - - name: uses_seh - type: boolean - description: | - Does the file use structured exception handing? - - name: has_import_table - type: boolean - description: | - Does the file have an import table? - - name: has_export_table - type: boolean - description: | - Does the file have an export table? - - name: has_cert_table - type: boolean - description: | - Does the file have an attribute certificate table? - - name: has_debug_data - type: boolean - description: | - Does the file have a debug table? - - name: section_names - type: keyword - description: | - The names of the sections, in order. + - name: client + type: keyword + description: | + The client's version string. + - name: id + type: keyword + description: | + File id of this portable executable file. + - name: machine + type: keyword + description: | + The target machine that the file was compiled for. 
+ - name: compile_time + type: date + description: | + The time that the file was created at. + - name: os + type: keyword + description: | + The required operating system. + - name: subsystem + type: keyword + description: | + The subsystem that is required to run this file. + - name: is_exe + type: boolean + description: | + Is the file an executable, or just an object file? + - name: is_64bit + type: boolean + description: | + Is the file a 64-bit executable? + - name: uses_aslr + type: boolean + description: | + Does the file support Address Space Layout Randomization? + - name: uses_dep + type: boolean + description: | + Does the file support Data Execution Prevention? + - name: uses_code_integrity + type: boolean + description: | + Does the file enforce code integrity checks? + - name: uses_seh + type: boolean + description: | + Does the file use structured exception handing? + - name: has_import_table + type: boolean + description: | + Does the file have an import table? + - name: has_export_table + type: boolean + description: | + Does the file have an export table? + - name: has_cert_table + type: boolean + description: | + Does the file have an attribute certificate table? + - name: has_debug_data + type: boolean + description: | + Does the file have a debug table? + - name: section_names + type: keyword + description: | + The names of the sections, in order. diff --git a/packages/zeek/dataset/pe/fields/package-fields.yml b/packages/zeek/dataset/pe/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/pe/fields/package-fields.yml +++ b/packages/zeek/dataset/pe/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session 
diff --git a/packages/zeek/dataset/pe/manifest.yml b/packages/zeek/dataset/pe/manifest.yml index 9feca37e472..6fa9de0bc7d 100644 --- a/packages/zeek/dataset/pe/manifest.yml +++ b/packages/zeek/dataset/pe/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek pe logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: pe.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/pe.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.pe - template_path: log.yml.hbs - title: Zeek pe.log - description: Collect Zeek pe logs + - input: logfile + vars: + - name: paths + type: text + title: pe.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/pe.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.pe + template_path: log.yml.hbs + title: Zeek pe.log + description: Collect Zeek pe logs diff --git a/packages/zeek/dataset/radius/fields/beats.yml b/packages/zeek/dataset/radius/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/radius/fields/beats.yml +++ b/packages/zeek/dataset/radius/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/radius/fields/ecs.yml b/packages/zeek/dataset/radius/fields/ecs.yml index 03a998ba244..05dfe8417f2 100644 --- a/packages/zeek/dataset/radius/fields/ecs.yml +++ b/packages/zeek/dataset/radius/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address 
@@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -93,8 +92,7 @@ ignore_above: 1024 name: event.kind type: keyword -- description: The outcome of the event. The lowest level categorization field in - the hierarchy. +- description: The outcome of the event. The lowest level categorization field in the hierarchy. example: success ignore_above: 1024 name: event.outcome @@ -137,10 +135,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -192,9 +190,9 @@ example: albert ignore_above: 1024 multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text + - flat_name: user.name.text + name: text + norms: false + type: text name: user.name type: keyword diff --git a/packages/zeek/dataset/radius/fields/fields.yml b/packages/zeek/dataset/radius/fields/fields.yml index 34df96c198e..bb2cfd38d01 100644 --- a/packages/zeek/dataset/radius/fields/fields.yml +++ b/packages/zeek/dataset/radius/fields/fields.yml 
@@ -1,39 +1,39 @@ - name: zeek.radius type: group fields: - - name: username - type: keyword - description: | - The username, if present. - - name: mac - type: keyword - description: | - MAC address, if present. - - name: framed_addr - type: ip - description: | - The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. - - name: remote_ip - type: ip - description: | - Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. - - name: connect_info - type: keyword - description: | - Connect info, if present. - - name: reply_msg - type: keyword - description: | - Reply message from the server challenge. This is frequently shown to the user authenticating. - - name: result - type: keyword - description: | - Successful or failed authentication. - - name: ttl - type: integer - description: | - The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. - - name: logged - type: boolean - description: | - Whether this has already been logged and can be ignored. + - name: username + type: keyword + description: | + The username, if present. + - name: mac + type: keyword + description: | + MAC address, if present. + - name: framed_addr + type: ip + description: | + The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. + - name: remote_ip + type: ip + description: | + Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. + - name: connect_info + type: keyword + description: | + Connect info, if present. + - name: reply_msg + type: keyword + description: | + Reply message from the server challenge. This is frequently shown to the user authenticating. 
+ - name: result + type: keyword + description: | + Successful or failed authentication. + - name: ttl + type: integer + description: | + The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. + - name: logged + type: boolean + description: | + Whether this has already been logged and can be ignored. diff --git a/packages/zeek/dataset/radius/fields/package-fields.yml b/packages/zeek/dataset/radius/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/radius/fields/package-fields.yml +++ b/packages/zeek/dataset/radius/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/radius/manifest.yml b/packages/zeek/dataset/radius/manifest.yml index 3b1f98b5dcb..61d8f4c51f8 100644 --- a/packages/zeek/dataset/radius/manifest.yml +++ b/packages/zeek/dataset/radius/manifest.yml 
@@ -1,26 +1,25 @@ - type: logs title: Zeek radius logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: radius.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/radius.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.radius - template_path: log.yml.hbs - title: Zeek radius.log - description: Collect Zeek radius logs + - input: logfile + vars: + - name: paths + type: text + title: radius.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/radius.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.radius + template_path: log.yml.hbs + title: Zeek radius.log + description: Collect Zeek radius logs diff --git a/packages/zeek/dataset/rdp/fields/beats.yml b/packages/zeek/dataset/rdp/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/rdp/fields/beats.yml +++ b/packages/zeek/dataset/rdp/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/rdp/fields/ecs.yml b/packages/zeek/dataset/rdp/fields/ecs.yml index fa3d1fc3f4e..3ec3ac9d791 100644 --- a/packages/zeek/dataset/rdp/fields/ecs.yml +++ b/packages/zeek/dataset/rdp/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -122,10 +121,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/rdp/fields/fields.yml b/packages/zeek/dataset/rdp/fields/fields.yml index 0ca63f0caf6..379d00eb000 100644 --- a/packages/zeek/dataset/rdp/fields/fields.yml +++ b/packages/zeek/dataset/rdp/fields/fields.yml 
@@ -1,84 +1,84 @@ - name: zeek.rdp type: group fields: - - name: cookie - type: keyword - description: | - Cookie value used by the client machine. This is typically a username. - - name: result - type: keyword - description: | - Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. - - name: security_protocol - type: keyword - description: | - Security protocol chosen by the server. - - name: keyboard_layout - type: keyword - description: | - Keyboard layout (language) of the client machine. - - name: client - type: group - fields: - - name: build + - name: cookie type: keyword description: | - RDP client version used by the client machine. - - name: client_name + Cookie value used by the client machine. This is typically a username. + - name: result type: keyword description: | - Name of the client machine. - - name: product_id + Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. + - name: security_protocol type: keyword description: | - Product ID of the client machine. - - name: desktop - type: group - fields: - - name: width - type: integer - description: | - Desktop width of the client machine. - - name: height - type: integer - description: | - Desktop height of the client machine. - - name: color_depth + Security protocol chosen by the server. + - name: keyboard_layout type: keyword description: | - The color depth requested by the client in the high_color_depth field. - - name: cert - type: group - fields: - - name: type - type: keyword - description: | - If the connection is being encrypted with native RDP encryption, this is the type of cert being used. - - name: count - type: integer - description: | - The number of certs seen. X.509 can transfer an entire certificate chain. - - name: permanent + Keyboard layout (language) of the client machine. 
+ - name: client + type: group + fields: + - name: build + type: keyword + description: | + RDP client version used by the client machine. + - name: client_name + type: keyword + description: | + Name of the client machine. + - name: product_id + type: keyword + description: | + Product ID of the client machine. + - name: desktop + type: group + fields: + - name: width + type: integer + description: | + Desktop width of the client machine. + - name: height + type: integer + description: | + Desktop height of the client machine. + - name: color_depth + type: keyword + description: | + The color depth requested by the client in the high_color_depth field. + - name: cert + type: group + fields: + - name: type + type: keyword + description: | + If the connection is being encrypted with native RDP encryption, this is the type of cert being used. + - name: count + type: integer + description: | + The number of certs seen. X.509 can transfer an entire certificate chain. + - name: permanent + type: boolean + description: | + Indicates if the provided certificate or certificate chain is permanent or temporary. + - name: encryption + type: group + fields: + - name: level + type: keyword + description: | + Encryption level of the connection. + - name: method + type: keyword + description: | + Encryption method of the connection. + - name: done type: boolean description: | - Indicates if the provided certificate or certificate chain is permanent or temporary. - - name: encryption - type: group - fields: - - name: level - type: keyword - description: | - Encryption level of the connection. - - name: method - type: keyword + Track status of logging RDP connections. + - name: ssl + type: boolean description: | - Encryption method of the connection. - - name: done - type: boolean - description: | - Track status of logging RDP connections. 
- - name: ssl - type: boolean - description: | - (present if policy/protocols/rdp/indicate_ssl.bro is loaded) - Flag the connection if it was seen over SSL. + (present if policy/protocols/rdp/indicate_ssl.bro is loaded) + Flag the connection if it was seen over SSL. diff --git a/packages/zeek/dataset/rdp/fields/package-fields.yml b/packages/zeek/dataset/rdp/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/rdp/fields/package-fields.yml +++ b/packages/zeek/dataset/rdp/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/rdp/manifest.yml b/packages/zeek/dataset/rdp/manifest.yml index d4a2e6f3683..e0f419d9a5c 100644 --- a/packages/zeek/dataset/rdp/manifest.yml +++ b/packages/zeek/dataset/rdp/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek rdp logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: rdp.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/rdp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.rdp - template_path: log.yml.hbs - title: Zeek rdp.log - description: Collect Zeek rdp logs + - input: logfile + vars: + - name: paths + type: text + title: rdp.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/rdp.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.rdp + template_path: log.yml.hbs + title: Zeek rdp.log + description: Collect Zeek rdp logs diff --git a/packages/zeek/dataset/rfb/fields/beats.yml b/packages/zeek/dataset/rfb/fields/beats.yml index e6b25047393..470f5fae484 100644 
--- a/packages/zeek/dataset/rfb/fields/beats.yml +++ b/packages/zeek/dataset/rfb/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/rfb/fields/ecs.yml b/packages/zeek/dataset/rfb/fields/ecs.yml index 6cf761924d9..e7f9038ad62 100644 --- a/packages/zeek/dataset/rfb/fields/ecs.yml +++ b/packages/zeek/dataset/rfb/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -127,10 +126,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/rfb/fields/fields.yml b/packages/zeek/dataset/rfb/fields/fields.yml index ad39402e9dd..77fe1df108a 100644 --- a/packages/zeek/dataset/rfb/fields/fields.yml +++ b/packages/zeek/dataset/rfb/fields/fields.yml 
@@ -1,55 +1,55 @@ - name: zeek.rfb type: group fields: - - name: version - type: group - fields: - - name: client + - name: version type: group fields: - - name: major - type: keyword - description: | - Major version of the client. - - name: minor - type: keyword - description: | - Minor version of the client. - - name: server + - name: client + type: group + fields: + - name: major + type: keyword + description: | + Major version of the client. + - name: minor + type: keyword + description: | + Minor version of the client. + - name: server + type: group + fields: + - name: major + type: keyword + description: | + Major version of the server. + - name: minor + type: keyword + description: | + Minor version of the server. + - name: auth type: group fields: - - name: major - type: keyword - description: | - Major version of the server. - - name: minor - type: keyword - description: | - Minor version of the server. - - name: auth - type: group - fields: - - name: success + - name: success + type: boolean + description: | + Whether or not authentication was successful. + - name: method + type: keyword + description: | + Identifier of authentication method used. + - name: share_flag type: boolean description: | - Whether or not authentication was successful. - - name: method + Whether the client has an exclusive or a shared session. + - name: desktop_name type: keyword description: | - Identifier of authentication method used. - - name: share_flag - type: boolean - description: | - Whether the client has an exclusive or a shared session. - - name: desktop_name - type: keyword - description: | - Name of the screen that is being shared. - - name: width - type: integer - description: | - Width of the screen that is being shared. - - name: height - type: integer - description: | - Height of the screen that is being shared. + Name of the screen that is being shared. + - name: width + type: integer + description: | + Width of the screen that is being shared. 
+ - name: height + type: integer + description: | + Height of the screen that is being shared. diff --git a/packages/zeek/dataset/rfb/fields/package-fields.yml b/packages/zeek/dataset/rfb/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/rfb/fields/package-fields.yml +++ b/packages/zeek/dataset/rfb/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/rfb/manifest.yml b/packages/zeek/dataset/rfb/manifest.yml index 292198bfcbd..29d97c240ab 100644 --- a/packages/zeek/dataset/rfb/manifest.yml +++ b/packages/zeek/dataset/rfb/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek rfb logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: rfb.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/rfb.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.rfb - template_path: log.yml.hbs - title: Zeek rfb.log - description: Collect Zeek rfb logs + - input: logfile + vars: + - name: paths + type: text + title: rfb.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/rfb.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.rfb + template_path: log.yml.hbs + title: Zeek rfb.log + description: Collect Zeek rfb logs diff --git a/packages/zeek/dataset/sip/fields/beats.yml b/packages/zeek/dataset/sip/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/sip/fields/beats.yml +++ b/packages/zeek/dataset/sip/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id 
diff --git a/packages/zeek/dataset/sip/fields/ecs.yml b/packages/zeek/dataset/sip/fields/ecs.yml index 2bc14f03f77..70709551f50 100644 --- a/packages/zeek/dataset/sip/fields/ecs.yml +++ b/packages/zeek/dataset/sip/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -98,8 +97,7 @@ ignore_above: 1024 name: event.kind type: keyword -- description: The outcome of the event. The lowest level categorization field in - the hierarchy. +- description: The outcome of the event. The lowest level categorization field in the hierarchy. example: success ignore_above: 1024 name: event.outcome @@ -138,10 +136,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -193,9 +191,9 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top ignore_above: 1024 multi_fields: - - flat_name: url.full.text - name: text - norms: false - type: text + - flat_name: url.full.text + name: text + norms: false + type: text name: url.full type: keyword diff --git a/packages/zeek/dataset/sip/fields/fields.yml b/packages/zeek/dataset/sip/fields/fields.yml index e20f211a6ee..399f7a09b19 100644 --- a/packages/zeek/dataset/sip/fields/fields.yml +++ b/packages/zeek/dataset/sip/fields/fields.yml 
@@ -1,99 +1,99 @@ - name: zeek.sip type: group fields: - - name: transaction_depth - type: integer - description: | - Represents the pipelined depth into the connection of this request/response transaction. - - name: sequence - type: group - fields: - - name: method - type: keyword + - name: transaction_depth + type: integer description: | - Verb used in the SIP request (INVITE, REGISTER etc.). - - name: number + Represents the pipelined depth into the connection of this request/response transaction. + - name: sequence + type: group + fields: + - name: method + type: keyword + description: | + Verb used in the SIP request (INVITE, REGISTER etc.). + - name: number + type: keyword + description: | + Contents of the CSeq: header from the client. + - name: uri type: keyword description: | - Contents of the CSeq: header from the client. - - name: uri - type: keyword - description: | - URI used in the request. - - name: date - type: keyword - description: | - Contents of the Date: header from the client. - - name: request - type: group - fields: - - name: from + URI used in the request. + - name: date type: keyword description: | - Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. - - name: to + Contents of the Date: header from the client. + - name: request + type: group + fields: + - name: from + type: keyword + description: | + Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + - name: to + type: keyword + description: | + Contents of the To: header. + - name: path + type: keyword + description: | + The client message transmission path, as extracted from the headers. + - name: body_length + type: long + description: | + Contents of the Content-Length: header from the client. + - name: response + type: group + fields: + - name: from + type: keyword + description: | + Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. + - name: to + type: keyword + description: | + Contents of the response To: header. + - name: path + type: keyword + description: | + The server message transmission path, as extracted from the headers. + - name: body_length + type: long + description: | + Contents of the Content-Length: header from the server. + - name: reply_to type: keyword description: | - Contents of the To: header. - - name: path + Contents of the Reply-To: header. + - name: call_id type: keyword description: | - The client message transmission path, as extracted from the headers. - - name: body_length - type: long - description: | - Contents of the Content-Length: header from the client. - - name: response - type: group - fields: - - name: from + Contents of the Call-ID: header from the client. + - name: subject type: keyword description: | - Contents of the response 
From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. - - name: to + Contents of the Subject: header from the client. + - name: user_agent type: keyword description: | - Contents of the response To: header. - - name: path + Contents of the User-Agent: header from the client. + - name: status + type: group + fields: + - name: code + type: integer + description: | + Status code returned by the server. + - name: msg + type: keyword + description: | + Status message returned by the server. + - name: warning type: keyword description: | - The server message transmission path, as extracted from the headers. - - name: body_length - type: long - description: | - Contents of the Content-Length: header from the server. - - name: reply_to - type: keyword - description: | - Contents of the Reply-To: header. - - name: call_id - type: keyword - description: | - Contents of the Call-ID: header from the client. - - name: subject - type: keyword - description: | - Contents of the Subject: header from the client. - - name: user_agent - type: keyword - description: | - Contents of the User-Agent: header from the client. - - name: status - type: group - fields: - - name: code - type: integer - description: | - Status code returned by the server. - - name: msg + Contents of the Warning: header. + - name: content_type type: keyword description: | - Status message returned by the server. - - name: warning - type: keyword - description: | - Contents of the Warning: header. - - name: content_type - type: keyword - description: | - Contents of the Content-Type: header from the server. + Contents of the Content-Type: header from the server. diff --git a/packages/zeek/dataset/sip/fields/package-fields.yml b/packages/zeek/dataset/sip/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/sip/fields/package-fields.yml +++ b/packages/zeek/dataset/sip/fields/package-fields.yml 
@@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/sip/manifest.yml b/packages/zeek/dataset/sip/manifest.yml index 7864272c656..ecf58849a03 100644 --- a/packages/zeek/dataset/sip/manifest.yml +++ b/packages/zeek/dataset/sip/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek sip logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: sip.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/sip.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.sip - template_path: log.yml.hbs - title: Zeek sip.log - description: Collect Zeek sip logs + - input: logfile + vars: + - name: paths + type: text + title: sip.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/sip.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.sip + template_path: log.yml.hbs + title: Zeek sip.log + description: Collect Zeek sip logs diff --git a/packages/zeek/dataset/smb_cmd/fields/beats.yml b/packages/zeek/dataset/smb_cmd/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/smb_cmd/fields/beats.yml +++ b/packages/zeek/dataset/smb_cmd/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/smb_cmd/fields/ecs.yml b/packages/zeek/dataset/smb_cmd/fields/ecs.yml index 33ca93b303b..8e2af728df9 100644 --- a/packages/zeek/dataset/smb_cmd/fields/ecs.yml +++ b/packages/zeek/dataset/smb_cmd/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address 
@@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -98,8 +97,7 @@ ignore_above: 1024 name: event.kind type: keyword -- description: The outcome of the event. The lowest level categorization field in - the hierarchy. +- description: The outcome of the event. The lowest level categorization field in the hierarchy. example: success ignore_above: 1024 name: event.outcome @@ -142,10 +140,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. @@ -197,9 +195,9 @@ example: albert ignore_above: 1024 multi_fields: - - flat_name: user.name.text - name: text - norms: false - type: text + - flat_name: user.name.text + name: text + norms: false + type: text name: user.name type: keyword diff --git a/packages/zeek/dataset/smb_cmd/fields/fields.yml b/packages/zeek/dataset/smb_cmd/fields/fields.yml index d57fcb5aaae..73c6a4b0849 100644 --- a/packages/zeek/dataset/smb_cmd/fields/fields.yml +++ b/packages/zeek/dataset/smb_cmd/fields/fields.yml 
@@ -1,75 +1,75 @@ - name: zeek.smb_cmd type: group fields: - - name: command - type: keyword - description: | - The command sent by the client. - - name: sub_command - type: keyword - description: | - The subcommand sent by the client, if present. - - name: argument - type: keyword - description: | - Command argument sent by the client, if any. - - name: status - type: keyword - description: | - Server reply to the client's command. - - name: rtt - type: double - description: | - Round trip time from the request to the response. - - name: version - type: keyword - description: | - Version of SMB for the command. - - name: username - type: keyword - description: | - Authenticated username, if available. - - name: tree - type: keyword - description: | - If this is related to a tree, this is the tree that was used for the current command. - - name: tree_service - type: keyword - description: | - The type of tree (disk share, printer share, named pipe, etc.). - - name: file - type: group - fields: - - name: name + - name: command type: keyword description: | - Filename if one was seen. - - name: action + The command sent by the client. + - name: sub_command type: keyword description: | - Action this log record represents. - - name: uid + The subcommand sent by the client, if present. + - name: argument type: keyword description: | - UID of the referenced file. - - name: host + Command argument sent by the client, if any. + - name: status + type: keyword + description: | + Server reply to the client's command. + - name: rtt + type: double + description: | + Round trip time from the request to the response. + - name: version + type: keyword + description: | + Version of SMB for the command. + - name: username + type: keyword + description: | + Authenticated username, if available. + - name: tree + type: keyword + description: | + If this is related to a tree, this is the tree that was used for the current command. 
+ - name: tree_service + type: keyword + description: | + The type of tree (disk share, printer share, named pipe, etc.). + - name: file type: group fields: - - name: tx - type: ip - description: | - Address of the transmitting host. - - name: rx - type: ip - description: | - Address of the receiving host. - - name: smb1_offered_dialects - type: keyword - description: | - Present if base/protocols/smb/smb1-main.bro is loaded. - Dialects offered by the client. - - name: smb2_offered_dialects - type: integer - description: | - Present if base/protocols/smb/smb2-main.bro is loaded. - Dialects offered by the client. + - name: name + type: keyword + description: | + Filename if one was seen. + - name: action + type: keyword + description: | + Action this log record represents. + - name: uid + type: keyword + description: | + UID of the referenced file. + - name: host + type: group + fields: + - name: tx + type: ip + description: | + Address of the transmitting host. + - name: rx + type: ip + description: | + Address of the receiving host. + - name: smb1_offered_dialects + type: keyword + description: | + Present if base/protocols/smb/smb1-main.bro is loaded. + Dialects offered by the client. + - name: smb2_offered_dialects + type: integer + description: | + Present if base/protocols/smb/smb2-main.bro is loaded. + Dialects offered by the client. diff --git a/packages/zeek/dataset/smb_cmd/fields/package-fields.yml b/packages/zeek/dataset/smb_cmd/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/smb_cmd/fields/package-fields.yml +++ b/packages/zeek/dataset/smb_cmd/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session 
diff --git a/packages/zeek/dataset/smb_cmd/manifest.yml b/packages/zeek/dataset/smb_cmd/manifest.yml index d230acc1486..9f7cf7d2764 100644 --- a/packages/zeek/dataset/smb_cmd/manifest.yml +++ b/packages/zeek/dataset/smb_cmd/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek smb_cmd logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: smb_cmd paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/smb_cmd.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.smb_cmd - template_path: log.yml.hbs - title: Zeek smb_cmd.log - description: Collect Zeek smb_cmd logs + - input: logfile + vars: + - name: paths + type: text + title: smb_cmd paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/smb_cmd.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.smb_cmd + template_path: log.yml.hbs + title: Zeek smb_cmd.log + description: Collect Zeek smb_cmd logs diff --git a/packages/zeek/dataset/smb_files/fields/beats.yml b/packages/zeek/dataset/smb_files/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/smb_files/fields/beats.yml +++ b/packages/zeek/dataset/smb_files/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/smb_files/fields/ecs.yml b/packages/zeek/dataset/smb_files/fields/ecs.yml index 63db41e0f03..ceb9217e108 100644 --- a/packages/zeek/dataset/smb_files/fields/ecs.yml +++ b/packages/zeek/dataset/smb_files/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address 
@@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -123,10 +122,10 @@ example: /home/alice/example.png ignore_above: 1024 multi_fields: - - flat_name: file.path.text - name: text - norms: false - type: text + - flat_name: file.path.text + name: text + norms: false + type: text name: file.path type: keyword - description: File size in bytes. @@ -167,10 +166,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/smb_files/fields/fields.yml b/packages/zeek/dataset/smb_files/fields/fields.yml index c90e9c215f5..9a2bae33cba 100644 --- a/packages/zeek/dataset/smb_files/fields/fields.yml +++ b/packages/zeek/dataset/smb_files/fields/fields.yml 
@@ -1,50 +1,50 @@ - name: zeek.smb_files type: group fields: - - name: action - type: keyword - description: | - Action this log record represents. - - name: fid - type: integer - description: | - ID referencing this file. - - name: name - type: keyword - description: | - Filename if one was seen. - - name: path - type: keyword - description: | - Path pulled from the tree this file was transferred to or from. - - name: previous_name - type: keyword - description: | - If the rename action was seen, this will be the file's previous name. - - name: size - type: long - description: | - Byte size of the file. - - name: times - type: group - fields: - - name: accessed - type: date + - name: action + type: keyword description: | - The file's access time. - - name: changed - type: date + Action this log record represents. + - name: fid + type: integer description: | - The file's change time. - - name: created - type: date + ID referencing this file. + - name: name + type: keyword description: | - The file's create time. - - name: modified - type: date + Filename if one was seen. + - name: path + type: keyword description: | - The file's modify time. - - name: uuid - type: keyword - description: | - UUID referencing this file if DCE/RPC. + Path pulled from the tree this file was transferred to or from. + - name: previous_name + type: keyword + description: | + If the rename action was seen, this will be the file's previous name. + - name: size + type: long + description: | + Byte size of the file. + - name: times + type: group + fields: + - name: accessed + type: date + description: | + The file's access time. + - name: changed + type: date + description: | + The file's change time. + - name: created + type: date + description: | + The file's create time. + - name: modified + type: date + description: | + The file's modify time. + - name: uuid + type: keyword + description: | + UUID referencing this file if DCE/RPC. 
diff --git a/packages/zeek/dataset/smb_files/fields/package-fields.yml b/packages/zeek/dataset/smb_files/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/smb_files/fields/package-fields.yml +++ b/packages/zeek/dataset/smb_files/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/smb_files/manifest.yml b/packages/zeek/dataset/smb_files/manifest.yml index 5b52413b5e6..803165483ab 100644 --- a/packages/zeek/dataset/smb_files/manifest.yml +++ b/packages/zeek/dataset/smb_files/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek smb_files logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: smb_files.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/smb_files.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.smb_files - template_path: log.yml.hbs - title: Zeek smb_files.log - description: Collect Zeek smb_files logs + - input: logfile + vars: + - name: paths + type: text + title: smb_files.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/smb_files.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.smb_files + template_path: log.yml.hbs + title: Zeek smb_files.log + description: Collect Zeek smb_files logs diff --git a/packages/zeek/dataset/smb_mapping/fields/beats.yml b/packages/zeek/dataset/smb_mapping/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/smb_mapping/fields/beats.yml +++ b/packages/zeek/dataset/smb_mapping/fields/beats.yml 
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/smb_mapping/fields/ecs.yml b/packages/zeek/dataset/smb_mapping/fields/ecs.yml
index 6cf761924d9..e7f9038ad62 100644
--- a/packages/zeek/dataset/smb_mapping/fields/ecs.yml
+++ b/packages/zeek/dataset/smb_mapping/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -127,10 +126,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/smb_mapping/fields/fields.yml b/packages/zeek/dataset/smb_mapping/fields/fields.yml
index c1a7407075e..050d877b416 100644
--- a/packages/zeek/dataset/smb_mapping/fields/fields.yml
+++ b/packages/zeek/dataset/smb_mapping/fields/fields.yml
@@ -1,20 +1,20 @@ - name: zeek.smb_mapping type: group fields: - - name: path - type: keyword - description: | - Name of the tree path. - - name: service - type: keyword - description: | - The type of resource of the tree (disk share, printer share, named pipe, etc.). - - name: native_file_system - type: keyword - description: | - File system of the tree. - - name: share_type - type: keyword - description: | - If this is SMB2, a share type will be included. For SMB1, the type of share - will be deduced and included as well. + - name: path + type: keyword + description: | + Name of the tree path. + - name: service + type: keyword + description: | + The type of resource of the tree (disk share, printer share, named pipe, etc.). + - name: native_file_system + type: keyword + description: | + File system of the tree. + - name: share_type + type: keyword + description: | + If this is SMB2, a share type will be included. For SMB1, the type of share + will be deduced and included as well. diff --git a/packages/zeek/dataset/smb_mapping/fields/package-fields.yml b/packages/zeek/dataset/smb_mapping/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/smb_mapping/fields/package-fields.yml +++ b/packages/zeek/dataset/smb_mapping/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/smb_mapping/manifest.yml b/packages/zeek/dataset/smb_mapping/manifest.yml index d768d421784..c84667f71b1 100644 --- a/packages/zeek/dataset/smb_mapping/manifest.yml +++ b/packages/zeek/dataset/smb_mapping/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek smb_mapping logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: smb_mapping.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/smb_mapping.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.smb_mapping - template_path: log.yml.hbs - title: Zeek smb_mapping.log - description: Collect Zeek smb_mapping logs + - input: logfile + vars: + - name: paths + type: text + title: smb_mapping.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/smb_mapping.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.smb_mapping + template_path: log.yml.hbs + title: Zeek smb_mapping.log + description: Collect Zeek smb_mapping logs diff --git a/packages/zeek/dataset/smtp/fields/beats.yml b/packages/zeek/dataset/smtp/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/smtp/fields/beats.yml +++ b/packages/zeek/dataset/smtp/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/smtp/fields/ecs.yml b/packages/zeek/dataset/smtp/fields/ecs.yml index 3a68792502e..de5d25dd582 100644 --- a/packages/zeek/dataset/smtp/fields/ecs.yml +++ b/packages/zeek/dataset/smtp/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -127,10 +126,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
@@ -178,7 +177,6 @@
 - description: Port of the source.
 name: source.port
 type: long
-- description: Boolean flag indicating if the TLS negotiation was successful and transitioned
- to an encrypted tunnel.
+- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
 name: tls.established
 type: boolean
diff --git a/packages/zeek/dataset/smtp/fields/fields.yml b/packages/zeek/dataset/smtp/fields/fields.yml
index fded1969156..167b12eb1f7 100644
--- a/packages/zeek/dataset/smtp/fields/fields.yml
+++ b/packages/zeek/dataset/smtp/fields/fields.yml
@@ -1,96 +1,96 @@ - name: zeek.smtp type: group fields: - - name: transaction_depth - type: integer - description: | - A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. - - name: helo - type: keyword - description: | - Contents of the Helo header. - - name: mail_from - type: keyword - description: | - Email addresses found in the MAIL FROM header. - - name: rcpt_to - type: keyword - description: | - Email addresses found in the RCPT TO header. - - name: date - type: date - description: | - Contents of the Date header. - - name: from - type: keyword - description: | - Contents of the From header. - - name: to - type: keyword - description: | - Contents of the To header. - - name: cc - type: keyword - description: | - Contents of the CC header. - - name: reply_to - type: keyword - description: | - Contents of the ReplyTo header. - - name: msg_id - type: keyword - description: | - Contents of the MsgID header. - - name: in_reply_to - type: keyword - description: | - Contents of the In-Reply-To header. - - name: subject - type: keyword - description: | - Contents of the Subject header. - - name: x_originating_ip - type: keyword - description: | - Contents of the X-Originating-IP header. - - name: first_received - type: keyword - description: | - Contents of the first Received header. - - name: second_received - type: keyword - description: | - Contents of the second Received header. - - name: last_reply - type: keyword - description: | - The last message that the server sent to the client. - - name: path - type: ip - description: | - The message transmission path, as extracted from the headers. - - name: user_agent - type: keyword - description: | - Value of the User-Agent header from the client. - - name: tls - type: boolean - description: | - Indicates that the connection has switched to using TLS. 
- - name: process_received_from - type: boolean - description: | - Indicates if the "Received: from" headers should still be processed. - - name: has_client_activity - type: boolean - description: | - Indicates if client activity has been seen, but not yet logged. - - name: fuids - type: keyword - description: | - (present if base/protocols/smtp/files.bro is loaded) - An ordered vector of file unique IDs seen attached to the message. - - name: is_webmail - type: boolean - description: | - Indicates if the message was sent through a webmail interface. + - name: transaction_depth + type: integer + description: | + A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. + - name: helo + type: keyword + description: | + Contents of the Helo header. + - name: mail_from + type: keyword + description: | + Email addresses found in the MAIL FROM header. + - name: rcpt_to + type: keyword + description: | + Email addresses found in the RCPT TO header. + - name: date + type: date + description: | + Contents of the Date header. + - name: from + type: keyword + description: | + Contents of the From header. + - name: to + type: keyword + description: | + Contents of the To header. + - name: cc + type: keyword + description: | + Contents of the CC header. + - name: reply_to + type: keyword + description: | + Contents of the ReplyTo header. + - name: msg_id + type: keyword + description: | + Contents of the MsgID header. + - name: in_reply_to + type: keyword + description: | + Contents of the In-Reply-To header. + - name: subject + type: keyword + description: | + Contents of the Subject header. + - name: x_originating_ip + type: keyword + description: | + Contents of the X-Originating-IP header. + - name: first_received + type: keyword + description: | + Contents of the first Received header. + - name: second_received + type: keyword + description: | + Contents of the second Received header. 
+ - name: last_reply + type: keyword + description: | + The last message that the server sent to the client. + - name: path + type: ip + description: | + The message transmission path, as extracted from the headers. + - name: user_agent + type: keyword + description: | + Value of the User-Agent header from the client. + - name: tls + type: boolean + description: | + Indicates that the connection has switched to using TLS. + - name: process_received_from + type: boolean + description: | + Indicates if the "Received: from" headers should still be processed. + - name: has_client_activity + type: boolean + description: | + Indicates if client activity has been seen, but not yet logged. + - name: fuids + type: keyword + description: | + (present if base/protocols/smtp/files.bro is loaded) + An ordered vector of file unique IDs seen attached to the message. + - name: is_webmail + type: boolean + description: | + Indicates if the message was sent through a webmail interface. diff --git a/packages/zeek/dataset/smtp/fields/package-fields.yml b/packages/zeek/dataset/smtp/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/smtp/fields/package-fields.yml +++ b/packages/zeek/dataset/smtp/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/smtp/manifest.yml b/packages/zeek/dataset/smtp/manifest.yml index 7325436c139..f9adf92f8a2 100644 --- a/packages/zeek/dataset/smtp/manifest.yml +++ b/packages/zeek/dataset/smtp/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek smtp logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: smtp.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/smtp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.smtp - template_path: log.yml.hbs - title: Zeek smtp.log - description: Collect Zeek smtp logs + - input: logfile + vars: + - name: paths + type: text + title: smtp.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/smtp.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.smtp + template_path: log.yml.hbs + title: Zeek smtp.log + description: Collect Zeek smtp logs diff --git a/packages/zeek/dataset/snmp/fields/beats.yml b/packages/zeek/dataset/snmp/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/snmp/fields/beats.yml +++ b/packages/zeek/dataset/snmp/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/snmp/fields/ecs.yml b/packages/zeek/dataset/snmp/fields/ecs.yml index 6cf761924d9..e7f9038ad62 100644 --- a/packages/zeek/dataset/snmp/fields/ecs.yml +++ b/packages/zeek/dataset/snmp/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -127,10 +126,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/snmp/fields/fields.yml b/packages/zeek/dataset/snmp/fields/fields.yml
index 97e70a5a328..f005e686aad 100644
--- a/packages/zeek/dataset/snmp/fields/fields.yml
+++ b/packages/zeek/dataset/snmp/fields/fields.yml
@@ -1,45 +1,45 @@ - name: zeek.snmp type: group fields: - - name: duration - type: double - description: | - The amount of time between the first packet beloning to the SNMP session and the latest one seen. - - name: version - type: keyword - description: | - The version of SNMP being used. - - name: community - type: keyword - description: | - The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. - - name: get - type: group - fields: - - name: requests - type: integer + - name: duration + type: double description: | - The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. - - name: bulk_requests - type: integer + The amount of time between the first packet beloning to the SNMP session and the latest one seen. + - name: version + type: keyword description: | - The number of variable bindings in GetBulkRequest PDUs seen for the session. - - name: responses - type: integer + The version of SNMP being used. + - name: community + type: keyword description: | - The number of variable bindings in GetResponse/Response PDUs seen for the session. - - name: set - type: group - fields: - - name: requests - type: integer + The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. + - name: get + type: group + fields: + - name: requests + type: integer + description: | + The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. + - name: bulk_requests + type: integer + description: | + The number of variable bindings in GetBulkRequest PDUs seen for the session. + - name: responses + type: integer + description: | + The number of variable bindings in GetResponse/Response PDUs seen for the session. 
+ - name: set + type: group + fields: + - name: requests + type: integer + description: | + The number of variable bindings in SetRequest PDUs seen for the session. + - name: display_string + type: keyword description: | - The number of variable bindings in SetRequest PDUs seen for the session. - - name: display_string - type: keyword - description: | - A system description of the SNMP responder endpoint. - - name: up_since - type: date - description: | - The time at which the SNMP responder endpoint claims it's been up since. + A system description of the SNMP responder endpoint. + - name: up_since + type: date + description: | + The time at which the SNMP responder endpoint claims it's been up since. diff --git a/packages/zeek/dataset/snmp/fields/package-fields.yml b/packages/zeek/dataset/snmp/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/snmp/fields/package-fields.yml +++ b/packages/zeek/dataset/snmp/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/snmp/manifest.yml b/packages/zeek/dataset/snmp/manifest.yml index bf2872c3a7a..7a25645ff7e 100644 --- a/packages/zeek/dataset/snmp/manifest.yml +++ b/packages/zeek/dataset/snmp/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek snmp logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: snmp.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/snmp.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.snmp - template_path: log.yml.hbs - title: Zeek snmp.log - description: Collect Zeek snmp logs + - input: logfile + vars: + - name: paths + type: text + title: snmp.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/snmp.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.snmp + template_path: log.yml.hbs + title: Zeek snmp.log + description: Collect Zeek snmp logs diff --git a/packages/zeek/dataset/socks/fields/beats.yml b/packages/zeek/dataset/socks/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/socks/fields/beats.yml +++ b/packages/zeek/dataset/socks/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/socks/fields/ecs.yml b/packages/zeek/dataset/socks/fields/ecs.yml index 426d5ccac7c..a2a81c11da5 100644 --- a/packages/zeek/dataset/socks/fields/ecs.yml +++ b/packages/zeek/dataset/socks/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -90,8 +89,7 @@
 ignore_above: 1024
 name: event.kind
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -134,10 +132,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
@@ -189,9 +187,9 @@
 example: albert
 ignore_above: 1024
 multi_fields:
- - flat_name: user.name.text
- name: text
- norms: false
- type: text
+ - flat_name: user.name.text
+ name: text
+ norms: false
+ type: text
 name: user.name
 type: keyword
diff --git a/packages/zeek/dataset/socks/fields/fields.yml b/packages/zeek/dataset/socks/fields/fields.yml
index fbe0bef70db..05cdd644f4d 100644
--- a/packages/zeek/dataset/socks/fields/fields.yml
+++ b/packages/zeek/dataset/socks/fields/fields.yml
@@ -1,45 +1,45 @@ - name: zeek.socks type: group fields: - - name: version - type: integer - description: | - Protocol version of SOCKS. - - name: user - type: keyword - description: | - Username used to request a login to the proxy. - - name: password - type: keyword - description: | - Password used to request a login to the proxy. - - name: status - type: keyword - description: | - Server status for the attempt at using the proxy. - - name: request - type: group - fields: - - name: host + - name: version + type: integer + description: | + Protocol version of SOCKS. + - name: user type: keyword description: | - Client requested SOCKS address. Could be an address, a name or both. - - name: port - type: integer + Username used to request a login to the proxy. + - name: password + type: keyword description: | - Client requested port. - - name: bound - type: group - fields: - - name: host + Password used to request a login to the proxy. + - name: status type: keyword description: | - Server bound address. Could be an address, a name or both. - - name: port - type: integer + Server status for the attempt at using the proxy. + - name: request + type: group + fields: + - name: host + type: keyword + description: | + Client requested SOCKS address. Could be an address, a name or both. + - name: port + type: integer + description: | + Client requested port. + - name: bound + type: group + fields: + - name: host + type: keyword + description: | + Server bound address. Could be an address, a name or both. + - name: port + type: integer + description: | + Server bound port. + - name: capture_password + type: boolean description: | - Server bound port. - - name: capture_password - type: boolean - description: | - Determines if the password will be captured for this request. + Determines if the password will be captured for this request. 
diff --git a/packages/zeek/dataset/socks/fields/package-fields.yml b/packages/zeek/dataset/socks/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/socks/fields/package-fields.yml
+++ b/packages/zeek/dataset/socks/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/socks/manifest.yml b/packages/zeek/dataset/socks/manifest.yml
index fe1179d3675..036167d7900 100644
--- a/packages/zeek/dataset/socks/manifest.yml
+++ b/packages/zeek/dataset/socks/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek socks logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: socks.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/socks.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.socks
- template_path: log.yml.hbs
- title: Zeek socks.log
- description: Collect Zeek socks logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: socks.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/socks.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.socks
+ template_path: log.yml.hbs
+ title: Zeek socks.log
+ description: Collect Zeek socks logs
diff --git a/packages/zeek/dataset/ssh/fields/beats.yml b/packages/zeek/dataset/ssh/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/ssh/fields/beats.yml
+++ b/packages/zeek/dataset/ssh/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/ssh/fields/ecs.yml b/packages/zeek/dataset/ssh/fields/ecs.yml
index c6f14b5f1ce..daec42b0314 100644
--- a/packages/zeek/dataset/ssh/fields/ecs.yml
+++ b/packages/zeek/dataset/ssh/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -93,8 +92,7 @@
 ignore_above: 1024
 name: event.kind
 type: keyword
-- description: The outcome of the event. The lowest level categorization field in
- the hierarchy.
+- description: The outcome of the event. The lowest level categorization field in the hierarchy.
 example: success
 ignore_above: 1024
 name: event.outcome
@@ -133,10 +131,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/ssh/fields/fields.yml b/packages/zeek/dataset/ssh/fields/fields.yml
index e1899c601eb..bc2f658f4b0 100644
--- a/packages/zeek/dataset/ssh/fields/fields.yml
+++ b/packages/zeek/dataset/ssh/fields/fields.yml
@@ -1,62 +1,62 @@ - name: zeek.ssh type: group fields: - - name: client - type: keyword - description: | - The client's version string. - - name: direction - type: keyword - description: | - Direction of the connection. If the client was a local host logging into - an external host, this would be OUTBOUND. INBOUND would be set for the - opposite situation. - - name: host_key - type: keyword - description: | - The server's key thumbprint. - - name: server - type: keyword - description: | - The server's version string. - - name: version - type: integer - description: | - SSH major version (1 or 2). - - name: algorithm - type: group - fields: - - name: cipher + - name: client type: keyword description: | - The encryption algorithm in use. - - name: compression + The client's version string. + - name: direction type: keyword description: | - The compression algorithm in use. + Direction of the connection. If the client was a local host logging into + an external host, this would be OUTBOUND. INBOUND would be set for the + opposite situation. - name: host_key type: keyword description: | - The server host key's algorithm. - - name: key_exchange + The server's key thumbprint. + - name: server type: keyword description: | - The key exchange algorithm in use. - - name: mac - type: keyword - description: | - The signing (MAC) algorithm in use. - - name: auth - type: group - fields: - - name: attempts + The server's version string. + - name: version type: integer description: | - The number of authentication attemps we observed. There's always at - least one, since some servers might support no authentication at all. - It's important to note that not all of these are failures, since some - servers require two-factor auth (e.g. password AND pubkey). - - name: success - type: boolean - description: | - Authentication result. + SSH major version (1 or 2). 
+ - name: algorithm + type: group + fields: + - name: cipher + type: keyword + description: | + The encryption algorithm in use. + - name: compression + type: keyword + description: | + The compression algorithm in use. + - name: host_key + type: keyword + description: | + The server host key's algorithm. + - name: key_exchange + type: keyword + description: | + The key exchange algorithm in use. + - name: mac + type: keyword + description: | + The signing (MAC) algorithm in use. + - name: auth + type: group + fields: + - name: attempts + type: integer + description: | + The number of authentication attemps we observed. There's always at + least one, since some servers might support no authentication at all. + It's important to note that not all of these are failures, since some + servers require two-factor auth (e.g. password AND pubkey). + - name: success + type: boolean + description: | + Authentication result. diff --git a/packages/zeek/dataset/ssh/fields/package-fields.yml b/packages/zeek/dataset/ssh/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/ssh/fields/package-fields.yml +++ b/packages/zeek/dataset/ssh/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/ssh/manifest.yml b/packages/zeek/dataset/ssh/manifest.yml index dca3633b3fd..f4790f57cc3 100644 --- a/packages/zeek/dataset/ssh/manifest.yml +++ b/packages/zeek/dataset/ssh/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek ssh logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: ssh.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/ssh.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.ssh - template_path: log.yml.hbs - title: Zeek ssh.log - description: Collect Zeek ssh logs + - input: logfile + vars: + - name: paths + type: text + title: ssh.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/ssh.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.ssh + template_path: log.yml.hbs + title: Zeek ssh.log + description: Collect Zeek ssh logs diff --git a/packages/zeek/dataset/ssl/fields/beats.yml b/packages/zeek/dataset/ssl/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/ssl/fields/beats.yml +++ b/packages/zeek/dataset/ssl/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/ssl/fields/ecs.yml b/packages/zeek/dataset/ssl/fields/ecs.yml index 158f55424b0..ce385abca20 100644 --- a/packages/zeek/dataset/ssl/fields/ecs.yml +++ b/packages/zeek/dataset/ssl/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Client network address. ignore_above: 1024 name: client.address @@ -15,10 +14,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -130,10 +129,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
@@ -186,8 +185,7 @@
 ignore_above: 1024
 name: tls.cipher
 type: keyword
-- description: Distinguished name of subject of the issuer of the x.509 certificate
- presented by the client.
+- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com
 ignore_above: 1024
 name: tls.client.issuer
@@ -226,12 +224,10 @@
 ignore_above: 1024
 name: tls.curve
 type: keyword
-- description: Boolean flag indicating if the TLS negotiation was successful and transitioned
- to an encrypted tunnel.
+- description: Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.
 name: tls.established
 type: boolean
-- description: Boolean flag indicating if this TLS connection was resumed from an
- existing TLS negotiation.
+- description: Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.
 name: tls.resumed
 type: boolean
 - description: Subject of the issuer of the x.509 certificate presented by the server.
diff --git a/packages/zeek/dataset/ssl/fields/fields.yml b/packages/zeek/dataset/ssl/fields/fields.yml
index 84482fa63c2..13d506136c1 100644
--- a/packages/zeek/dataset/ssl/fields/fields.yml
+++ b/packages/zeek/dataset/ssl/fields/fields.yml
@@ -1,178 +1,178 @@ - name: zeek.ssl type: group fields: - - name: version - type: keyword - description: | - SSL/TLS version that was logged. - - name: cipher - type: keyword - description: | - SSL/TLS cipher suite that was logged. - - name: curve - type: keyword - description: | - Elliptic curve that was logged when using ECDH/ECDHE. - - name: resumed - type: boolean - description: | - Flag to indicate if the session was resumed reusing the key material exchanged in an - earlier connection. - - name: next_protocol - type: keyword - description: | - Next protocol the server chose using the application layer next protocol extension. - - name: established - type: boolean - description: | - Flag to indicate if this ssl session has been established successfully. - - name: validation - type: group - fields: - - name: status + - name: version type: keyword description: | - Result of certificate validation for this connection. - - name: code + SSL/TLS version that was logged. + - name: cipher type: keyword description: | - Result of certificate validation for this connection, given as OpenSSL validation code. - - name: last_alert - type: keyword - description: | - Last alert that was seen during the connection. - - name: server - type: group - fields: - - name: name + SSL/TLS cipher suite that was logged. + - name: curve type: keyword description: | - Value of the Server Name Indicator SSL/TLS extension. It indicates the server name - that the client was requesting. - - name: cert_chain - type: keyword + Elliptic curve that was logged when using ECDH/ECDHE. + - name: resumed + type: boolean description: | - Chain of certificates offered by the server to validate its complete signing chain. - - name: cert_chain_fuids + Flag to indicate if the session was resumed reusing the key material exchanged in an + earlier connection. + - name: next_protocol type: keyword description: | - An ordered vector of certificate file identifiers for the certificates offered by the server. 
- - name: issuer - type: group - fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the server. - - name: locality - type: keyword - description: | - Locality of the signer of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the signer of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the signer of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the signer of the X.509 certificate offered by the server. - - name: subject + Next protocol the server chose using the application layer next protocol extension. + - name: established + type: boolean + description: | + Flag to indicate if this ssl session has been established successfully. + - name: validation type: group fields: - - name: common_name - type: keyword - description: | - Common name of the X.509 certificate offered by the server. - - name: country - type: keyword - description: | - Country code of the X.509 certificate offered by the server. - - name: locality - type: keyword - description: | - Locality of the X.509 certificate offered by the server. - - name: organization - type: keyword - description: | - Organization of the X.509 certificate offered by the server. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the X.509 certificate offered by the server. - - name: state - type: keyword - description: | - State or province name of the X.509 certificate offered by the server. 
- - name: client - type: group - fields: - - name: cert_chain - type: keyword - description: | - Chain of certificates offered by the client to validate its complete signing chain. - - name: cert_chain_fuids + - name: status + type: keyword + description: | + Result of certificate validation for this connection. + - name: code + type: keyword + description: | + Result of certificate validation for this connection, given as OpenSSL validation code. + - name: last_alert type: keyword description: | - An ordered vector of certificate file identifiers for the certificates offered by the client. - - name: issuer + Last alert that was seen during the connection. + - name: server type: group fields: - - name: common_name - type: keyword - description: | - Common name of the signer of the X.509 certificate offered by the client. - - name: country - type: keyword - description: | - Country code of the signer of the X.509 certificate offered by the client. - - name: locality - type: keyword - description: | - Locality of the signer of the X.509 certificate offered by the client. - - name: organization - type: keyword - description: | - Organization of the signer of the X.509 certificate offered by the client. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the signer of the X.509 certificate offered by the client. - - name: state - type: keyword - description: | - State or province name of the signer of the X.509 certificate offered by the client. - - name: subject + - name: name + type: keyword + description: | + Value of the Server Name Indicator SSL/TLS extension. It indicates the server name + that the client was requesting. + - name: cert_chain + type: keyword + description: | + Chain of certificates offered by the server to validate its complete signing chain. + - name: cert_chain_fuids + type: keyword + description: | + An ordered vector of certificate file identifiers for the certificates offered by the server. 
+ - name: issuer + type: group + fields: + - name: common_name + type: keyword + description: | + Common name of the signer of the X.509 certificate offered by the server. + - name: country + type: keyword + description: | + Country code of the signer of the X.509 certificate offered by the server. + - name: locality + type: keyword + description: | + Locality of the signer of the X.509 certificate offered by the server. + - name: organization + type: keyword + description: | + Organization of the signer of the X.509 certificate offered by the server. + - name: organizational_unit + type: keyword + description: | + Organizational unit of the signer of the X.509 certificate offered by the server. + - name: state + type: keyword + description: | + State or province name of the signer of the X.509 certificate offered by the server. + - name: subject + type: group + fields: + - name: common_name + type: keyword + description: | + Common name of the X.509 certificate offered by the server. + - name: country + type: keyword + description: | + Country code of the X.509 certificate offered by the server. + - name: locality + type: keyword + description: | + Locality of the X.509 certificate offered by the server. + - name: organization + type: keyword + description: | + Organization of the X.509 certificate offered by the server. + - name: organizational_unit + type: keyword + description: | + Organizational unit of the X.509 certificate offered by the server. + - name: state + type: keyword + description: | + State or province name of the X.509 certificate offered by the server. + - name: client type: group fields: - - name: common_name - type: keyword - description: | - Common name of the X.509 certificate offered by the client. - - name: country - type: keyword - description: | - Country code of the X.509 certificate offered by the client. - - name: locality - type: keyword - description: | - Locality of the X.509 certificate offered by the client. 
- - name: organization - type: keyword - description: | - Organization of the X.509 certificate offered by the client. - - name: organizational_unit - type: keyword - description: | - Organizational unit of the X.509 certificate offered by the client. - - name: state - type: keyword - description: | - State or province name of the X.509 certificate offered by the client. + - name: cert_chain + type: keyword + description: | + Chain of certificates offered by the client to validate its complete signing chain. + - name: cert_chain_fuids + type: keyword + description: | + An ordered vector of certificate file identifiers for the certificates offered by the client. + - name: issuer + type: group + fields: + - name: common_name + type: keyword + description: | + Common name of the signer of the X.509 certificate offered by the client. + - name: country + type: keyword + description: | + Country code of the signer of the X.509 certificate offered by the client. + - name: locality + type: keyword + description: | + Locality of the signer of the X.509 certificate offered by the client. + - name: organization + type: keyword + description: | + Organization of the signer of the X.509 certificate offered by the client. + - name: organizational_unit + type: keyword + description: | + Organizational unit of the signer of the X.509 certificate offered by the client. + - name: state + type: keyword + description: | + State or province name of the signer of the X.509 certificate offered by the client. + - name: subject + type: group + fields: + - name: common_name + type: keyword + description: | + Common name of the X.509 certificate offered by the client. + - name: country + type: keyword + description: | + Country code of the X.509 certificate offered by the client. + - name: locality + type: keyword + description: | + Locality of the X.509 certificate offered by the client. 
+ - name: organization + type: keyword + description: | + Organization of the X.509 certificate offered by the client. + - name: organizational_unit + type: keyword + description: | + Organizational unit of the X.509 certificate offered by the client. + - name: state + type: keyword + description: | + State or province name of the X.509 certificate offered by the client. diff --git a/packages/zeek/dataset/ssl/fields/package-fields.yml b/packages/zeek/dataset/ssl/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/ssl/fields/package-fields.yml +++ b/packages/zeek/dataset/ssl/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/ssl/manifest.yml b/packages/zeek/dataset/ssl/manifest.yml index 7c75ded8a18..fcf1c0750dc 100644 --- a/packages/zeek/dataset/ssl/manifest.yml +++ b/packages/zeek/dataset/ssl/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek ssl logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: ssl.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/ssl.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.ssl - template_path: log.yml.hbs - title: Zeek ssl.log - description: Collect Zeek ssl logs + - input: logfile + vars: + - name: paths + type: text + title: ssl.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/ssl.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.ssl + template_path: log.yml.hbs + title: Zeek ssl.log + description: Collect Zeek ssl logs 
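Review bot: Two descriptions in this hunk wrap mid-sentence inside a `|` literal block — `resumed` (`...exchanged in an` / `earlier connection.`) and `server.name` (`...the server name` / `that the client was requesting.`) — so the hard line break is kept as part of the description value, unlike every other single-line description here. That is inconsistent with the sibling ecs.yml hunks in this same commit, which join wrapped description lines (harmless there, since plain scalars fold to one line anyway). Since the new side re-indents these exact lines, it would be a good moment to either put each sentence on one line or change those two keys to `description: >-` so the wrap folds to a space. How the consuming tooling renders the embedded newline I cannot tell from this diff, but the value differs from the others either way.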
diff --git a/packages/zeek/dataset/stats/fields/beats.yml b/packages/zeek/dataset/stats/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/stats/fields/beats.yml +++ b/packages/zeek/dataset/stats/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/stats/fields/ecs.yml b/packages/zeek/dataset/stats/fields/ecs.yml index 20d91b5ba4d..0c6797cec74 100644 --- a/packages/zeek/dataset/stats/fields/ecs.yml +++ b/packages/zeek/dataset/stats/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: ECS version this event conforms to. example: 1.0.0 ignore_above: 1024 diff --git a/packages/zeek/dataset/stats/fields/fields.yml b/packages/zeek/dataset/stats/fields/fields.yml index 7bcdd1435bc..95fb318c923 100644 --- a/packages/zeek/dataset/stats/fields/fields.yml +++ b/packages/zeek/dataset/stats/fields/fields.yml 
@@ -1,136 +1,136 @@ - name: zeek.stats type: group fields: - - name: peer - type: keyword - description: | - Peer that generated this log. Mostly for clusters. - - name: memory - type: integer - description: | - Amount of memory currently in use in MB. - - name: packets - type: group - fields: - - name: processed - type: long + - name: peer + type: keyword description: | - Number of packets processed since the last stats interval. - - name: dropped - type: long - description: | - Number of packets dropped since the last stats interval if reading live traffic. - - name: received - type: long - description: | - Number of packets seen on the link since the last stats interval if reading live traffic. - - name: bytes - type: group - fields: - - name: received - type: long + Peer that generated this log. Mostly for clusters. + - name: memory + type: integer description: | - Number of bytes received since the last stats interval if reading live traffic. - - name: connections - type: group - fields: - - name: tcp + Amount of memory currently in use in MB. + - name: packets type: group fields: - - name: active - type: integer - description: | - TCP connections currently in memory. - - name: count - type: integer - description: | - TCP connections seen since last stats interval. - - name: udp + - name: processed + type: long + description: | + Number of packets processed since the last stats interval. + - name: dropped + type: long + description: | + Number of packets dropped since the last stats interval if reading live traffic. + - name: received + type: long + description: | + Number of packets seen on the link since the last stats interval if reading live traffic. + - name: bytes type: group fields: - - name: active - type: integer - description: | - UDP connections currently in memory. - - name: count - type: integer - description: | - UDP connections seen since last stats interval. 
- - name: icmp + - name: received + type: long + description: | + Number of bytes received since the last stats interval if reading live traffic. + - name: connections type: group fields: - - name: active - type: integer - description: | - ICMP connections currently in memory. - - name: count - type: integer - description: | - ICMP connections seen since last stats interval. - - name: events - type: group - fields: - - name: processed - type: integer - description: | - Number of events processed since the last stats interval. - - name: queued - type: integer - description: | - Number of events that have been queued since the last stats interval. - - name: timers - type: group - fields: - - name: count - type: integer - description: | - Number of timers scheduled since last stats interval. - - name: active - type: integer - description: | - Current number of scheduled timers. - - name: files - type: group - fields: - - name: count - type: integer - description: | - Number of files seen since last stats interval. - - name: active - type: integer - description: | - Current number of files actively being seen. - - name: dns_requests - type: group - fields: - - name: count - type: integer - description: | - Number of DNS requests seen since last stats interval. - - name: active - type: integer - description: | - Current number of DNS requests awaiting a reply. - - name: reassembly_size - type: group - fields: - - name: tcp - type: integer - description: | - Current size of TCP data in reassembly. - - name: file - type: integer - description: | - Current size of File data in reassembly. - - name: frag - type: integer - description: | - Current size of packet fragment data in reassembly. - - name: unknown + - name: tcp + type: group + fields: + - name: active + type: integer + description: | + TCP connections currently in memory. + - name: count + type: integer + description: | + TCP connections seen since last stats interval. 
+ - name: udp + type: group + fields: + - name: active + type: integer + description: | + UDP connections currently in memory. + - name: count + type: integer + description: | + UDP connections seen since last stats interval. + - name: icmp + type: group + fields: + - name: active + type: integer + description: | + ICMP connections currently in memory. + - name: count + type: integer + description: | + ICMP connections seen since last stats interval. + - name: events + type: group + fields: + - name: processed + type: integer + description: | + Number of events processed since the last stats interval. + - name: queued + type: integer + description: | + Number of events that have been queued since the last stats interval. + - name: timers + type: group + fields: + - name: count + type: integer + description: | + Number of timers scheduled since last stats interval. + - name: active + type: integer + description: | + Current number of scheduled timers. + - name: files + type: group + fields: + - name: count + type: integer + description: | + Number of files seen since last stats interval. + - name: active + type: integer + description: | + Current number of files actively being seen. + - name: dns_requests + type: group + fields: + - name: count + type: integer + description: | + Number of DNS requests seen since last stats interval. + - name: active + type: integer + description: | + Current number of DNS requests awaiting a reply. + - name: reassembly_size + type: group + fields: + - name: tcp + type: integer + description: | + Current size of TCP data in reassembly. + - name: file + type: integer + description: | + Current size of File data in reassembly. + - name: frag + type: integer + description: | + Current size of packet fragment data in reassembly. + - name: unknown + type: integer + description: | + Current size of unknown data in reassembly (this is only PIA buffer right now). 
+ - name: timestamp_lag type: integer description: | - Current size of unknown data in reassembly (this is only PIA buffer right now). - - name: timestamp_lag - type: integer - description: | - Lag between the wall clock and packet timestamps if reading live traffic. + Lag between the wall clock and packet timestamps if reading live traffic. diff --git a/packages/zeek/dataset/stats/fields/package-fields.yml b/packages/zeek/dataset/stats/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/stats/fields/package-fields.yml +++ b/packages/zeek/dataset/stats/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/stats/manifest.yml b/packages/zeek/dataset/stats/manifest.yml index 766cdb2412a..a9d09d1893a 100644 --- a/packages/zeek/dataset/stats/manifest.yml +++ b/packages/zeek/dataset/stats/manifest.yml @@ -2,24 +2,24 @@ type: logs title: Zeek stats logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: stats.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/stats.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.stats - template_path: log.yml.hbs - title: Zeek stats.log - description: Collect Zeek stats logs + - input: logfile + vars: + - name: paths + type: text + title: stats.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/stats.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.stats + template_path: log.yml.hbs + title: Zeek stats.log + description: Collect Zeek stats logs 
diff --git a/packages/zeek/dataset/syslog/fields/beats.yml b/packages/zeek/dataset/syslog/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/syslog/fields/beats.yml +++ b/packages/zeek/dataset/syslog/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/syslog/fields/ecs.yml b/packages/zeek/dataset/syslog/fields/ecs.yml index 9ded62587d7..6408a7df88b 100644 --- a/packages/zeek/dataset/syslog/fields/ecs.yml +++ b/packages/zeek/dataset/syslog/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. @@ -128,10 +127,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/syslog/fields/fields.yml b/packages/zeek/dataset/syslog/fields/fields.yml index 29b14cb1d32..36af6d78af8 100644 --- a/packages/zeek/dataset/syslog/fields/fields.yml +++ b/packages/zeek/dataset/syslog/fields/fields.yml 
@@ -1,15 +1,15 @@ - name: zeek.syslog type: group fields: - - name: facility - type: keyword - description: | - Syslog facility for the message. - - name: severity - type: keyword - description: | - Syslog severity for the message. - - name: message - type: keyword - description: | - The plain text message. + - name: facility + type: keyword + description: | + Syslog facility for the message. + - name: severity + type: keyword + description: | + Syslog severity for the message. + - name: message + type: keyword + description: | + The plain text message. diff --git a/packages/zeek/dataset/syslog/fields/package-fields.yml b/packages/zeek/dataset/syslog/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/syslog/fields/package-fields.yml +++ b/packages/zeek/dataset/syslog/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/syslog/manifest.yml b/packages/zeek/dataset/syslog/manifest.yml index aa93e37c623..a2213331600 100644 --- a/packages/zeek/dataset/syslog/manifest.yml +++ b/packages/zeek/dataset/syslog/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek syslog logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: syslog.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/syslog.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.syslog - template_path: log.yml.hbs - title: Zeek syslog.log - description: Collect Zeek syslog logs + - input: logfile + vars: + - name: paths + type: text + title: syslog.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/syslog.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.syslog + template_path: log.yml.hbs + title: Zeek syslog.log + description: Collect Zeek syslog logs diff --git a/packages/zeek/dataset/traceroute/fields/beats.yml b/packages/zeek/dataset/traceroute/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/traceroute/fields/beats.yml +++ b/packages/zeek/dataset/traceroute/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/traceroute/fields/ecs.yml b/packages/zeek/dataset/traceroute/fields/ecs.yml index 7ab181fa201..931ff1375b6 100644 --- a/packages/zeek/dataset/traceroute/fields/ecs.yml +++ b/packages/zeek/dataset/traceroute/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -109,10 +108,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/traceroute/fields/package-fields.yml b/packages/zeek/dataset/traceroute/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/traceroute/fields/package-fields.yml +++ b/packages/zeek/dataset/traceroute/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/traceroute/manifest.yml b/packages/zeek/dataset/traceroute/manifest.yml index f1d2f2c3f1e..ca22077bfaf 100644 --- a/packages/zeek/dataset/traceroute/manifest.yml +++ b/packages/zeek/dataset/traceroute/manifest.yml 
@@ -2,24 +2,24 @@ type: logs title: Zeek traceroute logs release: experimental streams: -- input: logfile - vars: - - name: paths - type: text - title: traceroute.log paths - multi: true - required: true - show_user: true - default: - - /var/log/bro/current/traceroute.log - - name: tags - type: text - title: Tags - multi: true - required: true - show_user: true - default: - - zeek.traceroute - template_path: log.yml.hbs - title: Zeek traceroute.log - description: Collect Zeek traceroute logs + - input: logfile + vars: + - name: paths + type: text + title: traceroute.log paths + multi: true + required: true + show_user: true + default: + - /var/log/bro/current/traceroute.log + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: true + default: + - zeek.traceroute + template_path: log.yml.hbs + title: Zeek traceroute.log + description: Collect Zeek traceroute logs diff --git a/packages/zeek/dataset/tunnel/fields/beats.yml b/packages/zeek/dataset/tunnel/fields/beats.yml index e6b25047393..470f5fae484 100644 --- a/packages/zeek/dataset/tunnel/fields/beats.yml +++ b/packages/zeek/dataset/tunnel/fields/beats.yml @@ -1,4 +1,3 @@ ---- - description: Unique container id. ignore_above: 1024 name: container.id diff --git a/packages/zeek/dataset/tunnel/fields/ecs.yml b/packages/zeek/dataset/tunnel/fields/ecs.yml index ea6b4b172de..52a1cbe1230 100644 --- a/packages/zeek/dataset/tunnel/fields/ecs.yml +++ b/packages/zeek/dataset/tunnel/fields/ecs.yml @@ -1,4 +1,3 @@ ---- - description: Destination network address. ignore_above: 1024 name: destination.address @@ -11,10 +10,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: destination.as.organization.name.text - name: text - norms: false - type: text + - flat_name: destination.as.organization.name.text + name: text + norms: false + type: text name: destination.as.organization.name type: keyword - description: City name. 
@@ -117,10 +116,10 @@ example: Google LLC ignore_above: 1024 multi_fields: - - flat_name: source.as.organization.name.text - name: text - norms: false - type: text + - flat_name: source.as.organization.name.text + name: text + norms: false + type: text name: source.as.organization.name type: keyword - description: City name. diff --git a/packages/zeek/dataset/tunnel/fields/fields.yml b/packages/zeek/dataset/tunnel/fields/fields.yml index 4576a86cd8e..576ddac9a3e 100644 --- a/packages/zeek/dataset/tunnel/fields/fields.yml +++ b/packages/zeek/dataset/tunnel/fields/fields.yml @@ -1,11 +1,11 @@ - name: zeek.tunnel type: group fields: - - name: type - type: keyword - description: | - The type of tunnel. - - name: action - type: keyword - description: | - The type of activity that occurred. + - name: type + type: keyword + description: | + The type of tunnel. + - name: action + type: keyword + description: | + The type of activity that occurred. diff --git a/packages/zeek/dataset/tunnel/fields/package-fields.yml b/packages/zeek/dataset/tunnel/fields/package-fields.yml index b837cafbdac..4d6d6ea170f 100644 --- a/packages/zeek/dataset/tunnel/fields/package-fields.yml +++ b/packages/zeek/dataset/tunnel/fields/package-fields.yml @@ -1,7 +1,7 @@ - name: zeek type: group fields: - - name: session_id - type: keyword - description: | - A unique identifier of the session + - name: session_id + type: keyword + description: | + A unique identifier of the session diff --git a/packages/zeek/dataset/tunnel/manifest.yml b/packages/zeek/dataset/tunnel/manifest.yml index 31a049ba47f..3bb7fd3867d 100644 --- a/packages/zeek/dataset/tunnel/manifest.yml +++ b/packages/zeek/dataset/tunnel/manifest.yml 
@@ -2,24 +2,24 @@ type: logs
 title: Zeek tunnel logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: tunnel.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/tunnel.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.tunnel
- template_path: log.yml.hbs
- title: Zeek tunnel.log
- description: Collect Zeek tunnel logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: tunnel.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/tunnel.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.tunnel
+ template_path: log.yml.hbs
+ title: Zeek tunnel.log
+ description: Collect Zeek tunnel logs
diff --git a/packages/zeek/dataset/weird/fields/beats.yml b/packages/zeek/dataset/weird/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/weird/fields/beats.yml
+++ b/packages/zeek/dataset/weird/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/weird/fields/ecs.yml b/packages/zeek/dataset/weird/fields/ecs.yml
index 0c4552ad320..9bd0aeebc68 100644
--- a/packages/zeek/dataset/weird/fields/ecs.yml
+++ b/packages/zeek/dataset/weird/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: Destination network address.
 ignore_above: 1024
 name: destination.address
@@ -11,10 +10,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: destination.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: destination.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: destination.as.organization.name
 type: keyword
 - description: City name.
@@ -114,10 +113,10 @@
 example: Google LLC
 ignore_above: 1024
 multi_fields:
- - flat_name: source.as.organization.name.text
- name: text
- norms: false
- type: text
+ - flat_name: source.as.organization.name.text
+ name: text
+ norms: false
+ type: text
 name: source.as.organization.name
 type: keyword
 - description: City name.
diff --git a/packages/zeek/dataset/weird/fields/fields.yml b/packages/zeek/dataset/weird/fields/fields.yml
index e3769127949..96b94388082 100644
--- a/packages/zeek/dataset/weird/fields/fields.yml
+++ b/packages/zeek/dataset/weird/fields/fields.yml
@@ -1,23 +1,23 @@
 - name: zeek.weird
 type: group
 fields:
- - name: name
- type: keyword
- description: |
- The name of the weird that occurred.
- - name: additional_info
- type: keyword
- description: |
- Additional information accompanying the weird if any.
- - name: notice
- type: boolean
- description: |
- Indicate if this weird was also turned into a notice.
- - name: peer
- type: keyword
- description: |
- The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.
- - name: identifier
- type: keyword
- description: |
- This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
+ - name: name
+ type: keyword
+ description: |
+ The name of the weird that occurred.
+ - name: additional_info
+ type: keyword
+ description: |
+ Additional information accompanying the weird if any.
+ - name: notice
+ type: boolean
+ description: |
+ Indicate if this weird was also turned into a notice.
+ - name: peer
+ type: keyword
+ description: |
+ The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.
+ - name: identifier
+ type: keyword
+ description: |
+ This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
diff --git a/packages/zeek/dataset/weird/fields/package-fields.yml b/packages/zeek/dataset/weird/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/weird/fields/package-fields.yml
+++ b/packages/zeek/dataset/weird/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/weird/manifest.yml b/packages/zeek/dataset/weird/manifest.yml
index 32127b98a45..07fa632e76f 100644
--- a/packages/zeek/dataset/weird/manifest.yml
+++ b/packages/zeek/dataset/weird/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek weird logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: weird.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/weird.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.weird
- template_path: log.yml.hbs
- title: Zeek weird.log
- description: Collect Zeek weird logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: weird.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/weird.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.weird
+ template_path: log.yml.hbs
+ title: Zeek weird.log
+ description: Collect Zeek weird logs
diff --git a/packages/zeek/dataset/x509/fields/beats.yml b/packages/zeek/dataset/x509/fields/beats.yml
index e6b25047393..470f5fae484 100644
--- a/packages/zeek/dataset/x509/fields/beats.yml
+++ b/packages/zeek/dataset/x509/fields/beats.yml
@@ -1,4 +1,3 @@
----
 - description: Unique container id.
 ignore_above: 1024
 name: container.id
diff --git a/packages/zeek/dataset/x509/fields/ecs.yml b/packages/zeek/dataset/x509/fields/ecs.yml
index d7c771e3b44..dc2381deccc 100644
--- a/packages/zeek/dataset/x509/fields/ecs.yml
+++ b/packages/zeek/dataset/x509/fields/ecs.yml
@@ -1,4 +1,3 @@
----
 - description: ECS version this event conforms to.
 example: 1.0.0
 ignore_above: 1024
diff --git a/packages/zeek/dataset/x509/fields/fields.yml b/packages/zeek/dataset/x509/fields/fields.yml
index f66accec451..7f79ef0720d 100644
--- a/packages/zeek/dataset/x509/fields/fields.yml
+++ b/packages/zeek/dataset/x509/fields/fields.yml
@@ -1,153 +1,153 @@
 - name: zeek.x509
 type: group
 fields:
- - name: id
- type: keyword
- description: |
- File id of this certificate.
- - name: certificate
- type: group
- fields:
- - name: version
- type: integer
- description: |
- Version number.
- - name: serial
+ - name: id
 type: keyword
 description: |
- Serial number.
- - name: subject
- type: group
- fields:
- - name: country
- type: keyword
- description: |
- Country provided in the certificate subject.
- - name: common_name
- type: keyword
- description: |
- Common name provided in the certificate subject.
- - name: locality
- type: keyword
- description: |
- Locality provided in the certificate subject.
- - name: organization
- type: keyword
- description: |
- Organization provided in the certificate subject.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit provided in the certificate subject.
- - name: state
- type: keyword
- description: |
- State or province provided in the certificate subject.
- - name: issuer
+ File id of this certificate.
+ - name: certificate
 type: group
 fields:
- - name: country
- type: keyword
- description: |
- Country provided in the certificate issuer field.
- - name: common_name
- type: keyword
- description: |
- Common name provided in the certificate issuer field.
- - name: locality
- type: keyword
- description: |
- Locality provided in the certificate issuer field.
- - name: organization
- type: keyword
- description: |
- Organization provided in the certificate issuer field.
- - name: organizational_unit
- type: keyword
- description: |
- Organizational unit provided in the certificate issuer field.
- - name: state
- type: keyword
- description: |
- State or province provided in the certificate issuer field.
- - name: common_name
- type: keyword
- description: |
- Last (most specific) common name.
- - name: valid
+ - name: version
+ type: integer
+ description: |
+ Version number.
+ - name: serial
+ type: keyword
+ description: |
+ Serial number.
+ - name: subject
+ type: group
+ fields:
+ - name: country
+ type: keyword
+ description: |
+ Country provided in the certificate subject.
+ - name: common_name
+ type: keyword
+ description: |
+ Common name provided in the certificate subject.
+ - name: locality
+ type: keyword
+ description: |
+ Locality provided in the certificate subject.
+ - name: organization
+ type: keyword
+ description: |
+ Organization provided in the certificate subject.
+ - name: organizational_unit
+ type: keyword
+ description: |
+ Organizational unit provided in the certificate subject.
+ - name: state
+ type: keyword
+ description: |
+ State or province provided in the certificate subject.
+ - name: issuer
+ type: group
+ fields:
+ - name: country
+ type: keyword
+ description: |
+ Country provided in the certificate issuer field.
+ - name: common_name
+ type: keyword
+ description: |
+ Common name provided in the certificate issuer field.
+ - name: locality
+ type: keyword
+ description: |
+ Locality provided in the certificate issuer field.
+ - name: organization
+ type: keyword
+ description: |
+ Organization provided in the certificate issuer field.
+ - name: organizational_unit
+ type: keyword
+ description: |
+ Organizational unit provided in the certificate issuer field.
+ - name: state
+ type: keyword
+ description: |
+ State or province provided in the certificate issuer field.
+ - name: common_name
+ type: keyword
+ description: |
+ Last (most specific) common name.
+ - name: valid
+ type: group
+ fields:
+ - name: from
+ type: date
+ description: |
+ Timestamp before when certificate is not valid.
+ - name: until
+ type: date
+ description: |
+ Timestamp after when certificate is not valid.
+ - name: key
+ type: group
+ fields:
+ - name: algorithm
+ type: keyword
+ description: |
+ Name of the key algorithm.
+ - name: type
+ type: keyword
+ description: |
+ Key type, if key parseable by openssl (either rsa, dsa or ec).
+ - name: length
+ type: integer
+ description: |
+ Key length in bits.
+ - name: signature_algorithm
+ type: keyword
+ description: |
+ Name of the signature algorithm.
+ - name: exponent
+ type: keyword
+ description: |
+ Exponent, if RSA-certificate.
+ - name: curve
+ type: keyword
+ description: |
+ Curve, if EC-certificate.
+ - name: san
 type: group
 fields:
- - name: from
- type: date
- description: |
- Timestamp before when certificate is not valid.
- - name: until
- type: date
- description: |
- Timestamp after when certificate is not valid.
- - name: key
+ - name: dns
+ type: keyword
+ description: |
+ List of DNS entries in SAN.
+ - name: uri
+ type: keyword
+ description: |
+ List of URI entries in SAN.
+ - name: email
+ type: keyword
+ description: |
+ List of email entries in SAN.
+ - name: ip
+ type: ip
+ description: |
+ List of IP entries in SAN.
+ - name: other_fields
+ type: boolean
+ description: |
+ True if the certificate contained other, not recognized or parsed name fields.
+ - name: basic_constraints
 type: group
 fields:
- - name: algorithm
- type: keyword
- description: |
- Name of the key algorithm.
- - name: type
- type: keyword
- description: |
- Key type, if key parseable by openssl (either rsa, dsa or ec).
- - name: length
- type: integer
- description: |
- Key length in bits.
- - name: signature_algorithm
- type: keyword
- description: |
- Name of the signature algorithm.
- - name: exponent
- type: keyword
- description: |
- Exponent, if RSA-certificate.
- - name: curve
- type: keyword
- description: |
- Curve, if EC-certificate.
- - name: san
- type: group
- fields:
- - name: dns
- type: keyword
- description: |
- List of DNS entries in SAN.
- - name: uri
- type: keyword
- description: |
- List of URI entries in SAN.
- - name: email
- type: keyword
- description: |
- List of email entries in SAN.
- - name: ip
- type: ip
- description: |
- List of IP entries in SAN.
- - name: other_fields
+ - name: certificate_authority
+ type: boolean
+ description: |
+ CA flag set or not.
+ - name: path_length
+ type: integer
+ description: |
+ Maximum path length.
+ - name: log_cert
 type: boolean
 description: |
- True if the certificate contained other, not recognized or parsed name fields.
- - name: basic_constraints
- type: group
- fields:
- - name: certificate_authority
- type: boolean
- description: |
- CA flag set or not.
- - name: path_length
- type: integer
- description: |
- Maximum path length.
- - name: log_cert
- type: boolean
- description: |
- Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded
- Logging of certificate is suppressed if set to F.
+ Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded
+ Logging of certificate is suppressed if set to F.
diff --git a/packages/zeek/dataset/x509/fields/package-fields.yml b/packages/zeek/dataset/x509/fields/package-fields.yml
index b837cafbdac..4d6d6ea170f 100644
--- a/packages/zeek/dataset/x509/fields/package-fields.yml
+++ b/packages/zeek/dataset/x509/fields/package-fields.yml
@@ -1,7 +1,7 @@
 - name: zeek
 type: group
 fields:
- - name: session_id
- type: keyword
- description: |
- A unique identifier of the session
+ - name: session_id
+ type: keyword
+ description: |
+ A unique identifier of the session
diff --git a/packages/zeek/dataset/x509/manifest.yml b/packages/zeek/dataset/x509/manifest.yml
index 089767e904c..f25f77cfc81 100644
--- a/packages/zeek/dataset/x509/manifest.yml
+++ b/packages/zeek/dataset/x509/manifest.yml
@@ -2,24 +2,24 @@ type: logs
 title: Zeek x509 logs
 release: experimental
 streams:
-- input: logfile
- vars:
- - name: paths
- type: text
- title: x509.log paths
- multi: true
- required: true
- show_user: true
- default:
- - /var/log/bro/current/x509.log
- - name: tags
- type: text
- title: Tags
- multi: true
- required: true
- show_user: true
- default:
- - zeek.x509
- template_path: log.yml.hbs
- title: Zeek x509.log
- description: Collect Zeek x509 logs
+ - input: logfile
+ vars:
+ - name: paths
+ type: text
+ title: x509.log paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/bro/current/x509.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - zeek.x509
+ template_path: log.yml.hbs
+ title: Zeek x509.log
+ description: Collect Zeek x509 logs
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
index 4f05a0da9ac..2b964da0fd2 100644
--- a/packages/zeek/docs/README.md
+++ b/packages/zeek/docs/README.md
@@ -964,6 +964,18 @@ contains kerberos data.
 | source.ip | IP address of the source. | ip |
 | source.port | Port of the source. | long |
 | tags | List of keywords used to tag each event. | keyword |
+| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.client.x509.subject.country | List of country (C) code | keyword |
+| tls.client.x509.subject.locality | List of locality names (L) | keyword |
+| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.server.x509.subject.country | List of country (C) code | keyword |
+| tls.server.x509.subject.locality | List of locality names (L) | keyword |
+| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
 | user.domain | Name of the directory the user is a member of. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | zeek.kerberos.cert.client.fuid | File unique ID of client cert. | keyword |
@@ -2298,10 +2310,22 @@ SSL/TLS handshake info.
 | tags | List of keywords used to tag each event. | keyword |
 | tls.cipher | String indicating the cipher used during the current connection. | keyword |
 | tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
+| tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.client.x509.subject.country | List of country (C) code | keyword |
+| tls.client.x509.subject.locality | List of locality names (L) | keyword |
+| tls.client.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.client.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| tls.client.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
 | tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
 | tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
 | tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
 | tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
+| tls.server.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| tls.server.x509.subject.country | List of country (C) code | keyword |
+| tls.server.x509.subject.locality | List of locality names (L) | keyword |
+| tls.server.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| tls.server.x509.subject.organizational_unit | List of organizational units (OU) of subject. | keyword |
+| tls.server.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
 | tls.version | Numeric part of the version parsed from the original string. 
| keyword |
 | tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
 | zeek.session_id | A unique identifier of the session | keyword |
@@ -2676,6 +2700,26 @@ X.509 certificate info.
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
 | event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword |
 | event.type | Event type. The third categorization field in the hierarchy. | keyword |
+| file.x509.alternative_names | List of subject alternative names (SAN). | keyword |
+| file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| file.x509.issuer.country | List of country (C) codes | keyword |
+| file.x509.issuer.locality | List of locality names (L) | keyword |
+| file.x509.issuer.organization | List of organizations (O) of issuing certificate authority. | keyword |
+| file.x509.issuer.organizational_unit | List of organizational units (OU) of issuing certificate authority. | keyword |
+| file.x509.issuer.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| file.x509.public_key_exponent | Exponent used to derive the public key. This is algorithm specific. | long |
+| file.x509.public_key_size | The size of the public key space in bits. | long |
+| file.x509.serial_number | Unique serial number issued by the certificate authority. | keyword |
+| file.x509.signature_algorithm | Identifier for certificate signature algorithm. | keyword |
+| file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| file.x509.subject.country | List of country (C) code | keyword |
+| file.x509.subject.locality | List of locality names (L) | keyword |
+| file.x509.subject.organization | List of organizations (O) of subject. | keyword |
+| file.x509.subject.organizational_unit | List of organizational units (OU) of subject. 
| keyword |
+| file.x509.subject.state_or_province | List of state or province names (ST, S, or P) | keyword |
+| file.x509.version_number | Version of x509 format. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.file.path | Full path to the log file this event came from. | keyword |
 | log.flags | Flags for the log file. | keyword |
diff --git a/packages/zeek/kibana/visualization/1df7ea80-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/1df7ea80-370d-11e9-aa6d-ff445a78330c.json
index 79479bbc8b3..366416b9a53 100644
--- a/packages/zeek/kibana/visualization/1df7ea80-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/1df7ea80-370d-11e9-aa6d-ff445a78330c.json
@@ -82,4 +82,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/466e5850-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/466e5850-370d-11e9-aa6d-ff445a78330c.json
index 96c541df1ea..0a40d40867d 100644
--- a/packages/zeek/kibana/visualization/466e5850-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/466e5850-370d-11e9-aa6d-ff445a78330c.json
@@ -82,4 +82,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/649acd40-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/649acd40-370d-11e9-aa6d-ff445a78330c.json
index 70117b5b243..06b9ad28e15 100644
--- a/packages/zeek/kibana/visualization/649acd40-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/649acd40-370d-11e9-aa6d-ff445a78330c.json
@@ -82,4 +82,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/9436c270-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/9436c270-370d-11e9-aa6d-ff445a78330c.json
index a257b6cd7d3..4713cd5ae6e 100644
--- a/packages/zeek/kibana/visualization/9436c270-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/9436c270-370d-11e9-aa6d-ff445a78330c.json
@@ -82,4 +82,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/bec2f0e0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/bec2f0e0-370d-11e9-aa6d-ff445a78330c.json
index 235eae9c7d8..ac6fa150db2 100644
--- a/packages/zeek/kibana/visualization/bec2f0e0-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/bec2f0e0-370d-11e9-aa6d-ff445a78330c.json
@@ -97,4 +97,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/e042fda0-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/e042fda0-370d-11e9-aa6d-ff445a78330c.json
index 4d450c80c3c..f9f85aa2eac 100644
--- a/packages/zeek/kibana/visualization/e042fda0-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/e042fda0-370d-11e9-aa6d-ff445a78330c.json
@@ -82,4 +82,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/f469f230-370c-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/f469f230-370c-11e9-aa6d-ff445a78330c.json
index cd6523e093c..f35d42364d5 100644
--- a/packages/zeek/kibana/visualization/f469f230-370c-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/f469f230-370c-11e9-aa6d-ff445a78330c.json
@@ -93,4 +93,4 @@
 }
 ],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/kibana/visualization/f8c40810-370d-11e9-aa6d-ff445a78330c.json b/packages/zeek/kibana/visualization/f8c40810-370d-11e9-aa6d-ff445a78330c.json
index 25b355f97e1..f130a4a7b40 100644
--- a/packages/zeek/kibana/visualization/f8c40810-370d-11e9-aa6d-ff445a78330c.json
+++ b/packages/zeek/kibana/visualization/f8c40810-370d-11e9-aa6d-ff445a78330c.json
@@ -62,4 +62,4 @@
 ],
 "references": [],
 "type": "visualization"
-}
+}
\ No newline at end of file
diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml
index a15fa8a3fc1..173c0b197b1 100644
--- a/packages/zeek/manifest.yml
+++ b/packages/zeek/manifest.yml
@@ -5,27 +5,27 @@ release: beta
 description: Zeek Integration
 type: integration
 icons:
-- src: /img/zeek.svg
- title: zeek
- size: 214x203
- type: image/svg+xml
+ - src: /img/zeek.svg
+ title: zeek
+ size: 214x203
+ type: image/svg+xml
 format_version: 1.0.0
 license: basic
 categories: [network, monitoring, security]
 conditions:
 kibana.version: ^7.9.0
 screenshots:
-- src: /img/kibana-zeek.png
- title: kibana zeek
- size: 3530x2414
- type: image/png
+ - src: /img/kibana-zeek.png
+ title: kibana zeek
+ size: 3530x2414
+ type: image/png
 config_templates:
-- name: zeek
- title: Zeek logs
- description: Collect logs from Zeek instances
- inputs:
- - type: logfile
- title: 'Collect Zeek logs'
- description: 'Collects logs from Zeek instances. Supported logs include: capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509'
+ - name: zeek
+ title: Zeek logs
+ description: Collect logs from Zeek instances
+ inputs:
+ - type: logfile
+ title: 'Collect Zeek logs'
+ description: 'Collects logs from Zeek instances. Supported logs include: capture_loss, connection, dce_rpc, dhcp, dnp3, dns, dpd, files, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, ocsp, pe, radius, rdp, rfb, sip, smb_cmd, smb_files, smb_mapping, smtp, snmp, socks, ssh, ssl, stats, syslog, traceroute, tunnel, weird and x509'
 owner:
 github: elastic/security-ingest