diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml
index 1534c7b1a..95d09fe8d 100644
--- a/.github/workflows/arkime-build-and-push-ghcr.yml
+++ b/.github/workflows/arkime-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'arkime/**'
 - 'Dockerfiles/arkime.Dockerfile'
diff --git a/.github/workflows/elasticsearch-build-and-push-ghcr.yml b/.github/workflows/elasticsearch-build-and-push-ghcr.yml
index 1ceee0de6..27e032900 100644
--- a/.github/workflows/elasticsearch-build-and-push-ghcr.yml
+++ b/.github/workflows/elasticsearch-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'Dockerfiles/elasticsearch.Dockerfile'
 - 'shared/bin/*'
diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml
index 0dff11662..ff3124bb0 100644
--- a/.github/workflows/file-monitor-build-and-push-ghcr.yml
+++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'file-monitor/**'
 - 'Dockerfiles/file-monitor.Dockerfile'
diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml
index 1a376d6ef..211adc7c1 100644
--- a/.github/workflows/file-upload-build-and-push-ghcr.yml
+++ b/.github/workflows/file-upload-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'file-upload/**'
 - 'Dockerfiles/file-upload.Dockerfile'
diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml
index 8d8495f75..21e6fb0ad 100644
--- a/.github/workflows/filebeat-build-and-push-ghcr.yml
+++ b/.github/workflows/filebeat-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'filebeat/**'
 - 'Dockerfiles/filebeat.Dockerfile'
diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml
index 4507475ba..d61465a97 100644
--- a/.github/workflows/freq-build-and-push-ghcr.yml
+++ b/.github/workflows/freq-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'freq-server/**'
 - 'Dockerfiles/freq.Dockerfile'
diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml
index 2cf6c4b77..4fa74a724 100644
--- a/.github/workflows/htadmin-build-and-push-ghcr.yml
+++ b/.github/workflows/htadmin-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'htadmin/**'
 - 'Dockerfiles/htadmin.Dockerfile'
diff --git a/.github/workflows/kibana-build-and-push-ghcr.yml b/.github/workflows/kibana-build-and-push-ghcr.yml
index cf5d4a4b4..2815611b4 100644
--- a/.github/workflows/kibana-build-and-push-ghcr.yml
+++ b/.github/workflows/kibana-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'kibana/**'
 - 'Dockerfiles/kibana.Dockerfile'
diff --git a/.github/workflows/kibana-helper-build-and-push-ghcr.yml b/.github/workflows/kibana-helper-build-and-push-ghcr.yml
index d453c54f3..4f2295f5b 100644
--- a/.github/workflows/kibana-helper-build-and-push-ghcr.yml
+++ b/.github/workflows/kibana-helper-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'kibana/**'
 - 'Dockerfiles/kibana-helper.Dockerfile'
diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml
index 14b6c0a23..62ec61da7 100644
--- a/.github/workflows/logstash-build-and-push-ghcr.yml
+++ b/.github/workflows/logstash-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'logstash/**'
 - 'Dockerfiles/logstash.Dockerfile'
diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
new file mode 100644
index 000000000..30c8f2b2f
--- /dev/null
+++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
@@ -0,0 +1,116 @@
+name: malcolm-iso-build-docker-wrap-push-ghcr
+
+on:
+ push:
+ branches:
+ - main
+ - development
+ paths:
+ - 'malcolm-iso/**'
+ - 'shared/bin/*'
+ workflow_dispatch:
+ repository_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ packages: write
+ contents: read
+ defaults:
+ run:
+ shell: bash
+ steps:
+ -
+ name: Cancel previous run in progress
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ ignore_sha: true
+ all_but_latest: true
+ access_token: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ -
+ name: Build environment setup
+ run: |
+ sudo apt-get -q update
+ sudo env DEBIAN_FRONTEND=noninteractive apt-get install -t focal-backports --no-install-recommends -y -q \
+ apt-transport-https \
+ bc \
+ build-essential \
+ ca-certificates \
+ curl \
+ debhelper-compat \
+ debian-archive-keyring \
+ debootstrap \
+ genisoimage \
+ gettext \
+ git \
+ gnupg2 \
+ imagemagick \
+ jq \
+ pandoc \
+ po4a \
+ rsync \
+ software-properties-common \
+ squashfs-tools \
+ virt-what \
+ xorriso
+ git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20210407' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build
+ cd /tmp/live-build
+ dpkg-buildpackage -b -uc -us
+ sudo dpkg -i /tmp/live-build*.deb
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ -
+ name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ -
+ name: Extract short hash
+ shell: bash
+ run: echo "##[set-output name=hash;]$(git rev-parse --short $GITHUB_SHA)"
+ id: extract_short_hash
+ -
+ name: Extract Malcolm version
+ shell: bash
+ run: echo "##[set-output name=mversion;]$(grep -P "^\s+image:\s*malcolm" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)"
+ id: extract_malcolm_version
+ -
+ name: Build image
+ run: |
+ IMAGES=( $(grep image: docker-compose.yml | awk '{print $2}') )
+ for IMAGE in "${IMAGES[@]}"; do
+ REPO_IMAGE="$(echo "$IMAGE" | sed "s@^\(malcolmnetsec\)@ghcr.io/${{ github.repository_owner }}/\1@" | sed "s/:.*/:${{ steps.extract_branch.outputs.branch }}/")"
+ docker pull "$REPO_IMAGE" && \
+ docker tag "$REPO_IMAGE" "$IMAGE" && \
+ docker rmi "$REPO_IMAGE"
+ done
+ DEST_IMAGES_TGZ=$(pwd)/malcolm_"$(date +%Y.%m.%d_%H:%M:%S)"_${{ steps.extract_short_hash.outputs.hash }}_images.tar.gz
+ docker save "${IMAGES[@]}" | gzip > "$DEST_IMAGES_TGZ"
+ pushd ./malcolm-iso
+ sudo /usr/bin/env bash ./build.sh -d "$DEST_IMAGES_TGZ"
+ rm -rf ./shared/
+ sudo chmod 644 ./malcolm-*.*
+ popd
+ -
+ name: ghcr.io login
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Build and push ISO image
+ uses: docker/build-push-action@v2
+ with:
+ context: ./malcolm-iso
+ push: true
+ tags: ghcr.io/${{ github.repository_owner }}/malcolmnetsec/malcolm:${{ steps.extract_branch.outputs.branch }}
\ No newline at end of file
diff --git a/.github/workflows/name-map-ui-build-and-push-ghcr.yml b/.github/workflows/name-map-ui-build-and-push-ghcr.yml
index 780473739..3c866ff9b 100644
--- a/.github/workflows/name-map-ui-build-and-push-ghcr.yml
+++ b/.github/workflows/name-map-ui-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'name-map-ui/**'
 - 'Dockerfiles/name-map-ui.Dockerfile'
diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml
index e0ea6c8b1..209f3053a 100644
--- a/.github/workflows/nginx-build-and-push-ghcr.yml
+++ b/.github/workflows/nginx-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'nginx/**'
 - 'Dockerfiles/nginx.Dockerfile'
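Review bot: In the `Build image` step a failed `docker pull` is not fatal: the step runs under `bash -e`, but a failure of a non-final command in an `&&` list does not abort the script, so the loop moves on and the problem only surfaces later when `docker save "${IMAGES[@]}"` fails on the missing tag with a less useful error; terminating the chain with `docker rmi "$REPO_IMAGE" || exit 1` stops at the image that could not be fetched. The third-party actions are referenced by mutable tags (`styfle/cancel-workflow-action@0.9.1`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `actions/checkout@v2`, `docker/login-action@v1`, `docker/build-push-action@v2`) and `live-build` is cloned by git tag and installed with `sudo dpkg -i` without any verification of what was fetched; for a job that holds `packages: write` and pushes to ghcr.io these should be pinned to commit SHAs, and the same applies to the sensor-iso workflow added in this commit. The branch name from `extract_branch` is spliced into `sed "s/:.*/:.../"`, so a `workflow_dispatch` run on a branch whose name contains `/` would presumably break that expression.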
diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml
index 6ec4a182f..fd54ec8f7 100644
--- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml
+++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'pcap-capture/**'
 - 'Dockerfiles/pcap-capture.Dockerfile'
diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
index 0e98532f0..9a79ec16f 100644
--- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
+++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'pcap-monitor/**'
 - 'Dockerfiles/pcap-monitor.Dockerfile'
diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
new file mode 100644
index 000000000..3ff59fb5b
--- /dev/null
+++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
@@ -0,0 +1,105 @@
+name: sensor-iso-build-docker-wrap-push-ghcr
+
+on:
+ push:
+ branches:
+ - main
+ - development
+ paths:
+ - 'sensor-iso/**'
+ - 'shared/bin/*'
+ workflow_dispatch:
+ repository_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ packages: write
+ contents: read
+ defaults:
+ run:
+ shell: bash
+ steps:
+ -
+ name: Cancel previous run in progress
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ ignore_sha: true
+ all_but_latest: true
+ access_token: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+ -
+ name: Build environment setup
+ run: |
+ sudo apt-get -q update
+ sudo env DEBIAN_FRONTEND=noninteractive apt-get install -t focal-backports --no-install-recommends -y -q \
+ apt-transport-https \
+ bc \
+ build-essential \
+ ca-certificates \
+ curl \
+ debhelper-compat \
+ debian-archive-keyring \
+ debootstrap \
+ genisoimage \
+ gettext \
+ git \
+ gnupg2 \
+ imagemagick \
+ jq \
+ pandoc \
+ po4a \
+ rsync \
+ software-properties-common \
+ squashfs-tools \
+ virt-what \
+ xorriso
+ git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20210407' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build
+ cd /tmp/live-build
+ dpkg-buildpackage -b -uc -us
+ sudo dpkg -i /tmp/live-build*.deb
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ -
+ name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ -
+ name: Extract Malcolm version
+ shell: bash
+ run: echo "##[set-output name=mversion;]$(grep -P "^\s+image:\s*malcolm" docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)"
+ id: extract_malcolm_version
+ -
+ name: Build image
+ run: |
+ cp -r ./shared ./sensor-iso
+ pushd ./sensor-iso
+ echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
+ echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
+ sudo /usr/bin/env bash ./build.sh
+ rm -rf ./shared/
+ sudo chmod 644 ./hedgehog-*.*
+ popd
+ -
+ name: ghcr.io login
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ -
+ name: Build and push ISO image
+ uses: docker/build-push-action@v2
+ with:
+ context: ./sensor-iso
+ push: true
+ tags: ghcr.io/${{ github.repository_owner }}/malcolmnetsec/hedgehog:${{ steps.extract_branch.outputs.branch }}
\ No newline at end of file
diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml
index e5845b011..3eaa19b9f 100644
--- a/.github/workflows/zeek-build-and-push-ghcr.yml
+++ b/.github/workflows/zeek-build-and-push-ghcr.yml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - main
+ - development
 paths:
 - 'zeek/**'
 - 'Dockerfiles/zeek.Dockerfile'
diff --git a/Dockerfiles/kibana-helper.Dockerfile b/Dockerfiles/kibana-helper.Dockerfile
index 879ea47b6..902b988f3 100644
--- a/Dockerfiles/kibana-helper.Dockerfile
+++ b/Dockerfiles/kibana-helper.Dockerfile
@@ -52,7 +52,7 @@ ADD kibana/anomaly_detectors /opt/kibana/anomaly_detectors
 ADD kibana/maps /opt/maps
 ADD kibana/scripts /data/
 ADD kibana/supervisord.conf /etc/supervisord.conf
-ADD kibana/zeek_template.json /data/zeek_template.json
+ADD kibana/malcolm_template.json /data/malcolm_template.json
 ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
 ADD shared/bin/elastic_search_status.sh /data/
 ADD shared/bin/elastic_index_size_prune.py /data/
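Review bot: The `Build image` step writes `secrets.MAXMIND_GEOIP_DB_LICENSE_KEY` in plaintext to `./sensor-iso/shared/maxmind_license.txt`, and that file is only deleted by the `rm -rf ./shared/` that runs after `build.sh` succeeds, so when `build.sh` fails (the step runs under `bash -e`) the key stays on the runner's disk for the rest of the job; whether `build.sh` copies it into the ISO cannot be seen from this hunk. The secret is also expanded with `${{ }}` directly into the script text rather than passed through `env:`, which is the form that keeps the value out of the generated script. A `trap` on `EXIT` makes the cleanup unconditional; the rewritten step head is below, the rest of the step is unchanged.
```yaml
      -
        name: Build image
        env:
          MAXMIND_GEOIP_DB_LICENSE_KEY: ${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
        run: |
          cp -r ./shared ./sensor-iso
          trap 'rm -rf "$GITHUB_WORKSPACE/sensor-iso/shared"' EXIT
          pushd ./sensor-iso
          echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
          echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > ./shared/maxmind_license.txt
          # … unchanged: build.sh, rm -rf ./shared/, chmod, popd …
```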
@@ -73,7 +73,7 @@ RUN apk --no-cache add bash python3 py3-pip curl procps psmisc npm shadow jq && chown -R ${PUSER}:${PGROUP} /opt/kibana/dashboards /opt/maps /data/init /opt/kibana/anomaly_detectors && \ chmod 755 /data/*.sh /data/*.py /data/init && \ chmod 400 /opt/maps/* && \ - (echo -e "*/2 * * * * /data/kibana-create-arkime-sessions-index.sh\n0 10 * * * /data/kibana_index_refresh.py --template zeek_template\n*/20 * * * * /data/elastic_index_size_prune.py" > ${SUPERCRONIC_CRONTAB}) + (echo -e "*/2 * * * * /data/kibana-create-arkime-sessions-index.sh\n0 10 * * * /data/kibana_index_refresh.py --template malcolm_template\n*/20 * * * * /data/elastic_index_size_prune.py" > ${SUPERCRONIC_CRONTAB}) EXPOSE $KIBANA_OFFLINE_REGION_MAPS_PORT diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 2758e6fed..1262b59e6 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile 
@@ -1,48 +1,7 @@ -FROM amazonlinux:2 AS build +FROM docker.elastic.co/logstash/logstash-oss:7.10.2 # Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved. -RUN amazon-linux-extras install -y epel && \ - yum install -y \ - autoconf \ - automake \ - bison \ - bzip2 \ - curl \ - gcc-c++ \ - glibc-devel \ - glibc-headers \ - java-latest-openjdk-devel \ - libffi-devel \ - libtool \ - libyaml-devel \ - make \ - openssl-devel \ - patch \ - procps \ - readline-devel \ - tar \ - wget \ - which \ - zlib-devel - -RUN /bin/bash -lc "command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -" && \ - /bin/bash -lc "command curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -" && \ - /bin/bash -lc "curl -L get.rvm.io | bash -s stable" && \ - /bin/bash -lc "rvm autolibs fail" && \ - /bin/bash -lc "rvm install jruby-9.2.17.0" && \ - /bin/bash -lc "rvm use jruby-9.2.17.0 --default" && \ - /bin/bash -lc "gem install bundler --no-document" - -ENV OUIFILTER_URL "https://codeload.github.com/mmguero-dev/logstash-filter-ieee_oui/tar.gz/master" - -RUN cd /opt && \ - mkdir -p ./logstash-filter-ieee_oui && \ - curl -sSL "$OUIFILTER_URL" | tar xzvf - -C ./logstash-filter-ieee_oui --strip-components 1 && \ - /bin/bash -lc "export JAVA_HOME=$(realpath $(dirname $(find /usr/lib/jvm -name javac -type f))/../) && cd /opt/logstash-filter-ieee_oui && ( bundle install || bundle install ) && gem build logstash-filter-ieee_oui.gemspec && bundle info logstash-filter-ieee_oui" - -FROM docker.elastic.co/logstash/logstash-oss:7.10.2 - LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' 
@@ -77,22 +36,20 @@ ENV JAVA_HOME=/usr/share/logstash/jdk USER root -COPY --from=build /opt/logstash-filter-ieee_oui /opt/logstash-filter-ieee_oui - RUN yum install -y epel-release && \ yum update -y && \ - yum install -y curl gettext python-setuptools python-pip python-requests python-yaml openssl && \ + yum install -y curl gettext python3-setuptools python3-pip python3-requests openssl && \ yum clean all && \ - pip install py2-ipaddress supervisor && \ + pip3 install ipaddress supervisor manuf pyyaml && \ logstash-plugin install logstash-filter-translate logstash-filter-cidr logstash-filter-dns \ logstash-filter-json logstash-filter-prune logstash-filter-http \ logstash-filter-grok logstash-filter-geoip logstash-filter-uuid \ logstash-filter-kv logstash-filter-mutate logstash-filter-dissect \ logstash-input-beats logstash-output-elasticsearch && \ - logstash-plugin install /opt/logstash-filter-ieee_oui/logstash-filter-ieee_oui-1.0.6.gem && \ - rm -rf /opt/logstash-filter-ieee_oui /root/.cache /root/.gem /root/.bundle + rm -rf /root/.cache /root/.gem /root/.bundle ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +ADD shared/bin/manuf-oui-parse.py /usr/local/bin/ ADD shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ ADD logstash/maps/*.yaml /etc/ ADD logstash/config/log4j2.properties /usr/share/logstash/config/ 
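Review bot: `pip3 install ipaddress supervisor manuf pyyaml` pulls the PyPI `ipaddress` package, which is a backport of the module for older interpreters; on python3 `ipaddress` is in the standard library, so this line adds an unnecessary third-party package to the image. None of the four packages is version-pinned either, so the image is not reproducible and a yanked or compromised release would be picked up silently on the next rebuild; `pip3 install supervisor==<pinned> manuf==<pinned> pyyaml==<pinned>` (versions to be chosen by the maintainers) addresses both. The trailing `rm -rf /root/.cache /root/.gem /root/.bundle` still lists the `.gem` and `.bundle` directories that only the removed `build` stage produced; harmless, but `/root/.cache` is all that is still relevant here.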
@@ -108,9 +65,11 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" rmdir /usr/share/logstash/pipeline && \ mkdir /logstash-persistent-queue && \ chown --silent -R ${PUSER}:root /usr/share/logstash/malcolm-pipelines /logstash-persistent-queue && \ - curl -sSL -o /usr/share/logstash/config/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" && \ - ( awk -F '\t' '{gsub(":", "", $1); if (length($1) == 6) {if ($3) {print $1"\t"$3} else if ($2) {print $1"\t"$2}}}' /usr/share/logstash/config/oui.txt > /usr/share/logstash/config/oui-logstash.txt) && \ - python /usr/local/bin/ja3_build_list.py -o /etc/ja3.yaml + echo "Retrieving and parsing Wireshark manufacturer database..." && \ + python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml && \ + echo "Retrieving JA3 fingerprint lists..." && \ + python3 /usr/local/bin/ja3_build_list.py -o /etc/ja3.yaml && \ + echo "Complete." # As the keystore is encapsulated in logstash, this isn't really necessary. It's included # here just to suppress the prompt when creating the keystore. If you're concerned about it @@ -126,7 +85,7 @@ EXPOSE 9600 ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"] -CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] +CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] # to be populated at build-time: diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 1879e789c..9b5677da4 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile 
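Review bot: `python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml` replaces the inline `curl` of the Wireshark `manuf` file, and the preceding `echo "Retrieving and parsing Wireshark manufacturer database..."` indicates it still fetches that data over the network at build time; the script is not part of this diff, so whether it pins a revision or verifies a digest cannot be seen here. Like the `curl` it replaces, an unverified build-time download means the image contents depend on whatever the remote serves on the day of the build; a comment next to this line recording the source URL and expected revision, or a checksum check inside the script, would make the build reproducible and auditable. The `RUN` chain these lines belong to starts outside the hunk. In the last hunk, `CMD ["/usr/local/bin/supervisord", ...]` assumes `pip3` places the console script under `/usr/local/bin` on this base image; a `RUN test -x /usr/local/bin/supervisord` after the `pip3 install` would catch a path mismatch at build time rather than at container start.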
@@ -141,8 +141,8 @@ ADD zeek/config/*.txt ${ZEEK_DIR}/share/zeek/site/ # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 19 ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(_Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|Salesforce::GQUIC|Zeek::PROFINET|Zeek::S7comm|Zeek::TDS)" -ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 17 -ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|hassh/hassh|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)" +ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 18 +ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|hassh/hassh|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)" RUN mkdir -p /tmp/logs && \ cd /tmp/logs && \ diff --git a/README.md b/README.md index 85599e612..21c8ec71a 100644 --- a/README.md +++ b/README.md 
@@ -141,21 +141,21 @@ You can then observe that the images have been retrieved by running `docker imag ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/arkime 3.4.0 xxxxxxxxxxxx 39 hours ago 826MB -malcolmnetsec/elasticsearch-od 3.4.0 xxxxxxxxxxxx 40 hours ago 1.42GB -malcolmnetsec/file-monitor 3.4.0 xxxxxxxxxxxx 39 hours ago 603MB -malcolmnetsec/file-upload 3.4.0 xxxxxxxxxxxx 39 hours ago 605MB -malcolmnetsec/filebeat-oss 3.4.0 xxxxxxxxxxxx 39 hours ago 266MB -malcolmnetsec/freq 3.4.0 xxxxxxxxxxxx 39 hours ago 151MB -malcolmnetsec/htadmin 3.4.0 xxxxxxxxxxxx 39 hours ago 262MB -malcolmnetsec/kibana-helper 3.4.0 xxxxxxxxxxxx 40 hours ago 153MB -malcolmnetsec/kibana-od 3.4.0 xxxxxxxxxxxx 40 hours ago 1.35GB -malcolmnetsec/logstash-oss 3.4.0 xxxxxxxxxxxx 39 hours ago 1.36GB -malcolmnetsec/name-map-ui 3.4.0 xxxxxxxxxxxx 39 hours ago 142MB -malcolmnetsec/nginx-proxy 3.4.0 xxxxxxxxxxxx 39 hours ago 116MB -malcolmnetsec/pcap-capture 3.4.0 xxxxxxxxxxxx 39 hours ago 121MB -malcolmnetsec/pcap-monitor 3.4.0 xxxxxxxxxxxx 39 hours ago 221MB -malcolmnetsec/zeek 3.4.0 xxxxxxxxxxxx 39 hours ago 926MB +malcolmnetsec/arkime 4.0.0 xxxxxxxxxxxx 39 hours ago 826MB +malcolmnetsec/elasticsearch-od 4.0.0 xxxxxxxxxxxx 40 hours ago 1.42GB +malcolmnetsec/file-monitor 4.0.0 xxxxxxxxxxxx 39 hours ago 603MB +malcolmnetsec/file-upload 4.0.0 xxxxxxxxxxxx 39 hours ago 605MB +malcolmnetsec/filebeat-oss 4.0.0 xxxxxxxxxxxx 39 hours ago 266MB +malcolmnetsec/freq 4.0.0 xxxxxxxxxxxx 39 hours ago 151MB +malcolmnetsec/htadmin 4.0.0 xxxxxxxxxxxx 39 hours ago 262MB +malcolmnetsec/kibana-helper 4.0.0 xxxxxxxxxxxx 40 hours ago 153MB +malcolmnetsec/kibana-od 4.0.0 xxxxxxxxxxxx 40 hours ago 1.35GB +malcolmnetsec/logstash-oss 4.0.0 xxxxxxxxxxxx 39 hours ago 1.36GB +malcolmnetsec/name-map-ui 4.0.0 xxxxxxxxxxxx 39 hours ago 142MB +malcolmnetsec/nginx-proxy 4.0.0 xxxxxxxxxxxx 39 hours ago 116MB +malcolmnetsec/pcap-capture 4.0.0 xxxxxxxxxxxx 39 hours ago 121MB +malcolmnetsec/pcap-monitor 4.0.0 
xxxxxxxxxxxx 39 hours ago 221MB +malcolmnetsec/zeek 4.0.0 xxxxxxxxxxxx 39 hours ago 926MB ``` #### Import from pre-packaged tarballs @@ -219,6 +219,7 @@ Malcolm leverages the following excellent open source tools, among others. * ICS protocol analyzers for Zeek published by [DHS CISA](https://github.com/cisagov/ICSNPP) and [Idaho National Lab](https://github.com/idaholab/ICSNPP) * Corelight's ["bad neighbor" (CVE-2020-16898)](https://github.com/corelight/CVE-2020-16898) plugin * Corelight's ["OMIGOD" (CVE-2021-38647)](https://github.com/corelight/CVE-2021-38647) plugin + * Corelight's [Microsoft Excel privilege escalation detection (CVE-2021-42292)](https://github.com/corelight/CVE-2021-42292) plugin * Corelight's [Apache HTTP server 2.4.49-2.4.50 path traversal/RCE vulnerability (CVE-2021-41773)](https://github.com/corelight/CVE-2021-41773) plugin * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin * Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin 
@@ -365,6 +366,8 @@ Then, go take a walk or something since it will be a while. When you're done, yo * `malcolmnetsec/pcap-monitor` (based on `debian:buster-slim`) * `malcolmnetsec/pcap-zeek` (based on `debian:buster-slim`) +Alternately, if you have forked Malcolm on GitHub, [workflow files](./.github/workflows/) are provided which contain instructions for GitHub to build the docker images and [sensor](#Hedgehog) and [Malcolm](#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolmnetsec/image:branch` (e.g., if you've forked Malcolm with the github user `romeogdetlevjr`, the `arkime` container built for the `main` would be named `ghcr.io/romeogdetlevjr/malcolmnetsec/arkime:main`). To run your local instance of Malcolm using these images instead of the official ones, you'll need to edit your `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern. + ## Pre-Packaged installation files ### Creating pre-packaged installation files 
@@ -930,7 +933,7 @@ A stock installation of Arkime extracts all of its network connection ("session" In this way, when full packet capture is an option, analysis of PCAP files can be enhanced by the additional information Zeek provides. When full packet capture is not an option, similar analysis can still be performed using the same interfaces and processes using the Zeek logs alone. -One value of particular mention is **Zeek Log Type** (`zeek.logType` in Elasticsearch). This value corresponds to the kind of Zeek `.log` file from which the record was created. In other words, a search could be restricted to records from `conn.log` by searching `zeek.logType == conn`, or restricted to records from `weird.log` by searching `zeek.logType == weird`. In this same way, to view *only* records from Zeek logs (excluding any from PCAP files), use the special Arkime `EXISTS` filter, as in `zeek.logType == EXISTS!`. On the other hand, to exclude Zeek logs and only view records from PCAP files, use `zeek.logType != EXISTS!`. +One value of particular mention is **Zeek Log Type** (`event.dataset` in Elasticsearch). This value corresponds to the kind of Zeek `.log` file from which the record was created. In other words, a search could be restricted to records from `conn.log` by searching `event.dataset == conn`, or restricted to records from `weird.log` by searching `event.dataset == weird`. In this same way, to view *only* records from Zeek logs (excluding any from PCAP files), use the special Arkime `EXISTS` filter, as in `event.dataset == EXISTS!`. On the other hand, to exclude Zeek logs and only view Arkime Sessions, use `fileId != EXISTS!`. 
Click the icon of the owl **πŸ¦‰** in the upper-left hand corner of to access the Arkime usage documentation (accessible at [https://localhost/help](https://localhost/help) if you are connecting locally), click the **Fields** label in the navigation pane, then search for `zeek` to see a list of the other Zeek log types and fields available to Malcolm. 
@@ -942,7 +945,7 @@ The values of records created from Zeek logs can be expanded and viewed like any The Arkime interface displays both Zeek logs and Arkime sessions alongside each other. Using fields common to both data sources, one can [craft queries](#SearchCheatSheet) to filter results matching desired criteria. -A few fields of particular mention that help limit returned results to those Zeek logs and Arkime session records generated from the same network connection are [Community ID](https://github.com/corelight/community-id-spec) (`network.community_id` and `zeek.community_id` in Arkime and Zeek, respectively) and Zeek's [connection UID](https://docs.zeek.org/en/stable/examples/logs/#using-uids) (`zeek.uid`), which Malcolm maps to Arkime's `rootId` field. +A few fields of particular mention that help limit returned results to those Zeek logs and Arkime session records generated from the same network connection are [Community ID](https://github.com/corelight/community-id-spec) (`network.community_id` and `network.community_id` in Arkime and Zeek, respectively) and Zeek's [connection UID](https://docs.zeek.org/en/stable/examples/logs/#using-uids) (`zeek.uid`), which Malcolm maps to both Arkime's `rootId` field and the [ECS](https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-id) `event.id` field. Community ID is specification for standard flow hashing [published by Corelight](https://github.com/corelight/community-id-spec) with the intent of making it easier to pivot from one dataset (e.g., Arkime sessions) to another (e.g., Zeek `conn.log` entries). In Malcolm both Arkime and [Zeek](https://github.com/corelight/zeek-community-id) populate this value, which makes it possible to filter for a specific network connection and see both data sources' results for that connection. 
@@ -967,7 +970,7 @@ The **Sessions** view contains many controls for filtering the sessions displaye * [search bar](https://localhost/help#search): Indicated by the magnifying glass **πŸ”** icon, the search bar allows defining filters on session/log metadata * [time bounding](https://localhost/help#timebounding) controls: The **πŸ•˜**, **Start**, **End**, **Bounding**, and **Interval** fields, and the **date histogram** can be used to visually zoom and pan the time range being examined. * search button: The **Search** button re-runs the sessions query with the filters currently specified. -* views button: Indicated by the eyeball **πŸ‘** icon, views allow overlaying additional previously-specified filters onto the current sessions filters. For convenience, Malcolm provides several Arkime preconfigured views including several on the `zeek.logType` field. +* views button: Indicated by the eyeball **πŸ‘** icon, views allow overlaying additional previously-specified filters onto the current sessions filters. For convenience, Malcolm provides several Arkime preconfigured views including filtering on the `event.dataset` field. ![Malcolm views](./docs/images/screenshots/arkime_log_filter.png) 
@@ -1062,7 +1065,7 @@ Once the hunt job is complete (and a minute or so has passed, as the `huntId` mu From this list of filtered sessions you can expand session details and explore packet payloads which matched the hunt search criteria. -The hunt feature is available only for sessions created from full packet capture data, not Zeek logs. This being the case, it is a good idea to click the eyeball **πŸ‘** icon and select the **PCAP Files** view to exclude Zeek logs from candidate sessions prior to using the hunt feature. +The hunt feature is available only for sessions created from full packet capture data, not Zeek logs. This being the case, it is a good idea to click the eyeball **πŸ‘** icon and select the **Arkime Sessions** view to exclude Zeek logs from candidate sessions prior to using the hunt feature. See also Arkime's usage documentation for more information on the [hunt feature](https://localhost/help#hunt). 
@@ -1195,8 +1198,8 @@ Kibana supports two query syntaxes: the legacy [Lucene](https://www.elastic.co/g | | [Arkime Search String](https://localhost/help#search) | [Kibana Search String (Lucene)](https://www.elastic.co/guide/en/kibana/current/lucene-query.html) | [Kibana Search String (KQL)](https://www.elastic.co/guide/en/kibana/current/kuery-query.html)| |---|:---:|:---:|:---:| -| Field exists |`zeek.logType == EXISTS!`|`_exists_:zeek.logType`|`zeek.logType:*`| -| Field does not exist |`zeek.logType != EXISTS!`|`NOT _exists_:zeek.logType`|`NOT zeek.logType:*`| +| Field exists |`event.dataset == EXISTS!`|`_exists_:event.dataset`|`event.dataset:*`| +| Field does not exist |`event.dataset != EXISTS!`|`NOT _exists_:event.dataset`|`NOT event.dataset:*`| | Field matches a value |`port.dst == 22`|`destination.port:22`|`destination.port:22`| | Field does not match a value |`port.dst != 22`|`NOT destination.port:22`|`NOT destination.port:22`| | Field matches at least one of a list of values |`tags == [external_source, external_destination]`|`tags:(external_source OR external_destination)`|`tags:(external_source or external_destination)`| 
@@ -1204,14 +1207,14 @@ Kibana supports two query syntaxes: the legacy [Lucene](https://www.elastic.co/g | Field range (exclusive) |`http.statuscode > 200 && http.statuscode < 300`|`http.statuscode:{200 TO 300}`|`http.statuscode > 200 and http.statuscode < 300`| | Field range (mixed exclusivity) |`http.statuscode >= 200 && http.statuscode < 300`|`http.statuscode:[200 TO 300}`|`http.statuscode >= 200 and http.statuscode < 300`| | Match all search terms (AND) |`(tags == [external_source, external_destination]) && (http.statuscode == 401)`|`tags:(external_source OR external_destination) AND http.statuscode:401`|`tags:(external_source or external_destination) and http.statuscode:401`| -| Match any search terms (OR) |`(zeek_ftp.password == EXISTS!) || (zeek_http.password == EXISTS!) || (zeek.user == "anonymous")`|`_exists_:zeek_ftp.password OR _exists_:zeek_http.password OR zeek.user:"anonymous"`|`zeek_ftp.password:* or zeek_http.password:* or zeek.user:"anonymous"`| +| Match any search terms (OR) |`(zeek.ftp.password == EXISTS!) || (zeek.http.password == EXISTS!) 
|| (related.user == "anonymous")`|`_exists_:zeek.ftp.password OR _exists_:zeek.http.password OR related.user:"anonymous"`|`zeek.ftp.password:* or zeek.http.password:* or related.user:"anonymous"`| | Global string search (anywhere in the document) |all Arkime search expressions are field-based|`microsoft`|`microsoft`| | Wildcards|`host.dns == "*micro?oft*"` (`?` for single character, `*` for any characters)|`dns.host:*micro?oft*` (`?` for single character, `*` for any characters)|`dns.host:*micro*ft*` (`*` for any characters)| -| Regex |`host.http == /.*www\.f.*k\.com.*/`|`zeek_http.host:/.*www\.f.*k\.com.*/`|Kibana Query Language does not currently support regex| +| Regex |`host.http == /.*www\.f.*k\.com.*/`|`zeek.http.host:/.*www\.f.*k\.com.*/`|Kibana Query Language does not currently support regex| | IPv4 values |`ip == 0.0.0.0/0`|`source.ip:"0.0.0.0/0" OR destination.ip:"0.0.0.0/0"`|`source.ip:"0.0.0.0/0" OR destination.ip:"0.0.0.0/0"`| | IPv6 values |`(ip.src == EXISTS! || ip.dst == EXISTS!) 
&& (ip != 0.0.0.0/0)`|`(_exists_:source.ip AND NOT source.ip:"0.0.0.0/0") OR (_exists_:destination.ip AND NOT destination.ip:"0.0.0.0/0")`|`(source.ip:* and not source.ip:"0.0.0.0/0") or (destination.ip:* and not destination.ip:"0.0.0.0/0")`| -| GeoIP information available |`country == EXISTS!`|`_exists_:zeek.destination_geo OR _exists_:zeek.source_geo`|`zeek.destination_geo:* or zeek.source_geo:*`| -| Zeek log type |`zeek.logType == notice`|`zeek.logType:notice`|`zeek.logType:notice`| +| GeoIP information available |`country == EXISTS!`|`_exists_:destination.geo OR _exists_:source.geo`|`destination.geo:* or source.geo:*`| +| Zeek log type |`event.dataset == notice`|`event.dataset:notice`|`event.dataset:notice`| | IP CIDR Subnets |`ip.src == 172.16.0.0/12`|`source.ip:"172.16.0.0/12"`|`source.ip:"172.16.0.0/12"`| | Search time frame |Use Arkime time bounding controls under the search bar|Use Kibana time range controls in the upper right-hand corner|Use Kibana time range controls in the upper right-hand corner| 
@@ -1219,35 +1222,35 @@ When building complex queries, it is **strongly recommended** that you enclose s As Zeek logs are ingested, Malcolm parses and normalizes the logs' fields to match Arkime's underlying Elasticsearch schema. A complete list of these fields can be found in the Arkime help (accessible at [https://localhost/help#fields](https://localhost/help#fields) if you are connecting locally). -Whenever possible, Zeek fields are mapped to existing corresponding Arkime fields: for example, the `orig_h` field in Zeek is mapped to Arkime's `source.ip` field. The original Zeek fields are also left intact. To complicate the issue, the Arkime interface uses its own aliases to reference those fields: the source IP field is referenced as `ip.src` (Arkime's alias) in Arkime and `source.ip` or `zeek.orig_h` in Kibana. +Whenever possible, Zeek fields are mapped to existing corresponding Arkime fields: for example, the `orig_h` field in Zeek is mapped to Arkime's `source.ip` field. The original Zeek fields are also left intact. To complicate the issue, the Arkime interface uses its own aliases to reference those fields: the source IP field is referenced as `ip.src` (Arkime's alias) in Arkime and `source.ip` or `source.ip` in Kibana. The table below shows the mapping of some of these fields. 
| Field Description |Arkime Field Alias(es)|Arkime-mapped Zeek Field(s)|Zeek Field(s)| |---|:---:|:---:|:---:| -| [Community ID](https://github.com/corelight/community-id-spec) Flow Hash ||`network.community_id`|`zeek.community_id`| -| Destination IP |`ip.dst`|`destination.ip`|`zeek.resp_h`| -| Destination MAC |`mac.dst`|`destination.mac`|`zeek.resp_l2_addr`| -| Destination Port |`port.dst`|`destination.port`|`zeek.resp_p`| -| Duration |`session.length`|`length`|`zeek_conn.duration`| +| [Community ID](https://github.com/corelight/community-id-spec) Flow Hash ||`network.community_id`|`network.community_id`| +| Destination IP |`ip.dst`|`destination.ip`|`destination.ip`| +| Destination MAC |`mac.dst`|`destination.mac`|`destination.mac`| +| Destination Port |`port.dst`|`destination.port`|`destination.port`| +| Duration |`session.length`|`length`|`zeek.conn.duration`| | First Packet Time |`starttime`|`firstPacket`|`zeek.ts`, `@timestamp`| -| IP Protocol |`ip.protocol`|`ipProtocol`|`zeek.proto`| +| IP Protocol |`ip.protocol`|`ipProtocol`|`network.transport`| | Last Packet Time |`stoptime`|`lastPacket`|| -| MIME Type |`email.bodymagic`, `http.bodymagic`|`http.bodyMagic`|`zeek.filetype`, `zeek_files.mime_type`, `zeek_ftp.mime_type`, `zeek_http.orig_mime_types`, `zeek_http.resp_mime_types`, `zeek_irc.dcc_mime_type`| -| Protocol/Service |`protocols`|`protocol`|`zeek.proto`, `zeek.service`| -| Request Bytes |`databytes.src`, `bytes.src`|`source.bytes`, `client.bytes`|`zeek_conn.orig_bytes`, `zeek_conn.orig_ip_bytes`| -| Request Packets |`packets.src`|`source.packets`|`zeek_conn.orig_pkts`| -| Response Bytes |`databytes.dst`, `bytes.dst`|`destination.bytes`, `server.bytes`|`zeek_conn.resp_bytes`, `zeek_conn.resp_ip_bytes`| -| Response Packets |`packets.dst`|`destination.packets`|`zeek_con.resp_pkts`| -| Source IP |`ip.src`|`source.ip`|`zeek.orig_h`| -| Source MAC |`mac.src`|`source.mac`|`zeek.orig_l2_addr`| -| Source Port |`port.src`|`source.port`|`zeek.orig_p`| +| MIME Type 
|`email.bodymagic`, `http.bodymagic`|`http.bodyMagic`|`file.mime_type`, `zeek.files.mime_type`, `zeek.ftp.mime_type`, `zeek.http.orig_mime_types`, `zeek.http.resp_mime_types`, `zeek.irc.dcc_mime_type`| +| Protocol/Service |`protocols`|`protocol`|`network.transport`, `network.protocol`| +| Request Bytes |`databytes.src`, `bytes.src`|`source.bytes`, `client.bytes`|`zeek.conn.orig_bytes`, `zeek.conn.orig_ip_bytes`| +| Request Packets |`packets.src`|`source.packets`|`zeek.conn.orig_pkts`| +| Response Bytes |`databytes.dst`, `bytes.dst`|`destination.bytes`, `server.bytes`|`zeek.conn.resp_bytes`, `zeek.conn.resp_ip_bytes`| +| Response Packets |`packets.dst`|`destination.packets`|`zeek.con.resp_pkts`| +| Source IP |`ip.src`|`source.ip`|`source.ip`| +| Source MAC |`mac.src`|`source.mac`|`source.mac`| +| Source Port |`port.src`|`source.port`|`source.port`| | Total Bytes |`databytes`, `bytes`|`totDataBytes`, `network.bytes`|| | Total Packets |`packets`|`network.packets`|| -| Username |`user`|`user`|`zeek.user`| -| Zeek Connection UID|||`zeek.uid`| -| Zeek File UID |||`zeek.fuid`| -| Zeek Log Type |||`zeek.logType`| +| Username |`user`|`user`|`related.user`| +| Zeek Connection UID|||`zeek.uid`, `event.id`| +| Zeek File UID |||`zeek.fuid`, `event.id`| +| Zeek Log Type |||`event.dataset`| In addition to the fields listed above, Arkime provides several special field aliases for matching any field of a particular type. While these aliases do not exist in Kibana *per se*, they can be approximated as illustrated below. 
@@ -1255,10 +1258,10 @@ In addition to the fields listed above, Arkime provides several special field al |---|:---:|:---:| | IP Address | `ip == 192.168.0.1` | `source.ip:192.168.0.1 OR destination.ip:192.168.0.1` | | Port | `port == [80, 443, 8080, 8443]` | `source.port:(80 OR 443 OR 8080 OR 8443) OR destination.port:(80 OR 443 OR 8080 OR 8443)` | -| Country (code) | `country == [RU,CN]` | `zeek.destination_geo.country_code2:(RU OR CN) OR zeek.source_geo.country_code2:(RU OR CN) OR dns.GEO:(RU OR CN)` | -| Country (name) | | `zeek.destination_geo.country_name:(Russia OR China) OR zeek.source_geo.country_name:(Russia OR China)` | +| Country (code) | `country == [RU,CN]` | `destination.geo.country_code2:(RU OR CN) OR source.geo.country_code2:(RU OR CN) OR dns.GEO:(RU OR CN)` | +| Country (name) | | `destination.geo.country_name:(Russia OR China) OR source.geo.country_name:(Russia OR China)` | | ASN | `asn == "*Mozilla*"` | `source.as.full:*Mozilla* OR destination.as.full:*Mozilla* OR dns.ASN:*Mozilla*` | -| Host | `host == www.microsoft.com` | `zeek_http.host:www.microsoft.com (or zeek_dhcp.host_name, zeek_dns.host, zeek_ntlm.host, smb.host, etc.)` | +| Host | `host == www.microsoft.com` | `zeek.http.host:www.microsoft.com (or zeek.dhcp.host_name, zeek.dns.host, zeek.ntlm.host, smb.host, etc.)` | | Protocol (layers >= 4) | `protocols == tls` | `protocol:tls` | | User | `user == EXISTS! && user != anonymous` | `_exists_:user AND (NOT user:anonymous)` | 
@@ -1322,9 +1325,9 @@ Each non-comment line (not beginning with a `#`), defines an address-to-name map ``` Each line consists of three `|`-separated fields: address(es), hostname, and, optionally, a tag which, if specified, must belong to a log for the matching to occur. -As Zeek logs are processed into Malcolm's Elasticsearch instance, the log's source and destination IP and MAC address fields (`zeek.orig_h`, `zeek.resp_h`, `zeek.orig_l2_addr`, and `zeek.resp_l2_addr`, respectively) are compared against the lists of addresses in `host-map.txt`. When a match is found, a new field is added to the log: `zeek.orig_hostname` or `zeek.resp_hostname`, depending on whether the matching address belongs to the originating or responding host. If the third field (the "required tag" field) is specified, a log must also contain that value in its `tags` field in addition to matching the IP or MAC address specified in order for the corresponding `_hostname` field to be added. +As Zeek logs are processed into Malcolm's Elasticsearch instance, the log's source and destination IP and MAC address fields (`source.ip`, `destination.ip`, `source.mac`, and `destination.mac`, respectively) are compared against the lists of addresses in `host-map.txt`. When a match is found, a new field is added to the log: `source.hostname` or `destination.hostname`, depending on whether the matching address belongs to the originating or responding host. If the third field (the "required tag" field) is specified, a log must also contain that value in its `tags` field in addition to matching the IP or MAC address specified in order for the corresponding `_hostname` field to be added. -`zeek.orig_hostname` and `zeek.resp_hostname` may each contain multiple values. For example, if both a host's source IP address and source MAC address were matched by two different lines, `zeek.orig_hostname` would contain the hostname values from both matching lines. 
+`source.hostname` and `destination.hostname` may each contain multiple values. For example, if both a host's source IP address and source MAC address were matched by two different lines, `source.hostname` would contain the hostname values from both matching lines. #### CIDR subnet to network segment name mapping via `cidr-map.txt` 
@@ -1352,11 +1355,11 @@ Each non-comment line (not beginning with a `#`), defines an subnet-to-name mapp ``` Each line consists of three `|`-separated fields: CIDR-formatted subnet IP range(s), subnet name, and, optionally, a tag which, if specified, must belong to a log for the matching to occur. -As Zeek logs are processed into Malcolm's Elasticsearch instance, the log's source and destination IP address fields (`zeek.orig_h` and `zeek.resp_h`, respectively) are compared against the lists of addresses in `cidr-map.txt`. When a match is found, a new field is added to the log: `zeek.orig_segment` or `zeek.resp_segment`, depending on whether the matching address belongs to the originating or responding host. If the third field (the "required tag" field) is specified, a log must also contain that value in its `tags` field in addition to its IP address falling within the subnet specified in order for the corresponding `_segment` field to be added. +As Zeek logs are processed into Malcolm's Elasticsearch instance, the log's source and destination IP address fields (`source.ip` and `destination.ip`, respectively) are compared against the lists of addresses in `cidr-map.txt`. When a match is found, a new field is added to the log: `source.segment` or `destination.segment`, depending on whether the matching address belongs to the originating or responding host. If the third field (the "required tag" field) is specified, a log must also contain that value in its `tags` field in addition to its IP address falling within the subnet specified in order for the corresponding `_segment` field to be added. -`zeek.orig_segment` and `zeek.resp_segment` may each contain multiple values. For example, if `cidr-map.txt` specifies multiple overlapping subnets on different lines, `zeek.orig_segment` would contain the hostname values from both matching lines if `zeek.orig_h` belonged to both subnets. +`source.segment` and `destination.segment` may each contain multiple values. 
For example, if `cidr-map.txt` specifies multiple overlapping subnets on different lines, `source.segment` would contain the hostname values from both matching lines if `source.ip` belonged to both subnets. -If both `zeek.orig_segment` and `zeek.resp_segment` are added to a log, and if they contain different values, the tag `cross_segment` will be added to the log's `tags` field for convenient identification of cross-segment traffic. This traffic could be easily visualized using Arkime's **Connections** graph, by setting the **Src:** value to **Originating Network Segment** and the **Dst:** value to **Responding Network Segment**: +If both `source.segment` and `destination.segment` are added to a log, and if they contain different values, the tag `cross_segment` will be added to the log's `tags` field for convenient identification of cross-segment traffic. This traffic could be easily visualized using Arkime's **Connections** graph, by setting the **Src:** value to **Originating Network Segment** and the **Dst:** value to **Responding Network Segment**: ![Cross-segment traffic in Connections](./docs/images/screenshots/arkime_connections_segments.png) 
@@ -1423,7 +1426,7 @@ These categories' severity scores can be customized by editing `logstash/maps/ma * Each category can be assigned a number between `1` and `100` for severity scoring. * Any category may be disabled by assigning it a score of `0`. -* A severity score can be assigned for any [supported protocol](#Protocols) by adding an entry with the key formatted like `"PROTOCOL_XYZ"`, where `XYZ` is the uppercased value of the protocol as stored in the `zeek.service` field. For example, to assign a score of `40` to Zeek logs generated for SSH traffic, you could add the following line to `malcolm_severity.yaml`: +* A severity score can be assigned for any [supported protocol](#Protocols) by adding an entry with the key formatted like `"PROTOCOL_XYZ"`, where `XYZ` is the uppercased value of the protocol as stored in the `network.protocol` field. For example, to assign a score of `40` to Zeek logs generated for SSH traffic, you could add the following line to `malcolm_severity.yaml`: ``` "PROTOCOL_SSH": 40 @@ -1513,7 +1516,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu ``` … -Finished, created "/malcolm-build/malcolm-iso/malcolm-3.4.0.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-4.0.0.iso" … ``` 
@@ -1526,6 +1529,8 @@ $ ./malcolm-iso/build_via_vagrant.sh -f -d malcolm_YYYYMMDD_HHNNSS_xxxxxxx_image A system installed from the resulting ISO will load the Malcolm Docker images upon first boot. This method is desirable when the ISO is to be installed in an "air gapped" environment or for distribution to non-networked machines. +Alternately, if you have forked Malcolm on GitHub, [workflow files](./.github/workflows/) are provided which contain instructions for GitHub to build the docker images and [sensor](#Hedgehog) and [Malcolm](#ISO) installer ISOs, specifically [`malcolm-iso-build-docker-wrap-push-ghcr.yml`](./.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) for the Malcolm ISO. You'll need to run the workflows to build and push your fork's Malcolm docker images before building the ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded. + ### Installation The installer is designed to require as little user input as possible. For this reason, there are NO user prompts and confirmations about partitioning and reformatting hard disks for use by the operating system. The installer assumes that all non-removable storage media (eg., SSD, HDD, NVMe, etc.) are available for use and β›”πŸ†˜πŸ˜­πŸ’€ ***will partition and format them without warning*** πŸ’€πŸ˜­πŸ†˜β›”. 
@@ -1896,21 +1901,21 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE
-malcolmnetsec/arkime 3.4.0 xxxxxxxxxxxx 39 hours ago 826MB
-malcolmnetsec/elasticsearch-od 3.4.0 xxxxxxxxxxxx 40 hours ago 1.42GB
-malcolmnetsec/file-monitor 3.4.0 xxxxxxxxxxxx 39 hours ago 603MB
-malcolmnetsec/file-upload 3.4.0 xxxxxxxxxxxx 39 hours ago 605MB
-malcolmnetsec/filebeat-oss 3.4.0 xxxxxxxxxxxx 39 hours ago 266MB
-malcolmnetsec/freq 3.4.0 xxxxxxxxxxxx 39 hours ago 151MB
-malcolmnetsec/htadmin 3.4.0 xxxxxxxxxxxx 39 hours ago 262MB
-malcolmnetsec/kibana-helper 3.4.0 xxxxxxxxxxxx 40 hours ago 153MB
-malcolmnetsec/kibana-od 3.4.0 xxxxxxxxxxxx 40 hours ago 1.35GB
-malcolmnetsec/logstash-oss 3.4.0 xxxxxxxxxxxx 39 hours ago 1.36GB
-malcolmnetsec/name-map-ui 3.4.0 xxxxxxxxxxxx 39 hours ago 142MB
-malcolmnetsec/nginx-proxy 3.4.0 xxxxxxxxxxxx 39 hours ago 116MB
-malcolmnetsec/pcap-capture 3.4.0 xxxxxxxxxxxx 39 hours ago 121MB
-malcolmnetsec/pcap-monitor 3.4.0 xxxxxxxxxxxx 39 hours ago 221MB
-malcolmnetsec/zeek 3.4.0 xxxxxxxxxxxx 39 hours ago 926MB
+malcolmnetsec/arkime 4.0.0 xxxxxxxxxxxx 39 hours ago 826MB
+malcolmnetsec/elasticsearch-od 4.0.0 xxxxxxxxxxxx 40 hours ago 1.42GB
+malcolmnetsec/file-monitor 4.0.0 xxxxxxxxxxxx 39 hours ago 603MB
+malcolmnetsec/file-upload 4.0.0 xxxxxxxxxxxx 39 hours ago 605MB
+malcolmnetsec/filebeat-oss 4.0.0 xxxxxxxxxxxx 39 hours ago 266MB
+malcolmnetsec/freq 4.0.0 xxxxxxxxxxxx 39 hours ago 151MB
+malcolmnetsec/htadmin 4.0.0 xxxxxxxxxxxx 39 hours ago 262MB
+malcolmnetsec/kibana-helper 4.0.0 xxxxxxxxxxxx 40 hours ago 153MB
+malcolmnetsec/kibana-od 4.0.0 xxxxxxxxxxxx 40 hours ago 1.35GB
+malcolmnetsec/logstash-oss 4.0.0 xxxxxxxxxxxx 39 hours ago 1.36GB
+malcolmnetsec/name-map-ui 4.0.0 xxxxxxxxxxxx 39 hours ago 142MB
+malcolmnetsec/nginx-proxy 4.0.0 xxxxxxxxxxxx 39 hours ago 116MB
+malcolmnetsec/pcap-capture 4.0.0 xxxxxxxxxxxx 39 hours ago 121MB
+malcolmnetsec/pcap-monitor 4.0.0 xxxxxxxxxxxx 39 hours ago 221MB
+malcolmnetsec/zeek 4.0.0 xxxxxxxxxxxx 39 hours ago 926MB ``` Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background. @@ -2027,6 +2032,10 @@ After upgrading following one of the previous outlines, give Malcolm several min Once the upgraded instance Malcolm has started up, you'll probably want to import the new dashboards and visualizations for Kibana. You can signal Malcolm to load the new visualizations by opening Kibana, clicking **Management** β†’ **Index Patterns**, then selecting the `arkime_sessions3-*` index pattern and clicking the delete **πŸ—‘** button near the upper-right of the window. Confirm the **Delete index pattern?** prompt by clicking **Delete**. Close the Kibana browser window. After a few minutes the missing index pattern will be detected and Kibana will be signalled to load its new dashboards and visualizations. +### Major releases + +The Malcolm project uses [semantic versioning](https://semver.org/) when choosing version numbers. If you are moving between major releases (e.g., from v3.4.0 to v4.0.0), you're likely to find that there are enough major backwards compatibility-breaking changes that upgrading may not be worth the time and trouble. A fresh install is strongly recommended between major releases. + ## Copyright [Malcolm](https://github.com/cisagov/Malcolm) is Copyright 2021 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/) of the [U.S. Department of Homeland Security](https://www.dhs.gov/). diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini index 1aac537df..abd53a2ef 100644 --- a/arkime/etc/config.ini +++ b/arkime/etc/config.ini 
@@ -33,7 +33,7 @@ dropGroup=arkime # The userAutoCreateTmpl should more or less match what's in /etc/user_settings.json # which is what's used when creating the default admin user. userNameHeader=http_auth_http_user -userAutoCreateTmpl={"userId": "${this.http_auth_http_user}", "userName": "${this.http_auth_http_user}", "enabled": true, "createEnabled": false, "webEnabled": true, "headerAuthEnabled": true, "emailSearch": true, "removeEnabled": false, "packetSearch": true, "hideStats": false, "hideFiles": false, "hidePcap": false, "disablePcapDownload": false, "settings": { "timezone": "local", "detailFormat": "last", "showTimestamps": "last", "sortColumn": "start", "sortDirection": "desc", "spiGraph": "protocol", "connSrcField": "source.ip", "connDstField": "destination.ip", "numPackets": "last", "theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF", "manualQuery": false }, "views": { "Public IP Addresses": { "expression": "(country.dst == EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24 && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! 
&& ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24 && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)" }, "PCAP Files": { "expression": "zeek.logType != EXISTS!" }, "Zeek Logs": { "expression": "zeek.logType == EXISTS!" }, "Zeek conn.log": { "expression": "zeek.logType == conn" }, "Zeek Exclude conn.log": { "expression": "zeek.logType == EXISTS! && zeek.logType != conn" } }, "tableStates": { "sessionsNew": { "order": [ [ "firstPacket", "desc" ] ], "visibleHeaders": [ "protocol", "zeek.logType", "firstPacket", "lastPacket", "src", "source.port", "dst", "destination.port", "network.packets", "dbby", "tags", "info" ] } } } +userAutoCreateTmpl={"userId": "${this.http_auth_http_user}", "userName": "${this.http_auth_http_user}", "enabled": true, "createEnabled": false, "webEnabled": true, "headerAuthEnabled": true, "emailSearch": true, "removeEnabled": false, "packetSearch": true, "hideStats": false, "hideFiles": false, "hidePcap": false, "disablePcapDownload": false, "settings": { "timezone": "local", "detailFormat": "last", "showTimestamps": "last", "sortColumn": "start", "sortDirection": "desc", "spiGraph": "protocol", "connSrcField": "source.ip", "connDstField": "destination.ip", "numPackets": "last", "theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF", "manualQuery": false }, "views": { "Public IP Addresses": { "expression": "(country.dst == 
EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24 && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! && ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24 && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)" }, "Arkime Sessions": { "expression": "file == EXISTS!" }, "Zeek Logs": { "expression": "event.provider == zeek" }, "Zeek conn.log": { "expression": "event.provider == zeek && event.dataset == conn" }, "Zeek Exclude conn.log": { "expression": "event.provider == zeek && event.dataset != conn" } }, "tableStates": { "sessionsNew": { "order": [ [ "firstPacket", "desc" ] ], "visibleHeaders": [ "protocol", "event.dataset", "firstPacket", "lastPacket", "src", "source.port", "dst", "destination.port", "network.packets", "dbby", "tags", "info" ] } } } parseSMTP=true parseSMB=true parseQSValue=false 
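Review bot: The new `userAutoCreateTmpl` value switches its views and `visibleHeaders` from `zeek.logType` to `event.provider`, `event.dataset` and `file`, but the context comment directly above it states this template "should more or less match what's in /etc/user_settings.json", which is used to create the default admin user, and that file is not part of what is visible here. The following hunk drops the `zeek.logType` field definition from this same config, so if `user_settings.json` was not updated in the same commit the pre-created admin user would keep views such as `zeek.logType != EXISTS!` that no longer name a defined field, while header-authenticated users auto-created from this template get the working `Arkime Sessions` / `Zeek Logs` views. Please confirm the two definitions were changed together; a small consistency check (e.g. a test that parses both view sets and asserts they are equal) would keep them from drifting again, since the existing comment is the only thing tying them. The `dropGroup` and surrounding auth settings are unchanged context and not at issue.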
@@ -67,1194 +67,1190 @@ valueAutoComplete=false
 # id information
 zeek.uid=db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID
-zeek.community_id=db:zeek.community_id;kind:termfield;friendly:Zeek Connection Community ID;help:Zeek Connection Community ID
-zeek.logType=db:zeek.logType;kind:termfield;friendly:Zeek Log Type;help:Zeek Log Type
+malcolmDocId=db:malcolmDocId;group:malcolm;kind:termfield;friendly:Malcolm Log ID;help:Malcolm Log ID
+event.provider=db:event.provider;group:malcolm;kind:termfield;friendly:Malcolm Data Source;help:Malcolm Data Source
+event.dataset=db:event.dataset;group:malcolm;kind:termfield;friendly:Log Type;help:Log Type
+event.id=db:event.id;group:malcolm;kind:termfield;friendly:Log ID;help:Log ID
 zeek.ts=db:zeek.ts;kind:termfield;friendly:Timestamp;help:Zeek Timestamp
-host.name=db:host.name;kind:termfield;friendly:Zeek Node;help:Zeek Node
-event.severity=db:event.severity;kind:integer;friendly:Severity;help:Severity
-event.severity_tags=db:event.severity_tags;kind:termfield;friendly:Severity Tags;help:Severity Tags
-event.risk_score=db:event.risk_score;kind:float;friendly:Risk Score;help:Risk Score
-event.risk_score_norm=db:event.risk_score_norm;kind:float;friendly:Risk Score (Normalized);help:Risk Score (Normalized)
+host.name=db:host.name;group:malcolm;kind:termfield;friendly:Malcolm Node;help:Malcolm Node
 # basic connection information
-zeek.orig_h=db:zeek.orig_h;kind:termfield;friendly:Originating host;help:Originating Host
-zeek.orig_p=db:zeek.orig_p;kind:integer;friendly:Originating port;help:Originating Port
-zeek.orig_l2_addr=db:zeek.orig_l2_addr;kind:termfield;friendly:Originating MAC;help:Originating MAC
-zeek.orig_l2_oui=db:zeek.orig_l2_oui;kind:termfield;friendly:Originating OUI;help:Originating OUI
-zeek.orig_hostname=db:zeek.orig_hostname;kind:termfield;friendly:Originating Host Name;help:Originating Host Name
-zeek.orig_segment=db:zeek.orig_segment;kind:termfield;friendly:Originating Network Segment;help:Originating Network Segment
-zeek.source_ip_reverse_dns=db:zeek.source_ip_reverse_dns;kind:termfield;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS
-zeek.source_geo.city_name=db:zeek.source_geo.city_name;kind:termfield;friendly:Originating GeoIP City;help:Originating GeoIP City
-zeek.source_geo.country_name=db:zeek.source_geo.country_name;kind:termfield;friendly:Originating GeoIP Country;help:Originating GeoIP Country
-zeek.resp_h=db:zeek.resp_h;kind:termfield;friendly:Responding host;help:Responding Host
-zeek.resp_p=db:zeek.resp_p;kind:integer;friendly:Responding port;help:Responding Port
-zeek.resp_l2_addr=db:zeek.resp_l2_addr;kind:termfield;friendly:Responding MAC;help:Responding MAC
-zeek.resp_l2_oui=db:zeek.resp_l2_oui;kind:termfield;friendly:Responding OUI;help:Responding OUI
-zeek.resp_hostname=db:zeek.resp_hostname;kind:termfield;friendly:Responding Host Name;help:Responding Host Name
-zeek.resp_segment=db:zeek.resp_segment;kind:termfield;friendly:Responding Network Segment;help:Responding Network Segment
-zeek.destination_ip_reverse_dns=db:zeek.destination_ip_reverse_dns;kind:termfield;friendly:Responding IP Reverse DNS;help:Responding IP Reverse DNS
-zeek.destination_geo.city_name=db:zeek.destination_geo.city_name;kind:termfield;friendly:Responding GeoIP City;help:Responding GeoIP City
-zeek.destination_geo.country_name=db:zeek.destination_geo.country_name;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country
-zeek.proto=db:zeek.proto;kind:lotermfield;friendly:Protocol;help:Protocol
-zeek.service=db:zeek.service;kind:termfield;friendly:Service;help:Service
-zeek.service_version=db:zeek.service_version;kind:termfield;friendly:Service Version;help:Service Version
-zeek.action=db:zeek.action;kind:termfield;friendly:Action;help:Action
-zeek.result=db:zeek.result;kind:termfield;friendly:Result;help:Result
-zeek.user=db:zeek.user;kind:termfield;friendly:User;help:User
-zeek.user_agent=db:zeek.user_agent;kind:termfield;friendly:User Agent;help:User Agent
-zeek.password=db:zeek.password;kind:termfield;friendly:Password;help:Password
-zeek.freq_score_v1=db:zeek_dns.freq_score_v1;kind:float;friendly:Freq Score v1;help:Freq Score v1
-zeek.freq_score_v2=db:zeek_dns.freq_score_v2;kind:float;friendly:Freq Score v2;help:Freq Score v2
+destination.geo.city_name=db:destination.geo.city_name;group:malcolm;kind:termfield;friendly:Responding GeoIP City;help:Responding GeoIP City
+destination.geo.country_name=db:destination.geo.country_name;group:malcolm;kind:termfield;friendly:Responding GeoIP Country;help:Responding GeoIP Country
+destination.hostname=db:destination.hostname;group:malcolm;kind:termfield;friendly:Responding Host Name;help:Responding Host Name
+destination.ip_reverse_dns=db:destination.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Responding IP Reverse DNS;help:Responding IP Reverse DNS
+destination.oui=db:destination.oui;group:malcolm;kind:termfield;friendly:Responding OUI;help:Responding OUI
+destination.segment=db:destination.segment;group:malcolm;kind:termfield;friendly:Responding Network Segment;help:Responding Network Segment
+event.action=db:event.action;group:malcolm;kind:termfield;friendly:Action;help:Action
+event.freq_score_v1=db:event.freq_score_v1;group:malcolm;kind:float;friendly:Freq Score v1;help:Freq Score v1
+event.freq_score_v2=db:event.freq_score_v2;group:malcolm;kind:float;friendly:Freq Score v2;help:Freq Score v2
+event.result=db:event.result;group:malcolm;kind:termfield;friendly:Result;help:Result
+event.risk_score=db:event.risk_score;group:malcolm;kind:float;friendly:Risk Score;help:Risk Score
+event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;friendly:Risk Score (Normalized);help:Risk Score (Normalized)
+event.severity=db:event.severity;group:malcolm;kind:integer;friendly:Severity;help:Severity
+event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;friendly:Severity Tags;help:Severity Tags
+network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:lotermfield;friendly:Inner VLAN ID;help:Inner VLAN ID
+network.protocol=db:network.protocol;group:malcolm;kind:termfield;friendly:Service;help:Service
+network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;friendly:Service Version;help:Service Version
+network.transport=db:network.transport;group:malcolm;kind:lotermfield;friendly:Protocol;help:Protocol
+network.vlan.id=db:network.vlan.id;group:malcolm;kind:lotermfield;friendly:VLAN ID;help:VLAN ID
+related.hash=db:related.hash;group:malcolm;kind:termfield;friendly:Related Hash;help:Related Hash
+related.ip=db:related.ip;group:malcolm;kind:termfield;friendly:Related IP;help:Related IP
+related.password=db:related.password;group:malcolm;kind:termfield;friendly:Password;help:Password
+related.user=db:related.user;group:malcolm;kind:termfield;friendly:User;help:User
+source.geo.city_name=db:source.geo.city_name;group:malcolm;kind:termfield;friendly:Originating GeoIP City;help:Originating GeoIP City
+source.geo.country_name=db:source.geo.country_name;group:malcolm;kind:termfield;friendly:Originating GeoIP Country;help:Originating GeoIP Country
+source.hostname=db:source.hostname;group:malcolm;kind:termfield;friendly:Originating Host Name;help:Originating Host Name
+source.ip_reverse_dns=db:source.ip_reverse_dns;group:malcolm;kind:termfield;friendly:Originating IP Reverse DNS;help:Originating IP Reverse DNS
+source.nat.ip=db:source.nat.ip;group:malcolm;kind:termfield;friendly:NAT IP;help:NAT IP
+source.nat.port=db:source.nat.port;group:malcolm;kind:integer;friendly:NAT Port;help:NAT Port
+source.oui=db:source.oui;kind:termfield;group:malcolm;friendly:Originating OUI;help:Originating OUI
+source.segment=db:source.segment;group:malcolm;kind:termfield;friendly:Originating Network Segment;help:Originating Network Segment
+user_agent.original=db:user_agent.original;group:malcolm;kind:termfield;friendly:User Agent;help:User Agent
 # file information
 zeek.fuid=db:zeek.fuid;kind:termfield;friendly:File ID;help:File ID
-zeek.filename=db:zeek.filename;kind:termfield;friendly:File Name;help:File Name
-zeek.filetype=db:zeek.filetype;kind:termfield;friendly:File Magic;help:File Magic
+file.path=db:file.path;group:malcolm;kind:termfield;friendly:File Path;help:File Path
+file.mime_type=db:file.mime_type;group:malcolm;kind:termfield;friendly:File Magic;help:File Magic
 # conn.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
-zeek_conn.duration=db:zeek_conn.duration;kind:termfield;friendly:Duration;help:Duration
-zeek_conn.orig_bytes=db:zeek_conn.orig_bytes;kind:integer;friendly:Originating Bytes;help:Originating Bytes
-zeek_conn.resp_bytes=db:zeek_conn.resp_bytes;kind:integer;friendly:Responding Bytes;help:Responding Bytes
-zeek_conn.conn_state=db:zeek_conn.conn_state;kind:termfield;friendly:Connection State Code;help:Connection State Code
-zeek_conn.conn_state_description=db:zeek_conn.conn_state_description;kind:termfield;friendly:conn Connection State;help:conn Connection State
-zeek_conn.local_orig=db:zeek_conn.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator
-zeek_conn.local_resp=db:zeek_conn.local_resp;kind:termfield;friendly:Local Responder;help:Local Responder
-zeek_conn.missed_bytes=db:zeek_conn.missed_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes
-zeek_conn.history=db:zeek_conn.history;kind:termfield;friendly:Connection Flags History;help:Connection Flags History
-zeek_conn.orig_pkts=db:zeek_conn.orig_pkts;kind:integer;friendly:Originating Packets;help:Originating Packets
-zeek_conn.orig_ip_bytes=db:zeek_conn.orig_ip_bytes;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes
-zeek_conn.resp_pkts=db:zeek_conn.resp_pkts;kind:integer;friendly:Responding Packets;help:Responding Packets
-zeek_conn.resp_ip_bytes=db:zeek_conn.resp_ip_bytes;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes
-zeek_conn.tunnel_parents=db:zeek_conn.tunnel_parents;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID
-zeek_conn.vlan=db:zeek_conn.vlan;kind:integer;friendly:Outer VLAN;help:Outer VLAN
-zeek_conn.inner_vlan=db:zeek_conn.inner_vlan;kind:integer;friendly:Inner VLAN;help:Inner VLAN
+zeek.conn.duration=db:zeek.conn.duration;group:zeek_conn;kind:termfield;friendly:Duration;help:Duration
+zeek.conn.orig_bytes=db:zeek.conn.orig_bytes;group:zeek_conn;kind:integer;friendly:Originating Bytes;help:Originating Bytes
+zeek.conn.resp_bytes=db:zeek.conn.resp_bytes;group:zeek_conn;kind:integer;friendly:Responding Bytes;help:Responding Bytes
+zeek.conn.conn_state=db:zeek.conn.conn_state;group:zeek_conn;kind:termfield;friendly:Connection State Code;help:Connection State Code
+zeek.conn.conn_state_description=db:zeek.conn.conn_state_description;group:zeek_conn;kind:termfield;friendly:conn Connection State;help:conn Connection State
+zeek.conn.local_orig=db:zeek.conn.local_orig;group:zeek_conn;kind:termfield;friendly:Local Originator;help:Local Originator
+zeek.conn.local_resp=db:zeek.conn.local_resp;group:zeek_conn;kind:termfield;friendly:Local Responder;help:Local Responder
+zeek.conn.missed_bytes=db:zeek.conn.missed_bytes;group:zeek_conn;kind:integer;friendly:Missed Bytes;help:Missed Bytes
+zeek.conn.history=db:zeek.conn.history;group:zeek_conn;kind:termfield;friendly:Connection Flags History;help:Connection Flags History
+zeek.conn.orig_pkts=db:zeek.conn.orig_pkts;group:zeek_conn;kind:integer;friendly:Originating Packets;help:Originating Packets
+zeek.conn.orig_ip_bytes=db:zeek.conn.orig_ip_bytes;group:zeek_conn;kind:integer;friendly:Originating IP Bytes;help:Originating IP Bytes
+zeek.conn.resp_pkts=db:zeek.conn.resp_pkts;group:zeek_conn;kind:integer;friendly:Responding Packets;help:Responding Packets
+zeek.conn.resp_ip_bytes=db:zeek.conn.resp_ip_bytes;group:zeek_conn;kind:integer;friendly:Responding IP Bytes;help:Responding IP Bytes
+zeek.conn.tunnel_parents=db:zeek.conn.tunnel_parents;group:zeek_conn;kind:termfield;friendly:Tunnel Connection ID;help:Tunnel Connection ID
+zeek.conn.vlan=db:zeek.conn.vlan;group:zeek_conn;kind:integer;friendly:Outer VLAN;help:Outer VLAN
+zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;friendly:Inner VLAN;help:Inner VLAN
 # bacnet.log
 # https://github.com/cisagov/ICSNPP
-zeek_bacnet.bvlc_function=db:zeek_bacnet.bvlc_function;kind:termfield;friendly:BVLC Function;help:BVLC Function
-zeek_bacnet.pdu_type=db:zeek_bacnet.pdu_type;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
-zeek_bacnet.pdu_service=db:zeek_bacnet.pdu_service;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
-zeek_bacnet.invoke_id=db:zeek_bacnet.invoke_id;kind:integer;friendly:Invoke ID;help:Invoke ID
-zeek_bacnet.result_code=db:zeek_bacnet.result_code;kind:termfield;friendly:Result Code;help:Result Code
+zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;friendly:BVLC Function;help:BVLC Function
+zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
+zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
+zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;friendly:Invoke ID;help:Invoke ID
+zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;friendly:Result Code;help:Result Code
 # bacnet_discovery.log
 # https://github.com/cisagov/ICSNPP
-zeek_bacnet_discovery.pdu_service=db:zeek_bacnet_discovery.pdu_service;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek_bacnet_discovery.object_type=db:zeek_bacnet_discovery.object_type;kind:termfield;friendly:Object Type;help:Object Type
-zeek_bacnet_discovery.instance_number=db:zeek_bacnet_discovery.instance_number;kind:integer;friendly:Instance Number;help:Instance Number
-zeek_bacnet_discovery.vendor=db:zeek_bacnet_discovery.vendor;kind:termfield;friendly:Vendor Name;help:Vendor Name
-zeek_bacnet_discovery.range=db:zeek_bacnet_discovery.range;kind:termfield;friendly:Range;help:Range
-zeek_bacnet_discovery.range_low=db:zeek_bacnet_discovery.range_low;kind:integer;friendly:Range Low;help:Range Low
-zeek_bacnet_discovery.range_high=db:zeek_bacnet_discovery.range_high;kind:integer;friendly:Range High;help:Range High
-zeek_bacnet_discovery.object_name=db:zeek_bacnet_discovery.object_name;kind:termfield;friendly:Object Name;help:Object Name
+zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
+zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
+zeek.bacnet_discovery.instance_number=db:zeek.bacnet_discovery.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number
+zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;friendly:Vendor Name;help:Vendor Name
+zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;friendly:Range;help:Range
+zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;friendly:Range Low;help:Range Low
+zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;friendly:Range High;help:Range High
+zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;friendly:Object Name;help:Object Name
 # bacnet_property.log
 # https://github.com/cisagov/ICSNPP
-zeek_bacnet_property.pdu_service=db:zeek_bacnet_property.pdu_service;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek_bacnet_property.object_type=db:zeek_bacnet_property.object_type;kind:termfield;friendly:Object Type;help:Object Type
-zeek_bacnet_property.instance_number=db:zeek_bacnet_property.instance_number;kind:integer;friendly:Instance Number;help:Instance Number
-zeek_bacnet_property.property=db:zeek_bacnet_property.property;kind:termfield;friendly:Property Type;help:Property Type
-zeek_bacnet_property.array_index=db:zeek_bacnet_property.array_index;kind:integer;friendly:Array Index;help:Array Index
-zeek_bacnet_property.value=db:zeek_bacnet_property.value;kind:termfield;friendly:Value;help:Value
+zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
+zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
+zeek.bacnet_property.instance_number=db:zeek.bacnet_property.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number
+zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;friendly:Property Type;help:Property Type
+zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;friendly:Array Index;help:Array Index
+zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;friendly:Value;help:Value
 # bestguess.log
-zeek_bestguess.name=db:zeek_bestguess.name;kind:termfield;friendly:Best Guess Name;help:Best Guess Name
-zeek_bestguess.category=db:zeek_bestguess.category;kind:termfield;friendly:Best Guess Category;help:Best Guess Category
+zeek.bestguess.name=db:zeek.bestguess.name;group:zeek_bestguess;kind:termfield;friendly:Best Guess Name;help:Best Guess Name
+zeek.bestguess.category=db:zeek.bestguess.category;group:zeek_bestguess;kind:termfield;friendly:Best Guess Category;help:Best Guess Category
 # bsap_ip_header.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
-zeek_bsap_ip_header.num_msg=db:zeek_bsap_ip_header.num_msg;kind:termfield;friendly:Functions per Message;help:Functions per Message
-zeek_bsap_ip_header.type_name=db:zeek_bsap_ip_header.type_name;kind:integer;friendly:Message Type;help:Message Type
+zeek.bsap_ip_header.num_msg=db:zeek.bsap_ip_header.num_msg;group:zeek_bsap;kind:termfield;friendly:Functions per Message;help:Functions per Message
+zeek.bsap_ip_header.type_name=db:zeek.bsap_ip_header.type_name;group:zeek_bsap;kind:integer;friendly:Message Type;help:Message Type
 # bsap_ip_rdb.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
-zeek_bsap_ip_rdb.app_func_code=db:zeek_bsap_ip_rdb.app_func_code;kind:termfield;friendly:Application Function;help:Application Function
-zeek_bsap_ip_rdb.data_len=db:zeek_bsap_ip_rdb.data_len;kind:integer;friendly:Data Length;help:Data Length
-zeek_bsap_ip_rdb.data=db:zeek_bsap_ip_rdb.data;kind:termfield;friendly:Subfunction Data;help:Subfunction Data
-zeek_bsap_ip_rdb.func_code=db:zeek_bsap_ip_rdb.func_code;kind:termfield;friendly:Application Subfunction;help:Application Subfunction
-zeek_bsap_ip_rdb.header_size=db:zeek_bsap_ip_rdb.header_size;kind:integer;friendly:Header Length;help:Header Length
-zeek_bsap_ip_rdb.mes_seq=db:zeek_bsap_ip_rdb.mes_seq;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek_bsap_ip_rdb.node_status=db:zeek_bsap_ip_rdb.node_status;kind:integer;friendly:Node Status;help:friendly:Node Status
-zeek_bsap_ip_rdb.res_seq=db:zeek_bsap_ip_rdb.res_seq;kind:integer;friendly:Response Sequence;help:Response Sequence
-zeek_bsap_ip_rdb.sequence=db:zeek_bsap_ip_rdb.sequence;kind:integer;friendly:Function Sequence;help:Function Sequence
+zeek.bsap_ip_rdb.app_func_code=db:zeek.bsap_ip_rdb.app_func_code;group:zeek_bsap;kind:termfield;friendly:Application Function;help:Application Function
+zeek.bsap_ip_rdb.data_len=db:zeek.bsap_ip_rdb.data_len;group:zeek_bsap;kind:integer;friendly:Data Length;help:Data Length
+zeek.bsap_ip_rdb.data=db:zeek.bsap_ip_rdb.data;group:zeek_bsap;kind:termfield;friendly:Subfunction Data;help:Subfunction Data
+zeek.bsap_ip_rdb.func_code=db:zeek.bsap_ip_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:Application Subfunction;help:Application Subfunction
+zeek.bsap_ip_rdb.header_size=db:zeek.bsap_ip_rdb.header_size;group:zeek_bsap;kind:integer;friendly:Header Length;help:Header Length
+zeek.bsap_ip_rdb.mes_seq=db:zeek.bsap_ip_rdb.mes_seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_ip_rdb.node_status=db:zeek.bsap_ip_rdb.node_status;group:zeek_bsap;kind:integer;friendly:Node Status;help:friendly:Node Status
+zeek.bsap_ip_rdb.res_seq=db:zeek.bsap_ip_rdb.res_seq;group:zeek_bsap;kind:integer;friendly:Response Sequence;help:Response Sequence
+zeek.bsap_ip_rdb.sequence=db:zeek.bsap_ip_rdb.sequence;group:zeek_bsap;kind:integer;friendly:Function Sequence;help:Function Sequence
 # bsap_ip_unknown.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_ip_parser
-zeek_bsap_ip_unknown.data=db:zeek_bsap_ip_unknown.data;kind:termfield;friendly:Unknown Data;help:Unknown Data
+zeek.bsap_ip_unknown.data=db:zeek.bsap_ip_unknown.data;group:zeek_bsap;kind:termfield;friendly:Unknown Data;help:Unknown Data
 # bsap_serial_header.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek_bsap_serial_header.ctl=db:zeek_bsap_serial_header.ctl;kind:integer;friendly:Control Byte;help:Control Byte
-zeek_bsap_serial_header.dadd=db:zeek_bsap_serial_header.dadd;kind:integer;friendly:Destination Address;help:Destination Address
-zeek_bsap_serial_header.dfun=db:zeek_bsap_serial_header.dfun;kind:termfield;friendly:Destination Function;help:Destination Function
-zeek_bsap_serial_header.nsb=db:zeek_bsap_serial_header.nsb;kind:integer;friendly:Node Status;help:Node Statussb
-zeek_bsap_serial_header.sadd=db:zeek_bsap_serial_header.sadd;kind:integer;friendly:Source Address;help:Source Address
-zeek_bsap_serial_header.seq=db:zeek_bsap_serial_header.seq;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek_bsap_serial_header.ser=db:zeek_bsap_serial_header.ser;kind:termfield;friendly:Message Serial Number;help:Message Serial Number
-zeek_bsap_serial_header.sfun=db:zeek_bsap_serial_header.sfun;kind:termfield;friendly:Source Function;help:Source Function
-zeek_bsap_serial_header.type_name=db:zeek_bsap_serial_header.type_name;kind:termfield;friendly:Message Type;help:Message Type
+zeek.bsap_serial_header.ctl=db:zeek.bsap_serial_header.ctl;group:zeek_bsap;kind:integer;friendly:Control Byte;help:Control Byte
+zeek.bsap_serial_header.dadd=db:zeek.bsap_serial_header.dadd;group:zeek_bsap;kind:integer;friendly:Destination Address;help:Destination Address
+zeek.bsap_serial_header.dfun=db:zeek.bsap_serial_header.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function
+zeek.bsap_serial_header.nsb=db:zeek.bsap_serial_header.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Statussb
+zeek.bsap_serial_header.sadd=db:zeek.bsap_serial_header.sadd;group:zeek_bsap;kind:integer;friendly:Source Address;help:Source Address
+zeek.bsap_serial_header.seq=db:zeek.bsap_serial_header.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_serial_header.ser=db:zeek.bsap_serial_header.ser;group:zeek_bsap;kind:termfield;friendly:Message Serial Number;help:Message Serial Number
+zeek.bsap_serial_header.sfun=db:zeek.bsap_serial_header.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function
+zeek.bsap_serial_header.type_name=db:zeek.bsap_serial_header.type_name;group:zeek_bsap;kind:termfield;friendly:Message Type;help:Message Type
 # bsap_serial_rdb.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek_bsap_serial_rdb.data=db:zeek_bsap_serial_rdb.data;kind:termfield;friendly:RDB Function Data;help:RDB Function Data
-zeek_bsap_serial_rdb.func_code=db:zeek_bsap_serial_rdb.func_code;kind:termfield;friendly:RDB Function;help:RDB Function
+zeek.bsap_serial_rdb.data=db:zeek.bsap_serial_rdb.data;group:zeek_bsap;kind:termfield;friendly:RDB Function Data;help:RDB Function Data
+zeek.bsap_serial_rdb.func_code=db:zeek.bsap_serial_rdb.func_code;group:zeek_bsap;kind:termfield;friendly:RDB Function;help:RDB Function
 # bsap_serial_rdb_ext.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek_bsap_serial_rdb_ext.data=db:zeek_bsap_serial_rdb_ext.data;kind:termfield;friendly:RDB Ext Function Data;help:RDB Ext Function Data
-zeek_bsap_serial_rdb_ext.dfun=db:zeek_bsap_serial_rdb_ext.dfun;kind:termfield;friendly:Destination Function;help:Destination Function
-zeek_bsap_serial_rdb_ext.extfun=db:zeek_bsap_serial_rdb_ext.extfun;kind:termfield;friendly:RDB Ext Function;help:RDB Ext Function
-zeek_bsap_serial_rdb_ext.nsb=db:zeek_bsap_serial_rdb_ext.nsb;kind:integer;friendly:Node Status;help:Node Status
-zeek_bsap_serial_rdb_ext.seq=db:zeek_bsap_serial_rdb_ext.seq;kind:integer;friendly:Message Sequence;help:Message Sequence
-zeek_bsap_serial_rdb_ext.sfun=db:zeek_bsap_serial_rdb_ext.sfun;kind:termfield;friendly:Source Function;help:Source Function
+zeek.bsap_serial_rdb_ext.data=db:zeek.bsap_serial_rdb_ext.data;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function Data;help:RDB Ext Function Data
+zeek.bsap_serial_rdb_ext.dfun=db:zeek.bsap_serial_rdb_ext.dfun;group:zeek_bsap;kind:termfield;friendly:Destination Function;help:Destination Function
+zeek.bsap_serial_rdb_ext.extfun=db:zeek.bsap_serial_rdb_ext.extfun;group:zeek_bsap;kind:termfield;friendly:RDB Ext Function;help:RDB Ext Function
+zeek.bsap_serial_rdb_ext.nsb=db:zeek.bsap_serial_rdb_ext.nsb;group:zeek_bsap;kind:integer;friendly:Node Status;help:Node Status
+zeek.bsap_serial_rdb_ext.seq=db:zeek.bsap_serial_rdb_ext.seq;group:zeek_bsap;kind:integer;friendly:Message Sequence;help:Message Sequence
+zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;kind:termfield;friendly:Source Function;help:Source Function
 # bsap_serial_unknown.log
 # https://github.com/cisagov/ICSNPP/tree/master/zeek_bsap_serial_parser
-zeek_bsap_serial_unknown.data=db:zeek_bsap_serial_unknown.data;kind:termfield;friendly:Unknown Data;help:Unknown Data
+zeek.bsap_serial_unknown.data=db:zeek.bsap_serial_unknown.data;group:zeek_bsap;kind:termfield;friendly:Unknown Data;help:Unknown Data
 # cip.log
 # https://github.com/cisagov/ICSNPP
-zeek_cip.cip_sequence_count=db:zeek_cip.cip_sequence_count;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
-zeek_cip.direction=db:zeek_cip.direction;kind:termfield;friendly:Direction;help:Direction
-zeek_cip.cip_service=db:zeek_cip.cip_service;kind:termfield;friendly:CIP Service;help:CIP Service
-zeek_cip.cip_status=db:zeek_cip.cip_status;kind:termfield;friendly:CIP Status;help:CIP Status
-zeek_cip.class_id=db:zeek_cip.class_id;kind:termfield;friendly:Class ID;help:Class ID
-zeek_cip.class_name=db:zeek_cip.class_name;kind:termfield;friendly:Class Name;help:Class Name
-zeek_cip.instance_id=db:zeek_cip.instance_id;kind:termfield;friendly:Instance ID;help:Instance ID
-zeek_cip.attribute_id=db:zeek_cip.attribute_id;kind:termfield;friendly:Attribute ID;help:Attribute ID
-zeek_cip.data_id=db:zeek_cip.data_id;kind:termfield;friendly:Data ID;help:Data ID
-zeek_cip.other_id=db:zeek_cip.other_id;kind:termfield;friendly:Other ID;help:Other ID
+zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
+zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
+zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;friendly:CIP Service;help:CIP Service
+zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;friendly:CIP Status;help:CIP Status
+zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;friendly:Class ID;help:Class ID
+zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;friendly:Class Name;help:Class Name
+zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;friendly:Instance ID;help:Instance ID
+zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;friendly:Attribute ID;help:Attribute ID
+zeek.cip.data_id=db:zeek.cip.data_id;group:zeek_cip;kind:termfield;friendly:Data ID;help:Data ID
+zeek.cip.other_id=db:zeek.cip.other_id;group:zeek_cip;kind:termfield;friendly:Other ID;help:Other ID
 # cip_identity.log
 # https://github.com/cisagov/ICSNPP
-zeek_cip_identity.encapsulation_version=db:zeek_cip_identity.encapsulation_version;kind:integer;friendly:Encapsulation Version;help:Encapsulation Version
-zeek_cip_identity.socket_address=db:zeek_cip_identity.socket_address;kind:termfield;friendly:Socket Address;help:Socket Address
-zeek_cip_identity.socket_address_geo.city_name=db:zeek_cip_identity.socket_address_geo.city_name;kind:termfield;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
-zeek_cip_identity.socket_address_geo.country_name=db:zeek_cip_identity.socket_address_geo.country_name;kind:termfield;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
-zeek_cip_identity.socket_address_asn=db:zeek_cip_identity.socket_address_asn;kind:termfield;friendly:Socket Address ASN;help:Socket Address ASN
-zeek_cip_identity.socket_port=db:zeek_cip_identity.socket_port;kind:integer;friendly:Socket Port;help:Socket Port
-zeek_cip_identity.vendor_id=db:zeek_cip_identity.vendor_id;kind:integer;friendly:Vendor ID;help:Vendor ID
-zeek_cip_identity.vendor_name=db:zeek_cip_identity.vendor_name;kind:termfield;friendly:Vendor Name;help:Vendor Name
-zeek_cip_identity.device_type_id=db:zeek_cip_identity.device_type_id;kind:integer;friendly:Device Type ID;help:Device Type ID
-zeek_cip_identity.device_type_name=db:zeek_cip_identity.device_type_name;kind:termfield;friendly:Device Type Name;help:Device Type Name
-zeek_cip_identity.product_code=db:zeek_cip_identity.product_code;kind:integer;friendly:Product Code;help:Product Code
-zeek_cip_identity.revision=db:zeek_cip_identity.revision;kind:termfield;friendly:Device Revision;help:Device Revision
-zeek_cip_identity.device_status=db:zeek_cip_identity.device_status;kind:termfield;friendly:Device Status;help:Device Status
-zeek_cip_identity.serial_number=db:zeek_cip_identity.serial_number;kind:termfield;friendly:Serial Number;help:Serial Number
-zeek_cip_identity.product_name=db:zeek_cip_identity.product_name;kind:termfield;friendly:Product Name;help:Product Name
-zeek_cip_identity.device_state=db:zeek_cip_identity.device_state;kind:termfield;friendly:Device State;help:Device State
+zeek.cip_identity.encapsulation_version=db:zeek.cip_identity.encapsulation_version;group:zeek_cip;kind:integer;friendly:Encapsulation Version;help:Encapsulation Version
+zeek.cip_identity.socket_address=db:zeek.cip_identity.socket_address;group:zeek_cip;kind:termfield;friendly:Socket Address;help:Socket Address
+zeek.cip_identity.socket_address_geo.city_name=db:zeek.cip_identity.socket_address_geo.city_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP City;help:Socket Address GeoIP City
+zeek.cip_identity.socket_address_geo.country_name=db:zeek.cip_identity.socket_address_geo.country_name;group:zeek_cip;kind:termfield;friendly:Socket Address GeoIP Country;help:Socket Address GeoIP Country
+zeek.cip_identity.socket_address_asn=db:zeek.cip_identity.socket_address_asn;group:zeek_cip;kind:termfield;friendly:Socket Address ASN;help:Socket Address ASN
+zeek.cip_identity.socket_port=db:zeek.cip_identity.socket_port;group:zeek_cip;kind:integer;friendly:Socket Port;help:Socket Port
+zeek.cip_identity.vendor_id=db:zeek.cip_identity.vendor_id;group:zeek_cip;kind:integer;friendly:Vendor ID;help:Vendor ID
+zeek.cip_identity.vendor_name=db:zeek.cip_identity.vendor_name;group:zeek_cip;kind:termfield;friendly:Vendor Name;help:Vendor Name
+zeek.cip_identity.device_type_id=db:zeek.cip_identity.device_type_id;group:zeek_cip;kind:integer;friendly:Device Type ID;help:Device Type ID
+zeek.cip_identity.device_type_name=db:zeek.cip_identity.device_type_name;group:zeek_cip;kind:termfield;friendly:Device Type Name;help:Device Type Name
+zeek.cip_identity.product_code=db:zeek.cip_identity.product_code;group:zeek_cip;kind:integer;friendly:Product Code;help:Product Code
+zeek.cip_identity.revision=db:zeek.cip_identity.revision;group:zeek_cip;kind:termfield;friendly:Device Revision;help:Device Revision
+zeek.cip_identity.device_status=db:zeek.cip_identity.device_status;group:zeek_cip;kind:termfield;friendly:Device Status;help:Device Status
+zeek.cip_identity.serial_number=db:zeek.cip_identity.serial_number;group:zeek_cip;kind:termfield;friendly:Serial Number;help:Serial Number
+zeek.cip_identity.product_name=db:zeek.cip_identity.product_name;group:zeek_cip;kind:termfield;friendly:Product Name;help:Product Name
+zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;kind:termfield;friendly:Device State;help:Device State
 # cip_io.log
 # https://github.com/cisagov/ICSNPP
-zeek_cip_io.connection_id=db:zeek_cip_io.connection_id;kind:termfield;friendly:Connection ID;help:Connection ID
-zeek_cip_io.sequence_number=db:zeek_cip_io.sequence_number;kind:integer;friendly:Sequence Number;help:Sequence Number
-zeek_cip_io.data_length=db:zeek_cip_io.data_length;kind:integer;friendly:Data Length;help:Data Length -zeek_cip_io.io_data=db:zeek_cip_io.io_data;kind:termfield;friendly:Transport Data;help:Transport Data +zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;friendly:Connection ID;help:Connection ID +zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;friendly:Sequence Number;help:Sequence Number +zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;friendly:Data Length;help:Data Length +zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;friendly:Transport Data;help:Transport Data # dce_rpc.log # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info -zeek_dce_rpc.rtt=db:zeek_dce_rpc.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time -zeek_dce_rpc.named_pipe=db:zeek_dce_rpc.named_pipe;kind:termfield;friendly:Remote Pipe;help:Remote Pipe -zeek_dce_rpc.endpoint=db:zeek_dce_rpc.endpoint;kind:termfield;friendly:Endpoint;help:Endpoint -zeek_dce_rpc.operation=db:zeek_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation +zeek.dce_rpc.rtt=db:zeek.dce_rpc.rtt;group:zeek_dce_rpc;kind:termfield;friendly:Round Trip Time;help:Round Trip Time +zeek.dce_rpc.named_pipe=db:zeek.dce_rpc.named_pipe;group:zeek_dce_rpc;kind:termfield;friendly:Remote Pipe;help:Remote Pipe +zeek.dce_rpc.endpoint=db:zeek.dce_rpc.endpoint;group:zeek_dce_rpc;kind:termfield;friendly:Endpoint;help:Endpoint +zeek.dce_rpc.operation=db:zeek.dce_rpc.operation;group:zeek_dce_rpc;kind:termfield;friendly:Operation;help:Operation # dhcp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info -zeek_dhcp.mac=db:zeek_dhcp.mac;kind:termfield;friendly:Client MAC;help:Client MAC -zeek_dhcp.assigned_ip=db:zeek_dhcp.assigned_ip;kind:termfield;friendly:Assigned IP;help:Assigned IP 
-zeek_dhcp.lease_time=db:zeek_dhcp.lease_time;kind:termfield;friendly:Lease Time;help:Lease Time -zeek_dhcp.trans_id=db:zeek_dhcp.trans_id;kind:termfield;friendly:dhcp Transaction ID;help:dhcp Transaction ID -zeek_dhcp.client_fqdn=db:zeek_dhcp.client_fqdn;kind:termfield;friendly:Client FQDN;help:Client FQDN -zeek_dhcp.client_message=db:zeek_dhcp.client_message;kind:termfield;friendly:Client Message;help:Client Message -zeek_dhcp.domain=db:zeek_dhcp.domain;kind:termfield;friendly:Domain;help:Domain -zeek_dhcp.duration=db:zeek_dhcp.duration;kind:termfield;friendly:Duration;help:Duration -zeek_dhcp.host_name=db:zeek_dhcp.host_name;kind:termfield;friendly:Hostname;help:Hostname -zeek_dhcp.msg_types=db:zeek_dhcp.msg_types;kind:termfield;friendly:Message Types;help:Message Types -zeek_dhcp.requested_ip=db:zeek_dhcp.requested_ip;kind:termfield;friendly:Requested IP;help:Requested IP -zeek_dhcp.server_message=db:zeek_dhcp.server_message;kind:termfield;friendly:Server Message;help:Server Message -zeek_dhcp.client_software=db:zeek_dhcp.client_software;kind:termfield;friendly:Client Software;help:Client Software -zeek_dhcp.server_software=db:zeek_dhcp.server_software;kind:termfield;friendly:Server Software;help:Server Software +zeek.dhcp.mac=db:zeek.dhcp.mac;group:zeek_dhcp;kind:termfield;friendly:Client MAC;help:Client MAC +zeek.dhcp.assigned_ip=db:zeek.dhcp.assigned_ip;group:zeek_dhcp;kind:termfield;friendly:Assigned IP;help:Assigned IP +zeek.dhcp.lease_time=db:zeek.dhcp.lease_time;group:zeek_dhcp;kind:termfield;friendly:Lease Time;help:Lease Time +zeek.dhcp.trans_id=db:zeek.dhcp.trans_id;group:zeek_dhcp;kind:termfield;friendly:dhcp Transaction ID;help:dhcp Transaction ID +zeek.dhcp.client_fqdn=db:zeek.dhcp.client_fqdn;group:zeek_dhcp;kind:termfield;friendly:Client FQDN;help:Client FQDN +zeek.dhcp.client_message=db:zeek.dhcp.client_message;group:zeek_dhcp;kind:termfield;friendly:Client Message;help:Client Message 
+zeek.dhcp.domain=db:zeek.dhcp.domain;group:zeek_dhcp;kind:termfield;friendly:Domain;help:Domain +zeek.dhcp.duration=db:zeek.dhcp.duration;group:zeek_dhcp;kind:termfield;friendly:Duration;help:Duration +zeek.dhcp.host_name=db:zeek.dhcp.host_name;group:zeek_dhcp;kind:termfield;friendly:Hostname;help:Hostname +zeek.dhcp.msg_types=db:zeek.dhcp.msg_types;group:zeek_dhcp;kind:termfield;friendly:Message Types;help:Message Types +zeek.dhcp.requested_ip=db:zeek.dhcp.requested_ip;group:zeek_dhcp;kind:termfield;friendly:Requested IP;help:Requested IP +zeek.dhcp.server_message=db:zeek.dhcp.server_message;group:zeek_dhcp;kind:termfield;friendly:Server Message;help:Server Message +zeek.dhcp.client_software=db:zeek.dhcp.client_software;group:zeek_dhcp;kind:termfield;friendly:Client Software;help:Client Software +zeek.dhcp.server_software=db:zeek.dhcp.server_software;group:zeek_dhcp;kind:termfield;friendly:Server Software;help:Server Software # dnp3.log # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info -zeek_dnp3.fc_request=db:zeek_dnp3.fc_request;kind:termfield;friendly:Request Function Message;help:Request Function Message -zeek_dnp3.fc_reply=db:zeek_dnp3.fc_reply;kind:termfield;friendly:Reply Function Message;help:Reply Function Message -zeek_dnp3.iin=db:zeek_dnp3.iin;kind:termfield;friendly:Internal Indication Number;help:Internal Indication Number -zeek_dnp3.iin_flags=db:zeek_dnp3.iin_flags;kind:termfield;friendly:Internal Indicators;help:Internal Indicators +zeek.dnp3.fc_request=db:zeek.dnp3.fc_request;group:zeek_dnp3;kind:termfield;friendly:Request Function Message;help:Request Function Message +zeek.dnp3.fc_reply=db:zeek.dnp3.fc_reply;group:zeek_dnp3;kind:termfield;friendly:Reply Function Message;help:Reply Function Message +zeek.dnp3.iin=db:zeek.dnp3.iin;group:zeek_dnp3;kind:termfield;friendly:Internal Indication Number;help:Internal Indication Number 
+zeek.dnp3.iin_flags=db:zeek.dnp3.iin_flags;group:zeek_dnp3;kind:termfield;friendly:Internal Indicators;help:Internal Indicators # dnp3_control.log # https://github.com/cisagov/ICSNPP -zeek_dnp3_control.block_type=db:zeek_dnp3_control.block_type;kind:termfield;friendly:Control Block Type;help:Control Block Type -zeek_dnp3_control.function_code=db:zeek_dnp3_control.function_code;kind:termfield;friendly:DNP3 Function Code;help:DNP3 Function Code -zeek_dnp3_control.index_number=db:zeek_dnp3_control.index_number;kind:integer;friendly:Object Index Number;help:Object Index Number -zeek_dnp3_control.trip_control_code=db:zeek_dnp3_control.trip_control_code;kind:termfield;friendly:Trip Control Code;help:Trip Control Code -zeek_dnp3_control.operation_type=db:zeek_dnp3_control.operation_type;kind:termfield;friendly:Operation Type;help:Operation Type -zeek_dnp3_control.execute_count=db:zeek_dnp3_control.execute_count;kind:integer;friendly:Execute Count;help:Execute Count -zeek_dnp3_control.on_time=db:zeek_dnp3_control.on_time;kind:integer;friendly:On Time;help:On Time -zeek_dnp3_control.off_time=db:zeek_dnp3_control.off_time;kind:integer;friendly:Off Time;help:Off Time -zeek_dnp3_control.status_code=db:zeek_dnp3_control.status_code;kind:termfield;friendly:Status Code;help:Status Code +zeek.dnp3_control.block_type=db:zeek.dnp3_control.block_type;group:zeek_dnp3;kind:termfield;friendly:Control Block Type;help:Control Block Type +zeek.dnp3_control.function_code=db:zeek.dnp3_control.function_code;group:zeek_dnp3;kind:termfield;friendly:DNP3 Function Code;help:DNP3 Function Code +zeek.dnp3_control.index_number=db:zeek.dnp3_control.index_number;group:zeek_dnp3;kind:integer;friendly:Object Index Number;help:Object Index Number +zeek.dnp3_control.trip_control_code=db:zeek.dnp3_control.trip_control_code;group:zeek_dnp3;kind:termfield;friendly:Trip Control Code;help:Trip Control Code 
+zeek.dnp3_control.operation_type=db:zeek.dnp3_control.operation_type;group:zeek_dnp3;kind:termfield;friendly:Operation Type;help:Operation Type +zeek.dnp3_control.execute_count=db:zeek.dnp3_control.execute_count;group:zeek_dnp3;kind:integer;friendly:Execute Count;help:Execute Count +zeek.dnp3_control.on_time=db:zeek.dnp3_control.on_time;group:zeek_dnp3;kind:integer;friendly:On Time;help:On Time +zeek.dnp3_control.off_time=db:zeek.dnp3_control.off_time;group:zeek_dnp3;kind:integer;friendly:Off Time;help:Off Time +zeek.dnp3_control.status_code=db:zeek.dnp3_control.status_code;group:zeek_dnp3;kind:termfield;friendly:Status Code;help:Status Code # dnp3_objects.log # https://github.com/cisagov/ICSNPP -zeek_dnp3_objects.function_code=db:zeek_dnp3_objects.function_code;kind:termfield;friendly:Function Code;help:Function Code -zeek_dnp3_objects.object_type=db:zeek_dnp3_objects.object_type;kind:termfield;friendly:Object Type;help:Object Type -zeek_dnp3_objects.object_count=db:zeek_dnp3_objects.object_count;kind:integer;friendly:Object Count;help:Object Count -zeek_dnp3_objects.range_low=db:zeek_dnp3_objects.range_low;kind:integer;friendly:Range Low;help:Range Low -zeek_dnp3_objects.range_high=db:zeek_dnp3_objects.range_high;kind:integer;friendly:Range High;help:Range High +zeek.dnp3_objects.function_code=db:zeek.dnp3_objects.function_code;group:zeek_dnp3;kind:termfield;friendly:Function Code;help:Function Code +zeek.dnp3_objects.object_type=db:zeek.dnp3_objects.object_type;group:zeek_dnp3;kind:termfield;friendly:Object Type;help:Object Type +zeek.dnp3_objects.object_count=db:zeek.dnp3_objects.object_count;group:zeek_dnp3;kind:integer;friendly:Object Count;help:Object Count +zeek.dnp3_objects.range_low=db:zeek.dnp3_objects.range_low;group:zeek_dnp3;kind:integer;friendly:Range Low;help:Range Low +zeek.dnp3_objects.range_high=db:zeek.dnp3_objects.range_high;group:zeek_dnp3;kind:integer;friendly:Range High;help:Range High # dns.log # 
https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info -zeek_dns.trans_id=db:zeek_dns.trans_id;kind:termfield;friendly:Transaction ID;help:Transaction ID -zeek_dns.rtt=db:zeek_dns.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time -zeek_dns.query=db:zeek_dns.query;kind:termfield;friendly:Query;help:Query -zeek_dns.qclass=db:zeek_dns.qclass;kind:termfield;friendly:Query Class Code;help:Query Class Code -zeek_dns.qclass_name=db:zeek_dns.qclass_name;kind:termfield;friendly:Query Class;help:Query Class -zeek_dns.qtype=db:zeek_dns.qtype;kind:termfield;friendly:Query Type Code;help:Query Type Code -zeek_dns.qtype_name=db:zeek_dns.qtype_name;kind:termfield;friendly:Query Type;help:Query Type -zeek_dns.rcode=db:zeek_dns.rcode;kind:integer;friendly:Response Code;help:Response Code -zeek_dns.rcode_name=db:zeek_dns.rcode_name;kind:termfield;friendly:Response;help:Response -zeek_dns.AA=db:zeek_dns.AA;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit -zeek_dns.TC=db:zeek_dns.TC;kind:termfield;friendly:Truncation Bit;help:Truncation Bit -zeek_dns.RD=db:zeek_dns.RD;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit -zeek_dns.RA=db:zeek_dns.RA;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit -zeek_dns.Z=db:zeek_dns.Z;kind:termfield;friendly:Z Bit;help:Z Bit -zeek_dns.answers=db:zeek_dns.answers;kind:termfield;friendly:Answer;help:Answer -zeek_dns.TTLs=db:zeek_dns.TTLs;kind:termfield;friendly:TTL;help:TTL -zeek_dns.rejected=db:zeek_dns.rejected;kind:termfield;friendly:Rejected;help:Rejected +zeek.dns.trans_id=db:zeek.dns.trans_id;group:zeek_dns;kind:termfield;friendly:Transaction ID;help:Transaction ID +zeek.dns.rtt=db:zeek.dns.rtt;group:zeek_dns;kind:termfield;friendly:Round Trip Time;help:Round Trip Time +zeek.dns.query=db:zeek.dns.query;group:zeek_dns;kind:termfield;friendly:Query;help:Query 
+zeek.dns.qclass=db:zeek.dns.qclass;group:zeek_dns;kind:termfield;friendly:Query Class Code;help:Query Class Code +zeek.dns.qclass_name=db:zeek.dns.qclass_name;group:zeek_dns;kind:termfield;friendly:Query Class;help:Query Class +zeek.dns.qtype=db:zeek.dns.qtype;group:zeek_dns;kind:termfield;friendly:Query Type Code;help:Query Type Code +zeek.dns.qtype_name=db:zeek.dns.qtype_name;group:zeek_dns;kind:termfield;friendly:Query Type;help:Query Type +zeek.dns.rcode=db:zeek.dns.rcode;group:zeek_dns;kind:integer;friendly:Response Code;help:Response Code +zeek.dns.rcode_name=db:zeek.dns.rcode_name;group:zeek_dns;kind:termfield;friendly:Response;help:Response +zeek.dns.AA=db:zeek.dns.AA;group:zeek_dns;kind:termfield;friendly:Authoritative Answer Bit;help:Authoritative Answer Bit +zeek.dns.TC=db:zeek.dns.TC;group:zeek_dns;kind:termfield;friendly:Truncation Bit;help:Truncation Bit +zeek.dns.RD=db:zeek.dns.RD;group:zeek_dns;kind:termfield;friendly:Recursion Desired Bit;help:Recursion Desired Bit +zeek.dns.RA=db:zeek.dns.RA;group:zeek_dns;kind:termfield;friendly:Recursion Available Bit;help:Recursion Available Bit +zeek.dns.Z=db:zeek.dns.Z;group:zeek_dns;kind:termfield;friendly:Z Bit;help:Z Bit +zeek.dns.answers=db:zeek.dns.answers;group:zeek_dns;kind:termfield;friendly:Answer;help:Answer +zeek.dns.TTLs=db:zeek.dns.TTLs;group:zeek_dns;kind:termfield;friendly:TTL;help:TTL +zeek.dns.rejected=db:zeek.dns.rejected;group:zeek_dns;kind:termfield;friendly:Rejected;help:Rejected # dpd.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info -zeek_dpd.service=db:zeek_dpd.service;kind:termfield;friendly:Protocol;help:Protocol -zeek_dpd.failure_reason=db:zeek_dpd.failure_reason;kind:termfield;friendly:Failure Reason;help:Failure Reason +zeek.dpd.service=db:zeek.dpd.service;group:zeek_dpd;kind:termfield;friendly:Protocol;help:Protocol +zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield;friendly:Failure Reason;help:Failure 
Reason # enip.log # https://github.com/cisagov/ICSNPP -zeek_enip.enip_command=db:zeek_enip.enip_command;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command -zeek_enip.length=db:zeek_enip.length;kind:integer;friendly:Packet Length;help:Packet Length -zeek_enip.session_handle=db:zeek_enip.session_handle;kind:termfield;friendly:Session Number;help:Session Number -zeek_enip.enip_status=db:zeek_enip.enipstatus;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status -zeek_enip.sender_context=db:zeek_enip.sender_context;kind:termfield;friendly:Sender Context;help:Sender Context -zeek_enip.options=db:zeek_enip.options;kind:termfield;friendly:Options;help:Options +zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command +zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length +zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number +zeek.enip.enip_status=db:zeek.enip.enipstatus;group:zeek_enip;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status +zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;friendly:Sender Context;help:Sender Context +zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;friendly:Options;help:Options # ecat_registers.log # https://github.com/cisagov/ICSNPP -zeek_ecat_registers.command=db:zeek_ecat_registers.command;kind:termfield;friendly:Command;help:Command -zeek_ecat_registers.server_addr=db:zeek_ecat_registers.server_addr;kind:termfield;friendly:Server Address;help:Server Address -zeek_ecat_registers.register_type=db:zeek_ecat_registers.register_type;kind:termfield;friendly:Register Information;help:Register Information -zeek_ecat_registers.register_addr=db:zeek_ecat_registers.register_addr;kind:termfield;friendly:Register Address;help:Register Address 
-zeek_ecat_registers.data=db:zeek_ecat_registers.data;kind:termfield;friendly:Data;help:Data +zeek.ecat_registers.command=db:zeek.ecat_registers.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command +zeek.ecat_registers.server_addr=db:zeek.ecat_registers.server_addr;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address +zeek.ecat_registers.register_type=db:zeek.ecat_registers.register_type;group:zeek_ecat;kind:termfield;friendly:Register Information;help:Register Information +zeek.ecat_registers.register_addr=db:zeek.ecat_registers.register_addr;group:zeek_ecat;kind:termfield;friendly:Register Address;help:Register Address +zeek.ecat_registers.data=db:zeek.ecat_registers.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data # ecat_log_address.log # https://github.com/cisagov/ICSNPP -zeek_ecat_log_address.log_addr=db:zeek_ecat_log_address.log_addr;kind:termfield;friendly:Data Address;help:Data Address -zeek_ecat_log_address.length=db:zeek_ecat_log_address.length;kind:integer;friendly:Data Length;help:Data Length -zeek_ecat_log_address.command=db:zeek_ecat_log_address.command;kind:termfield;friendly:Command;help:Command -zeek_ecat_log_address.data=db:zeek_ecat_log_address.data;kind:termfield;friendly:Data;help:Data +zeek.ecat_log_address.log_addr=db:zeek.ecat_log_address.log_addr;group:zeek_ecat;kind:termfield;friendly:Data Address;help:Data Address +zeek.ecat_log_address.length=db:zeek.ecat_log_address.length;group:zeek_ecat;kind:integer;friendly:Data Length;help:Data Length +zeek.ecat_log_address.command=db:zeek.ecat_log_address.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command +zeek.ecat_log_address.data=db:zeek.ecat_log_address.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data # ecat_dev_info.log # https://github.com/cisagov/ICSNPP -zeek_ecat_dev_info.server_id=db:zeek_ecat_dev_info.server_id;kind:termfield;friendly:Server Address;help:Server Address 
-zeek_ecat_dev_info.revision=db:zeek_ecat_dev_info.revision;kind:termfield;friendly:Revision;help:Revision -zeek_ecat_dev_info.dev_type=db:zeek_ecat_dev_info.dev_type;kind:termfield;friendly:Device Type;help:Device Type -zeek_ecat_dev_info.build=db:zeek_ecat_dev_info.build;kind:termfield;friendly:Build Version;help:Build Version -zeek_ecat_dev_info.fmmucnt=db:zeek_ecat_dev_info.fmmucnt;kind:termfield;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels -zeek_ecat_dev_info.smcount=db:zeek_ecat_dev_info.smcount;kind:termfield;friendly:Sync Managers;help:Sync Managers -zeek_ecat_dev_info.ports=db:zeek_ecat_dev_info.ports;kind:termfield;friendly:Port Descriptor;help:Port Descriptor -zeek_ecat_dev_info.dpram=db:zeek_ecat_dev_info.dpram;kind:termfield;friendly:RAM Size;help:RAM Size -zeek_ecat_dev_info.features=db:zeek_ecat_dev_info.features;kind:termfield;friendly:Features;help:Features +zeek.ecat_dev_info.server_id=db:zeek.ecat_dev_info.server_id;group:zeek_ecat;kind:termfield;friendly:Server Address;help:Server Address +zeek.ecat_dev_info.revision=db:zeek.ecat_dev_info.revision;group:zeek_ecat;kind:termfield;friendly:Revision;help:Revision +zeek.ecat_dev_info.dev_type=db:zeek.ecat_dev_info.dev_type;group:zeek_ecat;kind:termfield;friendly:Device Type;help:Device Type +zeek.ecat_dev_info.build=db:zeek.ecat_dev_info.build;group:zeek_ecat;kind:termfield;friendly:Build Version;help:Build Version +zeek.ecat_dev_info.fmmucnt=db:zeek.ecat_dev_info.fmmucnt;group:zeek_ecat;kind:termfield;friendly:Fieldbus MMU Channels;help:Fieldbus MMU Channels +zeek.ecat_dev_info.smcount=db:zeek.ecat_dev_info.smcount;group:zeek_ecat;kind:termfield;friendly:Sync Managers;help:Sync Managers +zeek.ecat_dev_info.ports=db:zeek.ecat_dev_info.ports;group:zeek_ecat;kind:termfield;friendly:Port Descriptor;help:Port Descriptor +zeek.ecat_dev_info.dpram=db:zeek.ecat_dev_info.dpram;group:zeek_ecat;kind:termfield;friendly:RAM Size;help:RAM Size 
+zeek.ecat_dev_info.features=db:zeek.ecat_dev_info.features;group:zeek_ecat;kind:termfield;friendly:Features;help:Features # ecat_aoe_info.log # https://github.com/cisagov/ICSNPP -zeek_ecat_aoe_info.resp_port=db:zeek_ecat_aoe_info.resp_port;kind:termfield;friendly:Target Port;help:Target Port -zeek_ecat_aoe_info.orig_port=db:zeek_ecat_aoe_info.orig_port;kind:termfield;friendly:Sender Port;help:Sender Port -zeek_ecat_aoe_info.command=db:zeek_ecat_aoe_info.command;kind:termfield;friendly:Command;help:Command -zeek_ecat_aoe_info.state=db:zeek_ecat_aoe_info.state;kind:termfield;friendly:State Flags;help:State Flags -zeek_ecat_aoe_info.data=db:zeek_ecat_aoe_info.data;kind:termfield;friendly:Data;help:Data +zeek.ecat_aoe_info.resp_port=db:zeek.ecat_aoe_info.resp_port;group:zeek_ecat;kind:termfield;friendly:Target Port;help:Target Port +zeek.ecat_aoe_info.orig_port=db:zeek.ecat_aoe_info.orig_port;group:zeek_ecat;kind:termfield;friendly:Sender Port;help:Sender Port +zeek.ecat_aoe_info.command=db:zeek.ecat_aoe_info.command;group:zeek_ecat;kind:termfield;friendly:Command;help:Command +zeek.ecat_aoe_info.state=db:zeek.ecat_aoe_info.state;group:zeek_ecat;kind:termfield;friendly:State Flags;help:State Flags +zeek.ecat_aoe_info.data=db:zeek.ecat_aoe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data # ecat_coe_info.log # https://github.com/cisagov/ICSNPP -zeek_ecat_coe_info.number=db:zeek_ecat_coe_info.number;kind:termfield;friendly:Message Number;help:Message Number -zeek_ecat_coe_info.type=db:zeek_ecat_coe_info.type;kind:termfield;friendly:Message Type;help:Message Type -zeek_ecat_coe_info.req_resp=db:zeek_ecat_coe_info.req_resp;kind:termfield;friendly:Request or Response;help:Request or Response -zeek_ecat_coe_info.index=db:zeek_ecat_coe_info.index;kind:termfield;friendly:Message Index;help:Message Index -zeek_ecat_coe_info.subindex=db:zeek_ecat_coe_info.subindex;kind:termfield;friendly:Message Subindex;help:Message Subindex 
-zeek_ecat_coe_info.dataoffset=db:zeek_ecat_coe_info.dataoffset;kind:termfield;friendly:Data Offset;help:Data Offset +zeek.ecat_coe_info.number=db:zeek.ecat_coe_info.number;group:zeek_ecat;kind:termfield;friendly:Message Number;help:Message Number +zeek.ecat_coe_info.type=db:zeek.ecat_coe_info.type;group:zeek_ecat;kind:termfield;friendly:Message Type;help:Message Type +zeek.ecat_coe_info.req_resp=db:zeek.ecat_coe_info.req_resp;group:zeek_ecat;kind:termfield;friendly:Request or Response;help:Request or Response +zeek.ecat_coe_info.index=db:zeek.ecat_coe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index +zeek.ecat_coe_info.subindex=db:zeek.ecat_coe_info.subindex;group:zeek_ecat;kind:termfield;friendly:Message Subindex;help:Message Subindex +zeek.ecat_coe_info.dataoffset=db:zeek.ecat_coe_info.dataoffset;group:zeek_ecat;kind:termfield;friendly:Data Offset;help:Data Offset # ecat_foe_info.log # https://github.com/cisagov/ICSNPP -zeek_ecat_foe_info.opcode=db:zeek_ecat_foe_info.opcode;kind:termfield;friendly:Operation;help:Operation -zeek_ecat_foe_info.reserved=db:zeek_ecat_foe_info.reserved;kind:termfield;friendly:Reserver;help:Reserver -zeek_ecat_foe_info.packet_num=db:zeek_ecat_foe_info.packet_num;kind:termfield;friendly:Packet Number;help:Packet Number -zeek_ecat_foe_info.error_code=db:zeek_ecat_foe_info.error_code;kind:termfield;friendly:Error Code;help:Error Code -zeek_ecat_foe_info.filename=db:zeek_ecat_foe_info.filename;kind:termfield;friendly:File Name;help:File Name -zeek_ecat_foe_info.data=db:zeek_ecat_foe_info.data;kind:termfield;friendly:Data;help:Data +zeek.ecat_foe_info.opcode=db:zeek.ecat_foe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation +zeek.ecat_foe_info.reserved=db:zeek.ecat_foe_info.reserved;group:zeek_ecat;kind:termfield;friendly:Reserver;help:Reserver +zeek.ecat_foe_info.packet_num=db:zeek.ecat_foe_info.packet_num;group:zeek_ecat;kind:termfield;friendly:Packet Number;help:Packet Number 
+zeek.ecat_foe_info.error_code=db:zeek.ecat_foe_info.error_code;group:zeek_ecat;kind:termfield;friendly:Error Code;help:Error Code +zeek.ecat_foe_info.filename=db:zeek.ecat_foe_info.filename;group:zeek_ecat;kind:termfield;friendly:File Name;help:File Name +zeek.ecat_foe_info.data=db:zeek.ecat_foe_info.data;group:zeek_ecat;kind:termfield;friendly:Data;help:Data # ecat_soe_info.log # https://github.com/cisagov/ICSNPP -zeek_ecat_soe_info.opcode=db:zeek_ecat_soe_info.opcode;kind:termfield;friendly:Operation;help:Operation -zeek_ecat_soe_info.incomplete=db:zeek_ecat_soe_info.incomplete;kind:termfield;friendly:Incomplete;help:Incomplete -zeek_ecat_soe_info.error=db:zeek_ecat_soe_info.error;kind:termfield;friendly:Error Message;help:Error Message -zeek_ecat_soe_info.drive_num=db:zeek_ecat_soe_info.drive_num;kind:termfield;friendly:Drive Number;help:Drive Number -zeek_ecat_soe_info.element=db:zeek_ecat_soe_info.element;kind:termfield;friendly:Element Flags;help:Element Flags -zeek_ecat_soe_info.index=db:zeek_ecat_soe_info.index;kind:termfield;friendly:Message Index;help:Message Index +zeek.ecat_soe_info.opcode=db:zeek.ecat_soe_info.opcode;group:zeek_ecat;kind:termfield;friendly:Operation;help:Operation +zeek.ecat_soe_info.incomplete=db:zeek.ecat_soe_info.incomplete;group:zeek_ecat;kind:termfield;friendly:Incomplete;help:Incomplete +zeek.ecat_soe_info.error=db:zeek.ecat_soe_info.error;group:zeek_ecat;kind:termfield;friendly:Error Message;help:Error Message +zeek.ecat_soe_info.drive_num=db:zeek.ecat_soe_info.drive_num;group:zeek_ecat;kind:termfield;friendly:Drive Number;help:Drive Number +zeek.ecat_soe_info.element=db:zeek.ecat_soe_info.element;group:zeek_ecat;kind:termfield;friendly:Element Flags;help:Element Flags +zeek.ecat_soe_info.index=db:zeek.ecat_soe_info.index;group:zeek_ecat;kind:termfield;friendly:Message Index;help:Message Index # ecat_arp_info.log # https://github.com/cisagov/ICSNPP 
-zeek_ecat_arp_info.arp_type=db:zeek_ecat_arp_info.arp_type;kind:termfield;friendly:ARP Command;help:ARP Command -zeek_ecat_arp_info.orig_proto_addr=db:zeek_ecat_arp_info.orig_proto_addr;kind:termfield;friendly:Originating host;help:Originating host -zeek_ecat_arp_info.orig_hw_addr=db:zeek_ecat_arp_info.orig_hw_addr;kind:termfield;friendly:Originating MAC;help:Originating MAC -zeek_ecat_arp_info.resp_proto_addr=db:zeek_ecat_arp_info.resp_proto_addr;kind:termfield;friendly:Responding host;help:Responding host -zeek_ecat_arp_info.resp_hw_addr=db:zeek_ecat_arp_info.resp_hw_addr;kind:termfield;friendly:Responding MAC;help:Responding MAC +zeek.ecat_arp_info.arp_type=db:zeek.ecat_arp_info.arp_type;group:zeek_ecat;kind:termfield;friendly:ARP Command;help:ARP Command +zeek.ecat_arp_info.orig_proto_addr=db:zeek.ecat_arp_info.orig_proto_addr;group:zeek_ecat;kind:termfield;friendly:Originating host;help:Originating host +zeek.ecat_arp_info.orig_hw_addr=db:zeek.ecat_arp_info.orig_hw_addr;group:zeek_ecat;kind:termfield;friendly:Originating MAC;help:Originating MAC +zeek.ecat_arp_info.resp_proto_addr=db:zeek.ecat_arp_info.resp_proto_addr;group:zeek_ecat;kind:termfield;friendly:Responding host;help:Responding host +zeek.ecat_arp_info.resp_hw_addr=db:zeek.ecat_arp_info.resp_hw_addr;group:zeek_ecat;kind:termfield;friendly:Responding MAC;help:Responding MAC # files.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info -zeek_files.tx_hosts=db:zeek_files.tx_hosts;kind:termfield;friendly:Transmitter;help:Transmitter -zeek_files.rx_hosts=db:zeek_files.rx_hosts;kind:termfield;friendly:Receiver;help:Receiver -zeek_files.conn_uids=db:zeek_files.conn_uids;kind:termfield;friendly:Connection ID;help:Connection ID -zeek_files.source=db:zeek_files.source;kind:termfield;friendly:Source;help:Source -zeek_files.depth=db:zeek_files.depth;kind:integer;friendly:Source Depth;help:Source Depth 
-zeek_files.analyzers=db:zeek_files.analyzers;kind:termfield;friendly:Analyzer;help:Analyzer -zeek_files.mime_type=db:zeek_files.mime_type;kind:termfield;friendly:File Magic;help:File Magic -zeek_files.filename=db:zeek_files.filename;kind:termfield;friendly:Filename;help:Filename -zeek_files.duration=db:zeek_files.duration;kind:termfield;friendly:Analysis Duration;help:Analysis Duration -zeek_files.local_orig=db:zeek_files.local_orig;kind:termfield;friendly:Local Originator;help:Local Originator -zeek_files.is_orig=db:zeek_files.is_orig;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter -zeek_files.seen_bytes=db:zeek_files.seen_bytes;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed -zeek_files.total_bytes=db:zeek_files.total_bytes;kind:integer;friendly:Total Bytes;help:Total Bytes -zeek_files.missing_bytes=db:zeek_files.missing_bytes;kind:integer;friendly:Missed Bytes;help:Missed Bytes -zeek_files.overflow_bytes=db:zeek_files.overflow_bytes;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes -zeek_files.timedout=db:zeek_files.timedout;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out -zeek_files.parent_fuid=db:zeek_files.parent_fuid;kind:termfield;friendly:Parent File ID;help:Parent File ID -zeek_files.md5=db:zeek_files.md5;kind:termfield;friendly:MD5 Digest;help:MD5 Digest -zeek_files.sha1=db:zeek_files.sha1;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest -zeek_files.sha256=db:zeek_files.sha256;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest -zeek_files.extracted=db:zeek_files.extracted;kind:termfield;friendly:Extracted Filename;help:Extracted Filename -zeek_files.extracted_cutoff=db:zeek_files.extracted_cutoff;kind:termfield;friendly:Truncated;help:Truncated -zeek_files.extracted_size=db:zeek_files.extracted_size;kind:integer;friendly:Extracted Bytes;help:Extracted Bytes +zeek.files.tx_hosts=db:zeek.files.tx_hosts;group:zeek_files;kind:termfield;friendly:Transmitter;help:Transmitter 
+zeek.files.rx_hosts=db:zeek.files.rx_hosts;group:zeek_files;kind:termfield;friendly:Receiver;help:Receiver +zeek.files.conn_uids=db:zeek.files.conn_uids;group:zeek_files;kind:termfield;friendly:Connection ID;help:Connection ID +zeek.files.source=db:zeek.files.source;group:zeek_files;kind:termfield;friendly:Source;help:Source +zeek.files.depth=db:zeek.files.depth;group:zeek_files;kind:integer;friendly:Source Depth;help:Source Depth +zeek.files.analyzers=db:zeek.files.analyzers;group:zeek_files;kind:termfield;friendly:Analyzer;help:Analyzer +zeek.files.mime_type=db:zeek.files.mime_type;group:zeek_files;kind:termfield;friendly:File Magic;help:File Magic +zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;friendly:Filename;help:Filename +zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;friendly:Analysis Duration;help:Analysis Duration +zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;friendly:Local Originator;help:Local Originator +zeek.files.is_orig=db:zeek.files.is_orig;group:zeek_files;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter +zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed +zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;friendly:Total Bytes;help:Total Bytes +zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;friendly:Missed Bytes;help:Missed Bytes +zeek.files.overflow_bytes=db:zeek.files.overflow_bytes;group:zeek_files;kind:integer;friendly:Overflow Bytes;help:Overflow Bytes +zeek.files.timedout=db:zeek.files.timedout;group:zeek_files;kind:termfield;friendly:Analysis Timed Out;help:Analysis Timed Out +zeek.files.parent_fuid=db:zeek.files.parent_fuid;group:zeek_files;kind:termfield;friendly:Parent File ID;help:Parent File ID +zeek.files.md5=db:zeek.files.md5;group:zeek_files;kind:termfield;friendly:MD5 
Digest;help:MD5 Digest +zeek.files.sha1=db:zeek.files.sha1;group:zeek_files;kind:termfield;friendly:SHA1 Digest;help:SHA1 Digest +zeek.files.sha256=db:zeek.files.sha256;group:zeek_files;kind:termfield;friendly:SHA256 Digest;help:SHA256 Digest +zeek.files.extracted=db:zeek.files.extracted;group:zeek_files;kind:termfield;friendly:Extracted Filename;help:Extracted Filename +zeek.files.extracted_cutoff=db:zeek.files.extracted_cutoff;group:zeek_files;kind:termfield;friendly:Truncated;help:Truncated +zeek.files.extracted_size=db:zeek.files.extracted_size;group:zeek_files;kind:integer;friendly:Extracted Bytes;help:Extracted Bytes # ftp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info -zeek_ftp.command=db:zeek_ftp.command;kind:termfield;friendly:Command;help:Command -zeek_ftp.arg=db:zeek_ftp.arg;kind:termfield;friendly:Argument;help:Argument -zeek_ftp.mime_type=db:zeek_ftp.mime_type;kind:termfield;friendly:File Magic;help:File Magic -zeek_ftp.file_size=db:zeek_ftp.file_size;kind:integer;friendly:File Size;help:File Size -zeek_ftp.reply_code=db:zeek_ftp.reply_code;kind:integer;friendly:Reply Code;help:Reply Code -zeek_ftp.reply_msg=db:zeek_ftp.reply_msg;kind:termfield;friendly:Reply;help:Reply -zeek_ftp.data_channel_passive=db:zeek_ftp.data_channel_passive;kind:termfield;friendly:Passive;help:Passive -zeek_ftp.data_channel_orig_h=db:zeek_ftp.data_channel_orig_h;kind:termfield;friendly:Data Originating Host;help:Data Originating Host -zeek_ftp.data_channel_resp_h=db:zeek_ftp.data_channel_resp_h;kind:termfield;friendly:Data Responding Host;help:Data Responding Host -zeek_ftp.data_channel_resp_p=db:zeek_ftp.data_channel_resp_p;kind:integer;friendly:Data Responding Port;help:Data Responding Port +zeek.ftp.command=db:zeek.ftp.command;group:zeek_ftp;kind:termfield;friendly:Command;help:Command +zeek.ftp.arg=db:zeek.ftp.arg;group:zeek_ftp;kind:termfield;friendly:Argument;help:Argument 
+zeek.ftp.mime_type=db:zeek.ftp.mime_type;group:zeek_ftp;kind:termfield;friendly:File Magic;help:File Magic
+zeek.ftp.file_size=db:zeek.ftp.file_size;group:zeek_ftp;kind:integer;friendly:File Size;help:File Size
+zeek.ftp.reply_code=db:zeek.ftp.reply_code;group:zeek_ftp;kind:integer;friendly:Reply Code;help:Reply Code
+zeek.ftp.reply_msg=db:zeek.ftp.reply_msg;group:zeek_ftp;kind:termfield;friendly:Reply;help:Reply
+zeek.ftp.data_channel_passive=db:zeek.ftp.data_channel_passive;group:zeek_ftp;kind:termfield;friendly:Passive;help:Passive
+zeek.ftp.data_channel_orig_h=db:zeek.ftp.data_channel_orig_h;group:zeek_ftp;kind:termfield;friendly:Data Originating Host;help:Data Originating Host
+zeek.ftp.data_channel_resp_h=db:zeek.ftp.data_channel_resp_h;group:zeek_ftp;kind:termfield;friendly:Data Responding Host;help:Data Responding Host
+zeek.ftp.data_channel_resp_p=db:zeek.ftp.data_channel_resp_p;group:zeek_ftp;kind:integer;friendly:Data Responding Port;help:Data Responding Port
 # gquic.log
 # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
-zeek_gquic.version=db:zeek_gquic.version;kind:termfield;friendly:QUIC version;help:gquic version
-zeek_gquic.server_name=db:zeek_gquic.server_name;kind:termfield;friendly:Server Name;help:gquic server_name
-zeek_gquic.user_agent=db:zeek_gquic.user_agent;kind:termfield;friendly:User Agent;help:gquic user_agent
-zeek_gquic.tag_count=db:zeek_gquic.tag_count;kind:integer;friendly:Tag Count;help:gquic tag_count
-zeek_gquic.cyu=db:zeek_gquic.cyu;kind:termfield;friendly:CYU Fingerprint;help:gquic cyu
-zeek_gquic.cyutags=db:zeek_gquic.cyutags;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags
+zeek.gquic.version=db:zeek.gquic.version;group:zeek_gquic;kind:termfield;friendly:QUIC version;help:gquic version
+zeek.gquic.server_name=db:zeek.gquic.server_name;group:zeek_gquic;kind:termfield;friendly:Server Name;help:gquic server_name
+zeek.gquic.user_agent=db:zeek.gquic.user_agent;group:zeek_gquic;kind:termfield;friendly:User Agent;help:gquic user_agent
+zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;friendly:Tag Count;help:gquic tag_count
+zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;friendly:CYU Fingerprint;help:gquic cyu
+zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;friendly:CYU Fingerprint Digest;help:gquic cyutags
 # http.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
-zeek_http.trans_depth=db:zeek_http.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
-zeek_http.method=db:zeek_http.method;kind:termfield;friendly:Request Method;help:Request Method
-zeek_http.host=db:zeek_http.host;kind:termfield;friendly:Host Header;help:Host Header
-zeek_http.uri=db:zeek_http.uri;kind:termfield;friendly:URI;help:URI
-zeek_http.referrer=db:zeek_http.referrer;kind:termfield;friendly:Referrer Header;help:Referrer Header
-zeek_http.version=db:zeek_http.version;kind:termfield;friendly:Version;help:Version
-zeek_http.user_agent=db:zeek_http.user_agent;kind:termfield;friendly:User Agent;help:User Agent
-zeek_http.origin=db:zeek_http.origin;kind:termfield;friendly:Origin Header;help:Origin Header
-zeek_http.request_body_len=db:zeek_http.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length
-zeek_http.response_body_len=db:zeek_http.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length
-zeek_http.status_code=db:zeek_http.status_code;kind:integer;friendly:Status Code;help:Status Code
-zeek_http.status_msg=db:zeek_http.status_msg;kind:termfield;friendly:Status Message;help:Status Message
-zeek_http.info_code=db:zeek_http.info_code;kind:integer;friendly:Informational Code;help:Informational Code
-zeek_http.info_msg=db:zeek_http.info_msg;kind:termfield;friendly:Informational Message;help:Informational Message
-zeek_http.tags=db:zeek_http.tags;kind:termfield;friendly:HTTP Tag;help:HTTP Tag
-zeek_http.proxied=db:zeek_http.proxied;kind:termfield;friendly:Proxy Header;help:Proxy Header
-zeek_http.orig_fuids=db:zeek_http.orig_fuids;kind:termfield;friendly:Originating File ID;help:Originating File ID
-zeek_http.orig_filenames=db:zeek_http.orig_filenames;kind:termfield;friendly:Originating Filename;help:Originating Filename
-zeek_http.orig_mime_types=db:zeek_http.orig_mime_types;kind:termfield;friendly:Originating File Magic;help:Originating File Magic
-zeek_http.resp_fuids=db:zeek_http.resp_fuids;kind:termfield;friendly:Responding File ID;help:Responding File ID
-zeek_http.resp_filenames=db:zeek_http.resp_filenames;kind:termfield;friendly:Responding Filename;help:Responding Filename
-zeek_http.resp_mime_types=db:zeek_http.resp_mime_types;kind:termfield;friendly:Responding File Magic;help:Responding File Magic
-zeek_http.post_username=db:zeek_http.post_username;kind:termfield;friendly:POST User;help:POST User
-zeek_http.post_password_plain=db:zeek_http.post_password_plain;kind:termfield;friendly:POST Password;help:POST Password
+zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth
+zeek.http.method=db:zeek.http.method;group:zeek_http;kind:termfield;friendly:Request Method;help:Request Method
+zeek.http.host=db:zeek.http.host;group:zeek_http;kind:termfield;friendly:Host Header;help:Host Header
+zeek.http.uri=db:zeek.http.uri;group:zeek_http;kind:termfield;friendly:URI;help:URI
+zeek.http.referrer=db:zeek.http.referrer;group:zeek_http;kind:termfield;friendly:Referrer Header;help:Referrer Header
+zeek.http.version=db:zeek.http.version;group:zeek_http;kind:termfield;friendly:Version;help:Version
+zeek.http.user_agent=db:zeek.http.user_agent;group:zeek_http;kind:termfield;friendly:User Agent;help:User Agent
+zeek.http.origin=db:zeek.http.origin;group:zeek_http;kind:termfield;friendly:Origin Header;help:Origin Header
+zeek.http.request_body_len=db:zeek.http.request_body_len;group:zeek_http;kind:integer;friendly:Request Body Length;help:Request Body Length
+zeek.http.response_body_len=db:zeek.http.response_body_len;group:zeek_http;kind:integer;friendly:Response Body Length;help:Response Body Length
+zeek.http.status_code=db:zeek.http.status_code;group:zeek_http;kind:integer;friendly:Status Code;help:Status Code
+zeek.http.status_msg=db:zeek.http.status_msg;group:zeek_http;kind:termfield;friendly:Status Message;help:Status Message
+zeek.http.info_code=db:zeek.http.info_code;group:zeek_http;kind:integer;friendly:Informational Code;help:Informational Code
+zeek.http.info_msg=db:zeek.http.info_msg;group:zeek_http;kind:termfield;friendly:Informational Message;help:Informational Message
+zeek.http.tags=db:zeek.http.tags;group:zeek_http;kind:termfield;friendly:HTTP Tag;help:HTTP Tag
+zeek.http.proxied=db:zeek.http.proxied;group:zeek_http;kind:termfield;friendly:Proxy Header;help:Proxy Header
+zeek.http.orig_fuids=db:zeek.http.orig_fuids;group:zeek_http;kind:termfield;friendly:Originating File ID;help:Originating File ID
+zeek.http.orig_filenames=db:zeek.http.orig_filenames;group:zeek_http;kind:termfield;friendly:Originating Filename;help:Originating Filename
+zeek.http.orig_mime_types=db:zeek.http.orig_mime_types;group:zeek_http;kind:termfield;friendly:Originating File Magic;help:Originating File Magic
+zeek.http.resp_fuids=db:zeek.http.resp_fuids;group:zeek_http;kind:termfield;friendly:Responding File ID;help:Responding File ID
+zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfield;friendly:Responding Filename;help:Responding Filename
+zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;friendly:Responding File Magic;help:Responding File Magic
+zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;friendly:POST User;help:POST User
+zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;friendly:POST Password;help:POST Password
 # intel.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
-zeek_intel.indicator=db:zeek_intel.indicator;kind:termfield;friendly:Indicator;help:Indicator
-zeek_intel.indicator_type=db:zeek_intel.indicator_type;kind:termfield;friendly:Indicator Type;help:Indicator Type
-zeek_intel.seen_where=db:zeek_intel.seen_where;kind:termfield;friendly:Where Discovered;help:Where Discovered
-zeek_intel.seen_node=db:zeek_intel.seen_node;kind:termfield;friendly:Discovered Node;help:Discovered Node
-zeek_intel.matched=db:zeek_intel.matched;kind:termfield;friendly:Match Indicator;help:Match Indicator
-zeek_intel.sources=db:zeek_intel.sources;kind:termfield;friendly:Match Source;help:Match Source
-zeek_intel.file_mime_type=db:zeek_intel.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic
-zeek_intel.file_description=db:zeek_intel.file_description;kind:termfield;friendly:File Description;help:File Description
+zeek.intel.indicator=db:zeek.intel.indicator;group:zeek_intel;kind:termfield;friendly:Indicator;help:Indicator
+zeek.intel.indicator_type=db:zeek.intel.indicator_type;group:zeek_intel;kind:termfield;friendly:Indicator Type;help:Indicator Type
+zeek.intel.seen_where=db:zeek.intel.seen_where;group:zeek_intel;kind:termfield;friendly:Where Discovered;help:Where Discovered
+zeek.intel.seen_node=db:zeek.intel.seen_node;group:zeek_intel;kind:termfield;friendly:Discovered Node;help:Discovered Node
+zeek.intel.matched=db:zeek.intel.matched;group:zeek_intel;kind:termfield;friendly:Match Indicator;help:Match Indicator
+zeek.intel.sources=db:zeek.intel.sources;group:zeek_intel;kind:termfield;friendly:Match Source;help:Match Source
+zeek.intel.file_mime_type=db:zeek.intel.file_mime_type;group:zeek_intel;kind:termfield;friendly:File Magic;help:File Magic
+zeek.intel.file_description=db:zeek.intel.file_description;group:zeek_intel;kind:termfield;friendly:File Description;help:File Description
 # ipsec.log
 # https://github.com/zeek/spicy-analyzers/blob/main/analyzer/protocol/ipsec/main.zeek
-zeek_ipsec.is_orig=db:zeek_ipsec.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
-zeek_ipsec.initiator_spi=db:zeek_ipsec.initiator_spi;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
-zeek_ipsec.responder_spi=db:zeek_ipsec.responder_spi;kind:termfield;friendly:Responder SPI;help:Responder SPI
-zeek_ipsec.maj_ver=db:zeek_ipsec.maj_ver;kind:integer;friendly:Major Version;help:Major Version
-zeek_ipsec.min_ver=db:zeek_ipsec.min_ver;kind:integer;friendly:Minor Version;help:Minor Version
-zeek_ipsec.exchange_type=db:zeek_ipsec.exchange_type;kind:integer;friendly:Exchange Type;help:Exchange Type
-zeek_ipsec.flag_e=db:zeek_ipsec.flag_e;kind:termfield;friendly:Flag E;help:Flag E
-zeek_ipsec.flag_c=db:zeek_ipsec.flag_c;kind:termfield;friendly:Flag C;help:Flac C
-zeek_ipsec.flag_a=db:zeek_ipsec.flag_a;kind:termfield;friendly:Flag A;help:Flag A
-zeek_ipsec.flag_i=db:zeek_ipsec.flag_i;kind:termfield;friendly:Flag I;help:Flag I
-zeek_ipsec.flag_v=db:zeek_ipsec.flag_v;kind:termfield;friendly:Flag V;help:Flag V
-zeek_ipsec.flag_r=db:zeek_ipsec.flag_r;kind:termfield;friendly:Flag R;help:Flag R
-zeek_ipsec.flags=db:zeek_ipsec.flags;kind:termfield;friendly:Flags;help:Flags
-zeek_ipsec.message_id=db:zeek_ipsec.message_id;kind:termfield;friendly:Message ID;help:Message ID
-zeek_ipsec.vendor_ids=db:zeek_ipsec.vendor_ids;kind:termfield;friendly:Vendor ID;help:Vendor ID
-zeek_ipsec.notify_messages=db:zeek_ipsec.notify_messages;kind:termfield;friendly:Notify Message Type;help:Notify Message Type
-zeek_ipsec.transforms=db:zeek_ipsec.transforms;kind:termfield;friendly:Transform;help:Transform
-zeek_ipsec.ke_dh_groups=db:zeek_ipsec.ke_dh_groups;kind:integer;friendly:KE DH Group;help:KE DH Group
-zeek_ipsec.proposals=db:zeek_ipsec.proposals;kind:integer;friendly:Proposal;help:Proposal
-zeek_ipsec.certificates=db:zeek_ipsec.certificates;kind:termfield;friendly:Certificate Hash;help:Certificate Hash
-zeek_ipsec.transform_attributes=db:zeek_ipsec.transform_attributes;kind:termfield;friendly:Transform Attribute;help:Transform Attribute
-zeek_ipsec.length=db:zeek_ipsec.length;kind:integer;friendly:Message Length;help:Message Length
-zeek_ipsec.hash=db:zeek_ipsec.hash;kind:termfield;friendly:Transaction Hash;help:Transaction Hash
+zeek.ipsec.is_orig=db:zeek.ipsec.is_orig;group:zeek_ipsec;kind:termfield;friendly:Is Originator;help:Is Originator
+zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
+zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;friendly:Responder SPI;help:Responder SPI
+zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;friendly:Major Version;help:Major Version
+zeek.ipsec.min_ver=db:zeek.ipsec.min_ver;group:zeek_ipsec;kind:integer;friendly:Minor Version;help:Minor Version
+zeek.ipsec.exchange_type=db:zeek.ipsec.exchange_type;group:zeek_ipsec;kind:integer;friendly:Exchange Type;help:Exchange Type
+zeek.ipsec.flag_e=db:zeek.ipsec.flag_e;group:zeek_ipsec;kind:termfield;friendly:Flag E;help:Flag E
+zeek.ipsec.flag_c=db:zeek.ipsec.flag_c;group:zeek_ipsec;kind:termfield;friendly:Flag C;help:Flac C
+zeek.ipsec.flag_a=db:zeek.ipsec.flag_a;group:zeek_ipsec;kind:termfield;friendly:Flag A;help:Flag A
+zeek.ipsec.flag_i=db:zeek.ipsec.flag_i;group:zeek_ipsec;kind:termfield;friendly:Flag I;help:Flag I
+zeek.ipsec.flag_v=db:zeek.ipsec.flag_v;group:zeek_ipsec;kind:termfield;friendly:Flag V;help:Flag V
+zeek.ipsec.flag_r=db:zeek.ipsec.flag_r;group:zeek_ipsec;kind:termfield;friendly:Flag R;help:Flag R
+zeek.ipsec.flags=db:zeek.ipsec.flags;group:zeek_ipsec;kind:termfield;friendly:Flags;help:Flags
+zeek.ipsec.message_id=db:zeek.ipsec.message_id;group:zeek_ipsec;kind:termfield;friendly:Message ID;help:Message ID
+zeek.ipsec.vendor_ids=db:zeek.ipsec.vendor_ids;group:zeek_ipsec;kind:termfield;friendly:Vendor ID;help:Vendor ID
+zeek.ipsec.notify_messages=db:zeek.ipsec.notify_messages;group:zeek_ipsec;kind:termfield;friendly:Notify Message Type;help:Notify Message Type
+zeek.ipsec.transforms=db:zeek.ipsec.transforms;group:zeek_ipsec;kind:termfield;friendly:Transform;help:Transform
+zeek.ipsec.ke_dh_groups=db:zeek.ipsec.ke_dh_groups;group:zeek_ipsec;kind:integer;friendly:KE DH Group;help:KE DH Group
+zeek.ipsec.proposals=db:zeek.ipsec.proposals;group:zeek_ipsec;kind:integer;friendly:Proposal;help:Proposal
+zeek.ipsec.certificates=db:zeek.ipsec.certificates;group:zeek_ipsec;kind:termfield;friendly:Certificate Hash;help:Certificate Hash
+zeek.ipsec.transform_attributes=db:zeek.ipsec.transform_attributes;group:zeek_ipsec;kind:termfield;friendly:Transform Attribute;help:Transform Attribute
+zeek.ipsec.length=db:zeek.ipsec.length;group:zeek_ipsec;kind:integer;friendly:Message Length;help:Message Length
+zeek.ipsec.hash=db:zeek.ipsec.hash;group:zeek_ipsec;kind:termfield;friendly:Transaction Hash;help:Transaction Hash
 # irc.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
-zeek_irc.nick=db:zeek_irc.nick;kind:termfield;friendly:Nickname;help:Nickname
-zeek_irc.command=db:zeek_irc.command;kind:termfield;friendly:Command;help:Command
-zeek_irc.value=db:zeek_irc.value;kind:termfield;friendly:Value;help:Value
-zeek_irc.addl=db:zeek_irc.addl;kind:termfield;friendly:Additional Data;help:Additional Data
-zeek_irc.dcc_file_name=db:zeek_irc.dcc_file_name;kind:termfield;friendly:DCC Filename;help:DCC Filename
-zeek_irc.dcc_file_size=db:zeek_irc.dcc_file_size;kind:integer;friendly:DCC File Size;help:DCC File Size
-zeek_irc.dcc_mime_type=db:zeek_irc.dcc_mime_type;kind:termfield;friendly:DCC File Magic;help:DCC File Magic
+zeek.irc.nick=db:zeek.irc.nick;group:zeek_irc;kind:termfield;friendly:Nickname;help:Nickname
+zeek.irc.command=db:zeek.irc.command;group:zeek_irc;kind:termfield;friendly:Command;help:Command
+zeek.irc.value=db:zeek.irc.value;group:zeek_irc;kind:termfield;friendly:Value;help:Value
+zeek.irc.addl=db:zeek.irc.addl;group:zeek_irc;kind:termfield;friendly:Additional Data;help:Additional Data
+zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;friendly:DCC Filename;help:DCC Filename
+zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;friendly:DCC File Size;help:DCC File Size
+zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;friendly:DCC File Magic;help:DCC File Magic
 # iso_cotp.log
 # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek
-zeek_iso_cotp.pdu_type=db:zeek_iso_cotp.pdu_type;kind:termfield;friendly:PDU Type;help:PDU Type
+zeek.iso_cotp.pdu_type=db:zeek.iso_cotp.pdu_type;group:zeek_iso_cotp;kind:termfield;friendly:PDU Type;help:PDU Type
 # kerberos.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
-zeek_kerberos.cname=db:zeek_kerberos.cname;kind:termfield;friendly:Client;help:Client
-zeek_kerberos.sname=db:zeek_kerberos.sname;kind:termfield;friendly:Service;help:Service
-zeek_kerberos.success=db:zeek_kerberos.success;kind:termfield;friendly:Success;help:Success
-zeek_kerberos.error_msg=db:zeek_kerberos.error_msg;kind:termfield;friendly:Error Message;help:Error Message
-zeek_kerberos.from=db:zeek_kerberos.from;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From
-zeek_kerberos.till=db:zeek_kerberos.till;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till
-zeek_kerberos.cipher=db:zeek_kerberos.cipher;kind:termfield;friendly:Encryption Type;help:Encryption Type
-zeek_kerberos.forwardable=db:zeek_kerberos.forwardable;kind:termfield;friendly:Forwardable;help:Forwardable
-zeek_kerberos.renewable=db:zeek_kerberos.renewable;kind:termfield;friendly:Renewable;help:Renewable
-zeek_kerberos.request_type=db:zeek_kerberos.request_type;kind:termfield;friendly:Request Type;help:Request Type
-zeek_kerberos.client_cert_subject=db:zeek_kerberos.client_cert_subject;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject
-zeek_kerberos.client_cert_fuid=db:zeek_kerberos.client_cert_fuid;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
-zeek_kerberos.server_cert_subject=db:zeek_kerberos.server_cert_subject;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject
-zeek_kerberos.server_cert_fuid=db:zeek_kerberos.server_cert_fuid;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID
+zeek.kerberos.cname=db:zeek.kerberos.cname;group:zeek_kerberos;kind:termfield;friendly:Client;help:Client
+zeek.kerberos.sname=db:zeek.kerberos.sname;group:zeek_kerberos;kind:termfield;friendly:Service;help:Service
+zeek.kerberos.success=db:zeek.kerberos.success;group:zeek_kerberos;kind:termfield;friendly:Success;help:Success
+zeek.kerberos.error_msg=db:zeek.kerberos.error_msg;group:zeek_kerberos;kind:termfield;friendly:Error Message;help:Error Message
+zeek.kerberos.from=db:zeek.kerberos.from;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid From;help:Ticket Valid From
+zeek.kerberos.till=db:zeek.kerberos.till;group:zeek_kerberos;kind:termfield;friendly:Ticket Valid Till;help:Ticket Valid Till
+zeek.kerberos.cipher=db:zeek.kerberos.cipher;group:zeek_kerberos;kind:termfield;friendly:Encryption Type;help:Encryption Type
+zeek.kerberos.forwardable=db:zeek.kerberos.forwardable;group:zeek_kerberos;kind:termfield;friendly:Forwardable;help:Forwardable
+zeek.kerberos.renewable=db:zeek.kerberos.renewable;group:zeek_kerberos;kind:termfield;friendly:Renewable;help:Renewable
+zeek.kerberos.request_type=db:zeek.kerberos.request_type;group:zeek_kerberos;kind:termfield;friendly:Request Type;help:Request Type
+zeek.kerberos.client_cert_subject=db:zeek.kerberos.client_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Client Certificate Subject;help:Client Certificate Subject
+zeek.kerberos.client_cert_fuid=db:zeek.kerberos.client_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
+zeek.kerberos.server_cert_subject=db:zeek.kerberos.server_cert_subject;group:zeek_kerberos;kind:termfield;friendly:Server Certificate Subject;help:Server Certificate Subject
+zeek.kerberos.server_cert_fuid=db:zeek.kerberos.server_cert_fuid;group:zeek_kerberos;kind:termfield;friendly:Server Certificate File ID;help:Server Certificate File ID
 # known_certs.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
-zeek_known_certs.subject=db:zeek_known_certs.subject;kind:termfield;friendly:Certificate Subject;help:Certificate Subject
-zeek_known_certs.issuer_subject=db:zeek_known_certs.issuer_subject;kind:termfield;friendly:Issuer Subject;help:Issuer Subject
-zeek_known_certs.serial=db:zeek_known_certs.serial;kind:termfield;friendly:Serial Number;help:Serial Number
+zeek.known_certs.subject=db:zeek.known_certs.subject;group:zeek_x509;kind:termfield;friendly:Certificate Subject;help:Certificate Subject
+zeek.known_certs.issuer_subject=db:zeek.known_certs.issuer_subject;group:zeek_x509;kind:termfield;friendly:Issuer Subject;help:Issuer Subject
+zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number
 # known_modbus.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
-zeek_known_modbus.device_type=db:zeek_known_modbus.device_type;kind:termfield;friendly:Role;help:Role
+zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;friendly:Role;help:Role
 # ldap.log
 # https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
-zeek_ldap.message_id=db:zeek_ldap.message_id;kind:termfield;friendly:Message ID;help:Message ID
-zeek_ldap.version=db:zeek_ldap.version;kind:integer;friendly:LDAP Version;help:LDAP Version
-zeek_ldap.operation=db:zeek_ldap.operation;kind:termfield;friendly:Operation;help:Operation
-zeek_ldap.result_code=db:zeek_ldap.result_code;kind:termfield;friendly:Result Code;help:Result Code
-zeek_ldap.result_message=db:zeek_ldap.result_message;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
-zeek_ldap.object=db:zeek_ldap.object;kind:termfield;friendly:Object;help:Object
-zeek_ldap.argument=db:zeek_ldap.argument;kind:termfield;friendly:Arguments;help:Arguments
+zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
+zeek.ldap.version=db:zeek.ldap.version;group:zeek_ldap;kind:integer;friendly:LDAP Version;help:LDAP Version
+zeek.ldap.operation=db:zeek.ldap.operation;group:zeek_ldap;kind:termfield;friendly:Operation;help:Operation
+zeek.ldap.result_code=db:zeek.ldap.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
+zeek.ldap.result_message=db:zeek.ldap.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap.object=db:zeek.ldap.object;group:zeek_ldap;kind:termfield;friendly:Object;help:Object
+zeek.ldap.argument=db:zeek.ldap.argument;group:zeek_ldap;kind:termfield;friendly:Arguments;help:Arguments
 # ldap_search.log
 # https://github.com/mmguero-dev/spicy-analyzers/blob/main/analyzer/protocol/ldap/ldap.zeek
-zeek_ldap_search.message_id=db:zeek_ldap_search.message_id;kind:termfield;friendly:Message ID;help:Message ID
-zeek_ldap_search.scope=db:zeek_ldap_search.scope;kind:termfield;friendly:Scope;help:Scope
-zeek_ldap_search.deref=db:zeek_ldap_search.deref;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
-zeek_ldap_search.base_object=db:zeek_ldap_search.base_object;kind:termfield;friendly:Base Object;help:Base Object
-zeek_ldap_search.result_count=db:zeek_ldap_search.result_count;kind:integer;friendly:Result Count;help:Result Count
-zeek_ldap_search.result_code=db:zeek_ldap_search.result_code;kind:termfield;friendly:Result Code;help:Result Code
-zeek_ldap_search.result_message=db:zeek_ldap_search.result_message;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap_search.attributes=db:zeek.ldap_search.attributes;group:zeek_ldap;kind:termfield;friendly:Attributes;help:Attributes
+zeek.ldap_search.base_object=db:zeek.ldap_search.base_object;group:zeek_ldap;kind:termfield;friendly:Base Object;help:Base Object
+zeek.ldap_search.deref=db:zeek.ldap_search.deref;group:zeek_ldap;kind:termfield;friendly:Dereference Alias;help:Dereference Alias
+zeek.ldap_search.filter=db:zeek.ldap_search.filter;group:zeek_ldap;kind:termfield;friendly:Filter;help:Filter
+zeek.ldap_search.message_id=db:zeek.ldap_search.message_id;group:zeek_ldap;kind:termfield;friendly:Message ID;help:Message ID
+zeek.ldap_search.result_code=db:zeek.ldap_search.result_code;group:zeek_ldap;kind:termfield;friendly:Result Code;help:Result Code
+zeek.ldap_search.result_count=db:zeek.ldap_search.result_count;group:zeek_ldap;kind:integer;friendly:Result Count;help:Result Count
+zeek.ldap_search.result_message=db:zeek.ldap_search.result_message;group:zeek_ldap;kind:termfield;friendly:Diagnostic Message;help:Diagnostic Message
+zeek.ldap_search.scope=db:zeek.ldap_search.scope;group:zeek_ldap;kind:termfield;friendly:Scope;help:Scope
 # login.log - custom login.log module (rudimentary, login/rlogin/rsh analyzers are old and not the greatest)
-zeek_login.success=db:zeek_login.success;kind:termfield;friendly:Successful Login;help:Successful Login
-zeek_login.confused=db:zeek_login.confused;kind:termfield;friendly:Analyzer Confused;help:Analyzer Confused
-zeek_login.client_user=db:zeek_login.client_user;kind:termfield;friendly:Client User;help:Client User
+zeek.login.success=db:zeek.login.success;group:zeek_login;kind:termfield;friendly:Successful Login;help:Successful Login
+zeek.login.confused=db:zeek.login.confused;group:zeek_login;kind:termfield;friendly:Analyzer Confused;help:Analyzer Confused
+zeek.login.client_user=db:zeek.login.client_user;group:zeek_login;kind:termfield;friendly:Client User;help:Client User
 # modbus.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
-zeek_modbus.func=db:zeek_modbus.func;kind:termfield;friendly:Function;help:Function
-zeek_modbus.exception=db:zeek_modbus.exception;kind:termfield;friendly:Exception;help:Exception
+zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;friendly:Function;help:Function
+zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;friendly:Exception;help:Exception
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
-zeek_modbus_detailed.unit_id=db:zeek_modbus_detailed.unit_id;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
-zeek_modbus_detailed.func=db:zeek_modbus_detailed.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
-zeek_modbus_detailed.network_direction=db:zeek_modbus_detailed.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
-zeek_modbus_detailed.address=db:zeek_modbus_detailed.address;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
-zeek_modbus_detailed.quantity=db:zeek_modbus_detailed.quantity;kind:integer;friendly:Number of Values;help:Number of Values
-zeek_modbus_detailed.values=db:zeek_modbus_detailed.values;kind:termfield;friendly:Values;help:Values
+zeek.modbus_detailed.unit_id=db:zeek.modbus_detailed.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
+zeek.modbus_detailed.func=db:zeek.modbus_detailed.func;group:zeek_modbus;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
+zeek.modbus_detailed.network_direction=db:zeek.modbus_detailed.network_direction;group:zeek_modbus;kind:termfield;friendly:Request or Response;help:Request or Response
+zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
+zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;friendly:Number of Values;help:Number of Values
+zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;friendly:Values;help:Values
 # modbus_mask_write_register.log
 # https://github.com/cisagov/ICSNPP
-zeek_modbus_mask_write_register.unit_id=db:zeek_modbus_mask_write_register.unit_id;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
-zeek_modbus_mask_write_register.func=db:zeek_modbus_mask_write_register.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
-zeek_modbus_mask_write_register.network_direction=db:zeek_modbus_mask_write_register.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
-zeek_modbus_mask_write_register.address=db:zeek_modbus_mask_write_register.address;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
-zeek_modbus_mask_write_register.and_mask=db:zeek_modbus_mask_write_register.and_mask;kind:integer;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
-zeek_modbus_mask_write_register.or_mask=db:zeek_modbus_mask_write_register.or_mask;kind:integer;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
+zeek.modbus_mask_write_register.unit_id=db:zeek.modbus_mask_write_register.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
+zeek.modbus_mask_write_register.func=db:zeek.modbus_mask_write_register.func;group:zeek_modbus;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
+zeek.modbus_mask_write_register.network_direction=db:zeek.modbus_mask_write_register.network_direction;group:zeek_modbus;kind:termfield;friendly:Request or Response;help:Request or Response
+zeek.modbus_mask_write_register.address=db:zeek.modbus_mask_write_register.address;group:zeek_modbus;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
+zeek.modbus_mask_write_register.and_mask=db:zeek.modbus_mask_write_register.and_mask;group:zeek_modbus;kind:integer;friendly:Boolean AND mask to apply to target register;help:Boolean AND mask to apply to target register
+zeek.modbus_mask_write_register.or_mask=db:zeek.modbus_mask_write_register.or_mask;group:zeek_modbus;kind:integer;friendly:Boolean OR mask to apply to target register;help:Boolean OR mask to apply to target register
 # modbus_read_write_multiple_registers.log
 # https://github.com/cisagov/ICSNPP
-zeek_modbus_read_write_multiple_registers.unit_id=db:zeek_modbus_read_write_multiple_registers.unit_id;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
-zeek_modbus_read_write_multiple_registers.func=db:zeek_modbus_read_write_multiple_registers.func;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
-zeek_modbus_read_write_multiple_registers.network_direction=db:zeek_modbus_read_write_multiple_registers.network_direction;kind:termfield;friendly:Request or Response;help:Request or Response
-zeek_modbus_read_write_multiple_registers.write_start_address=db:zeek_modbus_read_write_multiple_registers.write_start_address;kind:integer;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to
-zeek_modbus_read_write_multiple_registers.write_registers=db:zeek_modbus_read_write_multiple_registers.write_registers;kind:termfield;friendly:Register values written;help:Register values written
-zeek_modbus_read_write_multiple_registers.read_start_address=db:zeek_modbus_read_write_multiple_registers.read_start_address;kind:integer;friendly:Starting address of the registers to read;help:Starting address of the registers to read
-zeek_modbus_read_write_multiple_registers.read_quantity=db:zeek_modbus_read_write_multiple_registers.read_quantity;kind:integer;friendly:Number of registers to read;help:Number of registers to read
-zeek_modbus_read_write_multiple_registers.read_registers=db:zeek_modbus_read_write_multiple_registers.read_registers;kind:termfield;friendly:Register values read;help:Register values read
-
-# modbus_register_change.log
-# https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/track-memmap.zeek.html#type-Modbus::MemmapInfo
-zeek_modbus_register_change.register=db:zeek_modbus_register_change.register;kind:integer;friendly:Register;help:Register
-zeek_modbus_register_change.old_val=db:zeek_modbus_register_change.old_val;kind:integer;friendly:Old Value;help:Old Value
-zeek_modbus_register_change.new_val=db:zeek_modbus_register_change.new_val;kind:integer;friendly:New Value;help:New Value
-zeek_modbus_register_change.delta=db:zeek_modbus_register_change.delta;kind:termfield;friendly:Change Interval;help:Change Interval
+zeek.modbus_read_write_multiple_registers.unit_id=db:zeek.modbus_read_write_multiple_registers.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
+zeek.modbus_read_write_multiple_registers.func=db:zeek.modbus_read_write_multiple_registers.func;group:zeek_modbus;kind:termfield;friendly:Modbus Function Code;help:Modbus Function Code
+zeek.modbus_read_write_multiple_registers.network_direction=db:zeek.modbus_read_write_multiple_registers.network_direction;group:zeek_modbus;kind:termfield;friendly:Request or Response;help:Request or Response +zeek.modbus_read_write_multiple_registers.write_start_address=db:zeek.modbus_read_write_multiple_registers.write_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to write to;help:Starting address of the registers to write to +zeek.modbus_read_write_multiple_registers.write_registers=db:zeek.modbus_read_write_multiple_registers.write_registers;group:zeek_modbus;kind:termfield;friendly:Register values written;help:Register values written +zeek.modbus_read_write_multiple_registers.read_start_address=db:zeek.modbus_read_write_multiple_registers.read_start_address;group:zeek_modbus;kind:integer;friendly:Starting address of the registers to read;help:Starting address of the registers to read +zeek.modbus_read_write_multiple_registers.read_quantity=db:zeek.modbus_read_write_multiple_registers.read_quantity;group:zeek_modbus;kind:integer;friendly:Number of registers to read;help:Number of registers to read +zeek.modbus_read_write_multiple_registers.read_registers=db:zeek.modbus_read_write_multiple_registers.read_registers;group:zeek_modbus;kind:termfield;friendly:Register values read;help:Register values read # mqtt_connect.log # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo -zeek_mqtt_connect.proto_name=db:zeek_mqtt_connect.proto_name;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol -zeek_mqtt_connect.proto_version=db:zeek_mqtt_connect.proto_version;kind:termfield;friendly:Protocol Version;help:Protocol Version -zeek_mqtt_connect.client_id=db:zeek_mqtt_connect.client_id;kind:termfield;friendly:Client ID;help:Client ID -zeek_mqtt_connect.connect_status=db:zeek_mqtt_connect.connect_status;kind:termfield;friendly:Connect Status;help:Connect Status 
-zeek_mqtt_connect.will_topic=db:zeek_mqtt_connect.will_topic;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic -zeek_mqtt_connect.will_payload=db:zeek_mqtt_connect.will_payload;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload +zeek.mqtt_connect.proto_name=db:zeek.mqtt_connect.proto_name;group:zeek_mqtt;kind:termfield;friendly:MQTT Protocol;help:MQTT Protocol +zeek.mqtt_connect.proto_version=db:zeek.mqtt_connect.proto_version;group:zeek_mqtt;kind:termfield;friendly:Protocol Version;help:Protocol Version +zeek.mqtt_connect.client_id=db:zeek.mqtt_connect.client_id;group:zeek_mqtt;kind:termfield;friendly:Client ID;help:Client ID +zeek.mqtt_connect.connect_status=db:zeek.mqtt_connect.connect_status;group:zeek_mqtt;kind:termfield;friendly:Connect Status;help:Connect Status +zeek.mqtt_connect.will_topic=db:zeek.mqtt_connect.will_topic;group:zeek_mqtt;kind:termfield;friendly:LWT Topic;help:Last Will and Testament Topic +zeek.mqtt_connect.will_payload=db:zeek.mqtt_connect.will_payload;group:zeek_mqtt;kind:termfield;friendly:LWT Payload;help:Last Will and Testament Payload # mqtt_publish.log # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo -zeek_mqtt_publish.from_client=db:zeek_mqtt_publish.from_client;kind:termfield;friendly:From Client;help:From Client -zeek_mqtt_publish.retain=db:zeek_mqtt_publish.retain;kind:termfield;friendly:Retain Flag;help:Retain Flag -zeek_mqtt_publish.qos=db:zeek_mqtt_publish.qos;kind:termfield;friendly:QoS Level;help:QoS Level -zeek_mqtt_publish.status=db:zeek_mqtt_publish.status;kind:termfield;friendly:Message Status;help:Message Status -zeek_mqtt_publish.topic=db:zeek_mqtt_publish.topic;kind:termfield;friendly:Topic;help:Topic -zeek_mqtt_publish.payload=db:zeek_mqtt_publish.payload;kind:termfield;friendly:Payload;help:Payload -zeek_mqtt_publish.payload_len=db:zeek_mqtt_publish.payload_len;kind:integer;friendly:Payload Length;help:Payload Length 
+zeek.mqtt_publish.from_client=db:zeek.mqtt_publish.from_client;group:zeek_mqtt;kind:termfield;friendly:From Client;help:From Client +zeek.mqtt_publish.retain=db:zeek.mqtt_publish.retain;group:zeek_mqtt;kind:termfield;friendly:Retain Flag;help:Retain Flag +zeek.mqtt_publish.qos=db:zeek.mqtt_publish.qos;group:zeek_mqtt;kind:termfield;friendly:QoS Level;help:QoS Level +zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfield;friendly:Message Status;help:Message Status +zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic +zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;friendly:Payload;help:Payload +zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;friendly:Payload Length;help:Payload Length # mqtt_subscribe.log # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo -zeek_mqtt_subscribe.action=db:zeek_mqtt_subscribe.action;kind:termfield;friendly:Action;help:Action -zeek_mqtt_subscribe.topics=db:zeek_mqtt_subscribe.topics;kind:termfield;friendly:Topic;help:Topic -zeek_mqtt_subscribe.qos_levels=db:zeek_mqtt_subscribe.qos_levels;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested -zeek_mqtt_subscribe.granted_qos_level=db:zeek_mqtt_subscribe.granted_qos_level;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted -zeek_mqtt_subscribe.ack=db:zeek_mqtt_subscribe.ack;kind:termfield;friendly:ACKed;help:ACKed +zeek.mqtt_subscribe.action=db:zeek.mqtt_subscribe.action;group:zeek_mqtt;kind:termfield;friendly:Action;help:Action +zeek.mqtt_subscribe.topics=db:zeek.mqtt_subscribe.topics;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic +zeek.mqtt_subscribe.qos_levels=db:zeek.mqtt_subscribe.qos_levels;group:zeek_mqtt;kind:integer;friendly:QoS Level Requested;help:QoS Level Requested 
+zeek.mqtt_subscribe.granted_qos_level=db:zeek.mqtt_subscribe.granted_qos_level;group:zeek_mqtt;kind:integer;friendly:QoS Level Granted;help:QoS Level Granted +zeek.mqtt_subscribe.ack=db:zeek.mqtt_subscribe.ack;group:zeek_mqtt;kind:termfield;friendly:ACKed;help:ACKed # mysql.log # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info -zeek_mysql.cmd=db:zeek_mysql.cmd;kind:termfield;friendly:Command;help:Command -zeek_mysql.arg=db:zeek_mysql.arg;kind:termfield;friendly:Argument;help:Argument -zeek_mysql.success=db:zeek_mysql.success;kind:termfield;friendly:Success;help:Success -zeek_mysql.rows=db:zeek_mysql.rows;kind:integer;friendly:Rows Affected;help:Rows Affected -zeek_mysql.response=db:zeek_mysql.response;kind:termfield;friendly:Response;help:Response +zeek.mysql.cmd=db:zeek.mysql.cmd;group:zeek_mysql;kind:termfield;friendly:Command;help:Command +zeek.mysql.arg=db:zeek.mysql.arg;group:zeek_mysql;kind:termfield;friendly:Argument;help:Argument +zeek.mysql.success=db:zeek.mysql.success;group:zeek_mysql;kind:termfield;friendly:Success;help:Success +zeek.mysql.rows=db:zeek.mysql.rows;group:zeek_mysql;kind:integer;friendly:Rows Affected;help:Rows Affected +zeek.mysql.response=db:zeek.mysql.response;group:zeek_mysql;kind:termfield;friendly:Response;help:Response # notice.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info -zeek_notice.file_mime_type=db:zeek_notice.file_mime_type;kind:termfield;friendly:File Magic;help:File Magic -zeek_notice.file_desc=db:zeek_notice.file_desc;kind:termfield;friendly:File Description;help:File Description -zeek_notice.note=db:zeek_notice.note;kind:termfield;friendly:Notice Type;help:Notice Type -zeek_notice.category=db:zeek_notice.category;kind:termfield;friendly:Category;help:Category -zeek_notice.sub_category=db:zeek_notice.sub_category;kind:termfield;friendly:Subcategory;help:Subcategory 
-zeek_notice.msg=db:zeek_notice.msg;kind:termfield;friendly:Message;help:Message -zeek_notice.sub=db:zeek_notice.sub;kind:termfield;friendly:Submessage;help:Submessage -zeek_notice.src=db:zeek_notice.src;kind:termfield;friendly:Notice Source;help:Notice Source -zeek_notice.dst=db:zeek_notice.dst;kind:termfield;friendly:Notice Destination;help:Notice Destination -zeek_notice.p=db:zeek_notice.p;kind:integer;friendly:Notice Port;help:Notice Port -zeek_notice.n=db:zeek_notice.n;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code -zeek_notice.peer_descr=db:zeek_notice.peer_descr;kind:termfield;friendly:Remote Peer;help:Remote Peer -zeek_notice.actions=db:zeek_notice.actions;kind:termfield;friendly:Action;help:Action -zeek_notice.suppress_for=db:zeek_notice.suppress_for;kind:termfield;friendly:Suppress Interval;help:Suppress Interval -zeek_notice.dropped=db:zeek_notice.dropped;kind:termfield;friendly:Dropped;help:Dropped -zeek_notice.remote_location_country_code=db:zeek_notice.remote_location_country_code;kind:termfield;friendly:Notice Country Code;help:Notice Country Code -zeek_notice.remote_location_region=db:zeek_notice.remote_location_region;kind:termfield;friendly:Notice Region;help:Notice Region -zeek_notice.remote_location_city=db:zeek_notice.remote_location_city;kind:termfield;friendly:Notice City;help:Notice City -zeek_notice.remote_location_latitude=db:zeek_notice.remote_location_latitude;kind:termfield;friendly:Notice Latitude;help:Notice Latitude -zeek_notice.remote_location_longitude=db:zeek_notice.remote_location_longitude;kind:termfield;friendly:Notice Longitude;help:Notice Longitude +zeek.notice.file_mime_type=db:zeek.notice.file_mime_type;group:zeek_notice;kind:termfield;friendly:File Magic;help:File Magic +zeek.notice.file_desc=db:zeek.notice.file_desc;group:zeek_notice;kind:termfield;friendly:File Description;help:File Description +zeek.notice.note=db:zeek.notice.note;group:zeek_notice;kind:termfield;friendly:Notice Type;help:Notice 
Type +zeek.notice.category=db:zeek.notice.category;group:zeek_notice;kind:termfield;friendly:Category;help:Category +zeek.notice.sub_category=db:zeek.notice.sub_category;group:zeek_notice;kind:termfield;friendly:Subcategory;help:Subcategory +zeek.notice.msg=db:zeek.notice.msg;group:zeek_notice;kind:termfield;friendly:Message;help:Message +zeek.notice.sub=db:zeek.notice.sub;group:zeek_notice;kind:termfield;friendly:Submessage;help:Submessage +zeek.notice.src=db:zeek.notice.src;group:zeek_notice;kind:termfield;friendly:Notice Source;help:Notice Source +zeek.notice.dst=db:zeek.notice.dst;group:zeek_notice;kind:termfield;friendly:Notice Destination;help:Notice Destination +zeek.notice.p=db:zeek.notice.p;group:zeek_notice;kind:integer;friendly:Notice Port;help:Notice Port +zeek.notice.n=db:zeek.notice.n;group:zeek_notice;kind:integer;friendly:Notice Count or Code;help:Notice Count or Code +zeek.notice.peer_descr=db:zeek.notice.peer_descr;group:zeek_notice;kind:termfield;friendly:Remote Peer;help:Remote Peer +zeek.notice.actions=db:zeek.notice.actions;group:zeek_notice;kind:termfield;friendly:Action;help:Action +zeek.notice.suppress_for=db:zeek.notice.suppress_for;group:zeek_notice;kind:termfield;friendly:Suppress Interval;help:Suppress Interval +zeek.notice.dropped=db:zeek.notice.dropped;group:zeek_notice;kind:termfield;friendly:Dropped;help:Dropped +zeek.notice.remote_location_country_code=db:zeek.notice.remote_location_country_code;group:zeek_notice;kind:termfield;friendly:Notice Country Code;help:Notice Country Code +zeek.notice.remote_location_region=db:zeek.notice.remote_location_region;group:zeek_notice;kind:termfield;friendly:Notice Region;help:Notice Region +zeek.notice.remote_location_city=db:zeek.notice.remote_location_city;group:zeek_notice;kind:termfield;friendly:Notice City;help:Notice City +zeek.notice.remote_location_latitude=db:zeek.notice.remote_location_latitude;group:zeek_notice;kind:termfield;friendly:Notice Latitude;help:Notice Latitude 
+zeek.notice.remote_location_longitude=db:zeek.notice.remote_location_longitude;group:zeek_notice;kind:termfield;friendly:Notice Longitude;help:Notice Longitude # ntlm.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info -zeek_ntlm.host=db:zeek_ntlm.host;kind:termfield;friendly:Client Hostname;help:Client Hostname -zeek_ntlm.domain=db:zeek_ntlm.domain;kind:termfield;friendly:Client Domain Name;help:Client Domain Name -zeek_ntlm.success=db:zeek_ntlm.success;kind:termfield;friendly:Authentication Success;help:Authentication Success -zeek_ntlm.status=db:zeek_ntlm.status;kind:termfield;friendly:Status;help:Status -zeek_ntlm.server_nb_computer=db:zeek_ntlm.server_nb_computer;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS -zeek_ntlm.server_dns_computer=db:zeek_ntlm.server_dns_computer;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS -zeek_ntlm.server_tree=db:zeek_ntlm.server_tree;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree +zeek.ntlm.host=db:zeek.ntlm.host;group:zeek_ntlm;kind:termfield;friendly:Client Hostname;help:Client Hostname +zeek.ntlm.domain=db:zeek.ntlm.domain;group:zeek_ntlm;kind:termfield;friendly:Client Domain Name;help:Client Domain Name +zeek.ntlm.success=db:zeek.ntlm.success;group:zeek_ntlm;kind:termfield;friendly:Authentication Success;help:Authentication Success +zeek.ntlm.status=db:zeek.ntlm.status;group:zeek_ntlm;kind:termfield;friendly:Status;help:Status +zeek.ntlm.server_nb_computer=db:zeek.ntlm.server_nb_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE NetBIOS;help:Server CHALLENGE NetBIOS +zeek.ntlm.server_dns_computer=db:zeek.ntlm.server_dns_computer;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE DNS;help:Server CHALLENGE DNS +zeek.ntlm.server_tree=db:zeek.ntlm.server_tree;group:zeek_ntlm;kind:termfield;friendly:Server CHALLENGE Tree;help:Server CHALLENGE Tree # ntp.log # 
https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info -zeek_ntp.version=db:zeek_ntp.version;kind:integer;friendly:NTP Version;help:NTP Version -zeek_ntp.mode=db:zeek_ntp.mode;kind:termfield;friendly:NTP Mode Code;help:NTP Mode Code -zeek_ntp.mode_str=db:zeek_ntp.mode_str;kind:termfield;friendly:NTP Mode;help:NTP Mode -zeek_ntp.stratum=db:zeek_ntp.stratum;kind:termfield;friendly:Stratum;help:Stratum -zeek_ntp.poll=db:zeek_ntp.poll;kind:termfield;friendly:Poll Interval;help:Poll Interval -zeek_ntp.precision=db:zeek_ntp.precision;kind:termfield;friendly:Clock Precision;help:Clock Precision -zeek_ntp.root_delay=db:zeek_ntp.root_delay;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance -zeek_ntp.root_disp=db:zeek_ntp.root_disp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate -zeek_ntp.ref_id=db:zeek_ntp.ref_id;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier -zeek_ntp.ref_time=db:zeek_ntp.ref_time;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp -zeek_ntp.org_time=db:zeek_ntp.org_time;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp -zeek_ntp.rec_time=db:zeek_ntp.rec_time;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp -zeek_ntp.xmt_time=db:zeek_ntp.xmt_time;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp -zeek_ntp.num_exts=db:zeek_ntp.num_exts;kind:integer;friendly:Extension Fields;help:Extension Fields +zeek.ntp.version=db:zeek.ntp.version;group:zeek_ntp;kind:integer;friendly:NTP Version;help:NTP Version +zeek.ntp.mode=db:zeek.ntp.mode;group:zeek_ntp;kind:termfield;friendly:NTP Mode Code;help:NTP Mode Code +zeek.ntp.mode_str=db:zeek.ntp.mode_str;group:zeek_ntp;kind:termfield;friendly:NTP Mode;help:NTP Mode +zeek.ntp.stratum=db:zeek.ntp.stratum;group:zeek_ntp;kind:termfield;friendly:Stratum;help:Stratum +zeek.ntp.poll=db:zeek.ntp.poll;group:zeek_ntp;kind:termfield;friendly:Poll 
Interval;help:Poll Interval +zeek.ntp.precision=db:zeek.ntp.precision;group:zeek_ntp;kind:termfield;friendly:Clock Precision;help:Clock Precision +zeek.ntp.root_delay=db:zeek.ntp.root_delay;group:zeek_ntp;kind:termfield;friendly:Synchronizing Distance;help:Synchronizing Distance +zeek.ntp.root_disp=db:zeek.ntp.root_disp;group:zeek_ntp;kind:termfield;friendly:Estimated Drift Rate;help:Estimated Drift Rate +zeek.ntp.ref_id=db:zeek.ntp.ref_id;group:zeek_ntp;kind:termfield;friendly:Reference Clock Identifier;help:Reference Clock Identifier +zeek.ntp.ref_time=db:zeek.ntp.ref_time;group:zeek_ntp;kind:termfield;friendly:Reference Timestamp;help:Reference Timestamp +zeek.ntp.org_time=db:zeek.ntp.org_time;group:zeek_ntp;kind:termfield;friendly:Originate Timestamp;help:Originate Timestamp +zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;friendly:Receive Timestamp;help:Receive Timestamp +zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp +zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;friendly:Extension Fields;help:Extension Fields # ocsp.log # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info -zeek_ocsp.hashAlgorithm=db:zeek_ocsp.hashAlgorithm;kind:termfield;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm -zeek_ocsp.issuerNameHash=db:zeek_ocsp.issuerNameHash;kind:termfield;friendly:Issuer Name Hash;help:Issuer Name Hash -zeek_ocsp.issuerKeyHash=db:zeek_ocsp.issuerKeyHash;kind:termfield;friendly:Issuer Key Hash;help:Issuer Key Hash -zeek_ocsp.serialNumber=db:zeek_ocsp.serialNumber;kind:termfield;friendly:Certificate Serial Number;help:Certificate Serial Number -zeek_ocsp.certStatus=db:zeek_ocsp.certStatus;kind:termfield;friendly:Certificate Status;help:Certificate Status -zeek_ocsp.revoketime=db:zeek_ocsp.revoketime;kind:termfield;friendly:Time Revoked;help:Time Revoked 
-zeek_ocsp.revokereason=db:zeek_ocsp.revokereason;kind:termfield;friendly:Reason Revoked;help:Reason Revoked -zeek_ocsp.thisUpdate=db:zeek_ocsp.thisUpdate;kind:termfield;friendly:Update Time;help:Update Time -zeek_ocsp.nextUpdate=db:zeek_ocsp.nextUpdate;kind:termfield;friendly:Next Update Time;help:Next Update Time +zeek.ocsp.hashAlgorithm=db:zeek.ocsp.hashAlgorithm;group:zeek_ocsp;kind:termfield;friendly:Issuer Name and Key Hash Algorithm;help:Issuer Name and Key Hash Algorithm +zeek.ocsp.issuerNameHash=db:zeek.ocsp.issuerNameHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Name Hash;help:Issuer Name Hash +zeek.ocsp.issuerKeyHash=db:zeek.ocsp.issuerKeyHash;group:zeek_ocsp;kind:termfield;friendly:Issuer Key Hash;help:Issuer Key Hash +zeek.ocsp.serialNumber=db:zeek.ocsp.serialNumber;group:zeek_ocsp;kind:termfield;friendly:Certificate Serial Number;help:Certificate Serial Number +zeek.ocsp.certStatus=db:zeek.ocsp.certStatus;group:zeek_ocsp;kind:termfield;friendly:Certificate Status;help:Certificate Status +zeek.ocsp.revoketime=db:zeek.ocsp.revoketime;group:zeek_ocsp;kind:termfield;friendly:Time Revoked;help:Time Revoked +zeek.ocsp.revokereason=db:zeek.ocsp.revokereason;group:zeek_ocsp;kind:termfield;friendly:Reason Revoked;help:Reason Revoked +zeek.ocsp.thisUpdate=db:zeek.ocsp.thisUpdate;group:zeek_ocsp;kind:termfield;friendly:Update Time;help:Update Time +zeek.ocsp.nextUpdate=db:zeek.ocsp.nextUpdate;group:zeek_ocsp;kind:termfield;friendly:Next Update Time;help:Next Update Time # pe.log # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info -zeek_pe.machine=db:zeek_pe.machine;kind:termfield;friendly:Target Machine;help:Target Machine -zeek_pe.compile_ts=db:zeek_pe.compile_ts;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp -zeek_pe.os=db:zeek_pe.os;kind:termfield;friendly:Target OS;help:Target Operating System -zeek_pe.subsystem=db:zeek_pe.subsystem;kind:termfield;friendly:Target Subsystem;help:Target Subsystem 
-zeek_pe.is_exe=db:zeek_pe.is_exe;kind:termfield;friendly:Executable;help:Is an executable (vs. an object file) -zeek_pe.is_64bit=db:zeek_pe.is_64bit;kind:termfield;friendly:64 Bit;help:Is a 64-bit object -zeek_pe.uses_aslr=db:zeek_pe.uses_aslr;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization -zeek_pe.uses_dep=db:zeek_pe.uses_dep;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention -zeek_pe.uses_code_integrity=db:zeek_pe.uses_code_integrity;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks -zeek_pe.uses_seh=db:zeek_pe.uses_seh;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling -zeek_pe.has_import_table=db:zeek_pe.has_import_table;kind:termfield;friendly:Has Import Table;help:Has Import Table -zeek_pe.has_export_table=db:zeek_pe.has_export_table;kind:termfield;friendly:Has Export Table;help:Has Export Table -zeek_pe.has_cert_table=db:zeek_pe.has_cert_table;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table -zeek_pe.has_debug_data=db:zeek_pe.has_debug_data;kind:termfield;friendly:Has Debug Table;help:Has Debug Table -zeek_pe.section_names=db:zeek_pe.section_names;kind:termfield;friendly:Sections;help:Sections +zeek.pe.machine=db:zeek.pe.machine;group:zeek_pe;kind:termfield;friendly:Target Machine;help:Target Machine +zeek.pe.compile_ts=db:zeek.pe.compile_ts;group:zeek_pe;kind:termfield;friendly:Compile Timestamp;help:Compile Timestamp +zeek.pe.os=db:zeek.pe.os;group:zeek_pe;kind:termfield;friendly:Target OS;help:Target Operating System +zeek.pe.subsystem=db:zeek.pe.subsystem;group:zeek_pe;kind:termfield;friendly:Target Subsystem;help:Target Subsystem +zeek.pe.is_exe=db:zeek.pe.is_exe;group:zeek_pe;kind:termfield;friendly:Executable;help:Is an executable (vs. 
an object file) +zeek.pe.is_64bit=db:zeek.pe.is_64bit;group:zeek_pe;kind:termfield;friendly:64 Bit;help:Is a 64-bit object +zeek.pe.uses_aslr=db:zeek.pe.uses_aslr;group:zeek_pe;kind:termfield;friendly:Uses ASLR;help:Uses Address Space Layout Randomization +zeek.pe.uses_dep=db:zeek.pe.uses_dep;group:zeek_pe;kind:termfield;friendly:Uses DEP;help:Uses Data Execution Prevention +zeek.pe.uses_code_integrity=db:zeek.pe.uses_code_integrity;group:zeek_pe;kind:termfield;friendly:Enforces Integrity Checks;help:Enforces Code Integrity Checks +zeek.pe.uses_seh=db:zeek.pe.uses_seh;group:zeek_pe;kind:termfield;friendly:Uses SEH;help:Uses Structured Exception Handling +zeek.pe.has_import_table=db:zeek.pe.has_import_table;group:zeek_pe;kind:termfield;friendly:Has Import Table;help:Has Import Table +zeek.pe.has_export_table=db:zeek.pe.has_export_table;group:zeek_pe;kind:termfield;friendly:Has Export Table;help:Has Export Table +zeek.pe.has_cert_table=db:zeek.pe.has_cert_table;group:zeek_pe;kind:termfield;friendly:Has Certificate Table;help:Has Attribute Certificate Table +zeek.pe.has_debug_data=db:zeek.pe.has_debug_data;group:zeek_pe;kind:termfield;friendly:Has Debug Table;help:Has Debug Table +zeek.pe.section_names=db:zeek.pe.section_names;group:zeek_pe;kind:termfield;friendly:Sections;help:Sections # profinet.log # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek -zeek_profinet.operation_type=db:zeek_profinet.operation_type;kind:termfield;friendly:Operation;help:Operation -zeek_profinet.block_version=db:zeek_profinet.block_version;kind:termfield;friendly:Block Version;help:Block Version -zeek_profinet.slot_number=db:zeek_profinet.slot_number;kind:integer;friendly:Slot;help:Slot -zeek_profinet.subslot_number=db:zeek_profinet.subslot_number;kind:integer;friendly:Subslot;help:Subslot -zeek_profinet.index=db:zeek_profinet.index;kind:termfield;friendly:Index;help:Index 
+zeek.profinet.operation_type=db:zeek.profinet.operation_type;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation +zeek.profinet.block_version=db:zeek.profinet.block_version;group:zeek_profinet;kind:termfield;friendly:Block Version;help:Block Version +zeek.profinet.slot_number=db:zeek.profinet.slot_number;group:zeek_profinet;kind:integer;friendly:Slot;help:Slot +zeek.profinet.subslot_number=db:zeek.profinet.subslot_number;group:zeek_profinet;kind:integer;friendly:Subslot;help:Subslot +zeek.profinet.index=db:zeek.profinet.index;group:zeek_profinet;kind:termfield;friendly:Index;help:Index # profinet_dce_rpc.log # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek -zeek_profinet_dce_rpc.version=db:zeek_profinet_dce_rpc.version;kind:integer;friendly:Version;help:Version -zeek_profinet_dce_rpc.packet_type=db:zeek_profinet_dce_rpc.packet_type;kind:termfield;friendly:Packet Type;help:Packet Type -zeek_profinet_dce_rpc.object_uuid=db:zeek_profinet_dce_rpc.object_uuid;kind:termfield;friendly:Object UUID;help:Object UUID -zeek_profinet_dce_rpc.interface_uuid=db:zeek_profinet_dce_rpc.interface_uuid;kind:termfield;friendly:Interface UUID;help:Interface UUID -zeek_profinet_dce_rpc.activity_uuid=db:zeek_profinet_dce_rpc.activity_uuid;kind:termfield;friendly:Activity UUID;help:Activity UUID -zeek_profinet_dce_rpc.server_boot_time=db:zeek_profinet_dce_rpc.server_boot_time;kind:integer;friendly:Server Boot Time;help:Server Boot Time -zeek_profinet_dce_rpc.operation=db:zeek_profinet_dce_rpc.operation;kind:termfield;friendly:Operation;help:Operation +zeek.profinet_dce_rpc.version=db:zeek.profinet_dce_rpc.version;group:zeek_profinet;kind:integer;friendly:Version;help:Version +zeek.profinet_dce_rpc.packet_type=db:zeek.profinet_dce_rpc.packet_type;group:zeek_profinet;kind:termfield;friendly:Packet Type;help:Packet Type +zeek.profinet_dce_rpc.object_uuid=db:zeek.profinet_dce_rpc.object_uuid;group:zeek_profinet;kind:termfield;friendly:Object 
UUID;help:Object UUID +zeek.profinet_dce_rpc.interface_uuid=db:zeek.profinet_dce_rpc.interface_uuid;group:zeek_profinet;kind:termfield;friendly:Interface UUID;help:Interface UUID +zeek.profinet_dce_rpc.activity_uuid=db:zeek.profinet_dce_rpc.activity_uuid;group:zeek_profinet;kind:termfield;friendly:Activity UUID;help:Activity UUID +zeek.profinet_dce_rpc.server_boot_time=db:zeek.profinet_dce_rpc.server_boot_time;group:zeek_profinet;kind:integer;friendly:Server Boot Time;help:Server Boot Time +zeek.profinet_dce_rpc.operation=db:zeek.profinet_dce_rpc.operation;group:zeek_profinet;kind:termfield;friendly:Operation;help:Operation # radius.log # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info -zeek_radius.mac=db:zeek_radius.mac;kind:termfield;friendly:MAC Address;help:MAC Address -zeek_radius.framed_addr=db:zeek_radius.framed_addr;kind:termfield;friendly:Framed Address;help:Framed Address -zeek_radius.tunnel_client=db:zeek_radius.tunnel_client;kind:termfield;friendly:Initiator Address;help:Initiator Address -zeek_radius.connect_info=db:zeek_radius.connect_info;kind:termfield;friendly:Connect Info;help:Connect Info -zeek_radius.reply_msg=db:zeek_radius.reply_msg;kind:termfield;friendly:Reply Message;help:Reply Message -zeek_radius.result=db:zeek_radius.result;kind:termfield;friendly:Result;help:Result -zeek_radius.ttl=db:zeek_radius.ttl;kind:termfield;friendly:TTL;help:TTL +zeek.radius.mac=db:zeek.radius.mac;group:zeek_radius;kind:termfield;friendly:MAC Address;help:MAC Address +zeek.radius.framed_addr=db:zeek.radius.framed_addr;group:zeek_radius;kind:termfield;friendly:Framed Address;help:Framed Address +zeek.radius.tunnel_client=db:zeek.radius.tunnel_client;group:zeek_radius;kind:termfield;friendly:Initiator Address;help:Initiator Address +zeek.radius.connect_info=db:zeek.radius.connect_info;group:zeek_radius;kind:termfield;friendly:Connect Info;help:Connect Info 
+zeek.radius.reply_msg=db:zeek.radius.reply_msg;group:zeek_radius;kind:termfield;friendly:Reply Message;help:Reply Message +zeek.radius.result=db:zeek.radius.result;group:zeek_radius;kind:termfield;friendly:Result;help:Result +zeek.radius.ttl=db:zeek.radius.ttl;group:zeek_radius;kind:termfield;friendly:TTL;help:TTL # rdp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info -zeek_rdp.cookie=db:zeek_rdp.cookie;kind:termfield;friendly:Cookie;help:Cookie -zeek_rdp.result=db:zeek_rdp.result;kind:termfield;friendly:Connection Result;help:Connection Result -zeek_rdp.security_protocol=db:zeek_rdp.security_protocol;kind:termfield;friendly:Security Protocol;help:Security Protocol -zeek_rdp.client_channels=db:zeek_rdp.client_channels;kind:termfield;friendly:Channel;help:Channel -zeek_rdp.keyboard_layout=db:zeek_rdp.keyboard_layout;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout -zeek_rdp.client_build=db:zeek_rdp.client_build;kind:termfield;friendly:Client Version;help:Client Version -zeek_rdp.client_name=db:zeek_rdp.client_name;kind:termfield;friendly:Client Name;help:Client Name -zeek_rdp.client_dig_product_id=db:zeek_rdp.client_dig_product_id;kind:termfield;friendly:Client Product ID;help:Client Product ID -zeek_rdp.desktop_width=db:zeek_rdp.desktop_width;kind:integer;friendly:Desktop Width;help:Desktop Width -zeek_rdp.desktop_height=db:zeek_rdp.desktop_height;kind:integer;friendly:Desktop Height;help:Desktop Height -zeek_rdp.requested_color_depth=db:zeek_rdp.requested_color_depth;kind:termfield;friendly:Color Depth;help:Color Depth -zeek_rdp.cert_type=db:zeek_rdp.cert_type;kind:termfield;friendly:Certificate Type;help:Certificate Type -zeek_rdp.cert_count=db:zeek_rdp.cert_count;kind:integer;friendly:Certificate Count;help:Certificate Count -zeek_rdp.cert_permanent=db:zeek_rdp.cert_permanent;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent 
-zeek_rdp.encryption_level=db:zeek_rdp.encryption_level;kind:termfield;friendly:Encryption Level;help:Encryption Level -zeek_rdp.encryption_method=db:zeek_rdp.encryption_method;kind:termfield;friendly:Encryption Method;help:Encryption Method +zeek.rdp.cookie=db:zeek.rdp.cookie;group:zeek_rdp;kind:termfield;friendly:Cookie;help:Cookie +zeek.rdp.result=db:zeek.rdp.result;group:zeek_rdp;kind:termfield;friendly:Connection Result;help:Connection Result +zeek.rdp.security_protocol=db:zeek.rdp.security_protocol;group:zeek_rdp;kind:termfield;friendly:Security Protocol;help:Security Protocol +zeek.rdp.client_channels=db:zeek.rdp.client_channels;group:zeek_rdp;kind:termfield;friendly:Channel;help:Channel +zeek.rdp.keyboard_layout=db:zeek.rdp.keyboard_layout;group:zeek_rdp;kind:termfield;friendly:Keyboard Layout;help:Keyboard Layout +zeek.rdp.client_build=db:zeek.rdp.client_build;group:zeek_rdp;kind:termfield;friendly:Client Version;help:Client Version +zeek.rdp.client_name=db:zeek.rdp.client_name;group:zeek_rdp;kind:termfield;friendly:Client Name;help:Client Name +zeek.rdp.client_dig_product_id=db:zeek.rdp.client_dig_product_id;group:zeek_rdp;kind:termfield;friendly:Client Product ID;help:Client Product ID +zeek.rdp.desktop_width=db:zeek.rdp.desktop_width;group:zeek_rdp;kind:integer;friendly:Desktop Width;help:Desktop Width +zeek.rdp.desktop_height=db:zeek.rdp.desktop_height;group:zeek_rdp;kind:integer;friendly:Desktop Height;help:Desktop Height +zeek.rdp.requested_color_depth=db:zeek.rdp.requested_color_depth;group:zeek_rdp;kind:termfield;friendly:Color Depth;help:Color Depth +zeek.rdp.cert_type=db:zeek.rdp.cert_type;group:zeek_rdp;kind:termfield;friendly:Certificate Type;help:Certificate Type +zeek.rdp.cert_count=db:zeek.rdp.cert_count;group:zeek_rdp;kind:integer;friendly:Certificate Count;help:Certificate Count +zeek.rdp.cert_permanent=db:zeek.rdp.cert_permanent;group:zeek_rdp;kind:termfield;friendly:Certificate is Permanent;help:Certificate is Permanent 
+zeek.rdp.encryption_level=db:zeek.rdp.encryption_level;group:zeek_rdp;kind:termfield;friendly:Encryption Level;help:Encryption Level +zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:termfield;friendly:Encryption Method;help:Encryption Method # rfb.log # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info -zeek_rfb.client_major_version=db:zeek_rfb.client_major_version;kind:termfield;friendly:Client Major Version;help:Client Major Version -zeek_rfb.client_minor_version=db:zeek_rfb.client_minor_version;kind:termfield;friendly:Client Minor Version;help:Client Minor Version -zeek_rfb.server_major_version=db:zeek_rfb.server_major_version;kind:termfield;friendly:Server Major Version;help:Server Major Version -zeek_rfb.server_minor_version=db:zeek_rfb.server_minor_version;kind:termfield;friendly:Server Minor Version;help:Server Minor Version -zeek_rfb.authentication_method=db:zeek_rfb.authentication_method;kind:termfield;friendly:Authentication Method;help:Authentication Method -zeek_rfb.auth=db:zeek_rfb.auth;kind:termfield;friendly:Authentication Success;help:Authentication Success -zeek_rfb.share_flag=db:zeek_rfb.share_flag;kind:termfield;friendly:Shared Session;help:Shared Session -zeek_rfb.desktop_name=db:zeek_rfb.desktop_name;kind:termfield;friendly:Desktop Name;help:Desktop Name -zeek_rfb.width=db:zeek_rfb.width;kind:integer;friendly:Desktop Width;help:Desktop Width -zeek_rfb.height=db:zeek_rfb.height;kind:integer;friendly:Desktop Height;help:Desktop Height +zeek.rfb.client_major_version=db:zeek.rfb.client_major_version;group:zeek_rfb;kind:termfield;friendly:Client Major Version;help:Client Major Version +zeek.rfb.client_minor_version=db:zeek.rfb.client_minor_version;group:zeek_rfb;kind:termfield;friendly:Client Minor Version;help:Client Minor Version +zeek.rfb.server_major_version=db:zeek.rfb.server_major_version;group:zeek_rfb;kind:termfield;friendly:Server Major Version;help:Server Major Version 
+zeek.rfb.server_minor_version=db:zeek.rfb.server_minor_version;group:zeek_rfb;kind:termfield;friendly:Server Minor Version;help:Server Minor Version +zeek.rfb.authentication_method=db:zeek.rfb.authentication_method;group:zeek_rfb;kind:termfield;friendly:Authentication Method;help:Authentication Method +zeek.rfb.auth=db:zeek.rfb.auth;group:zeek_rfb;kind:termfield;friendly:Authentication Success;help:Authentication Success +zeek.rfb.share_flag=db:zeek.rfb.share_flag;group:zeek_rfb;kind:termfield;friendly:Shared Session;help:Shared Session +zeek.rfb.desktop_name=db:zeek.rfb.desktop_name;group:zeek_rfb;kind:termfield;friendly:Desktop Name;help:Desktop Name +zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;friendly:Desktop Width;help:Desktop Width +zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;friendly:Desktop Height;help:Desktop Height # s7comm.log # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek -zeek_s7comm.rosctr=db:zeek_s7comm.rosctr;kind:termfield;friendly:Message Type;help:Message Type -zeek_s7comm.parameter=db:zeek_s7comm.parameter;kind:termfield;friendly:Parameters;help:Parameters -zeek_s7comm.parameters.class=db:zeek_s7comm.parameters.class;kind:termfield;friendly:Class;help:Class -zeek_s7comm.parameters.code=db:zeek_s7comm.parameters.code;kind:termfield;friendly:Code;help:Code -zeek_s7comm.parameters.group=db:zeek_s7comm.parameters.group;kind:termfield;friendly:Group;help:Group -zeek_s7comm.parameters.mode=db:zeek_s7comm.parameters.mode;kind:termfield;friendly:Mode;help:Mode -zeek_s7comm.parameters.sub=db:zeek_s7comm.parameters.sub;kind:termfield;friendly:Sub;help:Sub -zeek_s7comm.parameters.type=db:zeek_s7comm.parameters.type;kind:termfield;friendly:Type;help:Type -zeek_s7comm.item_count=db:zeek_s7comm.item_count;kind:integer;friendly:Data Entries;help:Total number of data entries -zeek_s7comm.data_info=db:zeek_s7comm.data_info;kind:termfield;friendly:Data Entry;help:Data of first entry 
+zeek.s7comm.rosctr=db:zeek.s7comm.rosctr;group:zeek_s7comm;kind:termfield;friendly:Message Type;help:Message Type +zeek.s7comm.parameter=db:zeek.s7comm.parameter;group:zeek_s7comm;kind:termfield;friendly:Parameters;help:Parameters +zeek.s7comm.parameters.class=db:zeek.s7comm.parameters.class;group:zeek_s7comm;kind:termfield;friendly:Class;help:Class +zeek.s7comm.parameters.code=db:zeek.s7comm.parameters.code;group:zeek_s7comm;kind:termfield;friendly:Code;help:Code +zeek.s7comm.parameters.group=db:zeek.s7comm.parameters.group;group:zeek_s7comm;kind:termfield;friendly:Group;help:Group +zeek.s7comm.parameters.mode=db:zeek.s7comm.parameters.mode;group:zeek_s7comm;kind:termfield;friendly:Mode;help:Mode +zeek.s7comm.parameters.sub=db:zeek.s7comm.parameters.sub;group:zeek_s7comm;kind:termfield;friendly:Sub;help:Sub +zeek.s7comm.parameters.type=db:zeek.s7comm.parameters.type;group:zeek_s7comm;kind:termfield;friendly:Type;help:Type +zeek.s7comm.item_count=db:zeek.s7comm.item_count;group:zeek_s7comm;kind:integer;friendly:Data Entries;help:Total number of data entries +zeek.s7comm.data_info=db:zeek.s7comm.data_info;group:zeek_s7comm;kind:termfield;friendly:Data Entry;help:Data of first entry # signatures.log -zeek_signatures.note=db:zeek_signatures.note;kind:termfield;friendly:Note;help:Note -zeek_signatures.signature_id=db:zeek_signatures.signature_id;kind:termfield;friendly:Signature ID;help:Signature ID -zeek_signatures.event_message=db:zeek_signatures.event_message;kind:termfield;friendly:Message;help:Message -zeek_signatures.sub_message=db:zeek_signatures.sub_message;kind:termfield;friendly:Submessage;help:Submessage -zeek_signatures.signature_count=db:zeek_signatures.signature_count;kind:integer;friendly:Signatures Matched;help:Signatures Matched -zeek_signatures.host_count=db:zeek_signatures.host_count;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count -zeek_signatures.engine=db:zeek_signatures.engine;kind:termfield;friendly:Scan Engines;help:Scan 
Engines -zeek_signatures.hits=db:zeek_signatures.hits;kind:termfield;friendly:Hits;help:Hits +zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note +zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;friendly:Signature ID;help:Signature ID +zeek.signatures.event_message=db:zeek.signatures.event_message;group:zeek_signatures;kind:termfield;friendly:Message;help:Message +zeek.signatures.sub_message=db:zeek.signatures.sub_message;group:zeek_signatures;kind:termfield;friendly:Submessage;help:Submessage +zeek.signatures.signature_count=db:zeek.signatures.signature_count;group:zeek_signatures;kind:integer;friendly:Signatures Matched;help:Signatures Matched +zeek.signatures.host_count=db:zeek.signatures.host_count;group:zeek_signatures;kind:integer;friendly:Host or Engine Count;help:Host or Engine Count +zeek.signatures.engine=db:zeek.signatures.engine;group:zeek_signatures;kind:termfield;friendly:Scan Engines;help:Scan Engines +zeek.signatures.hits=db:zeek.signatures.hits;group:zeek_signatures;kind:termfield;friendly:Hits;help:Hits # sip.log # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info -zeek_sip.trans_depth=db:zeek_sip.trans_depth;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth -zeek_sip.method=db:zeek_sip.method;kind:termfield;friendly:Request Method;help:Request Method -zeek_sip.uri=db:zeek_sip.uri;kind:termfield;friendly:URI;help:URI -zeek_sip.date=db:zeek_sip.date;kind:termfield;friendly:Request Date Header;help:Request Date Header -zeek_sip.request_from=db:zeek_sip.request_from;kind:termfield;friendly:Request From Header;help:Request From Header -zeek_sip.request_to=db:zeek_sip.request_to;kind:termfield;friendly:Request To Header;help:Request To Header -zeek_sip.response_from=db:zeek_sip.response_from;kind:termfield;friendly:Response From Header;help:Response From Header 
-zeek_sip.response_to=db:zeek_sip.response_to;kind:termfield;friendly:Response To Header;help:Response To Header -zeek_sip.reply_to=db:zeek_sip.reply_to;kind:termfield;friendly:Reply-To Header;help:Reply-To Header -zeek_sip.call_id=db:zeek_sip.call_id;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header -zeek_sip.seq=db:zeek_sip.seq;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header -zeek_sip.subject=db:zeek_sip.subject;kind:termfield;friendly:Client Subject Header;help:Client Subject Header -zeek_sip.request_path=db:zeek_sip.request_path;kind:termfield;friendly:Request Path;help:Request Path -zeek_sip.response_path=db:zeek_sip.response_path;kind:termfield;friendly:Response Path;help:Response Path -zeek_sip.user_agent=db:zeek_sip.user_agent;kind:termfield;friendly:User Agent;help:User Agent -zeek_sip.status_code=db:zeek_sip.status_code;kind:termfield;friendly:Status Code;help:Status Code -zeek_sip.status_msg=db:zeek_sip.status_msg;kind:termfield;friendly:Status Message;help:Status Message -zeek_sip.warning=db:zeek_sip.warning;kind:termfield;friendly:Warning Header;help:Warning Header -zeek_sip.request_body_len=db:zeek_sip.request_body_len;kind:integer;friendly:Request Body Length;help:Request Body Length -zeek_sip.response_body_len=db:zeek_sip.response_body_len;kind:integer;friendly:Response Body Length;help:Response Body Length -zeek_sip.content_type=db:zeek_sip.content_type;kind:termfield;friendly:Content Type Header;help:Content Type Header -zeek_sip.version=db:zeek_sip.version;kind:termfield;friendly:Version;help:Version +zeek.sip.trans_depth=db:zeek.sip.trans_depth;group:zeek_sip;kind:integer;friendly:Pipeline Depth;help:Pipeline Depth +zeek.sip.method=db:zeek.sip.method;group:zeek_sip;kind:termfield;friendly:Request Method;help:Request Method +zeek.sip.uri=db:zeek.sip.uri;group:zeek_sip;kind:termfield;friendly:URI;help:URI +zeek.sip.date=db:zeek.sip.date;group:zeek_sip;kind:termfield;friendly:Request Date 
Header;help:Request Date Header +zeek.sip.request_from=db:zeek.sip.request_from;group:zeek_sip;kind:termfield;friendly:Request From Header;help:Request From Header +zeek.sip.request_to=db:zeek.sip.request_to;group:zeek_sip;kind:termfield;friendly:Request To Header;help:Request To Header +zeek.sip.response_from=db:zeek.sip.response_from;group:zeek_sip;kind:termfield;friendly:Response From Header;help:Response From Header +zeek.sip.response_to=db:zeek.sip.response_to;group:zeek_sip;kind:termfield;friendly:Response To Header;help:Response To Header +zeek.sip.reply_to=db:zeek.sip.reply_to;group:zeek_sip;kind:termfield;friendly:Reply-To Header;help:Reply-To Header +zeek.sip.call_id=db:zeek.sip.call_id;group:zeek_sip;kind:termfield;friendly:Client Call-ID Header;help:Client Call-ID Header +zeek.sip.seq=db:zeek.sip.seq;group:zeek_sip;kind:termfield;friendly:Client CSeq Header;help:Client CSeq Header +zeek.sip.subject=db:zeek.sip.subject;group:zeek_sip;kind:termfield;friendly:Client Subject Header;help:Client Subject Header +zeek.sip.request_path=db:zeek.sip.request_path;group:zeek_sip;kind:termfield;friendly:Request Path;help:Request Path +zeek.sip.response_path=db:zeek.sip.response_path;group:zeek_sip;kind:termfield;friendly:Response Path;help:Response Path +zeek.sip.user_agent=db:zeek.sip.user_agent;group:zeek_sip;kind:termfield;friendly:User Agent;help:User Agent +zeek.sip.status_code=db:zeek.sip.status_code;group:zeek_sip;kind:termfield;friendly:Status Code;help:Status Code +zeek.sip.status_msg=db:zeek.sip.status_msg;group:zeek_sip;kind:termfield;friendly:Status Message;help:Status Message +zeek.sip.warning=db:zeek.sip.warning;group:zeek_sip;kind:termfield;friendly:Warning Header;help:Warning Header +zeek.sip.request_body_len=db:zeek.sip.request_body_len;group:zeek_sip;kind:integer;friendly:Request Body Length;help:Request Body Length +zeek.sip.response_body_len=db:zeek.sip.response_body_len;group:zeek_sip;kind:integer;friendly:Response Body Length;help:Response Body 
Length +zeek.sip.content_type=db:zeek.sip.content_type;group:zeek_sip;kind:termfield;friendly:Content Type Header;help:Content Type Header +zeek.sip.version=db:zeek.sip.version;group:zeek_sip;kind:termfield;friendly:Version;help:Version # smb_cmd.log # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo -zeek_smb_cmd.command=db:zeek_smb_cmd.command;kind:termfield;friendly:Command;help:Command -zeek_smb_cmd.sub_command=db:zeek_smb_cmd.sub_command;kind:termfield;friendly:Subcommand;help:Subcommand -zeek_smb_cmd.argument=db:zeek_smb_cmd.argument;kind:termfield;friendly:Argument;help:Argument -zeek_smb_cmd.status=db:zeek_smb_cmd.status;kind:termfield;friendly:Status;help:Status -zeek_smb_cmd.rtt=db:zeek_smb_cmd.rtt;kind:termfield;friendly:Round Trip Time;help:Round Trip Time -zeek_smb_cmd.version=db:zeek_smb_cmd.version;kind:termfield;friendly:Version;help:Version -zeek_smb_cmd.tree=db:zeek_smb_cmd.tree;kind:termfield;friendly:Tree;help:Tree -zeek_smb_cmd.tree_service=db:zeek_smb_cmd.tree_service;kind:termfield;friendly:Tree Service;help:Tree Service +zeek.smb_cmd.command=db:zeek.smb_cmd.command;group:zeek_smb;kind:termfield;friendly:Command;help:Command +zeek.smb_cmd.sub_command=db:zeek.smb_cmd.sub_command;group:zeek_smb;kind:termfield;friendly:Subcommand;help:Subcommand +zeek.smb_cmd.argument=db:zeek.smb_cmd.argument;group:zeek_smb;kind:termfield;friendly:Argument;help:Argument +zeek.smb_cmd.status=db:zeek.smb_cmd.status;group:zeek_smb;kind:termfield;friendly:Status;help:Status +zeek.smb_cmd.rtt=db:zeek.smb_cmd.rtt;group:zeek_smb;kind:termfield;friendly:Round Trip Time;help:Round Trip Time +zeek.smb_cmd.version=db:zeek.smb_cmd.version;group:zeek_smb;kind:termfield;friendly:Version;help:Version +zeek.smb_cmd.tree=db:zeek.smb_cmd.tree;group:zeek_smb;kind:termfield;friendly:Tree;help:Tree +zeek.smb_cmd.tree_service=db:zeek.smb_cmd.tree_service;group:zeek_smb;kind:termfield;friendly:Tree Service;help:Tree Service # smb_files.log # 
https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo -zeek_smb_files.action=db:zeek_smb_files.action;kind:termfield;friendly:Action;help:Action -zeek_smb_files.path=db:zeek_smb_files.path;kind:termfield;friendly:File Path;help:File Path -zeek_smb_files.name=db:zeek_smb_files.name;kind:termfield;friendly:File Name;help:File Name -zeek_smb_files.size=db:zeek_smb_files.size;kind:integer;friendly:File Size;help:File Size -zeek_smb_files.prev_name=db:zeek_smb_files.prev_name;kind:termfield;friendly:Previous File Name;help:Previous File Name -zeek_smb_files.times_modified=db:zeek_smb_files.times_modified;kind:termfield;friendly:Write Time;help:Write Time -zeek_smb_files.times_accessed=db:zeek_smb_files.times_accessed;kind:termfield;friendly:Access Time;help:Access Time -zeek_smb_files.times_created=db:zeek_smb_files.times_created;kind:termfield;friendly:Creation Time;help:Creation Time -zeek_smb_files.times_changed=db:zeek_smb_files.times_changed;kind:termfield;friendly:Modified Time;help:Modified Time -zeek_smb_files.data_offset_req=db:zeek_smb_files.data_offset_req;kind:integer;friendly:Data Offset Requested;help:Data Offset Requested -zeek_smb_files.data_len_req=db:zeek_smb_files.data_len_req;kind:integer;friendly:Data Length Requested;help:Data Length Requested -zeek_smb_files.data_len_rsp=db:zeek_smb_files.data_len_rsp;kind:integer;friendly:Data Length In Response;help:Data Length In Response +zeek.smb_files.action=db:zeek.smb_files.action;group:zeek_smb;kind:termfield;friendly:Action;help:Action +zeek.smb_files.path=db:zeek.smb_files.path;group:zeek_smb;kind:termfield;friendly:File Path;help:File Path +zeek.smb_files.name=db:zeek.smb_files.name;group:zeek_smb;kind:termfield;friendly:File Name;help:File Name +zeek.smb_files.size=db:zeek.smb_files.size;group:zeek_smb;kind:integer;friendly:File Size;help:File Size +zeek.smb_files.prev_name=db:zeek.smb_files.prev_name;group:zeek_smb;kind:termfield;friendly:Previous File 
Name;help:Previous File Name +zeek.smb_files.times_modified=db:zeek.smb_files.times_modified;group:zeek_smb;kind:termfield;friendly:Write Time;help:Write Time +zeek.smb_files.times_accessed=db:zeek.smb_files.times_accessed;group:zeek_smb;kind:termfield;friendly:Access Time;help:Access Time +zeek.smb_files.times_created=db:zeek.smb_files.times_created;group:zeek_smb;kind:termfield;friendly:Creation Time;help:Creation Time +zeek.smb_files.times_changed=db:zeek.smb_files.times_changed;group:zeek_smb;kind:termfield;friendly:Modified Time;help:Modified Time +zeek.smb_files.data_offset_req=db:zeek.smb_files.data_offset_req;group:zeek_smb;kind:integer;friendly:Data Offset Requested;help:Data Offset Requested +zeek.smb_files.data_len_req=db:zeek.smb_files.data_len_req;group:zeek_smb;kind:integer;friendly:Data Length Requested;help:Data Length Requested +zeek.smb_files.data_len_rsp=db:zeek.smb_files.data_len_rsp;group:zeek_smb;kind:integer;friendly:Data Length In Response;help:Data Length In Response # smb_mapping.log # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo -zeek_smb_mapping.path=db:zeek_smb_mapping.path;kind:termfield;friendly:Tree Path;help:Tree Path -zeek_smb_mapping.resource_type=db:zeek_smb_mapping.resource_type;kind:termfield;friendly:Resource Type;help:Resource Type -zeek_smb_mapping.native_file_system=db:zeek_smb_mapping.native_file_system;kind:termfield;friendly:File System;help:File System -zeek_smb_mapping.share_type=db:zeek_smb_mapping.share_type;kind:termfield;friendly:Share Type;help:Share Type +zeek.smb_mapping.path=db:zeek.smb_mapping.path;group:zeek_smb;kind:termfield;friendly:Tree Path;help:Tree Path +zeek.smb_mapping.resource_type=db:zeek.smb_mapping.resource_type;group:zeek_smb;kind:termfield;friendly:Resource Type;help:Resource Type +zeek.smb_mapping.native_file_system=db:zeek.smb_mapping.native_file_system;group:zeek_smb;kind:termfield;friendly:File System;help:File System 
+zeek.smb_mapping.share_type=db:zeek.smb_mapping.share_type;group:zeek_smb;kind:termfield;friendly:Share Type;help:Share Type # smtp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info -zeek_smtp.trans_depth=db:zeek_smtp.trans_depth;kind:integer;friendly:Transaction Depth;help:Transaction Depth -zeek_smtp.helo=db:zeek_smtp.helo;kind:termfield;friendly:HELO;help:HELO -zeek_smtp.mailfrom=db:zeek_smtp.mailfrom;kind:termfield;friendly:FROM Addresses;help:FROM Addresses -zeek_smtp.rcptto=db:zeek_smtp.rcptto;kind:termfield;friendly:RCPT TO;help:RCPT TO -zeek_smtp.date=db:zeek_smtp.date;kind:termfield;friendly:Date;help:Date -zeek_smtp.from=db:zeek_smtp.from;kind:termfield;friendly:FROM;help:FROM -zeek_smtp.to=db:zeek_smtp.to;kind:termfield;friendly:TO;help:TO -zeek_smtp.cc=db:zeek_smtp.cc;kind:termfield;friendly:CC;help:CC -zeek_smtp.reply_to=db:zeek_smtp.reply_to;kind:termfield;friendly:Reply-To;help:Reply-To -zeek_smtp.msg_id=db:zeek_smtp.msg_id;kind:termfield;friendly:MsgId;help:MsgId -zeek_smtp.in_reply_to=db:zeek_smtp.in_reply_to;kind:termfield;friendly:In-Reply-To;help:In-Reply-To -zeek_smtp.subject=db:zeek_smtp.subject;kind:termfield;friendly:Subject;help:Subject -zeek_smtp.x_originating_ip=db:zeek_smtp.x_originating_ip;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP -zeek_smtp.first_received=db:zeek_smtp.first_received;kind:termfield;friendly:First Received;help:First Received -zeek_smtp.second_received=db:zeek_smtp.second_received;kind:termfield;friendly:Second Received;help:Second Received -zeek_smtp.last_reply=db:zeek_smtp.last_reply;kind:termfield;friendly:Last Reply;help:Last Reply -zeek_smtp.last_reply_code=db:zeek_smtp.last_reply_code;kind:termfield;friendly:Last Reply Code;help:Last Reply Code -zeek_smtp.last_reply_msg=db:zeek_smtp.last_reply_msg;kind:termfield;friendly:Last Reply Message;help:Last Reply Message -zeek_smtp.path=db:zeek_smtp.path;kind:termfield;friendly:Tranmission 
Path;help:Tranmission Path -zeek_smtp.user_agent=db:zeek_smtp.user_agent;kind:termfield;friendly:User Agent;help:User Agent -zeek_smtp.tls=db:zeek_smtp.tls;kind:termfield;friendly:TLS;help:TLS -zeek_smtp.is_webmail=db:zeek_smtp.is_webmail;kind:termfield;friendly:Is Webmail;help:Is Webmail +zeek.smtp.trans_depth=db:zeek.smtp.trans_depth;group:zeek_smtp;kind:integer;friendly:Transaction Depth;help:Transaction Depth +zeek.smtp.helo=db:zeek.smtp.helo;group:zeek_smtp;kind:termfield;friendly:HELO;help:HELO +zeek.smtp.mailfrom=db:zeek.smtp.mailfrom;group:zeek_smtp;kind:termfield;friendly:FROM Addresses;help:FROM Addresses +zeek.smtp.rcptto=db:zeek.smtp.rcptto;group:zeek_smtp;kind:termfield;friendly:RCPT TO;help:RCPT TO +zeek.smtp.date=db:zeek.smtp.date;group:zeek_smtp;kind:termfield;friendly:Date;help:Date +zeek.smtp.from=db:zeek.smtp.from;group:zeek_smtp;kind:termfield;friendly:FROM;help:FROM +zeek.smtp.to=db:zeek.smtp.to;group:zeek_smtp;kind:termfield;friendly:TO;help:TO +zeek.smtp.cc=db:zeek.smtp.cc;group:zeek_smtp;kind:termfield;friendly:CC;help:CC +zeek.smtp.reply_to=db:zeek.smtp.reply_to;group:zeek_smtp;kind:termfield;friendly:Reply-To;help:Reply-To +zeek.smtp.msg_id=db:zeek.smtp.msg_id;group:zeek_smtp;kind:termfield;friendly:MsgId;help:MsgId +zeek.smtp.in_reply_to=db:zeek.smtp.in_reply_to;group:zeek_smtp;kind:termfield;friendly:In-Reply-To;help:In-Reply-To +zeek.smtp.subject=db:zeek.smtp.subject;group:zeek_smtp;kind:termfield;friendly:Subject;help:Subject +zeek.smtp.x_originating_ip=db:zeek.smtp.x_originating_ip;group:zeek_smtp;kind:termfield;friendly:X-Originating-IP;help:X-Originating-IP +zeek.smtp.first_received=db:zeek.smtp.first_received;group:zeek_smtp;kind:termfield;friendly:First Received;help:First Received +zeek.smtp.second_received=db:zeek.smtp.second_received;group:zeek_smtp;kind:termfield;friendly:Second Received;help:Second Received +zeek.smtp.last_reply=db:zeek.smtp.last_reply;group:zeek_smtp;kind:termfield;friendly:Last Reply;help:Last Reply 
+zeek.smtp.last_reply_code=db:zeek.smtp.last_reply_code;group:zeek_smtp;kind:termfield;friendly:Last Reply Code;help:Last Reply Code +zeek.smtp.last_reply_msg=db:zeek.smtp.last_reply_msg;group:zeek_smtp;kind:termfield;friendly:Last Reply Message;help:Last Reply Message +zeek.smtp.path=db:zeek.smtp.path;group:zeek_smtp;kind:termfield;friendly:Tranmission Path;help:Tranmission Path +zeek.smtp.user_agent=db:zeek.smtp.user_agent;group:zeek_smtp;kind:termfield;friendly:User Agent;help:User Agent +zeek.smtp.tls=db:zeek.smtp.tls;group:zeek_smtp;kind:termfield;friendly:TLS;help:TLS +zeek.smtp.is_webmail=db:zeek.smtp.is_webmail;group:zeek_smtp;kind:termfield;friendly:Is Webmail;help:Is Webmail # snmp.log # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info -zeek_snmp.duration=db:zeek_snmp.duration;kind:termfield;friendly:Duration;help:Duration -zeek_snmp.version=db:zeek_snmp.version;kind:termfield;friendly:Version;help:Version -zeek_snmp.community=db:zeek_snmp.community;kind:termfield;friendly:Community;help:Community -zeek_snmp.get_requests=db:zeek_snmp.get_requests;kind:integer;friendly:Get Requests;help:Get Requests -zeek_snmp.get_bulk_requests=db:zeek_snmp.get_bulk_requests;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests -zeek_snmp.get_responses=db:zeek_snmp.get_responses;kind:integer;friendly:Get Responses;help:Get Responses -zeek_snmp.set_requests=db:zeek_snmp.set_requests;kind:integer;friendly:Set Requests;help:Set Requests -zeek_snmp.display_string=db:zeek_snmp.display_string;kind:termfield;friendly:Display String;help:Display String -zeek_snmp.up_since=db:zeek_snmp.up_since;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp +zeek.snmp.duration=db:zeek.snmp.duration;group:zeek_snmp;kind:termfield;friendly:Duration;help:Duration +zeek.snmp.version=db:zeek.snmp.version;group:zeek_snmp;kind:termfield;friendly:Version;help:Version 
+zeek.snmp.community=db:zeek.snmp.community;group:zeek_snmp;kind:termfield;friendly:Community;help:Community +zeek.snmp.get_requests=db:zeek.snmp.get_requests;group:zeek_snmp;kind:integer;friendly:Get Requests;help:Get Requests +zeek.snmp.get_bulk_requests=db:zeek.snmp.get_bulk_requests;group:zeek_snmp;kind:integer;friendly:Get Bulk Requests;help:Get Bulk Requests +zeek.snmp.get_responses=db:zeek.snmp.get_responses;group:zeek_snmp;kind:integer;friendly:Get Responses;help:Get Responses +zeek.snmp.set_requests=db:zeek.snmp.set_requests;group:zeek_snmp;kind:integer;friendly:Set Requests;help:Set Requests +zeek.snmp.display_string=db:zeek.snmp.display_string;group:zeek_snmp;kind:termfield;friendly:Display String;help:Display String +zeek.snmp.up_since=db:zeek.snmp.up_since;group:zeek_snmp;kind:termfield;friendly:Up Since Timestamp;help:Up Since Timestamp # socks.log # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info -zeek_socks.version=db:zeek_socks.version;kind:integer;friendly:Version;help:Version -zeek_socks.server_status=db:zeek_socks.server_status;kind:termfield;friendly:Server Status;help:Server Status -zeek_socks.request_host=db:zeek_socks.request_host;kind:termfield;friendly:Client Address;help:Client Address -zeek_socks.request_name=db:zeek_socks.request_name;kind:termfield;friendly:Client Name;help:Client Name -zeek_socks.request_port=db:zeek_socks.request_port;kind:integer;friendly:Client Port;help:Client Port -zeek_socks.bound_host=db:zeek_socks.bound_host;kind:termfield;friendly:Server Address;help:Server Address -zeek_socks.bound_name=db:zeek_socks.bound_name;kind:termfield;friendly:Server Name;help:Server Name -zeek_socks.bound_port=db:zeek_socks.bound_port;kind:integer;friendly:Server Port;help:Server Port +zeek.socks.version=db:zeek.socks.version;group:zeek_socks;kind:integer;friendly:Version;help:Version +zeek.socks.server_status=db:zeek.socks.server_status;group:zeek_socks;kind:termfield;friendly:Server 
Status;help:Server Status +zeek.socks.request_host=db:zeek.socks.request_host;group:zeek_socks;kind:termfield;friendly:Client Address;help:Client Address +zeek.socks.request_name=db:zeek.socks.request_name;group:zeek_socks;kind:termfield;friendly:Client Name;help:Client Name +zeek.socks.request_port=db:zeek.socks.request_port;group:zeek_socks;kind:integer;friendly:Client Port;help:Client Port +zeek.socks.bound_host=db:zeek.socks.bound_host;group:zeek_socks;kind:termfield;friendly:Server Address;help:Server Address +zeek.socks.bound_name=db:zeek.socks.bound_name;group:zeek_socks;kind:termfield;friendly:Server Name;help:Server Name +zeek.socks.bound_port=db:zeek.socks.bound_port;group:zeek_socks;kind:integer;friendly:Server Port;help:Server Port # software.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info -zeek_software.software_type=db:zeek_software.software_type;kind:termfield;friendly:Software Type;help:Software Type -zeek_software.name=db:zeek_software.name;kind:termfield;friendly:Software Name;help:Software Name -zeek_software.version_major=db:zeek_software.version_major;kind:integer;friendly:Major Version;help:Major Version -zeek_software.version_minor=db:zeek_software.version_minor;kind:integer;friendly:Minor Version;help:Minor Version -zeek_software.version_minor2=db:zeek_software.version_minor2;kind:integer;friendly:Minor Subversion;help:Minor Subversion -zeek_software.version_minor3=db:zeek_software.version_minor3;kind:integer;friendly:Minor Patch;help:Minor Patch -zeek_software.version_addl=db:zeek_software.version_addl;kind:termfield;friendly:Additional Version;help:Additional Version -zeek_software.unparsed_version=db:zeek_software.unparsed_version;kind:termfield;friendly:Version;help:Version +zeek.software.software_type=db:zeek.software.software_type;group:zeek_software;kind:termfield;friendly:Software Type;help:Software Type 
+zeek.software.name=db:zeek.software.name;group:zeek_software;kind:termfield;friendly:Software Name;help:Software Name +zeek.software.version_major=db:zeek.software.version_major;group:zeek_software;kind:integer;friendly:Major Version;help:Major Version +zeek.software.version_minor=db:zeek.software.version_minor;group:zeek_software;kind:integer;friendly:Minor Version;help:Minor Version +zeek.software.version_minor2=db:zeek.software.version_minor2;group:zeek_software;kind:integer;friendly:Minor Subversion;help:Minor Subversion +zeek.software.version_minor3=db:zeek.software.version_minor3;group:zeek_software;kind:integer;friendly:Minor Patch;help:Minor Patch +zeek.software.version_addl=db:zeek.software.version_addl;group:zeek_software;kind:termfield;friendly:Additional Version;help:Additional Version +zeek.software.unparsed_version=db:zeek.software.unparsed_version;group:zeek_software;kind:termfield;friendly:Version;help:Version # ssh.log # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info -zeek_ssh.version=db:zeek_ssh.version;kind:integer;friendly:Version;help:Version -zeek_ssh.auth_success=db:zeek_ssh.auth_success;kind:termfield;friendly:Authentication Success;help:Authentication Success -zeek_ssh.auth_attempts=db:zeek_ssh.auth_attempts;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts -zeek_ssh.direction=db:zeek_ssh.direction;kind:termfield;friendly:Connection Direction;help:Connection Direction -zeek_ssh.client=db:zeek_ssh.client;kind:termfield;friendly:Client Version;help:Client Version -zeek_ssh.server=db:zeek_ssh.server;kind:termfield;friendly:Server Version;help:Server Version -zeek_ssh.cipher_alg=db:zeek_ssh.cipher_alg;kind:termfield;friendly:Cipher;help:Cipher Algorithm -zeek_ssh.mac_alg=db:zeek_ssh.mac_alg;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm -zeek_ssh.compression_alg=db:zeek_ssh.compression_alg;kind:termfield;friendly:Compression Algorithm;help:Compression 
Algorithm -zeek_ssh.kex_alg=db:zeek_ssh.kex_alg;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm -zeek_ssh.host_key_alg=db:zeek_ssh.host_key_alg;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm -zeek_ssh.host_key=db:zeek_ssh.host_key;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint -zeek_ssh.remote_location_country_code=db:zeek_ssh.remote_location_country_code;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code -zeek_ssh.remote_location_region=db:zeek_ssh.remote_location_region;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region -zeek_ssh.remote_location_city=db:zeek_ssh.remote_location_city;kind:termfield;friendly:SSH Remote City;help:SSH Remote City -zeek_ssh.remote_location_latitude=db:zeek_ssh.remote_location_latitude;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude -zeek_ssh.remote_location_longitude=db:zeek_ssh.remote_location_longitude;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude -zeek_ssh.hasshVersion=db:zeek_ssh.hasshVersion;kind:termfield;friendly:HASSH Version;help:HASSH Version -zeek_ssh.hassh=db:zeek_ssh.hassh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint -zeek_ssh.hasshServer=db:zeek_ssh.hasshServer;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint -zeek_ssh.hasshAlgorithms=db:zeek_ssh.hasshAlgorithms;kind:termfield;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms -zeek_ssh.hasshServerAlgorithms=db:zeek_ssh.hasshServerAlgorithms;kind:termfield;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms -zeek_ssh.cshka=db:zeek_ssh.cshka;kind:termfield;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms -zeek_ssh.sshka=db:zeek_ssh.sshka;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms 
+zeek.ssh.version=db:zeek.ssh.version;group:zeek_ssh;kind:integer;friendly:Version;help:Version +zeek.ssh.auth_success=db:zeek.ssh.auth_success;group:zeek_ssh;kind:termfield;friendly:Authentication Success;help:Authentication Success +zeek.ssh.auth_attempts=db:zeek.ssh.auth_attempts;group:zeek_ssh;kind:integer;friendly:Authentication Attempts;help:Authentication Attempts +zeek.ssh.direction=db:zeek.ssh.direction;group:zeek_ssh;kind:termfield;friendly:Connection Direction;help:Connection Direction +zeek.ssh.client=db:zeek.ssh.client;group:zeek_ssh;kind:termfield;friendly:Client Version;help:Client Version +zeek.ssh.server=db:zeek.ssh.server;group:zeek_ssh;kind:termfield;friendly:Server Version;help:Server Version +zeek.ssh.cipher_alg=db:zeek.ssh.cipher_alg;group:zeek_ssh;kind:termfield;friendly:Cipher;help:Cipher Algorithm +zeek.ssh.mac_alg=db:zeek.ssh.mac_alg;group:zeek_ssh;kind:termfield;friendly:Signing Algorithm;help:Signing Algorithm +zeek.ssh.compression_alg=db:zeek.ssh.compression_alg;group:zeek_ssh;kind:termfield;friendly:Compression Algorithm;help:Compression Algorithm +zeek.ssh.kex_alg=db:zeek.ssh.kex_alg;group:zeek_ssh;kind:termfield;friendly:Key Exchange Algorithm;help:Key Exchange Algorithm +zeek.ssh.host_key_alg=db:zeek.ssh.host_key_alg;group:zeek_ssh;kind:termfield;friendly:Server Host Key Algorithm;help:Server Host Key Algorithm +zeek.ssh.host_key=db:zeek.ssh.host_key;group:zeek_ssh;kind:termfield;friendly:Server Key Fingerprint;help:Server Key Fingerprint +zeek.ssh.remote_location_country_code=db:zeek.ssh.remote_location_country_code;group:zeek_ssh;kind:termfield;friendly:SSH Remote Country Code;help:SSH Remote Country Code +zeek.ssh.remote_location_region=db:zeek.ssh.remote_location_region;group:zeek_ssh;kind:termfield;friendly:SSH Remote Region;help:SSH Remote Region +zeek.ssh.remote_location_city=db:zeek.ssh.remote_location_city;group:zeek_ssh;kind:termfield;friendly:SSH Remote City;help:SSH Remote City 
+zeek.ssh.remote_location_latitude=db:zeek.ssh.remote_location_latitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Latitude;help:SSH Remote Latitude
+zeek.ssh.remote_location_longitude=db:zeek.ssh.remote_location_longitude;group:zeek_ssh;kind:termfield;friendly:SSH Remote Longitude;help:SSH Remote Longitude
+zeek.ssh.hasshVersion=db:zeek.ssh.hasshVersion;group:zeek_ssh;kind:termfield;friendly:HASSH Version;help:HASSH Version
+zeek.ssh.hassh=db:zeek.ssh.hassh;group:zeek_ssh;kind:termfield;friendly:HASSH Client Fingerprint;help:HASSH Client Fingerprint
+zeek.ssh.hasshServer=db:zeek.ssh.hasshServer;group:zeek_ssh;kind:termfield;friendly:HASSH Server Fingerprint;help:HASSH Server Fingerprint
+zeek.ssh.hasshAlgorithms=db:zeek.ssh.hasshAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Client Algorithms;help:HASSH Client Algorithms
+zeek.ssh.hasshServerAlgorithms=db:zeek.ssh.hasshServerAlgorithms;group:zeek_ssh;kind:termfield;friendly:HASSH Server Algorithms;help:HASSH Server Algorithms
+zeek.ssh.cshka=db:zeek.ssh.cshka;group:zeek_ssh;kind:termfield;friendly:HASSH Client Host Key Algorithms;help:HASSH Client Host Key Algorithms
+zeek.ssh.sshka=db:zeek.ssh.sshka;group:zeek_ssh;kind:termfield;friendly:HASSH Server Host Key Algorithms;help:HASSH Server Host Key Algorithms
 # ssl.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info
-zeek_ssl.ssl_version=db:zeek_ssl.ssl_version;kind:termfield;friendly:Version;help:Version
-zeek_ssl.cipher=db:zeek_ssl.cipher;kind:termfield;friendly:Cipher;help:Cipher
-zeek_ssl.curve=db:zeek_ssl.curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
-zeek_ssl.server_name=db:zeek_ssl.server_name;kind:termfield;friendly:Server Name;help:Server Name
-zeek_ssl.sni_matches_cert=db:zeek_ssl.sni_matches_cert;kind:termfield;friendly:SNI Matches Certificate;help:SNI Matches Certificate
-zeek_ssl.ssl_history=db:zeek_ssl.ssl_history;kind:termfield;friendly:SSL Packet History;help:SSL Packet History
-zeek_ssl.resumed=db:zeek_ssl.resumed;kind:termfield;friendly:Resumed;help:Resumed
-zeek_ssl.last_alert=db:zeek_ssl.last_alert;kind:termfield;friendly:Last Alert;help:Last Alert
-zeek_ssl.next_protocol=db:zeek_ssl.next_protocol;kind:termfield;friendly:Next Protocol;help:Next Protocol
-zeek_ssl.established=db:zeek_ssl.established;kind:termfield;friendly:Established;help:Established
-zeek_ssl.cert_chain_fuids=db:zeek_ssl.cert_chain_fuids;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID
-zeek_ssl.cert_chain_fps=db:zeek_ssl.cert_chain_fps;kind:termfield;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints
-zeek_ssl.client_cert_chain_fuids=db:zeek_ssl.client_cert_chain_fuids;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
-zeek_ssl.client_cert_chain_fps=db:zeek_ssl.client_cert_chain_fps;kind:termfield;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints
-zeek_ssl.issuer_full=db:zeek_ssl.issuer_full;kind:termfield;friendly:Issuer;help:Issuer
-zeek_ssl.subject.C=db:zeek_ssl.subject.C;kind:termfield;friendly:Subject Country;help:Subject Country
-zeek_ssl.subject.CN=db:zeek_ssl.subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
-zeek_ssl.subject.description=db:zeek_ssl.subject.description;kind:termfield;friendly:Subject Description;help:Subject Description
-zeek_ssl.subject.emailAddress=db:zeek_ssl.subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
-zeek_ssl.subject_full=db:zeek_ssl.subject_full;kind:termfield;friendly:Subject;help:Subject
-zeek_ssl.subject.GN=db:zeek_ssl.subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
-zeek_ssl.subject.initials=db:zeek_ssl.subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials
-zeek_ssl.subject.L=db:zeek_ssl.subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality
-zeek_ssl.subject.O=db:zeek_ssl.subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization
-zeek_ssl.subject.OU=db:zeek_ssl.subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
-zeek_ssl.subject.postalCode=db:zeek_ssl.subject.postalCode;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
-zeek_ssl.subject.pseudonym=db:zeek_ssl.subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
-zeek_ssl.subject.serialNumber=db:zeek_ssl.subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
-zeek_ssl.subject.SN=db:zeek_ssl.subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname
-zeek_ssl.subject.ST=db:zeek_ssl.subject.ST;kind:termfield;friendly:Subject State;help:Subject State
-zeek_ssl.subject.street=db:zeek_ssl.subject.street;kind:termfield;friendly:Subject Street;help:Subject Street
-zeek_ssl.subject.title=db:zeek_ssl.subject.title;kind:termfield;friendly:Subject Title;help:Subject Title
-zeek_ssl.issuer.CN=db:zeek_ssl.issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
-zeek_ssl.issuer.C=db:zeek_ssl.issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country
-zeek_ssl.issuer.O=db:zeek_ssl.issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
-zeek_ssl.issuer.OU=db:zeek_ssl.issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
-zeek_ssl.issuer.ST=db:zeek_ssl.issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State
-zeek_ssl.issuer.SN=db:zeek_ssl.issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
-zeek_ssl.issuer.L=db:zeek_ssl.issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
-zeek_ssl.issuer.DC=db:zeek_ssl.issuer.DC;kind:termfield;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name
-zeek_ssl.issuer.GN=db:zeek_ssl.issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
-zeek_ssl.issuer.pseudonym=db:zeek_ssl.issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
-zeek_ssl.issuer.serialNumber=db:zeek_ssl.issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
-zeek_ssl.issuer.title=db:zeek_ssl.issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title
-zeek_ssl.issuer.initials=db:zeek_ssl.issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
-zeek_ssl.issuer.emailAddress=db:zeek_ssl.issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
-zeek_ssl.client_subject_full=db:zeek_ssl.client_subject_full;kind:termfield;friendly:Client Subject;help:Client Subject
-zeek_ssl.client_subject.CN=db:zeek_ssl.client_subject.CN;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name
-zeek_ssl.client_subject.C=db:zeek_ssl.client_subject.C;kind:termfield;friendly:Client Subject Country;help:Client Subject Country
-zeek_ssl.client_subject.O=db:zeek_ssl.client_subject.O;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization
-zeek_ssl.client_subject.OU=db:zeek_ssl.client_subject.OU;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
-zeek_ssl.client_subject.ST=db:zeek_ssl.client_subject.ST;kind:termfield;friendly:Client Subject State;help:Client Subject State
-zeek_ssl.client_subject.SN=db:zeek_ssl.client_subject.SN;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname
-zeek_ssl.client_subject.L=db:zeek_ssl.client_subject.L;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality
-zeek_ssl.client_subject.GN=db:zeek_ssl.client_subject.GN;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name
-zeek_ssl.client_subject.pseudonym=db:zeek_ssl.client_subject.pseudonym;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
-zeek_ssl.client_subject.serialNumber=db:zeek_ssl.client_subject.serialNumber;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number
-zeek_ssl.client_subject.title=db:zeek_ssl.client_subject.title;kind:termfield;friendly:Client Subject Title;help:Client Subject Title
-zeek_ssl.client_subject.initials=db:zeek_ssl.client_subject.initials;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials
-zeek_ssl.client_subject.emailAddress=db:zeek_ssl.client_subject.emailAddress;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address
-zeek_ssl.client_issuer_full=db:zeek_ssl.client_issuer_full;kind:termfield;friendly:Client Issuer;help:Client Issuer
-zeek_ssl.client_issuer.CN=db:zeek_ssl.client_issuer.CN;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name
-zeek_ssl.client_issuer.C=db:zeek_ssl.client_issuer.C;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country
-zeek_ssl.client_issuer.O=db:zeek_ssl.client_issuer.O;kind:termfield;friendly:Client Issuer Organization;help:Client Issuer Organization
-zeek_ssl.client_issuer.OU=db:zeek_ssl.client_issuer.OU;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit
-zeek_ssl.client_issuer.ST=db:zeek_ssl.client_issuer.ST;kind:termfield;friendly:Client Issuer State;help:Client Issuer State
-zeek_ssl.client_issuer.SN=db:zeek_ssl.client_issuer.SN;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname
-zeek_ssl.client_issuer.L=db:zeek_ssl.client_issuer.L;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality
-zeek_ssl.client_issuer.DC=db:zeek_ssl.client_issuer.DC;kind:termfield;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name
-zeek_ssl.client_issuer.GN=db:zeek_ssl.client_issuer.GN;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name
-zeek_ssl.client_issuer.pseudonym=db:zeek_ssl.client_issuer.pseudonym;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym
-zeek_ssl.client_issuer.serialNumber=db:zeek_ssl.client_issuer.serialNumber;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number
-zeek_ssl.client_issuer.title=db:zeek_ssl.client_issuer.title;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title
-zeek_ssl.client_issuer.initials=db:zeek_ssl.client_issuer.initials;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials
-zeek_ssl.client_issuer.emailAddress=db:zeek_ssl.client_issuer.emailAddress;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address
-zeek_ssl.validation_status=db:zeek_ssl.validation_status;kind:termfield;friendly:Validation Status;help:Validation Status
-zeek_ssl.ja3=db:zeek_ssl.ja3;kind:termfield;friendly:JA3 Fingerprint;help:JA3 Fingerprint
-zeek_ssl.ja3s=db:zeek_ssl.ja3s;kind:termfield;friendly:JA3S Fingerprint;help:JA3S Fingerprint
-zeek_ssl.ja3_desc=db:zeek_ssl.ja3_desc;kind:termfield;friendly:JA3 Fingerprint Lookup;help:JA3 Fingerprint Lookup
-zeek_ssl.ja3s_desc=db:zeek_ssl.ja3s_desc;kind:termfield;friendly:JA3S Fingerprint Lookup;help:JA3S Fingerprint Lookup
+zeek.ssl.ssl_version=db:zeek.ssl.ssl_version;group:zeek_ssl;kind:termfield;friendly:Version;help:Version
+zeek.ssl.cipher=db:zeek.ssl.cipher;group:zeek_ssl;kind:termfield;friendly:Cipher;help:Cipher
+zeek.ssl.curve=db:zeek.ssl.curve;group:zeek_ssl;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve
+zeek.ssl.server_name=db:zeek.ssl.server_name;group:zeek_ssl;kind:termfield;friendly:Server Name;help:Server Name
+zeek.ssl.sni_matches_cert=db:zeek.ssl.sni_matches_cert;group:zeek_ssl;kind:termfield;friendly:SNI Matches Certificate;help:SNI Matches Certificate
+zeek.ssl.ssl_history=db:zeek.ssl.ssl_history;group:zeek_ssl;kind:termfield;friendly:SSL Packet History;help:SSL Packet History
+zeek.ssl.resumed=db:zeek.ssl.resumed;group:zeek_ssl;kind:termfield;friendly:Resumed;help:Resumed
+zeek.ssl.last_alert=db:zeek.ssl.last_alert;group:zeek_ssl;kind:termfield;friendly:Last Alert;help:Last Alert
+zeek.ssl.next_protocol=db:zeek.ssl.next_protocol;group:zeek_ssl;kind:termfield;friendly:Next Protocol;help:Next Protocol
+zeek.ssl.established=db:zeek.ssl.established;group:zeek_ssl;kind:termfield;friendly:Established;help:Established
+zeek.ssl.cert_chain_fuids=db:zeek.ssl.cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File ID;help:Certificate Chain File ID
+zeek.ssl.cert_chain_fps=db:zeek.ssl.cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Certificate Chain File Fingerprints;help:Certificate Chain File Fingerprints
+zeek.ssl.client_cert_chain_fuids=db:zeek.ssl.client_cert_chain_fuids;group:zeek_ssl;kind:termfield;friendly:Client Certificate File ID;help:Client Certificate File ID
+zeek.ssl.client_cert_chain_fps=db:zeek.ssl.client_cert_chain_fps;group:zeek_ssl;kind:termfield;friendly:Client Certificate File Fingerprints;help:Client Certificate File Fingerprints
+zeek.ssl.issuer_full=db:zeek.ssl.issuer_full;group:zeek_ssl;kind:termfield;friendly:Issuer;help:Issuer
+zeek.ssl.subject.C=db:zeek.ssl.subject.C;group:zeek_ssl;kind:termfield;friendly:Subject Country;help:Subject Country
+zeek.ssl.subject.CN=db:zeek.ssl.subject.CN;group:zeek_ssl;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
+zeek.ssl.subject.description=db:zeek.ssl.subject.description;group:zeek_ssl;kind:termfield;friendly:Subject Description;help:Subject Description
+zeek.ssl.subject.emailAddress=db:zeek.ssl.subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
+zeek.ssl.subject_full=db:zeek.ssl.subject_full;group:zeek_ssl;kind:termfield;friendly:Subject;help:Subject
+zeek.ssl.subject.GN=db:zeek.ssl.subject.GN;group:zeek_ssl;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
+zeek.ssl.subject.initials=db:zeek.ssl.subject.initials;group:zeek_ssl;kind:termfield;friendly:Subject Initials;help:Subject Initials
+zeek.ssl.subject.L=db:zeek.ssl.subject.L;group:zeek_ssl;kind:termfield;friendly:Subject Locality;help:Subject Locality
+zeek.ssl.subject.O=db:zeek.ssl.subject.O;group:zeek_ssl;kind:termfield;friendly:Subject Organization;help:Subject Organization
+zeek.ssl.subject.OU=db:zeek.ssl.subject.OU;group:zeek_ssl;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
+zeek.ssl.subject.postalCode=db:zeek.ssl.subject.postalCode;group:zeek_ssl;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
+zeek.ssl.subject.pseudonym=db:zeek.ssl.subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
+zeek.ssl.subject.serialNumber=db:zeek.ssl.subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
+zeek.ssl.subject.SN=db:zeek.ssl.subject.SN;group:zeek_ssl;kind:termfield;friendly:Subject Surname;help:Subject Surname
+zeek.ssl.subject.ST=db:zeek.ssl.subject.ST;group:zeek_ssl;kind:termfield;friendly:Subject State;help:Subject State
+zeek.ssl.subject.street=db:zeek.ssl.subject.street;group:zeek_ssl;kind:termfield;friendly:Subject Street;help:Subject Street
+zeek.ssl.subject.title=db:zeek.ssl.subject.title;group:zeek_ssl;kind:termfield;friendly:Subject Title;help:Subject Title
+zeek.ssl.issuer.CN=db:zeek.ssl.issuer.CN;group:zeek_ssl;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
+zeek.ssl.issuer.C=db:zeek.ssl.issuer.C;group:zeek_ssl;kind:termfield;friendly:Issuer Country;help:Issuer Country
+zeek.ssl.issuer.O=db:zeek.ssl.issuer.O;group:zeek_ssl;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
+zeek.ssl.issuer.OU=db:zeek.ssl.issuer.OU;group:zeek_ssl;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
+zeek.ssl.issuer.ST=db:zeek.ssl.issuer.ST;group:zeek_ssl;kind:termfield;friendly:Issuer State;help:Issuer State
+zeek.ssl.issuer.SN=db:zeek.ssl.issuer.SN;group:zeek_ssl;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
+zeek.ssl.issuer.L=db:zeek.ssl.issuer.L;group:zeek_ssl;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
+zeek.ssl.issuer.DC=db:zeek.ssl.issuer.DC;group:zeek_ssl;kind:termfield;friendly:Issuer Distinguished Name;help:Issuer Distinguished Name
+zeek.ssl.issuer.GN=db:zeek.ssl.issuer.GN;group:zeek_ssl;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
+zeek.ssl.issuer.pseudonym=db:zeek.ssl.issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
+zeek.ssl.issuer.serialNumber=db:zeek.ssl.issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number
+zeek.ssl.issuer.title=db:zeek.ssl.issuer.title;group:zeek_ssl;kind:termfield;friendly:Issuer Title;help:Issuer Title
+zeek.ssl.issuer.initials=db:zeek.ssl.issuer.initials;group:zeek_ssl;kind:termfield;friendly:Issuer Initials;help:Issuer Initials
+zeek.ssl.issuer.emailAddress=db:zeek.ssl.issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address
+zeek.ssl.client_subject_full=db:zeek.ssl.client_subject_full;group:zeek_ssl;kind:termfield;friendly:Client Subject;help:Client Subject
+zeek.ssl.client_subject.CN=db:zeek.ssl.client_subject.CN;group:zeek_ssl;kind:termfield;friendly:Client Subject Common Name;help:Client Subject Common Name
+zeek.ssl.client_subject.C=db:zeek.ssl.client_subject.C;group:zeek_ssl;kind:termfield;friendly:Client Subject Country;help:Client Subject Country
+zeek.ssl.client_subject.O=db:zeek.ssl.client_subject.O;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization;help:Client Subject Organization
+zeek.ssl.client_subject.OU=db:zeek.ssl.client_subject.OU;group:zeek_ssl;kind:termfield;friendly:Client Subject Organization Unit;help:Client Subject Organization Unit
+zeek.ssl.client_subject.ST=db:zeek.ssl.client_subject.ST;group:zeek_ssl;kind:termfield;friendly:Client Subject State;help:Client Subject State
+zeek.ssl.client_subject.SN=db:zeek.ssl.client_subject.SN;group:zeek_ssl;kind:termfield;friendly:Client Subject Surname;help:Client Subject Surname
+zeek.ssl.client_subject.L=db:zeek.ssl.client_subject.L;group:zeek_ssl;kind:termfield;friendly:Client Subject Locality;help:Client Subject Locality
+zeek.ssl.client_subject.GN=db:zeek.ssl.client_subject.GN;group:zeek_ssl;kind:termfield;friendly:Client Subject Given Name;help:Client Subject Given Name
+zeek.ssl.client_subject.pseudonym=db:zeek.ssl.client_subject.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Subject Pseudonym;help:Client Subject Pseudonym
+zeek.ssl.client_subject.serialNumber=db:zeek.ssl.client_subject.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Subject Serial Number;help:Client Subject Serial Number
+zeek.ssl.client_subject.title=db:zeek.ssl.client_subject.title;group:zeek_ssl;kind:termfield;friendly:Client Subject Title;help:Client Subject Title
+zeek.ssl.client_subject.initials=db:zeek.ssl.client_subject.initials;group:zeek_ssl;kind:termfield;friendly:Client Subject Initials;help:Client Subject Initials
+zeek.ssl.client_subject.emailAddress=db:zeek.ssl.client_subject.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Subject Email Address;help:Client Subject Email Address
+zeek.ssl.client_issuer_full=db:zeek.ssl.client_issuer_full;group:zeek_ssl;kind:termfield;friendly:Client Issuer;help:Client Issuer
+zeek.ssl.client_issuer.CN=db:zeek.ssl.client_issuer.CN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Common Name;help:Client Issuer Common Name
+zeek.ssl.client_issuer.C=db:zeek.ssl.client_issuer.C;group:zeek_ssl;kind:termfield;friendly:Client Issuer Country;help:Client Issuer Country
+zeek.ssl.client_issuer.O=db:zeek.ssl.client_issuer.O;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization;help:Client Issuer Organization
+zeek.ssl.client_issuer.OU=db:zeek.ssl.client_issuer.OU;group:zeek_ssl;kind:termfield;friendly:Client Issuer Organization Unit;help:Client Issuer Organization Unit
+zeek.ssl.client_issuer.ST=db:zeek.ssl.client_issuer.ST;group:zeek_ssl;kind:termfield;friendly:Client Issuer State;help:Client Issuer State
+zeek.ssl.client_issuer.SN=db:zeek.ssl.client_issuer.SN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Surname;help:Client Issuer Surname
+zeek.ssl.client_issuer.L=db:zeek.ssl.client_issuer.L;group:zeek_ssl;kind:termfield;friendly:Client Issuer Locality;help:Client Issuer Locality
+zeek.ssl.client_issuer.DC=db:zeek.ssl.client_issuer.DC;group:zeek_ssl;kind:termfield;friendly:Client Issuer Distinguished Name;help:Client Issuer Distinguished Name
+zeek.ssl.client_issuer.GN=db:zeek.ssl.client_issuer.GN;group:zeek_ssl;kind:termfield;friendly:Client Issuer Given Name;help:Client Issuer Given Name
+zeek.ssl.client_issuer.pseudonym=db:zeek.ssl.client_issuer.pseudonym;group:zeek_ssl;kind:termfield;friendly:Client Issuer Pseudonym;help:Client Issuer Pseudonym
+zeek.ssl.client_issuer.serialNumber=db:zeek.ssl.client_issuer.serialNumber;group:zeek_ssl;kind:termfield;friendly:Client Issuer Serial Number;help:Client Issuer Serial Number
+zeek.ssl.client_issuer.title=db:zeek.ssl.client_issuer.title;group:zeek_ssl;kind:termfield;friendly:Client Issuer Title;help:Client Issuer Title
+zeek.ssl.client_issuer.initials=db:zeek.ssl.client_issuer.initials;group:zeek_ssl;kind:termfield;friendly:Client Issuer Initials;help:Client Issuer Initials
+zeek.ssl.client_issuer.emailAddress=db:zeek.ssl.client_issuer.emailAddress;group:zeek_ssl;kind:termfield;friendly:Client Issuer Email Address;help:Client Issuer Email Address
+zeek.ssl.validation_status=db:zeek.ssl.validation_status;group:zeek_ssl;kind:termfield;friendly:Validation Status;help:Validation Status
+tls.client.ja3=db:tls.client.ja3;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint;help:JA3 Client Fingerprint
+tls.server.ja3s=db:tls.server.ja3s;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint;help:JA3 Server Fingerprint
+tls.client.ja3_description=db:tls.client.ja3_description;group:zeek_ssl;kind:termfield;friendly:JA3 Client Fingerprint Lookup;help:JA3 Client Fingerprint Lookup
+tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:termfield;friendly:JA3 Server Fingerprint Lookup;help:JA3 Server Fingerprint Lookup
 # stun.log and stun_nat.log
 # https://github.com/zeek/spicy-analyzers/tree/main/analyzer/stun
-zeek_stun.is_orig=db:zeek_stun.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
-zeek_stun.trans_id=db:zeek_stun.trans_id;kind:termfield;friendly:Transaction ID;help:Transaction ID
-zeek_stun.method=db:zeek_stun.method;kind:termfield;friendly:STUN Method;help:STUN Method
-zeek_stun.class=db:zeek_stun.class;kind:termfield;friendly:STUN Class;help:STUN Class
-zeek_stun.attr_type=db:zeek_stun.attr_type;kind:termfield;friendly:Attribute Type;help:Attribute Type
-zeek_stun.attr_val=db:zeek_stun.attr_val;kind:termfield;friendly:Attribute Value;help:Attribute Value
-zeek_stun_nat.is_orig=db:zeek_stun_nat.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
-zeek_stun_nat.wan_addr=db:zeek_stun_nat.wan_addr;kind:termfield;friendly:WAN Address;help:WAN Address
-zeek_stun_nat.wan_port=db:zeek_stun_nat.wan_port;kind:integer;friendly:Mapped Port;help:Mapped Port
-zeek_stun_nat.lan_addr=db:zeek_stun_nat.lan_addr;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address
+zeek.stun.is_orig=db:zeek.stun.is_orig;group:zeek_stun;kind:termfield;friendly:Is Originator;help:Is Originator
+zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID
+zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;friendly:STUN Method;help:STUN Method
+zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;friendly:STUN Class;help:STUN Class
+zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;friendly:Attribute Type;help:Attribute Type
+zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;friendly:Attribute Value;help:Attribute Value
+zeek.stun_nat.is_orig=db:zeek.stun_nat.is_orig;group:zeek_stun;kind:termfield;friendly:Is Originator;help:Is Originator
+zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;friendly:WAN Address;help:WAN Address
+zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;friendly:Mapped Port;help:Mapped Port
+zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address
 # syslog.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
-zeek_syslog.facility=db:zeek_syslog.facility;kind:termfield;friendly:Facility;help:Facility
-zeek_syslog.severity=db:zeek_syslog.severity;kind:termfield;friendly:Severity;help:Severity
-zeek_syslog.message=db:zeek_syslog.message;kind:termfield;friendly:Message;help:Message
+zeek.syslog.facility=db:zeek.syslog.facility;group:zeek_syslog;kind:termfield;friendly:Facility;help:Facility
+zeek.syslog.severity=db:zeek.syslog.severity;group:zeek_syslog;kind:termfield;friendly:Severity;help:Severity
+zeek.syslog.message=db:zeek.syslog.message;group:zeek_syslog;kind:termfield;friendly:Message;help:Message
 # tds.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek_tds.command=db:zeek_tds.command;kind:termfield;friendly:Command;help:Command
+zeek.tds.command=db:zeek.tds.command;group:zeek_tds;kind:termfield;friendly:Command;help:Command
 # tds_rpc.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek_tds_rpc.procedure_name=db:zeek_tds_rpc.procedure_name;kind:termfield;friendly:Procedure;help:Procedure
-zeek_tds_rpc.parameters=db:zeek_tds_rpc.parameters;kind:termfield;friendly:Parameters;help:Parameters
+zeek.tds_rpc.procedure_name=db:zeek.tds_rpc.procedure_name;group:zeek_tds;kind:termfield;friendly:Procedure;help:Procedure
+zeek.tds_rpc.parameters=db:zeek.tds_rpc.parameters;group:zeek_tds;kind:termfield;friendly:Parameters;help:Parameters
 # tds_sql_batch.log - https://github.com/amzn/zeek-plugin-tds
 # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-zeek_tds_sql_batch.header_type=db:zeek_tds_sql_batch.header_type;kind:termfield;friendly:Header Type;help:Header Type
-zeek_tds_sql_batch.query=db:zeek_tds_sql_batch.query;kind:termfield;friendly:Query;help:Query
+zeek.tds_sql_batch.header_type=db:zeek.tds_sql_batch.header_type;group:zeek_tds;kind:termfield;friendly:Header Type;help:Header Type
+zeek.tds_sql_batch.query=db:zeek.tds_sql_batch.query;group:zeek_tds;kind:termfield;friendly:Query;help:Query
 # tftp.log
 # https://github.com/zeek/spicy-tftp
-zeek_tftp.block_acked=db:zeek_tftp.block_acked;kind:integer;friendly:Highest Block ACKed;help:Highest Block ACKed
-zeek_tftp.block_sent=db:zeek_tftp.block_sent;kind:integer;friendly:Highest Block Sent;help:Highest Block Sent
-zeek_tftp.error_code=db:zeek_tftp.error_code;kind:integer;friendly:Error Code;help:Error Code
-zeek_tftp.error_msg=db:zeek_tftp.error_msg;kind:integer;friendly:Error Message;help:Error Message
-zeek_tftp.fname=db:zeek_tftp.fname;kind:termfield;friendly:File Name;help:File Name
-zeek_tftp.mode=db:zeek_tftp.mode;kind:termfield;friendly:Transfer Mode;help:Transfer Mode
-zeek_tftp.size=db:zeek_tftp.size;kind:termfield;friendly:Transfer Size;help:Transfer Size
-zeek_tftp.uid_data=db:zeek_tftp.uid_data;kind:termfield;friendly:Data Connection ID;help:Data Connection ID
-zeek_tftp.wrq=db:zeek_tftp.wrq;kind:termfield;friendly:Write Request;help:Write Request
+zeek.tftp.block_acked=db:zeek.tftp.block_acked;group:zeek_tftp;kind:integer;friendly:Highest Block ACKed;help:Highest Block ACKed
+zeek.tftp.block_sent=db:zeek.tftp.block_sent;group:zeek_tftp;kind:integer;friendly:Highest Block Sent;help:Highest Block Sent
+zeek.tftp.error_code=db:zeek.tftp.error_code;group:zeek_tftp;kind:integer;friendly:Error Code;help:Error Code
+zeek.tftp.error_msg=db:zeek.tftp.error_msg;group:zeek_tftp;kind:integer;friendly:Error Message;help:Error Message
+zeek.tftp.fname=db:zeek.tftp.fname;group:zeek_tftp;kind:termfield;friendly:File Name;help:File Name
+zeek.tftp.mode=db:zeek.tftp.mode;group:zeek_tftp;kind:termfield;friendly:Transfer Mode;help:Transfer Mode
+zeek.tftp.size=db:zeek.tftp.size;group:zeek_tftp;kind:termfield;friendly:Transfer Size;help:Transfer Size
+zeek.tftp.uid_data=db:zeek.tftp.uid_data;group:zeek_tftp;kind:termfield;friendly:Data Connection ID;help:Data Connection ID
+zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;friendly:Write Request;help:Write Request
 # tunnel.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
-zeek_tunnel.tunnel_type=db:zeek_tunnel.tunnel_type;kind:termfield;friendly:Tunnel Type;help:Tunnel Type
-zeek_tunnel.action=db:zeek_tunnel.action;kind:termfield;friendly:Action;help:Action
+zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;friendly:Tunnel Type;help:Tunnel Type
+zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;friendly:Action;help:Action
 # weird.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
-zeek_weird.name=db:zeek_weird.name;kind:termfield;friendly:Name;help:Name
-zeek_weird.addl=db:zeek_weird.addl;kind:termfield;friendly:Additional Info;help:Additional Info
-zeek_weird.notice=db:zeek_weird.notice;kind:termfield;friendly:Notice;help:Generated a notice
-zeek_weird.peer=db:zeek_weird.peer;kind:termfield;friendly:Remote Peer;help:Remote Peer
+zeek.weird.name=db:zeek.weird.name;group:zeek_weird;kind:termfield;friendly:Name;help:Name
+zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;friendly:Additional Info;help:Additional Info
+zeek.weird.notice=db:zeek.weird.notice;group:zeek_weird;kind:termfield;friendly:Notice;help:Generated a notice
+zeek.weird.peer=db:zeek.weird.peer;group:zeek_weird;kind:termfield;friendly:Remote Peer;help:Remote Peer
 # wireguard.log
 # https://github.com/zeek/spicy-analyzers/tree/main/analyzer/protocol/wireguard
-zeek_wireguard.established=db:zeek_wireguard.established;kind:termfield;friendly:Established;help:Established
-zeek_wireguard.initiations=db:zeek_wireguard.initiations;kind:integer;friendly:Initiation Packets;help:Initiation Packets
-zeek_wireguard.responses=db:zeek_wireguard.responses;kind:integer;friendly:Response Packets;help:Response Packets
+zeek.wireguard.established=db:zeek.wireguard.established;group:zeek_wireguard;kind:termfield;friendly:Established;help:Established
+zeek.wireguard.initiations=db:zeek.wireguard.initiations;group:zeek_wireguard;kind:integer;friendly:Initiation Packets;help:Initiation Packets
+zeek.wireguard.responses=db:zeek.wireguard.responses;group:zeek_wireguard;kind:integer;friendly:Response Packets;help:Response Packets
 # x509.log
 # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
-zeek_x509.certificate_version=db:zeek_x509.certificate_version;kind:integer;friendly:Version;help:Version
-zeek_x509.certificate_serial=db:zeek_x509.certificate_serial;kind:termfield;friendly:Serial Number;help:Serial Number
-zeek_x509.certificate_subject_full=db:zeek_x509.certificate_subject_full;kind:termfield;friendly:Subject;help:Subject
-zeek_x509.certificate_subject.CN=db:zeek_x509.certificate_subject.CN;kind:termfield;friendly:Subject Common Name;help:Subject Common Name
-zeek_x509.certificate_subject.C=db:zeek_x509.certificate_subject.C;kind:termfield;friendly:Subject Country;help:Subject Country
-zeek_x509.certificate_subject.description=db:zeek_x509.certificate_subject.description;kind:termfield;friendly:Subject Description;help:Subject Description
-zeek_x509.certificate_subject.postalCode=db:zeek_x509.certificate_subject.postalCode;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code
-zeek_x509.certificate_subject.street=db:zeek_x509.certificate_subject.street;kind:termfield;friendly:Subject Street;help:Subject Street
-zeek_x509.certificate_subject.O=db:zeek_x509.certificate_subject.O;kind:termfield;friendly:Subject Organization;help:Subject Organization
-zeek_x509.certificate_subject.OU=db:zeek_x509.certificate_subject.OU;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit
-zeek_x509.certificate_subject.ST=db:zeek_x509.certificate_subject.ST;kind:termfield;friendly:Subject State;help:Subject State
-zeek_x509.certificate_subject.SN=db:zeek_x509.certificate_subject.SN;kind:termfield;friendly:Subject Surname;help:Subject Surname
-zeek_x509.certificate_subject.L=db:zeek_x509.certificate_subject.L;kind:termfield;friendly:Subject Locality;help:Subject Locality
-zeek_x509.certificate_subject.DC=db:zeek_x509.certificate_subject.DC;kind:termfield;friendly:Subject Distinguished Name;help:Subject Distinguished Name
-zeek_x509.certificate_subject.GN=db:zeek_x509.certificate_subject.GN;kind:termfield;friendly:Subject Given Name;help:Subject Given Name
-zeek_x509.certificate_subject.pseudonym=db:zeek_x509.certificate_subject.pseudonym;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym
-zeek_x509.certificate_subject.serialNumber=db:zeek_x509.certificate_subject.serialNumber;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number
-zeek_x509.certificate_subject.title=db:zeek_x509.certificate_subject.title;kind:termfield;friendly:Subject Title;help:Subject Title
-zeek_x509.certificate_subject.initials=db:zeek_x509.certificate_subject.initials;kind:termfield;friendly:Subject Initials;help:Subject Initials
-zeek_x509.certificate_subject.emailAddress=db:zeek_x509.certificate_subject.emailAddress;kind:termfield;friendly:Subject Email Address;help:Subject Email Address
-zeek_x509.certificate_issuer_full=db:zeek_x509.certificate_issuer_full;kind:termfield;friendly:Issuer;help:Issuer
-zeek_x509.certificate_issuer.CN=db:zeek_x509.certificate_issuer.CN;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name
-zeek_x509.certificate_issuer.DC=db:zeek_x509.certificate_issuer.DC;kind:termfield;friendly:Issuer Common Name;help:Issuer Distinguished Name
-zeek_x509.certificate_issuer.C=db:zeek_x509.certificate_issuer.C;kind:termfield;friendly:Issuer Country;help:Issuer Country
-zeek_x509.certificate_issuer.O=db:zeek_x509.certificate_issuer.O;kind:termfield;friendly:Issuer Organization;help:Issuer Organization
-zeek_x509.certificate_issuer.OU=db:zeek_x509.certificate_issuer.OU;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit
-zeek_x509.certificate_issuer.ST=db:zeek_x509.certificate_issuer.ST;kind:termfield;friendly:Issuer State;help:Issuer State
-zeek_x509.certificate_issuer.SN=db:zeek_x509.certificate_issuer.SN;kind:termfield;friendly:Issuer Surname;help:Issuer Surname
-zeek_x509.certificate_issuer.L=db:zeek_x509.certificate_issuer.L;kind:termfield;friendly:Issuer Locality;help:Issuer Locality
-zeek_x509.certificate_issuer.GN=db:zeek_x509.certificate_issuer.GN;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name
-zeek_x509.certificate_issuer.pseudonym=db:zeek_x509.certificate_issuer.pseudonym;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym
-zeek_x509.certificate_issuer.serialNumber=db:zeek_x509.certificate_issuer.serialNumber;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number -zeek_x509.certificate_issuer.title=db:zeek_x509.certificate_issuer.title;kind:termfield;friendly:Issuer Title;help:Issuer Title -zeek_x509.certificate_issuer.initials=db:zeek_x509.certificate_issuer.initials;kind:termfield;friendly:Issuer Initials;help:Issuer Initials -zeek_x509.certificate_issuer.emailAddress=db:zeek_x509.certificate_issuer.emailAddress;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address -zeek_x509.certificate_not_valid_before=db:zeek_x509.certificate_not_valid_before;kind:termfield;friendly:Not Valid Before;help:Not Valid Before -zeek_x509.certificate_not_valid_after=db:zeek_x509.certificate_not_valid_after;kind:termfield;friendly:Not Valid After;help:Not Valid After -zeek_x509.certificate_key_alg=db:zeek_x509.certificate_key_alg;kind:termfield;friendly:Key Algorithm;help:Key Algorithm -zeek_x509.certificate_sig_alg=db:zeek_x509.certificate_sig_alg;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm -zeek_x509.certificate_key_type=db:zeek_x509.certificate_key_type;kind:termfield;friendly:Key Type;help:Key Type -zeek_x509.certificate_key_length=db:zeek_x509.certificate_key_length;kind:integer;friendly:Key Bitlength;help:Key Bitlength -zeek_x509.certificate_exponent=db:zeek_x509.certificate_exponent;kind:termfield;friendly:RSA Exponent;help:RSA Exponent -zeek_x509.certificate_curve=db:zeek_x509.certificate_curve;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve -zeek_x509.client_cert=db:zeek_x509.client_cert;kind:termfield;friendly:Client Certificate;help:Client Certificate -zeek_x509.fingerprint=db:zeek_x509.fingerprint;kind:termfield;friendly:Certificate Fingerprint;help:Certificate Fingerprint -zeek_x509.host_cert=db:zeek_x509.host_cert;kind:termfield;friendly:Host Certificate;help:Host Certificate 
-zeek_x509.san_dns=db:zeek_x509.san_dns;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS -zeek_x509.san_uri=db:zeek_x509.san_uri;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI -zeek_x509.san_email=db:zeek_x509.san_email;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email -zeek_x509.san_ip=db:zeek_x509.san_ip;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP -zeek_x509.basic_constraints_ca=db:zeek_x509.basic_constraints_ca;kind:termfield;friendly:CA Flag;help:CA Flag -zeek_x509.basic_constraints_path_len=db:zeek_x509.basic_constraints_path_len;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length +zeek.x509.certificate_version=db:zeek.x509.certificate_version;group:zeek_x509;kind:integer;friendly:Version;help:Version +zeek.x509.certificate_serial=db:zeek.x509.certificate_serial;group:zeek_x509;kind:termfield;friendly:Serial Number;help:Serial Number +zeek.x509.certificate_subject_full=db:zeek.x509.certificate_subject_full;group:zeek_x509;kind:termfield;friendly:Subject;help:Subject +zeek.x509.certificate_subject.CN=db:zeek.x509.certificate_subject.CN;group:zeek_x509;kind:termfield;friendly:Subject Common Name;help:Subject Common Name +zeek.x509.certificate_subject.C=db:zeek.x509.certificate_subject.C;group:zeek_x509;kind:termfield;friendly:Subject Country;help:Subject Country +zeek.x509.certificate_subject.description=db:zeek.x509.certificate_subject.description;group:zeek_x509;kind:termfield;friendly:Subject Description;help:Subject Description +zeek.x509.certificate_subject.postalCode=db:zeek.x509.certificate_subject.postalCode;group:zeek_x509;kind:termfield;friendly:Subject Postal Code;help:Subject Postal Code +zeek.x509.certificate_subject.street=db:zeek.x509.certificate_subject.street;group:zeek_x509;kind:termfield;friendly:Subject Street;help:Subject Street +zeek.x509.certificate_subject.O=db:zeek.x509.certificate_subject.O;group:zeek_x509;kind:termfield;friendly:Subject 
Organization;help:Subject Organization +zeek.x509.certificate_subject.OU=db:zeek.x509.certificate_subject.OU;group:zeek_x509;kind:termfield;friendly:Subject Organization Unit;help:Subject Organization Unit +zeek.x509.certificate_subject.ST=db:zeek.x509.certificate_subject.ST;group:zeek_x509;kind:termfield;friendly:Subject State;help:Subject State +zeek.x509.certificate_subject.SN=db:zeek.x509.certificate_subject.SN;group:zeek_x509;kind:termfield;friendly:Subject Surname;help:Subject Surname +zeek.x509.certificate_subject.L=db:zeek.x509.certificate_subject.L;group:zeek_x509;kind:termfield;friendly:Subject Locality;help:Subject Locality +zeek.x509.certificate_subject.DC=db:zeek.x509.certificate_subject.DC;group:zeek_x509;kind:termfield;friendly:Subject Distinguished Name;help:Subject Distinguished Name +zeek.x509.certificate_subject.GN=db:zeek.x509.certificate_subject.GN;group:zeek_x509;kind:termfield;friendly:Subject Given Name;help:Subject Given Name +zeek.x509.certificate_subject.pseudonym=db:zeek.x509.certificate_subject.pseudonym;group:zeek_x509;kind:termfield;friendly:Subject Pseudonym;help:Subject Pseudonym +zeek.x509.certificate_subject.serialNumber=db:zeek.x509.certificate_subject.serialNumber;group:zeek_x509;kind:termfield;friendly:Subject Serial Number;help:Subject Serial Number +zeek.x509.certificate_subject.title=db:zeek.x509.certificate_subject.title;group:zeek_x509;kind:termfield;friendly:Subject Title;help:Subject Title +zeek.x509.certificate_subject.initials=db:zeek.x509.certificate_subject.initials;group:zeek_x509;kind:termfield;friendly:Subject Initials;help:Subject Initials +zeek.x509.certificate_subject.emailAddress=db:zeek.x509.certificate_subject.emailAddress;group:zeek_x509;kind:termfield;friendly:Subject Email Address;help:Subject Email Address +zeek.x509.certificate_issuer_full=db:zeek.x509.certificate_issuer_full;group:zeek_x509;kind:termfield;friendly:Issuer;help:Issuer 
+zeek.x509.certificate_issuer.CN=db:zeek.x509.certificate_issuer.CN;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Common Name +zeek.x509.certificate_issuer.DC=db:zeek.x509.certificate_issuer.DC;group:zeek_x509;kind:termfield;friendly:Issuer Common Name;help:Issuer Distinguished Name +zeek.x509.certificate_issuer.C=db:zeek.x509.certificate_issuer.C;group:zeek_x509;kind:termfield;friendly:Issuer Country;help:Issuer Country +zeek.x509.certificate_issuer.O=db:zeek.x509.certificate_issuer.O;group:zeek_x509;kind:termfield;friendly:Issuer Organization;help:Issuer Organization +zeek.x509.certificate_issuer.OU=db:zeek.x509.certificate_issuer.OU;group:zeek_x509;kind:termfield;friendly:Issuer Organization Unit;help:Issuer Organization Unit +zeek.x509.certificate_issuer.ST=db:zeek.x509.certificate_issuer.ST;group:zeek_x509;kind:termfield;friendly:Issuer State;help:Issuer State +zeek.x509.certificate_issuer.SN=db:zeek.x509.certificate_issuer.SN;group:zeek_x509;kind:termfield;friendly:Issuer Surname;help:Issuer Surname +zeek.x509.certificate_issuer.L=db:zeek.x509.certificate_issuer.L;group:zeek_x509;kind:termfield;friendly:Issuer Locality;help:Issuer Locality +zeek.x509.certificate_issuer.GN=db:zeek.x509.certificate_issuer.GN;group:zeek_x509;kind:termfield;friendly:Issuer Given Name;help:Issuer Given Name +zeek.x509.certificate_issuer.pseudonym=db:zeek.x509.certificate_issuer.pseudonym;group:zeek_x509;kind:termfield;friendly:Issuer Pseudonym;help:Issuer Pseudonym +zeek.x509.certificate_issuer.serialNumber=db:zeek.x509.certificate_issuer.serialNumber;group:zeek_x509;kind:termfield;friendly:Issuer Serial Number;help:Issuer Serial Number +zeek.x509.certificate_issuer.title=db:zeek.x509.certificate_issuer.title;group:zeek_x509;kind:termfield;friendly:Issuer Title;help:Issuer Title +zeek.x509.certificate_issuer.initials=db:zeek.x509.certificate_issuer.initials;group:zeek_x509;kind:termfield;friendly:Issuer Initials;help:Issuer Initials 
+zeek.x509.certificate_issuer.emailAddress=db:zeek.x509.certificate_issuer.emailAddress;group:zeek_x509;kind:termfield;friendly:Issuer Email Address;help:Issuer Email Address +zeek.x509.certificate_not_valid_before=db:zeek.x509.certificate_not_valid_before;group:zeek_x509;kind:termfield;friendly:Not Valid Before;help:Not Valid Before +zeek.x509.certificate_not_valid_after=db:zeek.x509.certificate_not_valid_after;group:zeek_x509;kind:termfield;friendly:Not Valid After;help:Not Valid After +zeek.x509.certificate_key_alg=db:zeek.x509.certificate_key_alg;group:zeek_x509;kind:termfield;friendly:Key Algorithm;help:Key Algorithm +zeek.x509.certificate_sig_alg=db:zeek.x509.certificate_sig_alg;group:zeek_x509;kind:termfield;friendly:Signature Algorithm;help:Signature Algorithm +zeek.x509.certificate_key_type=db:zeek.x509.certificate_key_type;group:zeek_x509;kind:termfield;friendly:Key Type;help:Key Type +zeek.x509.certificate_key_length=db:zeek.x509.certificate_key_length;group:zeek_x509;kind:integer;friendly:Key Bitlength;help:Key Bitlength +zeek.x509.certificate_exponent=db:zeek.x509.certificate_exponent;group:zeek_x509;kind:termfield;friendly:RSA Exponent;help:RSA Exponent +zeek.x509.certificate_curve=db:zeek.x509.certificate_curve;group:zeek_x509;kind:termfield;friendly:Elliptic Curve;help:Elliptic Curve +zeek.x509.client_cert=db:zeek.x509.client_cert;group:zeek_x509;kind:termfield;friendly:Client Certificate;help:Client Certificate +zeek.x509.fingerprint=db:zeek.x509.fingerprint;group:zeek_x509;kind:termfield;friendly:Certificate Fingerprint;help:Certificate Fingerprint +zeek.x509.host_cert=db:zeek.x509.host_cert;group:zeek_x509;kind:termfield;friendly:Host Certificate;help:Host Certificate +zeek.x509.san_dns=db:zeek.x509.san_dns;group:zeek_x509;kind:termfield;friendly:SAN DNS;help:Subject Alternative Name DNS +zeek.x509.san_uri=db:zeek.x509.san_uri;group:zeek_x509;kind:termfield;friendly:SAN URI;help:Subject Alternative Name URI 
+zeek.x509.san_email=db:zeek.x509.san_email;group:zeek_x509;kind:termfield;friendly:SAN Email;help:Subject Alternative Name Email +zeek.x509.san_ip=db:zeek.x509.san_ip;group:zeek_x509;kind:termfield;friendly:SAN IP;help:Subject Alternative Name IP +zeek.x509.basic_constraints_ca=db:zeek.x509.basic_constraints_ca;group:zeek_x509;kind:termfield;friendly:CA Flag;help:CA Flag +zeek.x509.basic_constraints_path_len=db:zeek.x509.basic_constraints_path_len;group:zeek_x509;kind:integer;friendly:Maximum Path Length;help:Maximum Path Length [custom-views] -zeek_bacnet=require:zeek_bacnet;title:Zeek bacnet.log;fields:zeek_bacnet.bvlc_function,zeek_bacnet.pdu_type,zeek_bacnet.pdu_service,zeek_bacnet.invoke_id,zeek_bacnet.result_code -zeek_bacnet_discovery=require:zeek_bacnet_discovery;title:Zeek bacnet_discovery.log;fields:zeek_bacnet_discovery.pdu_service,zeek_bacnet_discovery.object_type,zeek_bacnet_discovery.instance_number,zeek_bacnet_discovery.vendor,zeek_bacnet_discovery.range,zeek_bacnet_discovery.range_low,zeek_bacnet_discovery.range_high,zeek_bacnet_discovery.object_name -zeek_bacnet_property=require:zeek_bacnet_property;title:Zeek bacnet_property.log;fields:zeek_bacnet_property.pdu_service,zeek_bacnet_property.object_type,zeek_bacnet_property.instance_number,zeek_bacnet_property.property,zeek_bacnet_property.array_index,zeek_bacnet_property.value -zeek_bestguess=require:zeek_bestguess;title:Zeek bestguess.log;fields:zeek_bestguess.name,zeek_bestguess.category -zeek_bsap_ip_header=require:zeek_bsap_ip_header;title:Zeek bsap_ip_header.log;fields:zeek_bsap_ip_header.num_msg,zeek_bsap_ip_header.type_name -zeek_bsap_ip_rdb=require:zeek_bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:zeek_bsap_ip_rdb.app_func_code,zeek_bsap_ip_rdb.data,zeek_bsap_ip_rdb.data_len,zeek_bsap_ip_rdb.func_code,zeek_bsap_ip_rdb.header_size,zeek_bsap_ip_rdb.mes_seq,zeek_bsap_ip_rdb.node_status,zeek_bsap_ip_rdb.res_seq,zeek_bsap_ip_rdb.sequence 
-zeek_bsap_ip_unknown=require:zeek_bsap_ip_unknown;title:Zeek bsap_ip_unknown.log;fields:zeek_bsap_ip_unknown.data -zeek_bsap_serial_header=require:zeek_bsap_serial_header;title:Zeek bsap_serial_header.log;fields:zeek_bsap_serial_header.ctl,zeek_bsap_serial_header.dadd,zeek_bsap_serial_header.dfun,zeek_bsap_serial_header.nsb,zeek_bsap_serial_header.sadd,zeek_bsap_serial_header.seq,zeek_bsap_serial_header.ser,zeek_bsap_serial_header.sfun,zeek_bsap_serial_header.type_name -zeek_bsap_serial_rdb=require:zeek_bsap_serial_rdb;title:Zeek bsap_serial_rdb.log;fields:zeek_bsap_serial_rdb.data,zeek_bsap_serial_rdb.func_code -zeek_bsap_serial_rdb_ext=require:zeek_bsap_serial_rdb_ext;title:Zeek bsap_serial_rdb_ext.log;fields:zeek_bsap_serial_rdb_ext.data,zeek_bsap_serial_rdb_ext.dfun,zeek_bsap_serial_rdb_ext.extfun,zeek_bsap_serial_rdb_ext.nsb,zeek_bsap_serial_rdb_ext.seq,zeek_bsap_serial_rdb_ext.sfun -zeek_bsap_serial_unknown=require:zeek_bsap_serial_unknown;title:Zeek bsap_serial_unknown.log;fields:zeek_bsap_serial_unknown.data -zeek_cip=require:zeek_cip;title:Zeek cip.log;fields:zeek_cip.cip_sequence_count,zeek_cip.direction,zeek_cip.cip_service,zeek_cip.cip_status,zeek_cip.class_id,zeek_cip.class_name,zeek_cip.instance_id,zeek_cip.attribute_id,zeek_cip.data_id,zeek_cip.other_id -zeek_cip_identity=require:zeek_cip_identity;title:Zeek cip_identity.log;fields:zeek_cip_identity.encapsulation_version,zeek_cip_identity.socket_address,zeek_cip_identity.socket_address_geo.city_name,zeek_cip_identity.socket_address_geo.country_name,zeek_cip_identity.socket_address_asn,zeek_cip_identity.socket_port,zeek_cip_identity.vendor_id,zeek_cip_identity.vendor_name,zeek_cip_identity.device_type_id,zeek_cip_identity.device_type_name,zeek_cip_identity.product_code,zeek_cip_identity.revision,zeek_cip_identity.device_status,zeek_cip_identity.serial_number,zeek_cip_identity.product_name,zeek_cip_identity.device_state -zeek_cip_io=require:zeek_cip_io;title:Zeek 
cip_io.log;fields:zeek_cip_io.connection_id,zeek_cip_io.sequence_number,zeek_cip_io.data_length,zeek_cip_io.io_data -zeek_conn=require:zeek_conn;title:Zeek conn.log;fields:zeek_conn.duration,zeek_conn.orig_bytes,zeek_conn.resp_bytes,zeek_conn.conn_state,zeek_conn.conn_state_description,zeek_conn.local_orig,zeek_conn.local_resp,zeek_conn.missed_bytes,zeek_conn.history,zeek_conn.orig_pkts,zeek_conn.orig_ip_bytes,zeek_conn.resp_pkts,zeek_conn.resp_ip_bytes,zeek_conn.tunnel_parents,zeek_conn.vlan,zeek_conn.inner_vlan -zeek_dce_rpc=require:zeek_dce_rpc;title:Zeek dce_rpc.log;fields:zeek_dce_rpc.rtt,zeek_dce_rpc.named_pipe,zeek_dce_rpc.endpoint,zeek_dce_rpc.operation -zeek_dhcp=require:zeek_dhcp;title:Zeek dhcp.log;fields:zeek_dhcp.mac,zeek_dhcp.assigned_ip,zeek_dhcp.lease_time,zeek_dhcp.trans_id,zeek_dhcp.client_fqdn,zeek_dhcp.client_message,zeek_dhcp.domain,zeek_dhcp.duration,zeek_dhcp.host_name,zeek_dhcp.msg_types,zeek_dhcp.requested_ip,zeek_dhcp.server_message,zeek_dhcp.client_software,zeek_dhcp.server_software -zeek_dnp3=require:zeek_dnp3;title:Zeek dnp3.log;fields:zeek_dnp3.fc_request,zeek_dnp3.fc_reply,zeek_dnp3.iin,zeek_dnp3.iin_flags -zeek_dnp3_control=require:zeek_dnp3_control;title:Zeek dnp3_control.log;fields:zeek_dnp3_control.block_type,zeek_dnp3_control.function_code,zeek_dnp3_control.index_number,zeek_dnp3_control.trip_control_code,zeek_dnp3_control.operation_type,zeek_dnp3_control.execute_count,zeek_dnp3_control.on_time,zeek_dnp3_control.off_time,zeek_dnp3_control.status_code -zeek_dnp3_objects=require:zeek_dnp3_objects;title:Zeek dnp3_objects.log;fields:zeek_dnp3_objects.function_code,zeek_dnp3_objects.object_type,zeek_dnp3_objects.object_count,zeek_dnp3_objects.range_low,zeek_dnp3_objects.range_high -zeek_dns=require:zeek_dns;title:Zeek 
dns.log;fields:zeek_dns.trans_id,zeek_dns.rtt,zeek_dns.query,zeek_dns.qclass,zeek_dns.qclass_name,zeek_dns.qtype,zeek_dns.qtype_name,zeek_dns.rcode,zeek_dns.rcode_name,zeek_dns.AA,zeek_dns.TC,zeek_dns.RD,zeek_dns.RA,zeek_dns.Z,zeek_dns.answers,zeek_dns.TTLs,zeek_dns.rejected -zeek_dpd=require:zeek_dpd;title:Zeek dpd.log;fields:zeek_dpd.service,zeek_dpd.failure_reason -zeek_ecat_registers=require:zeek_ecat_registers;title:Zeek ecat_registers.log;fields:zeek_ecat_registers.command,zeek_ecat_registers.server_addr,zeek_ecat_registers.register_type,zeek_ecat_registers.register_addr,zeek_ecat_registers.data -zeek_ecat_log_address=require:zeek_ecat_log_address;title:Zeek ecat_log_address.log;fields:zeek_ecat_log_address.log_addr,zeek_ecat_log_address.length,zeek_ecat_log_address.command,zeek_ecat_log_address.data -zeek_ecat_dev_info=require:zeek_ecat_dev_info;title:Zeek ecat_dev_info.log;fields:zeek_ecat_dev_info.server_id,zeek_ecat_dev_info.revision,zeek_ecat_dev_info.dev_type,zeek_ecat_dev_info.build,zeek_ecat_dev_info.fmmucnt,zeek_ecat_dev_info.smcount,zeek_ecat_dev_info.ports,zeek_ecat_dev_info.dpram,zeek_ecat_dev_info.features -zeek_ecat_aoe_info=require:zeek_ecat_aoe_info;title:Zeek ecat_aoe_info.log;fields:zeek_ecat_aoe_info.resp_port,zeek_ecat_aoe_info.orig_port,zeek_ecat_aoe_info.command,zeek_ecat_aoe_info.state,zeek_ecat_aoe_info.data -zeek_ecat_coe_info=require:zeek_ecat_coe_info;title:Zeek ecat_coe_info.log;fields:zeek_ecat_coe_info.number,zeek_ecat_coe_info.type,zeek_ecat_coe_info.req_resp,zeek_ecat_coe_info.index,zeek_ecat_coe_info.subindex,zeek_ecat_coe_info.dataoffset -zeek_ecat_foe_info=require:zeek_ecat_foe_info;title:Zeek ecat_foe_info.log;fields:zeek_ecat_foe_info.opcode,zeek_ecat_foe_info.reserved,zeek_ecat_foe_info.packet_num,zeek_ecat_foe_info.error_code,zeek_ecat_foe_info.filename,zeek_ecat_foe_info.data -zeek_ecat_soe_info=require:zeek_ecat_soe_info;title:Zeek 
ecat_soe_info.log;fields:zeek_ecat_soe_info.opcode,zeek_ecat_soe_info.incomplete,zeek_ecat_soe_info.error,zeek_ecat_soe_info.drive_num,zeek_ecat_soe_info.element,zeek_ecat_soe_info.index -zeek_ecat_arp_info=require:zeek_ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek_ecat_arp_info.arp_type,zeek_ecat_arp_info.orig_proto_addr,zeek_ecat_arp_info.orig_hw_addr,zeek_ecat_arp_info.resp_proto_addr,zeek_ecat_arp_info.resp_hw_addr -zeek_enip=require:zeek_enip;title:Zeek enip.log;fields:zeek_enip.enip_command,zeek_enip.length,zeek_enip.session_handle,zeek_enip.enip_status,zeek_enip.sender_context,zeek_enip.options -zeek_files=require:zeek_files;title:Zeek files.log;fields:zeek_files.tx_hosts,zeek_files.rx_hosts,zeek_files.conn_uids,zeek_files.source,zeek_files.depth,zeek_files.analyzers,zeek_files.mime_type,zeek_files.filename,zeek_files.duration,zeek_files.local_orig,zeek_files.is_orig,zeek_files.seen_bytes,zeek_files.total_bytes,zeek_files.missing_bytes,zeek_files.overflow_bytes,zeek_files.timedout,zeek_files.parent_fuid,zeek_files.md5,zeek_files.sha1,zeek_files.sha256,zeek_files.extracted,zeek_files.extracted_cutoff,zeek_files.extracted_size -zeek_ftp=require:zeek_ftp;title:Zeek ftp.log;fields:zeek_ftp.command,zeek_ftp.arg,zeek_ftp.mime_type,zeek_ftp.file_size,zeek_ftp.reply_code,zeek_ftp.reply_msg,zeek_ftp.data_channel_passive,zeek_ftp.data_channel_orig_h,zeek_ftp.data_channel_resp_h,zeek_ftp.data_channel_resp_p -zeek_gquic=require:zeek_gquic;title:Zeek gquic.log;fields:zeek_gquic.version,zeek_gquic.server_name,zeek_gquic.user_agent,zeek_gquic.tag_count,zeek_gquic.cyu,zeek_gquic.cyutags -zeek_http=require:zeek_http;title:Zeek 
http.log;fields:zeek_http.trans_depth,zeek_http.method,zeek_http.host,zeek_http.uri,zeek_http.origin,zeek_http.post_password_plain,zeek_http.post_username,zeek_http.referrer,zeek_http.version,zeek_http.user_agent,zeek_http.request_body_len,zeek_http.response_body_len,zeek_http.status_code,zeek_http.status_msg,zeek_http.info_code,zeek_http.info_msg,zeek_http.tags,zeek_http.proxied,zeek_http.orig_fuids,zeek_http.orig_filenames,zeek_http.orig_mime_types,zeek_http.resp_fuids,zeek_http.resp_filenames,zeek_http.resp_mime_types -zeek_intel=require:zeek_intel;title:Zeek intel.log;fields:zeek_intel.indicator,zeek_intel.indicator_type,zeek_intel.seen_where,zeek_intel.seen_node,zeek_intel.matched,zeek_intel.sources,zeek_intel.file_mime_type,zeek_intel.file_description -zeek_ipsec=require:zeek_ipsec;title:Zeek ipsec.log;fields:zeek_ipsec.is_orig,zeek_ipsec.initiator_spi,zeek_ipsec.responder_spi,zeek_ipsec.maj_ver,zeek_ipsec.min_ver,zeek_ipsec.exchange_type,zeek_ipsec.flag_e,zeek_ipsec.flag_c,zeek_ipsec.flag_a,zeek_ipsec.flag_i,zeek_ipsec.flag_v,zeek_ipsec.flag_r,zeek_ipsec.flags,zeek_ipsec.message_id,zeek_ipsec.vendor_ids,zeek_ipsec.notify_messages,zeek_ipsec.transforms,zeek_ipsec.ke_dh_groups,zeek_ipsec.proposals,zeek_ipsec.certificates,zeek_ipsec.transform_attributes,zeek_ipsec.length,zeek_ipsec.hash -zeek_irc=require:zeek_irc;title:Zeek irc.log;fields:zeek_irc.nick,zeek_irc.command,zeek_irc.value,zeek_irc.addl,zeek_irc.dcc_file_name,zeek_irc.dcc_file_size,zeek_irc.dcc_mime_type -zeek_iso_cotp=require:zeek_iso_cotp;title:Zeek iso_cotp.log;fields:zeek_iso_cotp.pdu_type -zeek_kerberos=require:zeek_kerberos;title:Zeek 
kerberos.log;fields:zeek_kerberos.cname,zeek_kerberos.sname,zeek_kerberos.success,zeek_kerberos.error_msg,zeek_kerberos.from,zeek_kerberos.till,zeek_kerberos.cipher,zeek_kerberos.forwardable,zeek_kerberos.renewable,zeek_kerberos.request_type,zeek_kerberos.client_cert_subject,zeek_kerberos.client_cert_fuid,zeek_kerberos.server_cert_subject,zeek_kerberos.server_cert_fuid -zeek_known_certs=require:zeek_known_certs;title:Zeek known_certs.log;fields:zeek_known_certs.subject,zeek_known_certs.issuer_subject,zeek_known_certs.serial -zeek_known_modbus=require:zeek_known_modbus;title:Zeek zeek_known_modbus.log;fields:zeek_known_modbus.device_type -zeek_ldap=require:zeek_ldap;title:Zeek ldap.log;fields:zeek_ldap.message_id,zeek_ldap.version,zeek_ldap.operation,zeek_ldap.result_code,zeek_ldap.result_message,zeek_ldap.object,zeek_ldap.argument -zeek_ldap_search=require:zeek_ldap_search;title:Zeek ldap_search.log;fields:zeek_ldap_search.message_id,zeek_ldap_search.scope,zeek_ldap_search.deref,zeek_ldap_search.base_object,zeek_ldap_search.result_count,zeek_ldap_search.result_code,zeek_ldap_search.result_message -zeek_login=require:zeek_login;title:Zeek login.log;fields:zeek_login.client_user,zeek_login.confused,zeek_login.success -zeek_modbus=require:zeek_modbus;title:Zeek modbus.log;fields:zeek_modbus.func,zeek_modbus.exception -zeek_modbus_detailed=require:zeek_modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek_modbus_detailed.unit_id,zeek_modbus_detailed.func,zeek_modbus_detailed.network_direction,zeek_modbus_detailed.address,zeek_modbus_detailed.quantity,zeek_modbus_detailed.values -zeek_modbus_mask_write_register=require:zeek_modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek_modbus_mask_write_register.unit_id,zeek_modbus_mask_write_register.func,zeek_modbus_mask_write_register.network_direction,zeek_modbus_mask_write_register.address,zeek_modbus_mask_write_register.and_mask,zeek_modbus_mask_write_register.or_mask 
-zeek_modbus_read_write_multiple_registers=require:zeek_modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek_modbus_read_write_multiple_registers.unit_id,zeek_modbus_read_write_multiple_registers.func,zeek_modbus_read_write_multiple_registers.network_direction,zeek_modbus_read_write_multiple_registers.write_start_address,zeek_modbus_read_write_multiple_registers.write_registers,zeek_modbus_read_write_multiple_registers.read_start_address,zeek_modbus_read_write_multiple_registers.read_quantity,zeek_modbus_read_write_multiple_registers.read_registers -zeek_modbus_register_change=require:zeek_modbus_register_change;title:Zeek modbus_register_change.log;fields:zeek_modbus_register_change.register,zeek_modbus_register_change.old_val,zeek_modbus_register_change.new_val,zeek_modbus_register_change.delta -zeek_mqtt_connect=require:zeek_mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek_mqtt_connect.proto_name,zeek_mqtt_connect.proto_version,zeek_mqtt_connect.client_id,zeek_mqtt_connect.connect_status,zeek_mqtt_connect.will_topic,zeek_mqtt_connect.will_payload -zeek_mqtt_publish=require:zeek_mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek_mqtt_publish.from_client,zeek_mqtt_publish.retain,zeek_mqtt_publish.qos,zeek_mqtt_publish.status,zeek_mqtt_publish.topic,zeek_mqtt_publish.payload,zeek_mqtt_publish.payload_len -zeek_mqtt_subscribe=require:zeek_mqtt_subscribe;title:Zeek mqtt_subscribe.log;fields:zeek_mqtt_subscribe.action,zeek_mqtt_subscribe.topics,zeek_mqtt_subscribe.qos_levels,zeek_mqtt_subscribe.granted_qos_level,zeek_mqtt_subscribe.ack -zeek_mysql=require:zeek_mysql;title:Zeek mysql.log;fields:zeek_mysql.cmd,zeek_mysql.arg,zeek_mysql.success,zeek_mysql.rows,zeek_mysql.response -zeek_notice=require:zeek_notice;title:Zeek 
notice.log;fields:zeek_notice.file_mime_type,zeek_notice.file_desc,zeek_notice.note,zeek_notice.msg,zeek_notice.sub,zeek_notice.src,zeek_notice.dst,zeek_notice.p,zeek_notice.n,zeek_notice.peer_descr,zeek_notice.actions,zeek_notice.suppress_for,zeek_notice.dropped,zeek_notice.remote_location_country_code,zeek_notice.remote_location_region,zeek_notice.remote_location_latitude,zeek_notice.remote_location_longitude,zeek_notice.category,zeek_notice.sub_category -zeek_ntlm=require:zeek_ntlm;title:Zeek ntlm.log;fields:zeek_ntlm.host,zeek_ntlm.domain,zeek_ntlm.success,zeek_ntlm.status,zeek_ntlm.server_nb_computer,zeek_ntlm.server_dns_computer,zeek_ntlm.server_tree -zeek_ntp=require:zeek_ntp;title:Zeek ntp.log;fields:zeek_ntp.version,zeek_ntp.mode,zeek_ntp.mode_str,zeek_ntp.stratum,zeek_ntp.poll,zeek_ntp.precision,zeek_ntp.root_delay,zeek_ntp.root_disp,zeek_ntp.ref_id,zeek_ntp.ref_time,zeek_ntp.org_time,zeek_ntp.rec_time,zeek_ntp.xmt_time,zeek_ntp.num_exts -zeek_ocsp=require:zeek_ocsp;title:Zeek ocsp.log;fields:zeek_ocsp.hashAlgorithm,zeek_ocsp.issuerNameHash,zeek_ocsp.issuerKeyHash,zeek_ocsp.serialNumber,zeek_ocsp.certStatus,zeek_ocsp.revoketime,zeek_ocsp.revokereason,zeek_ocsp.thisUpdate,zeek_ocsp.nextUpdate -zeek_pe=require:zeek_pe;title:Zeek pe.log;fields:zeek_pe.machine,zeek_pe.compile_ts,zeek_pe.os,zeek_pe.subsystem,zeek_pe.is_exe,zeek_pe.is_64bit,zeek_pe.uses_aslr,zeek_pe.uses_dep,zeek_pe.uses_code_integrity,zeek_pe.uses_seh,zeek_pe.has_import_table,zeek_pe.has_export_table,zeek_pe.has_cert_table,zeek_pe.has_debug_data,zeek_pe.section_names -zeek_profinet=require:zeek_profinet;title:Zeek profinet.log;fields:zeek_profinet.operation_type,zeek_profinet.block_version,zeek_profinet.slot_number,zeek_profinet.subslot_number,zeek_profinet.index -zeek_profinet_dce_rpc=require:zeek_profinet_dce_rpc;title:Zeek 
profinet_dce_rpc.log;fields:zeek_profinet_dce_rpc.version,zeek_profinet_dce_rpc.packet_type,zeek_profinet_dce_rpc.object_uuid,zeek_profinet_dce_rpc.interface_uuid,zeek_profinet_dce_rpc.activity_uuid,zeek_profinet_dce_rpc.server_boot_time,zeek_profinet_dce_rpc.operation -zeek_radius=require:zeek_radius;title:Zeek radius.log;fields:zeek_radius.mac,zeek_radius.framed_addr,zeek_radius.tunnel_client,zeek_radius.connect_info,zeek_radius.reply_msg,zeek_radius.result,zeek_radius.ttl -zeek_rdp=require:zeek_rdp;title:Zeek rdp.log;fields:zeek_rdp.cookie,zeek_rdp.result,zeek_rdp.security_protocol,zeek_rdp.client_channels,zeek_rdp.keyboard_layout,zeek_rdp.client_build,zeek_rdp.client_name,zeek_rdp.client_dig_product_id,zeek_rdp.desktop_width,zeek_rdp.desktop_height,zeek_rdp.requested_color_depth,zeek_rdp.cert_type,zeek_rdp.cert_count,zeek_rdp.cert_permanent,zeek_rdp.encryption_level,zeek_rdp.encryption_method -zeek_rfb=require:zeek_rfb;title:Zeek rfb.log;fields:zeek_rfb.client_major_version,zeek_rfb.client_minor_version,zeek_rfb.server_major_version,zeek_rfb.server_minor_version,zeek_rfb.authentication_method,zeek_rfb.auth,zeek_rfb.share_flag,zeek_rfb.desktop_name,zeek_rfb.width,zeek_rfb.height -zeek_s7comm=require:zeek_s7comm;title:Zeek s7comm.log;fields:zeek_s7comm.rosctr,zeek_s7comm.parameter,zeek_s7comm.parameters.class,zeek_s7comm.parameters.code,zeek_s7comm.parameters.group,zeek_s7comm.parameters.mode,zeek_s7comm.parameters.sub,zeek_s7comm.parameters.type,zeek_s7comm.item_count,zeek_s7comm.data_info -zeek_signatures=require:zeek_signatures;title:Zeek signatures.log;fields:zeek_signatures.note,zeek_signatures.signature_id,zeek_signatures.engine,zeek_signatures.event_message,zeek_signatures.sub_message,zeek_signatures.signature_count,zeek_signatures.host_count -zeek_sip=require:zeek_sip;title:Zeek 
sip.log;fields:zeek_sip.trans_depth,zeek_sip.method,zeek_sip.uri,zeek_sip.date,zeek_sip.request_from,zeek_sip.request_to,zeek_sip.response_from,zeek_sip.response_to,zeek_sip.reply_to,zeek_sip.call_id,zeek_sip.seq,zeek_sip.subject,zeek_sip.request_path,zeek_sip.response_path,zeek_sip.user_agent,zeek_sip.status_code,zeek_sip.status_msg,zeek_sip.warning,zeek_sip.request_body_len,zeek_sip.response_body_len,zeek_sip.content_type,zeek_sip.version -zeek_smb_cmd=require:zeek_smb_cmd;title:Zeek smb_cmd.log;fields:zeek_smb_cmd.command,zeek_smb_cmd.sub_command,zeek_smb_cmd.argument,zeek_smb_cmd.status,zeek_smb_cmd.rtt,zeek_smb_cmd.version,zeek_smb_cmd.user,zeek_smb_cmd.tree,zeek_smb_cmd.tree_service -zeek_smb_files=require:zeek_smb_files;title:Zeek smb_files.log;fields:zeek_smb_files.action,zeek_smb_files.path,zeek_smb_files.name,zeek_smb_files.size,zeek_smb_files.prev_name,zeek_smb_files.times_modified,zeek_smb_files.times_accessed,zeek_smb_files.times_created,zeek_smb_files.times_changed,zeek_smb_files.data_offset_req,zeek_smb_files.data_len_req,zeek_smb_files.data_len_rsp -zeek_smb_mapping=require:zeek_smb_mapping;title:Zeek smb_mapping.log;fields:zeek_smb_mapping.path,zeek_smb_mapping.resource_type,zeek_smb_mapping.native_file_system,zeek_smb_mapping.share_type -zeek_smtp=require:zeek_smtp;title:Zeek smtp.log;fields:zeek_smtp.trans_depth,zeek_smtp.helo,zeek_smtp.mailfrom,zeek_smtp.rcptto,zeek_smtp.date,zeek_smtp.from,zeek_smtp.to,zeek_smtp.cc,zeek_smtp.reply_to,zeek_smtp.msg_id,zeek_smtp.in_reply_to,zeek_smtp.subject,zeek_smtp.x_originating_ip,zeek_smtp.first_received,zeek_smtp.second_received,zeek_smtp.last_reply,zeek_smtp.last_reply_code,zeek_smtp.last_reply_msg,zeek_smtp.path,zeek_smtp.user_agent,zeek_smtp.tls,zeek_smtp.is_webmail -zeek_snmp=require:zeek_snmp;title:Zeek 
snmp.log;fields:zeek_snmp.duration,zeek_snmp.version,zeek_snmp.community,zeek_snmp.get_requests,zeek_snmp.get_bulk_requests,zeek_snmp.get_responses,zeek_snmp.set_requests,zeek_snmp.display_string,zeek_snmp.up_since
-zeek_socks=require:zeek_socks;title:Zeek socks.log;fields:zeek_socks.version,zeek_socks.server_status,zeek_socks.request_host,zeek_socks.request_name,zeek_socks.request_port,zeek_socks.bound_host,zeek_socks.bound_name,zeek_socks.bound_port
-zeek_software=require:zeek_software;title:Zeek software.log;fields:zeek_software.software_type,zeek_software.name,zeek_software.version_major,zeek_software.version_minor,zeek_software.version_minor2,zeek_software.version_minor3,zeek_software.version_addl,zeek_software.unparsed_version
-zeek_ssh=require:zeek_ssh;title:Zeek ssh.log;fields:zeek_ssh.version,zeek_ssh.auth_success,zeek_ssh.auth_attempts,zeek_ssh.direction,zeek_ssh.client,zeek_ssh.server,zeek_ssh.cipher_alg,zeek_ssh.mac_alg,zeek_ssh.compression_alg,zeek_ssh.kex_alg,zeek_ssh.host_key_alg,zeek_ssh.host_key,zeek_ssh.remote_location_country_code,zeek_ssh.remote_location_region,zeek_ssh.remote_location_city,zeek_ssh.remote_location_latitude,zeek_ssh.remote_location_longitude,zeek_ssh.hassh,zeek_ssh.hasshServer,zeek_ssh.hasshAlgorithms,zeek_ssh.hasshServerAlgorithms,zeek_ssh.cshka,zeek_ssh.sshka
-zeek_ssl=require:zeek_ssl;title:Zeek 
ssl.log;fields:zeek_ssl.ssl_version,zeek_ssl.ssl_history,zeek_ssl.sni_matches_cert,zeek_ssl.cipher,zeek_ssl.curve,zeek_ssl.server_name,zeek_ssl.resumed,zeek_ssl.last_alert,zeek_ssl.next_protocol,zeek_ssl.established,zeek_ssl.ja3,zeek_ssl.ja3_desc,zeek_ssl.ja3s,zeek_ssl.ja3s_desc,zeek_ssl.cert_chain_fuids,zeek_ssl.cert_chain_fps,zeek_ssl.client_cert_chain_fuids,zeek_ssl.client_cert_chain_fps,zeek_ssl.subject.CN,zeek_ssl.subject.C,zeek_ssl.subject.O,zeek_ssl.subject.OU,zeek_ssl.subject.ST,zeek_ssl.subject.SN,zeek_ssl.subject.L,zeek_ssl.subject.GN,zeek_ssl.subject.pseudonym,zeek_ssl.subject.serialNumber,zeek_ssl.subject.title,zeek_ssl.subject.initials,zeek_ssl.subject.emailAddress,zeek_ssl.subject.description,zeek_ssl.subject.postalCode,zeek_ssl.subject.street,zeek_ssl.client_subject.CN,zeek_ssl.client_subject.C,zeek_ssl.client_subject.O,zeek_ssl.client_subject.OU,zeek_ssl.client_subject.ST,zeek_ssl.client_subject.SN,zeek_ssl.client_subject.L,zeek_ssl.client_subject.GN,zeek_ssl.client_subject.pseudonym,zeek_ssl.client_subject.serialNumber,zeek_ssl.client_subject.title,zeek_ssl.client_subject.initials,zeek_ssl.client_subject.emailAddress,zeek_ssl.issuer.CN,zeek_ssl.issuer.C,zeek_ssl.issuer.O,zeek_ssl.issuer.OU,zeek_ssl.issuer.ST,zeek_ssl.issuer.SN,zeek_ssl.issuer.L,zeek_ssl.issuer.DC,zeek_ssl.issuer.GN,zeek_ssl.issuer.pseudonym,zeek_ssl.issuer.serialNumber,zeek_ssl.issuer.title,zeek_ssl.issuer.initials,zeek_ssl.issuer.emailAddress,zeek_ssl.client_issuer.CN,zeek_ssl.client_issuer.C,zeek_ssl.client_issuer.O,zeek_ssl.client_issuer.OU,zeek_ssl.client_issuer.ST,zeek_ssl.client_issuer.SN,zeek_ssl.client_issuer.L,zeek_ssl.client_issuer.DC,zeek_ssl.client_issuer.GN,zeek_ssl.client_issuer.pseudonym,zeek_ssl.client_issuer.serialNumber,zeek_ssl.client_issuer.title,zeek_ssl.client_issuer.initials,zeek_ssl.client_issuer.emailAddress,zeek_ssl.validation_status
-zeek_stun=require:zeek_stun;title:Zeek 
stun.log;fields:zeek_stun.is_orig,zeek_stun.trans_id,zeek_stun.method,zeek_stun.class,zeek_stun.attr_type,zeek_stun.attr_val
-zeek_stun_nat=require:zeek_stun_nat;title:Zeek stun_nat.log;fields:zeek_stun_nat.is_orig,zeek_stun_nat.wan_addr,zeek_stun_nat.wan_port,zeek_stun_nat.lan_addr
-zeek_syslog=require:zeek_syslog;title:Zeek syslog.log;fields:zeek_syslog.facility,zeek_syslog.severity,zeek_syslog.message
-zeek_tds=require:zeek_tds;title:Zeek tds.log;fields:zeek_tds.command
-zeek_tds_rpc=require:zeek_tds_rpc;title:Zeek tds_rpc.log;fields:zeek_tds_rpc.procedure_name,zeek_tds_rpc.parameters
-zeek_tds_sql_batch=require:zeek_tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek_tds_sql_batch.header_type,zeek_tds_sql_batch.query
-zeek_tftp=require:zeek_tftp;title:Zeek tftp.log;fields:zeek_tftp.block_acked,zeek_tftp.block_sent,zeek_tftp.error_code,zeek_tftp.error_msg,zeek_tftp.fname,zeek_tftp.mode,zeek_tftp.size,zeek_tftp.uid_data,zeek_tftp.wrq
-zeek_tunnel=require:zeek_tunnel;title:Zeek tunnel.log;fields:zeek_tunnel.tunnel_type,zeek_tunnel.action
-zeek_weird=require:zeek_weird;title:Zeek weird.log;fields:zeek_weird.name,zeek_weird.addl,zeek_weird.notice,zeek_weird.peer
-zeek_wireguard=require:zeek_wireguard;title:Zeek wireguard.log;fields:zeek_wireguard.established,zeek_wireguard.initiations,zeek_wireguard.responses
-zeek_x509=require:zeek_x509;title:Zeek 
x509.log;fields:zeek_x509.certificate_version,zeek_x509.certificate_serial,zeek_x509.certificate_subject.CN,zeek_x509.certificate_subject.C,zeek_x509.certificate_subject.O,zeek_x509.certificate_subject.OU,zeek_x509.certificate_subject.ST,zeek_x509.certificate_subject.SN,zeek_x509.certificate_subject.L,zeek_x509.certificate_subject.DC,zeek_x509.certificate_subject.GN,zeek_x509.certificate_subject.pseudonym,zeek_x509.certificate_subject.serialNumber,zeek_x509.certificate_subject.title,zeek_x509.certificate_subject.initials,zeek_x509.certificate_subject.emailAddress,zeek_x509.certificate_subject.description,zeek_x509.certificate_subject.postalCode,zeek_x509.certificate_subject.street,zeek_x509.certificate_issuer.CN,zeek_x509.certificate_issuer.DC,zeek_x509.certificate_issuer.C,zeek_x509.certificate_issuer.O,zeek_x509.certificate_issuer.OU,zeek_x509.certificate_issuer.ST,zeek_x509.certificate_issuer.SN,zeek_x509.certificate_issuer.L,zeek_x509.certificate_issuer.GN,zeek_x509.certificate_issuer.pseudonym,zeek_x509.certificate_issuer.serialNumber,zeek_x509.certificate_issuer.title,zeek_x509.certificate_issuer.initials,zeek_x509.certificate_issuer.emailAddress,zeek_x509.certificate_not_valid_before,zeek_x509.certificate_not_valid_after,zeek_x509.certificate_key_alg,zeek_x509.certificate_sig_alg,zeek_x509.certificate_key_type,zeek_x509.certificate_key_length,zeek_x509.certificate_exponent,zeek_x509.certificate_curve,zeek_x509.client_cert,zeek_x509.fingerprint,zeek_x509.host_cert,zeek_x509.san_dns,zeek_x509.san_uri,zeek_x509.san_email,zeek_x509.san_ip,zeek_x509.basic_constraints_ca,zeek_x509.basic_constraints_path_len
+zeek_bacnet=require:zeek.bacnet;title:Zeek bacnet.log;fields:zeek.bacnet.bvlc_function,zeek.bacnet.pdu_type,zeek.bacnet.pdu_service,zeek.bacnet.invoke_id,zeek.bacnet.result_code
+zeek_bacnet_discovery=require:zeek.bacnet_discovery;title:Zeek 
bacnet_discovery.log;fields:zeek.bacnet_discovery.pdu_service,zeek.bacnet_discovery.object_type,zeek.bacnet_discovery.instance_number,zeek.bacnet_discovery.vendor,zeek.bacnet_discovery.range,zeek.bacnet_discovery.range_low,zeek.bacnet_discovery.range_high,zeek.bacnet_discovery.object_name
+zeek_bacnet_property=require:zeek.bacnet_property;title:Zeek bacnet_property.log;fields:zeek.bacnet_property.pdu_service,zeek.bacnet_property.object_type,zeek.bacnet_property.instance_number,zeek.bacnet_property.property,zeek.bacnet_property.array_index,zeek.bacnet_property.value
+zeek_bestguess=require:zeek.bestguess;title:Zeek bestguess.log;fields:zeek.bestguess.name,zeek.bestguess.category
+zeek_bsap_ip_header=require:zeek.bsap_ip_header;title:Zeek bsap_ip_header.log;fields:zeek.bsap_ip_header.num_msg,zeek.bsap_ip_header.type_name
+zeek_bsap_ip_rdb=require:zeek.bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:zeek.bsap_ip_rdb.app_func_code,zeek.bsap_ip_rdb.data,zeek.bsap_ip_rdb.data_len,zeek.bsap_ip_rdb.func_code,zeek.bsap_ip_rdb.header_size,zeek.bsap_ip_rdb.mes_seq,zeek.bsap_ip_rdb.node_status,zeek.bsap_ip_rdb.res_seq,zeek.bsap_ip_rdb.sequence
+zeek_bsap_ip_unknown=require:zeek.bsap_ip_unknown;title:Zeek bsap_ip_unknown.log;fields:zeek.bsap_ip_unknown.data
+zeek_bsap_serial_header=require:zeek.bsap_serial_header;title:Zeek bsap_serial_header.log;fields:zeek.bsap_serial_header.ctl,zeek.bsap_serial_header.dadd,zeek.bsap_serial_header.dfun,zeek.bsap_serial_header.nsb,zeek.bsap_serial_header.sadd,zeek.bsap_serial_header.seq,zeek.bsap_serial_header.ser,zeek.bsap_serial_header.sfun,zeek.bsap_serial_header.type_name
+zeek_bsap_serial_rdb=require:zeek.bsap_serial_rdb;title:Zeek bsap_serial_rdb.log;fields:zeek.bsap_serial_rdb.data,zeek.bsap_serial_rdb.func_code
+zeek_bsap_serial_rdb_ext=require:zeek.bsap_serial_rdb_ext;title:Zeek 
bsap_serial_rdb_ext.log;fields:zeek.bsap_serial_rdb_ext.data,zeek.bsap_serial_rdb_ext.dfun,zeek.bsap_serial_rdb_ext.extfun,zeek.bsap_serial_rdb_ext.nsb,zeek.bsap_serial_rdb_ext.seq,zeek.bsap_serial_rdb_ext.sfun
+zeek_bsap_serial_unknown=require:zeek.bsap_serial_unknown;title:Zeek bsap_serial_unknown.log;fields:zeek.bsap_serial_unknown.data
+zeek_cip=require:zeek.cip;title:Zeek cip.log;fields:zeek.cip.cip_sequence_count,zeek.cip.direction,zeek.cip.cip_service,zeek.cip.cip_status,zeek.cip.class_id,zeek.cip.class_name,zeek.cip.instance_id,zeek.cip.attribute_id,zeek.cip.data_id,zeek.cip.other_id
+zeek_cip_identity=require:zeek.cip_identity;title:Zeek cip_identity.log;fields:zeek.cip_identity.encapsulation_version,zeek.cip_identity.socket_address,zeek.cip_identity.socket_address_geo.city_name,zeek.cip_identity.socket_address_geo.country_name,zeek.cip_identity.socket_address_asn,zeek.cip_identity.socket_port,zeek.cip_identity.vendor_id,zeek.cip_identity.vendor_name,zeek.cip_identity.device_type_id,zeek.cip_identity.device_type_name,zeek.cip_identity.product_code,zeek.cip_identity.revision,zeek.cip_identity.device_status,zeek.cip_identity.serial_number,zeek.cip_identity.product_name,zeek.cip_identity.device_state
+zeek_cip_io=require:zeek.cip_io;title:Zeek cip_io.log;fields:zeek.cip_io.connection_id,zeek.cip_io.sequence_number,zeek.cip_io.data_length,zeek.cip_io.io_data
+zeek_conn=require:zeek.conn;title:Zeek conn.log;fields:zeek.conn.duration,zeek.conn.orig_bytes,zeek.conn.resp_bytes,zeek.conn.conn_state,zeek.conn.conn_state_description,zeek.conn.local_orig,zeek.conn.local_resp,zeek.conn.missed_bytes,zeek.conn.history,zeek.conn.orig_pkts,zeek.conn.orig_ip_bytes,zeek.conn.resp_pkts,zeek.conn.resp_ip_bytes,zeek.conn.tunnel_parents,zeek.conn.vlan,zeek.conn.inner_vlan
+zeek_dce_rpc=require:zeek.dce_rpc;title:Zeek dce_rpc.log;fields:zeek.dce_rpc.rtt,zeek.dce_rpc.named_pipe,zeek.dce_rpc.endpoint,zeek.dce_rpc.operation
+zeek_dhcp=require:zeek.dhcp;title:Zeek 
dhcp.log;fields:zeek.dhcp.mac,zeek.dhcp.assigned_ip,zeek.dhcp.lease_time,zeek.dhcp.trans_id,zeek.dhcp.client_fqdn,zeek.dhcp.client_message,zeek.dhcp.domain,zeek.dhcp.duration,zeek.dhcp.host_name,zeek.dhcp.msg_types,zeek.dhcp.requested_ip,zeek.dhcp.server_message,zeek.dhcp.client_software,zeek.dhcp.server_software
+zeek_dnp3=require:zeek.dnp3;title:Zeek dnp3.log;fields:zeek.dnp3.fc_request,zeek.dnp3.fc_reply,zeek.dnp3.iin,zeek.dnp3.iin_flags
+zeek_dnp3_control=require:zeek.dnp3_control;title:Zeek dnp3_control.log;fields:zeek.dnp3_control.block_type,zeek.dnp3_control.function_code,zeek.dnp3_control.index_number,zeek.dnp3_control.trip_control_code,zeek.dnp3_control.operation_type,zeek.dnp3_control.execute_count,zeek.dnp3_control.on_time,zeek.dnp3_control.off_time,zeek.dnp3_control.status_code
+zeek_dnp3_objects=require:zeek.dnp3_objects;title:Zeek dnp3_objects.log;fields:zeek.dnp3_objects.function_code,zeek.dnp3_objects.object_type,zeek.dnp3_objects.object_count,zeek.dnp3_objects.range_low,zeek.dnp3_objects.range_high
+zeek_dns=require:zeek.dns;title:Zeek dns.log;fields:zeek.dns.trans_id,zeek.dns.rtt,zeek.dns.query,zeek.dns.qclass,zeek.dns.qclass_name,zeek.dns.qtype,zeek.dns.qtype_name,zeek.dns.rcode,zeek.dns.rcode_name,zeek.dns.AA,zeek.dns.TC,zeek.dns.RD,zeek.dns.RA,zeek.dns.Z,zeek.dns.answers,zeek.dns.TTLs,zeek.dns.rejected
+zeek_dpd=require:zeek.dpd;title:Zeek dpd.log;fields:zeek.dpd.service,zeek.dpd.failure_reason
+zeek_ecat_registers=require:zeek.ecat_registers;title:Zeek ecat_registers.log;fields:zeek.ecat_registers.command,zeek.ecat_registers.server_addr,zeek.ecat_registers.register_type,zeek.ecat_registers.register_addr,zeek.ecat_registers.data
+zeek_ecat_log_address=require:zeek.ecat_log_address;title:Zeek ecat_log_address.log;fields:zeek.ecat_log_address.log_addr,zeek.ecat_log_address.length,zeek.ecat_log_address.command,zeek.ecat_log_address.data
+zeek_ecat_dev_info=require:zeek.ecat_dev_info;title:Zeek 
ecat_dev_info.log;fields:zeek.ecat_dev_info.server_id,zeek.ecat_dev_info.revision,zeek.ecat_dev_info.dev_type,zeek.ecat_dev_info.build,zeek.ecat_dev_info.fmmucnt,zeek.ecat_dev_info.smcount,zeek.ecat_dev_info.ports,zeek.ecat_dev_info.dpram,zeek.ecat_dev_info.features
+zeek_ecat_aoe_info=require:zeek.ecat_aoe_info;title:Zeek ecat_aoe_info.log;fields:zeek.ecat_aoe_info.resp_port,zeek.ecat_aoe_info.orig_port,zeek.ecat_aoe_info.command,zeek.ecat_aoe_info.state,zeek.ecat_aoe_info.data
+zeek_ecat_coe_info=require:zeek.ecat_coe_info;title:Zeek ecat_coe_info.log;fields:zeek.ecat_coe_info.number,zeek.ecat_coe_info.type,zeek.ecat_coe_info.req_resp,zeek.ecat_coe_info.index,zeek.ecat_coe_info.subindex,zeek.ecat_coe_info.dataoffset
+zeek_ecat_foe_info=require:zeek.ecat_foe_info;title:Zeek ecat_foe_info.log;fields:zeek.ecat_foe_info.opcode,zeek.ecat_foe_info.reserved,zeek.ecat_foe_info.packet_num,zeek.ecat_foe_info.error_code,zeek.ecat_foe_info.filename,zeek.ecat_foe_info.data
+zeek_ecat_soe_info=require:zeek.ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek.ecat_soe_info.opcode,zeek.ecat_soe_info.incomplete,zeek.ecat_soe_info.error,zeek.ecat_soe_info.drive_num,zeek.ecat_soe_info.element,zeek.ecat_soe_info.index
+zeek_ecat_arp_info=require:zeek.ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek.ecat_arp_info.arp_type,zeek.ecat_arp_info.orig_proto_addr,zeek.ecat_arp_info.orig_hw_addr,zeek.ecat_arp_info.resp_proto_addr,zeek.ecat_arp_info.resp_hw_addr
+zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
+zeek_files=require:zeek.files;title:Zeek 
files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.duration,zeek.files.local_orig,zeek.files.is_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size
+zeek_ftp=require:zeek.ftp;title:Zeek ftp.log;fields:zeek.ftp.command,zeek.ftp.arg,zeek.ftp.mime_type,zeek.ftp.file_size,zeek.ftp.reply_code,zeek.ftp.reply_msg,zeek.ftp.data_channel_passive,zeek.ftp.data_channel_orig_h,zeek.ftp.data_channel_resp_h,zeek.ftp.data_channel_resp_p
+zeek_gquic=require:zeek.gquic;title:Zeek gquic.log;fields:zeek.gquic.version,zeek.gquic.server_name,zeek.gquic.user_agent,zeek.gquic.tag_count,zeek.gquic.cyu,zeek.gquic.cyutags
+zeek_http=require:zeek.http;title:Zeek http.log;fields:zeek.http.trans_depth,zeek.http.method,zeek.http.host,zeek.http.uri,zeek.http.origin,zeek.http.post_password_plain,zeek.http.post_username,zeek.http.referrer,zeek.http.version,zeek.http.user_agent,zeek.http.request_body_len,zeek.http.response_body_len,zeek.http.status_code,zeek.http.status_msg,zeek.http.info_code,zeek.http.info_msg,zeek.http.tags,zeek.http.proxied,zeek.http.orig_fuids,zeek.http.orig_filenames,zeek.http.orig_mime_types,zeek.http.resp_fuids,zeek.http.resp_filenames,zeek.http.resp_mime_types
+zeek_intel=require:zeek.intel;title:Zeek intel.log;fields:zeek.intel.indicator,zeek.intel.indicator_type,zeek.intel.seen_where,zeek.intel.seen_node,zeek.intel.matched,zeek.intel.sources,zeek.intel.file_mime_type,zeek.intel.file_description
+zeek_ipsec=require:zeek.ipsec;title:Zeek 
ipsec.log;fields:zeek.ipsec.is_orig,zeek.ipsec.initiator_spi,zeek.ipsec.responder_spi,zeek.ipsec.maj_ver,zeek.ipsec.min_ver,zeek.ipsec.exchange_type,zeek.ipsec.flag_e,zeek.ipsec.flag_c,zeek.ipsec.flag_a,zeek.ipsec.flag_i,zeek.ipsec.flag_v,zeek.ipsec.flag_r,zeek.ipsec.flags,zeek.ipsec.message_id,zeek.ipsec.vendor_ids,zeek.ipsec.notify_messages,zeek.ipsec.transforms,zeek.ipsec.ke_dh_groups,zeek.ipsec.proposals,zeek.ipsec.certificates,zeek.ipsec.transform_attributes,zeek.ipsec.length,zeek.ipsec.hash
+zeek_irc=require:zeek.irc;title:Zeek irc.log;fields:zeek.irc.nick,zeek.irc.command,zeek.irc.value,zeek.irc.addl,zeek.irc.dcc_file_name,zeek.irc.dcc_file_size,zeek.irc.dcc_mime_type
+zeek_iso_cotp=require:zeek.iso_cotp;title:Zeek iso_cotp.log;fields:zeek.iso_cotp.pdu_type
+zeek_kerberos=require:zeek.kerberos;title:Zeek kerberos.log;fields:zeek.kerberos.cname,zeek.kerberos.sname,zeek.kerberos.success,zeek.kerberos.error_msg,zeek.kerberos.from,zeek.kerberos.till,zeek.kerberos.cipher,zeek.kerberos.forwardable,zeek.kerberos.renewable,zeek.kerberos.request_type,zeek.kerberos.client_cert_subject,zeek.kerberos.client_cert_fuid,zeek.kerberos.server_cert_subject,zeek.kerberos.server_cert_fuid
+zeek_known_certs=require:zeek.known_certs;title:Zeek known_certs.log;fields:zeek.known_certs.subject,zeek.known_certs.issuer_subject,zeek.known_certs.serial
+zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;fields:zeek.known_modbus.device_type
+zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument
+zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message
+zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success
+zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.func,zeek.modbus.exception
+zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus_detailed.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
+zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_mask_write_register.unit_id,zeek.modbus_mask_write_register.func,zeek.modbus_mask_write_register.network_direction,zeek.modbus_mask_write_register.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask
+zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_read_write_multiple_registers.unit_id,zeek.modbus_read_write_multiple_registers.func,zeek.modbus_read_write_multiple_registers.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers
+zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload
+zeek_mqtt_publish=require:zeek.mqtt_publish;title:Zeek mqtt_publish.log;fields:zeek.mqtt_publish.from_client,zeek.mqtt_publish.retain,zeek.mqtt_publish.qos,zeek.mqtt_publish.status,zeek.mqtt_publish.topic,zeek.mqtt_publish.payload,zeek.mqtt_publish.payload_len
+zeek_mqtt_subscribe=require:zeek.mqtt_subscribe;title:Zeek mqtt_subscribe.log;fields:zeek.mqtt_subscribe.action,zeek.mqtt_subscribe.topics,zeek.mqtt_subscribe.qos_levels,zeek.mqtt_subscribe.granted_qos_level,zeek.mqtt_subscribe.ack
+zeek_mysql=require:zeek.mysql;title:Zeek mysql.log;fields:zeek.mysql.cmd,zeek.mysql.arg,zeek.mysql.success,zeek.mysql.rows,zeek.mysql.response
+zeek_notice=require:zeek.notice;title:Zeek notice.log;fields:zeek.notice.file_mime_type,zeek.notice.file_desc,zeek.notice.note,zeek.notice.msg,zeek.notice.sub,zeek.notice.src,zeek.notice.dst,zeek.notice.p,zeek.notice.n,zeek.notice.peer_descr,zeek.notice.actions,zeek.notice.suppress_for,zeek.notice.dropped,zeek.notice.remote_location_country_code,zeek.notice.remote_location_region,zeek.notice.remote_location_latitude,zeek.notice.remote_location_longitude,zeek.notice.category,zeek.notice.sub_category
+zeek_ntlm=require:zeek.ntlm;title:Zeek ntlm.log;fields:zeek.ntlm.host,zeek.ntlm.domain,zeek.ntlm.success,zeek.ntlm.status,zeek.ntlm.server_nb_computer,zeek.ntlm.server_dns_computer,zeek.ntlm.server_tree
+zeek_ntp=require:zeek.ntp;title:Zeek ntp.log;fields:zeek.ntp.version,zeek.ntp.mode,zeek.ntp.mode_str,zeek.ntp.stratum,zeek.ntp.poll,zeek.ntp.precision,zeek.ntp.root_delay,zeek.ntp.root_disp,zeek.ntp.ref_id,zeek.ntp.ref_time,zeek.ntp.org_time,zeek.ntp.rec_time,zeek.ntp.xmt_time,zeek.ntp.num_exts
+zeek_ocsp=require:zeek.ocsp;title:Zeek ocsp.log;fields:zeek.ocsp.hashAlgorithm,zeek.ocsp.issuerNameHash,zeek.ocsp.issuerKeyHash,zeek.ocsp.serialNumber,zeek.ocsp.certStatus,zeek.ocsp.revoketime,zeek.ocsp.revokereason,zeek.ocsp.thisUpdate,zeek.ocsp.nextUpdate
+zeek_pe=require:zeek.pe;title:Zeek pe.log;fields:zeek.pe.machine,zeek.pe.compile_ts,zeek.pe.os,zeek.pe.subsystem,zeek.pe.is_exe,zeek.pe.is_64bit,zeek.pe.uses_aslr,zeek.pe.uses_dep,zeek.pe.uses_code_integrity,zeek.pe.uses_seh,zeek.pe.has_import_table,zeek.pe.has_export_table,zeek.pe.has_cert_table,zeek.pe.has_debug_data,zeek.pe.section_names
+zeek_profinet=require:zeek.profinet;title:Zeek profinet.log;fields:zeek.profinet.operation_type,zeek.profinet.block_version,zeek.profinet.slot_number,zeek.profinet.subslot_number,zeek.profinet.index
+zeek_profinet_dce_rpc=require:zeek.profinet_dce_rpc;title:Zeek profinet_dce_rpc.log;fields:zeek.profinet_dce_rpc.version,zeek.profinet_dce_rpc.packet_type,zeek.profinet_dce_rpc.object_uuid,zeek.profinet_dce_rpc.interface_uuid,zeek.profinet_dce_rpc.activity_uuid,zeek.profinet_dce_rpc.server_boot_time,zeek.profinet_dce_rpc.operation
+zeek_radius=require:zeek.radius;title:Zeek radius.log;fields:zeek.radius.mac,zeek.radius.framed_addr,zeek.radius.tunnel_client,zeek.radius.connect_info,zeek.radius.reply_msg,zeek.radius.result,zeek.radius.ttl
+zeek_rdp=require:zeek.rdp;title:Zeek rdp.log;fields:zeek.rdp.cookie,zeek.rdp.result,zeek.rdp.security_protocol,zeek.rdp.client_channels,zeek.rdp.keyboard_layout,zeek.rdp.client_build,zeek.rdp.client_name,zeek.rdp.client_dig_product_id,zeek.rdp.desktop_width,zeek.rdp.desktop_height,zeek.rdp.requested_color_depth,zeek.rdp.cert_type,zeek.rdp.cert_count,zeek.rdp.cert_permanent,zeek.rdp.encryption_level,zeek.rdp.encryption_method
+zeek_rfb=require:zeek.rfb;title:Zeek rfb.log;fields:zeek.rfb.client_major_version,zeek.rfb.client_minor_version,zeek.rfb.server_major_version,zeek.rfb.server_minor_version,zeek.rfb.authentication_method,zeek.rfb.auth,zeek.rfb.share_flag,zeek.rfb.desktop_name,zeek.rfb.width,zeek.rfb.height
+zeek_s7comm=require:zeek.s7comm;title:Zeek s7comm.log;fields:zeek.s7comm.rosctr,zeek.s7comm.parameter,zeek.s7comm.parameters.class,zeek.s7comm.parameters.code,zeek.s7comm.parameters.group,zeek.s7comm.parameters.mode,zeek.s7comm.parameters.sub,zeek.s7comm.parameters.type,zeek.s7comm.item_count,zeek.s7comm.data_info
+zeek_signatures=require:zeek.signatures;title:Zeek 
signatures.log;fields:zeek.signatures.note,zeek.signatures.signature_id,zeek.signatures.engine,zeek.signatures.event_message,zeek.signatures.sub_message,zeek.signatures.signature_count,zeek.signatures.host_count
+zeek_sip=require:zeek.sip;title:Zeek sip.log;fields:zeek.sip.trans_depth,zeek.sip.method,zeek.sip.uri,zeek.sip.date,zeek.sip.request_from,zeek.sip.request_to,zeek.sip.response_from,zeek.sip.response_to,zeek.sip.reply_to,zeek.sip.call_id,zeek.sip.seq,zeek.sip.subject,zeek.sip.request_path,zeek.sip.response_path,zeek.sip.user_agent,zeek.sip.status_code,zeek.sip.status_msg,zeek.sip.warning,zeek.sip.request_body_len,zeek.sip.response_body_len,zeek.sip.content_type,zeek.sip.version
+zeek_smb_cmd=require:zeek.smb_cmd;title:Zeek smb_cmd.log;fields:zeek.smb_cmd.command,zeek.smb_cmd.sub_command,zeek.smb_cmd.argument,zeek.smb_cmd.status,zeek.smb_cmd.rtt,zeek.smb_cmd.version,zeek.smb_cmd.user,zeek.smb_cmd.tree,zeek.smb_cmd.tree_service
+zeek_smb_files=require:zeek.smb_files;title:Zeek smb_files.log;fields:zeek.smb_files.action,zeek.smb_files.path,zeek.smb_files.name,zeek.smb_files.size,zeek.smb_files.prev_name,zeek.smb_files.times_modified,zeek.smb_files.times_accessed,zeek.smb_files.times_created,zeek.smb_files.times_changed,zeek.smb_files.data_offset_req,zeek.smb_files.data_len_req,zeek.smb_files.data_len_rsp
+zeek_smb_mapping=require:zeek.smb_mapping;title:Zeek smb_mapping.log;fields:zeek.smb_mapping.path,zeek.smb_mapping.resource_type,zeek.smb_mapping.native_file_system,zeek.smb_mapping.share_type
+zeek_smtp=require:zeek.smtp;title:Zeek 
smtp.log;fields:zeek.smtp.trans_depth,zeek.smtp.helo,zeek.smtp.mailfrom,zeek.smtp.rcptto,zeek.smtp.date,zeek.smtp.from,zeek.smtp.to,zeek.smtp.cc,zeek.smtp.reply_to,zeek.smtp.msg_id,zeek.smtp.in_reply_to,zeek.smtp.subject,zeek.smtp.x_originating_ip,zeek.smtp.first_received,zeek.smtp.second_received,zeek.smtp.last_reply,zeek.smtp.last_reply_code,zeek.smtp.last_reply_msg,zeek.smtp.path,zeek.smtp.user_agent,zeek.smtp.tls,zeek.smtp.is_webmail
+zeek_snmp=require:zeek.snmp;title:Zeek snmp.log;fields:zeek.snmp.duration,zeek.snmp.version,zeek.snmp.community,zeek.snmp.get_requests,zeek.snmp.get_bulk_requests,zeek.snmp.get_responses,zeek.snmp.set_requests,zeek.snmp.display_string,zeek.snmp.up_since
+zeek_socks=require:zeek.socks;title:Zeek socks.log;fields:zeek.socks.version,zeek.socks.server_status,zeek.socks.request_host,zeek.socks.request_name,zeek.socks.request_port,zeek.socks.bound_host,zeek.socks.bound_name,zeek.socks.bound_port
+zeek_software=require:zeek.software;title:Zeek software.log;fields:zeek.software.software_type,zeek.software.name,zeek.software.version_major,zeek.software.version_minor,zeek.software.version_minor2,zeek.software.version_minor3,zeek.software.version_addl,zeek.software.unparsed_version
+zeek_ssh=require:zeek.ssh;title:Zeek ssh.log;fields:zeek.ssh.version,zeek.ssh.auth_success,zeek.ssh.auth_attempts,zeek.ssh.direction,zeek.ssh.client,zeek.ssh.server,zeek.ssh.cipher_alg,zeek.ssh.mac_alg,zeek.ssh.compression_alg,zeek.ssh.kex_alg,zeek.ssh.host_key_alg,zeek.ssh.host_key,zeek.ssh.remote_location_country_code,zeek.ssh.remote_location_region,zeek.ssh.remote_location_city,zeek.ssh.remote_location_latitude,zeek.ssh.remote_location_longitude,zeek.ssh.hassh,zeek.ssh.hasshServer,zeek.ssh.hasshAlgorithms,zeek.ssh.hasshServerAlgorithms,zeek.ssh.cshka,zeek.ssh.sshka
+zeek_ssl=require:zeek.ssl;title:Zeek 
ssl.log;fields:zeek.ssl.ssl_version,zeek.ssl.ssl_history,zeek.ssl.sni_matches_cert,zeek.ssl.cipher,zeek.ssl.curve,zeek.ssl.server_name,zeek.ssl.resumed,zeek.ssl.last_alert,zeek.ssl.next_protocol,zeek.ssl.established,tls.client.ja3,tls.client.ja3_description,tls.server.ja3s,tls.server.ja3s_description,zeek.ssl.cert_chain_fuids,zeek.ssl.cert_chain_fps,zeek.ssl.client_cert_chain_fuids,zeek.ssl.client_cert_chain_fps,zeek.ssl.subject.CN,zeek.ssl.subject.C,zeek.ssl.subject.O,zeek.ssl.subject.OU,zeek.ssl.subject.ST,zeek.ssl.subject.SN,zeek.ssl.subject.L,zeek.ssl.subject.GN,zeek.ssl.subject.pseudonym,zeek.ssl.subject.serialNumber,zeek.ssl.subject.title,zeek.ssl.subject.initials,zeek.ssl.subject.emailAddress,zeek.ssl.subject.description,zeek.ssl.subject.postalCode,zeek.ssl.subject.street,zeek.ssl.client_subject.CN,zeek.ssl.client_subject.C,zeek.ssl.client_subject.O,zeek.ssl.client_subject.OU,zeek.ssl.client_subject.ST,zeek.ssl.client_subject.SN,zeek.ssl.client_subject.L,zeek.ssl.client_subject.GN,zeek.ssl.client_subject.pseudonym,zeek.ssl.client_subject.serialNumber,zeek.ssl.client_subject.title,zeek.ssl.client_subject.initials,zeek.ssl.client_subject.emailAddress,zeek.ssl.issuer.CN,zeek.ssl.issuer.C,zeek.ssl.issuer.O,zeek.ssl.issuer.OU,zeek.ssl.issuer.ST,zeek.ssl.issuer.SN,zeek.ssl.issuer.L,zeek.ssl.issuer.DC,zeek.ssl.issuer.GN,zeek.ssl.issuer.pseudonym,zeek.ssl.issuer.serialNumber,zeek.ssl.issuer.title,zeek.ssl.issuer.initials,zeek.ssl.issuer.emailAddress,zeek.ssl.client_issuer.CN,zeek.ssl.client_issuer.C,zeek.ssl.client_issuer.O,zeek.ssl.client_issuer.OU,zeek.ssl.client_issuer.ST,zeek.ssl.client_issuer.SN,zeek.ssl.client_issuer.L,zeek.ssl.client_issuer.DC,zeek.ssl.client_issuer.GN,zeek.ssl.client_issuer.pseudonym,zeek.ssl.client_issuer.serialNumber,zeek.ssl.client_issuer.title,zeek.ssl.client_issuer.initials,zeek.ssl.client_issuer.emailAddress,zeek.ssl.validation_status
+zeek_stun=require:zeek.stun;title:Zeek 
stun.log;fields:zeek.stun.is_orig,zeek.stun.trans_id,zeek.stun.method,zeek.stun.class,zeek.stun.attr_type,zeek.stun.attr_val
+zeek_stun_nat=require:zeek.stun_nat;title:Zeek stun_nat.log;fields:zeek.stun_nat.is_orig,zeek.stun_nat.wan_addr,zeek.stun_nat.wan_port,zeek.stun_nat.lan_addr
+zeek_syslog=require:zeek.syslog;title:Zeek syslog.log;fields:zeek.syslog.facility,zeek.syslog.severity,zeek.syslog.message
+zeek_tds=require:zeek.tds;title:Zeek tds.log;fields:zeek.tds.command
+zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.procedure_name,zeek.tds_rpc.parameters
+zeek_tds_sql_batch=require:zeek.tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek.tds_sql_batch.header_type,zeek.tds_sql_batch.query
+zeek_tftp=require:zeek.tftp;title:Zeek tftp.log;fields:zeek.tftp.block_acked,zeek.tftp.block_sent,zeek.tftp.error_code,zeek.tftp.error_msg,zeek.tftp.fname,zeek.tftp.mode,zeek.tftp.size,zeek.tftp.uid_data,zeek.tftp.wrq
+zeek_tunnel=require:zeek.tunnel;title:Zeek tunnel.log;fields:zeek.tunnel.tunnel_type,zeek.tunnel.action
+zeek_weird=require:zeek.weird;title:Zeek weird.log;fields:zeek.weird.name,zeek.weird.addl,zeek.weird.notice,zeek.weird.peer
+zeek_wireguard=require:zeek.wireguard;title:Zeek wireguard.log;fields:zeek.wireguard.established,zeek.wireguard.initiations,zeek.wireguard.responses
+zeek_x509=require:zeek.x509;title:Zeek 
x509.log;fields:zeek.x509.certificate_version,zeek.x509.certificate_serial,zeek.x509.certificate_subject.CN,zeek.x509.certificate_subject.C,zeek.x509.certificate_subject.O,zeek.x509.certificate_subject.OU,zeek.x509.certificate_subject.ST,zeek.x509.certificate_subject.SN,zeek.x509.certificate_subject.L,zeek.x509.certificate_subject.DC,zeek.x509.certificate_subject.GN,zeek.x509.certificate_subject.pseudonym,zeek.x509.certificate_subject.serialNumber,zeek.x509.certificate_subject.title,zeek.x509.certificate_subject.initials,zeek.x509.certificate_subject.emailAddress,zeek.x509.certificate_subject.description,zeek.x509.certificate_subject.postalCode,zeek.x509.certificate_subject.street,zeek.x509.certificate_issuer.CN,zeek.x509.certificate_issuer.DC,zeek.x509.certificate_issuer.C,zeek.x509.certificate_issuer.O,zeek.x509.certificate_issuer.OU,zeek.x509.certificate_issuer.ST,zeek.x509.certificate_issuer.SN,zeek.x509.certificate_issuer.L,zeek.x509.certificate_issuer.GN,zeek.x509.certificate_issuer.pseudonym,zeek.x509.certificate_issuer.serialNumber,zeek.x509.certificate_issuer.title,zeek.x509.certificate_issuer.initials,zeek.x509.certificate_issuer.emailAddress,zeek.x509.certificate_not_valid_before,zeek.x509.certificate_not_valid_after,zeek.x509.certificate_key_alg,zeek.x509.certificate_sig_alg,zeek.x509.certificate_key_type,zeek.x509.certificate_key_length,zeek.x509.certificate_exponent,zeek.x509.certificate_curve,zeek.x509.client_cert,zeek.x509.fingerprint,zeek.x509.host_cert,zeek.x509.san_dns,zeek.x509.san_uri,zeek.x509.san_email,zeek.x509.san_ip,zeek.x509.basic_constraints_ca,zeek.x509.basic_constraints_path_len
diff --git a/arkime/etc/user_settings.json b/arkime/etc/user_settings.json
index 1a2d78c94..d7014b3de 100644
--- a/arkime/etc/user_settings.json
+++ b/arkime/etc/user_settings.json
@@ -28,17 +28,17 @@ "Public IP Addresses": { "expression": "(country.dst == EXISTS!) || (country.src == EXISTS!) || (ip.dst == EXISTS! && ip.dst != 0.0.0.0/8 && ip.dst != 10.0.0.0/8 && ip.dst != 100.64.0.0/10 && ip.dst != 127.0.0.0/8 && ip.dst != 169.254.0.0/16 && ip.dst != 172.16.0.0/12 && ip.dst != 192.0.0.0/24 && ip.dst != 192.0.2.0/24 && ip.dst != 192.88.99.0/24 && ip.dst != 192.168.0.0/16 && ip.dst != 198.18.0.0/15 && ip.dst != 198.51.100.0/24 && ip.dst != 203.0.113.0/24 && ip.dst != 224.0.0.0/4 && ip.dst != 232.0.0.0/8 && ip.dst != 233.0.0.0/8 && ip.dst != 234.0.0.0/8 && ip.dst != 239.0.0.0/8 && ip.dst != 240.0.0.0/4 && ip.dst != 255.255.255.255 && ip.dst != :: && ip.dst != ::1 && ip.dst != ff00::/8 && ip.dst != fe80::/10 && ip.dst != fc00::/7 && ip.dst != fd00::/8) || (ip.src == EXISTS! && ip.src != 0.0.0.0/8 && ip.src != 10.0.0.0/8 && ip.src != 100.64.0.0/10 && ip.src != 127.0.0.0/8 && ip.src != 169.254.0.0/16 && ip.src != 172.16.0.0/12 && ip.src != 192.0.0.0/24 && ip.src != 192.0.2.0/24 && ip.src != 192.88.99.0/24 && ip.src != 192.168.0.0/16 && ip.src != 198.18.0.0/15 && ip.src != 198.51.100.0/24 && ip.src != 203.0.113.0/24 && ip.src != 224.0.0.0/4 && ip.src != 232.0.0.0/8 && ip.src != 233.0.0.0/8 && ip.src != 234.0.0.0/8 && ip.src != 239.0.0.0/8 && ip.src != 240.0.0.0/4 && ip.src != 255.255.255.255 && ip.src != :: && ip.src != ::1 && ip.src != ff00::/8 && ip.src != fe80::/10 && ip.src != fc00::/7 && ip.src != fd00::/8)" }, - "PCAP Files": { - "expression": "zeek.logType != EXISTS!" + "Arkime Sessions": { + "expression": "file == EXISTS!" }, "Zeek Logs": { - "expression": "zeek.logType == EXISTS!" + "expression": "event.provider == zeek" }, "Zeek conn.log": { - "expression": "zeek.logType == conn" + "expression": "event.provider == zeek && event.dataset == conn" }, "Zeek Exclude conn.log": { - "expression": "zeek.logType == EXISTS! && zeek.logType != conn" + "expression": "event.provider == zeek && event.dataset != conn" } }, "tableStates": { 
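Review bot: The two renamed views are no longer complements of each other: the old pair `zeek.logType != EXISTS!` / `zeek.logType == EXISTS!` put every session in exactly one of "PCAP Files" or "Zeek Logs", whereas the new `file == EXISTS!` and `event.provider == zeek` are independent tests, so a session carrying both fields lands in both views and one carrying neither lands in none. If "Arkime Sessions" is meant to remain the non-Zeek half, `"expression": "event.provider != zeek"` (assuming Arkime's `!=` matches sessions that lack the field) or `"expression": "file == EXISTS! && event.provider != zeek"` preserves the partition. The new expressions also presume `event.provider` and `event.dataset` are declared as Arkime fields; that declaration is not in this hunk, so confirm it lands in the same change, otherwise these saved views fail to parse.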
@@ -51,7 +51,7 @@ ], "visibleHeaders": [ "protocol", - "zeek.logType", + "event.dataset", "firstPacket", "lastPacket", "src", diff --git a/arkime/etc/wise.ini b/arkime/etc/wise.ini index 5a1144161..eba96db74 100644 --- a/arkime/etc/wise.ini +++ b/arkime/etc/wise.ini @@ -7,5 +7,5 @@ port=8081 excludeDomains=*.bl.barracudabrts.com;*.zen.spamhaus.org;*.in-addr.arpa;*.avts.mcafee.com;*.avqs.mcafee.com;*.bl.barracuda.com;*.lbl8.mailshell.net;*.dnsbl.sorbs.net;*.s.sophosxl.net;*.metric.gstatic.com;*.ip6.arpa -[zeek] +[malcolm] key=enabled \ No newline at end of file diff --git a/arkime/patch/db_init_client_server_fields.patch b/arkime/patch/db_init_client_server_fields.patch deleted file mode 100644 index 62e5be75c..000000000 --- a/arkime/patch/db_init_client_server_fields.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/viewer/db.js b/viewer/db.js -index 71470bb1..3c00c65a 100644 ---- a/viewer/db.js -+++ b/viewer/db.js -@@ -343,6 +343,8 @@ function fixSessionFields (fields, unflatten) { - if (unflatten) { - fields.source = { as: {}, geo: {} }; - fields.destination = { as: {}, geo: {} }; -+ fields.client = {}; -+ fields.server = {}; - } - for (const f in fields) { - const path = f.split('.'); diff --git a/arkime/patch/fields_db_max_3000.patch b/arkime/patch/fields_db_max_3000.patch index e8c4e3137..a68e76f9c 100644 --- a/arkime/patch/fields_db_max_3000.patch +++ b/arkime/patch/fields_db_max_3000.patch @@ -1,8 +1,8 @@ diff --git a/capture/db.c b/capture/db.c -index 2b050c22..9186aced 100644 +index 5bfe0f48..5ea65753 100644 --- a/capture/db.c +++ b/capture/db.c -@@ -2312,7 +2312,7 @@ LOCAL void moloch_db_load_fields() +@@ -2309,7 +2309,7 @@ LOCAL void moloch_db_load_fields() char key[100]; int key_len; @@ -12,7 +12,7 @@ index 2b050c22..9186aced 100644 if (!data) { diff --git a/capture/moloch.h b/capture/moloch.h -index 06a79110..1f4aa3fb 100644 +index f3419c15..0005d58a 100644 --- a/capture/moloch.h +++ b/capture/moloch.h @@ -352,7 +352,7 @@ enum MolochRotate { 
@@ -25,7 +25,7 @@ index 06a79110..1f4aa3fb 100644 #define MOLOCH_FIELDS_CNT_MAX (MOLOCH_FIELDS_DB_MAX*2) #define MOLOCH_FIELD_EXSPECIAL_START (MOLOCH_FIELDS_CNT_MAX) diff --git a/capture/plugins/wise.c b/capture/plugins/wise.c -index f311d743..eb4ba1e0 100644 +index 2f98ebe1..0e7b4002 100644 --- a/capture/plugins/wise.c +++ b/capture/plugins/wise.c @@ -111,7 +111,7 @@ typedef struct wiseitem_head { @@ -37,16 +37,3 @@ index f311d743..eb4ba1e0 100644 typedef struct wiserequest { BSB bsb; WiseItem_t *items[WISE_MAX_REQUEST_ITEMS]; -diff --git a/viewer/db.js b/viewer/db.js -index 71470bb1..e3b79664 100644 ---- a/viewer/db.js -+++ b/viewer/db.js -@@ -1902,7 +1902,7 @@ exports.sid2Index = function (id, options) { - }; - - exports.loadFields = async () => { -- return exports.search('fields', 'field', { size: 1000 }); -+ return exports.search('fields', 'field', { size: 3000 }); - }; - - exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => { diff --git a/arkime/patch/spi_sort_zeek.patch b/arkime/patch/spi_sort_zeek.patch index d9c0b4dec..73afa84bc 100644 --- a/arkime/patch/spi_sort_zeek.patch +++ b/arkime/patch/spi_sort_zeek.patch @@ -3,11 +3,11 @@ index 66e08ecf..f7156b80 100644 --- a/viewer/vueapp/src/components/spiview/Spiview.vue +++ b/viewer/vueapp/src/components/spiview/Spiview.vue @@ -915,6 +915,8 @@ export default { - + // sorted list of categories for the view this.categoryList = Object.keys(this.categoryObjects).sort(); -+ this.categoryList.splice(this.categoryList.indexOf('zeek'), 1); -+ this.categoryList.unshift('zeek'); ++ this.categoryList.splice(this.categoryList.indexOf('malcolm'), 1); ++ this.categoryList.unshift('malcolm'); this.categoryList.splice(this.categoryList.indexOf('general'), 1); this.categoryList.unshift('general'); - + diff --git a/arkime/patch/viewer_custom_view_requires_fix.patch b/arkime/patch/viewer_custom_view_requires_fix.patch new file mode 100644 index 000000000..c599554e0 --- /dev/null 
+++ b/arkime/patch/viewer_custom_view_requires_fix.patch 
@@ -0,0 +1,103 @@
+diff --git a/viewer/viewer.js b/viewer/viewer.js
+index 5b19521b..f79019d3 100755
+--- a/viewer/viewer.js
++++ b/viewer/viewer.js
+@@ -303,18 +303,30 @@ function parseCustomView (key, input) {
+ }
+ const fields = match[1];
+ 
+- let output = ` if (session.${req})\n div.sessionDetailMeta.bold ${title}\n dl.sessionDetailMeta\n`;
++ const parts = req.split('.');
++ let output = ' if (';
++ for (let i = 0; i < parts.length; i++) {
++ if (i > 0) {
++ output += ' && ';
++ }
++ output += 'session';
++ for (let j = 0; j <= i; j++) {
++ output += `.${parts[j]}`;
++ }
++ }
++ output += ')\n';
++ output += ` div.sessionDetailMeta.bold ${title}\n dl.sessionDetailMeta\n`;
+ 
+ for (const field of fields.split(',')) {
+ const info = fieldsMap[field];
+ if (!info) {
+ continue;
+ }
+- const parts = ViewerUtils.splitRemain(info.dbField, '.', 1);
+- if (parts.length === 1) {
+- output += ` +arrayList(session, '${parts[0]}', '${info.friendlyName}', '${field}')\n`;
++ const pos = info.dbField.lastIndexOf('.');
++ if (pos === -1) {
++ output += ` +arrayList(session, '${info.dbField}', '${info.friendlyName}', '${field}')\n`;
+ } else {
+- output += ` +arrayList(session.${parts[0]}, '${parts[1]}', '${info.friendlyName}', '${field}')\n`;
++ output += ` +arrayList(session.${info.dbField.slice(0, pos)}, '${info.dbField.slice(pos + 1)}', '${info.friendlyName}', '${field}')\n`;
+ }
+ }
+ 
+diff --git a/wiseService/wiseService.js b/wiseService/wiseService.js
+index f37d509c..ad1831d5 100644
+--- a/wiseService/wiseService.js
++++ b/wiseService/wiseService.js
+@@ -271,17 +271,6 @@ function newFieldsTS () {
+ }
+ }
+ // ----------------------------------------------------------------------------
+-// https://coderwall.com/p/pq0usg/javascript-string-split-that-ll-return-the-remainder
+-function splitRemain (str, separator, limit) {
+- str = str.split(separator);
+- if (str.length <= limit) { return str; }
+- 
+- const ret = str.splice(0, limit);
+- ret.push(str.join(separator));
+- 
+- return ret;
+-}
+-// ----------------------------------------------------------------------------
+ /**
+ * When sources are created they get an api object to interact with the wise service.
+ */
+@@ -437,7 +426,20 @@ class WISESourceAPI {
+ viewName = match[1];
+ }
+ 
+- let output = `if (session.${req})\n div.sessionDetailMeta.bold ${title}\n dl.sessionDetailMeta\n`;
++ const parts = req.split('.');
++ let output = ' if (';
++ for (let i = 0; i < parts.length; i++) {
++ if (i > 0) {
++ output += ' && ';
++ }
++ output += 'session';
++ for (let j = 0; j <= i; j++) {
++ output += `.${parts[j]}`;
++ }
++ }
++ output += ')\n';
++ output += ` div.sessionDetailMeta.bold ${title}\n dl.sessionDetailMeta\n`;
++ 
+ for (const field of fields.split(',')) {
+ const info = WISESource.field2Info[field];
+ if (!info) {
+@@ -447,13 +449,14 @@ class WISESourceAPI {
+ console.log(`ERROR - missing db information for ${field}`);
+ return;
+ }
+- const parts = splitRemain(info.db, '.', 1);
+- if (parts.length === 1) {
+- output += ` +arrayList(session, '${parts[0]}', '${info.friendly}', '${field}')\n`;
++ const pos = info.db.lastIndexOf('.');
++ if (pos === -1) {
++ output += ` +arrayList(session, '${info.db}', '${info.friendlyName}', '${field}')\n`;
+ } else {
+- output += ` +arrayList(session.${parts[0]}, '${parts[1]}', '${info.friendly}', '${field}')\n`;
++ output += ` +arrayList(session.${info.db.slice(0, pos)}, '${info.db.slice(pos + 1)}', '${info.friendlyName}', '${field}')\n`;
+ }
+ }
++ 
+ internals.views[viewName] = output;
+ } else {
+ internals.views[viewName] = view;
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 66df0ffa2..3feae8b89 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
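Review bot: The wiseService.js half of the new patch changes the label argument from `info.friendly` to `info.friendlyName` in both `arrayList` lines of the `@@ -447,13 +449,14 @@` block while the lines it removes read `info.friendly`; unless entries in `WISESource.field2Info` also carry a `friendlyName` key, the generated pug will render `undefined` as the field label. The viewer.js half reads `fieldsMap[field].friendlyName`, which is a different lookup table, so this looks like a carry-over from that side; confirm the key name against wiseSource.js before merging, and if `friendly` is right, restore `'${info.friendly}'` on both lines. The guard-building loop (`const parts = req.split('.');` through `output += ')\n';`) is now duplicated verbatim in viewer.js and wiseService.js; a small helper that returns the `session.a && session.a.b` chain for a dotted path would keep the two copies in sync. As before, `parts[j]`, the friendly name and `field` are interpolated into the pug source unescaped, so a quote or newline in a field definition still reaches the template; that is pre-existing, but the new loop is a natural place to reject a `parts` element that is not a plain identifier.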
@@ -3,897 +3,1009 @@ const WISESource = require('./wiseSource.js'); ////////////////////////////////////////////////////////////////////////////////// -// Arkime WISE Data Source definition for Zeek logs. +// Arkime WISE Data Source definition for Malcolm data sources. // // Part of Malcolm (https://github.com/cisagov/malcolm) // -// Data may be populated with Malcolm's Zeek Logstash filters: -// (particularly https://raw.githubusercontent.com/cisagov/Malcolm/main/logstash/pipeline-main/11_zeek_logs.conf) +// Data may be populated with Malcolm's Logstash filters: +// (https://github.com/cisagov/Malcolm/tree/main/logstash/pipelines) // // Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved. // see https://raw.githubusercontent.com/cisagov/Malcolm/main/License.txt ////////////////////////////////////////////////////////////////////////////////// -class ZeekSource extends WISESource { +class MalcolmSource extends WISESource { // ---------------------------------------------------------------------------- constructor (api, section) { super(api, section, { dontCache: true }); - this.api.addSource('zeek', this, []); + this.api.addSource('malcolm', this, []); // there are several files where the definitions of fields live: make sure to keep them in sync - // - source.zeeklogs.js (this file) + // - source.malcolm.js (this file) // - Arkime's config.ini - // - Kibana's zeek_template.json + // - Kibana's malcolm_template.json // todo: look at expressions for things that have parents (tunnelling, parent files, etc.) // todo: look at IP types and use ipPrint? 
// add right-clicks var allFields = [ - "network.community_id", + "malcolmDocId", + "client.bytes", + "client.domain", + "destination.as.full", + "destination.bytes", + "destination.domain", + "destination.geo.city_name", + "destination.geo.country_iso_code", + "destination.geo.country_name", + "destination.geo.ip", + "destination.hostname", + "destination.ip", + "destination.ip_reverse_dns", + "destination.mac", + "destination.oui", + "destination.packets", + "destination.port", + "destination.segment", + "dns.answers", + "dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.type", + "dns.resolved_ip", + "dns.response_code", + "dns.type", + "ecs.version", + "event.action", + "event.category", + "event.dataset", + "event.duration", + "event.end", + "event.freq_score_v1", + "event.freq_score_v2", + "event.id", + "event.ingested", + "event.kind", + "event.outcome", + "event.provider", + "event.result", "event.risk_score", "event.risk_score_norm", "event.severity", "event.severity_tags", + "event.start", + "file.accessed", + "file.created", + "file.ctime", + "file.directory", + "file.extension", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.mime_type", + "file.mtime", + "file.name", + "file.path", + "file.size", + "file.type", "host.name", + "http.request.body.bytes", + "http.request.method", + "http.request.mime_type", + "http.request.referrer", + "http.response.body.bytes", + "http.response.mime_type", + "http.response.status_code", + "http.version", "ip.protocol", "mac.dst", "mac.src", + "network.application", + "network.bytes", + "network.community_id", + "network.direction", + "network.iana_number", + "network.inner.vlan.id", + "network.name", + "network.packets", + "network.protocol", + "network.protocol_version", + "network.transport", + "network.type", + "network.vlan.id", "node", "oui.dst", "oui.src", "protocols", + "related.hash", + "related.ip", + "related.password", + 
"related.user", "rootId", + "rule.author", + "rule.category", + "rule.description", + "rule.license", + "rule.name", + "rule.reference", + "rule.ruleset", + "server.bytes", + "server.domain", + "source.as.full", + "source.bytes", + "source.geo.city_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.ip", + "source.hostname", + "source.ip", + "source.ip_reverse_dns", + "source.mac", + "source.nat.ip", + "source.nat.port", + "source.oui", + "source.packets", + "source.port", + "source.segment", "tags", - "zeek.action", - "zeek.community_id", - "zeek.destination_geo.city_name", - "zeek.destination_geo.country_name", - "zeek.destination_ip_reverse_dns", - "zeek.filename", - "zeek.filetype", - "zeek.freq_score_v1", - "zeek.freq_score_v2", + "threat.framework", + "threat.tactic.id", + "threat.tactic.name", + "threat.tactic.reference", + "threat.technique.id", + "threat.technique.name", + "threat.technique.reference", + "tls.cipher", + "tls.client.issuer", + "tls.client.ja3", + "tls.client.ja3_description", + "tls.client.server_name", + "tls.client.subject", + "tls.curve", + "tls.established", + "tls.next_protocol", + "tls.resumed", + "tls.server.issuer", + "tls.server.ja3s", + "tls.server.ja3s_description", + "tls.server.subject", + "tls.version", + "tls.version_protocol", + "url.domain", + "url.extension", + "url.fragment", + "url.full", + "url.original", + "url.password", + "url.path", + "url.port", + "url.query", + "url.scheme", + "url.user", + "user_agent.original", + "vulnerability.category", + "vulnerability.description", + "vulnerability.reference", + "vulnerability.scanner.vendor", + "zeek.bacnet.bvlc_function", + "zeek.bacnet.invoke_id", + "zeek.bacnet.pdu_service", + "zeek.bacnet.pdu_type", + "zeek.bacnet.result_code", + "zeek.bacnet_discovery.instance_number", + "zeek.bacnet_discovery.object_name", + "zeek.bacnet_discovery.object_type", + "zeek.bacnet_discovery.pdu_service", + "zeek.bacnet_discovery.range", + 
"zeek.bacnet_discovery.range_high", + "zeek.bacnet_discovery.range_low", + "zeek.bacnet_discovery.vendor", + "zeek.bacnet_property.array_index", + "zeek.bacnet_property.instance_number", + "zeek.bacnet_property.object_type", + "zeek.bacnet_property.pdu_service", + "zeek.bacnet_property.property", + "zeek.bacnet_property.value", + "zeek.bestguess.category", + "zeek.bestguess.name", + "zeek.bsap_ip_header.num_msg", + "zeek.bsap_ip_header.type_name", + "zeek.bsap_ip_rdb.app_func_code", + "zeek.bsap_ip_rdb.data", + "zeek.bsap_ip_rdb.data_len", + "zeek.bsap_ip_rdb.func_code", + "zeek.bsap_ip_rdb.header_size", + "zeek.bsap_ip_rdb.mes_seq", + "zeek.bsap_ip_rdb.node_status", + "zeek.bsap_ip_rdb.res_seq", + "zeek.bsap_ip_rdb.sequence", + "zeek.bsap_ip_unknown.data", + "zeek.bsap_serial_header.ctl", + "zeek.bsap_serial_header.dadd", + "zeek.bsap_serial_header.dfun", + "zeek.bsap_serial_header.nsb", + "zeek.bsap_serial_header.sadd", + "zeek.bsap_serial_header.seq", + "zeek.bsap_serial_header.ser", + "zeek.bsap_serial_header.sfun", + "zeek.bsap_serial_header.type_name", + "zeek.bsap_serial_rdb.data", + "zeek.bsap_serial_rdb.func_code", + "zeek.bsap_serial_rdb_ext.data", + "zeek.bsap_serial_rdb_ext.dfun", + "zeek.bsap_serial_rdb_ext.extfun", + "zeek.bsap_serial_rdb_ext.nsb", + "zeek.bsap_serial_rdb_ext.seq", + "zeek.bsap_serial_rdb_ext.sfun", + "zeek.bsap_serial_unknown.data", + "zeek.cip.attribute_id", + "zeek.cip.cip_sequence_count", + "zeek.cip.cip_service", + "zeek.cip.cip_status", + "zeek.cip.class_id", + "zeek.cip.class_name", + "zeek.cip.data_id", + "zeek.cip.direction", + "zeek.cip.instance_id", + "zeek.cip.other_id", + "zeek.cip_identity.device_state", + "zeek.cip_identity.device_status", + "zeek.cip_identity.device_type_id", + "zeek.cip_identity.device_type_name", + "zeek.cip_identity.encapsulation_version", + "zeek.cip_identity.product_code", + "zeek.cip_identity.product_name", + "zeek.cip_identity.revision", + "zeek.cip_identity.serial_number", + 
"zeek.cip_identity.socket_address", + "zeek.cip_identity.socket_address_asn", + "zeek.cip_identity.socket_address_geo.city_name", + "zeek.cip_identity.socket_address_geo.country_name", + "zeek.cip_identity.socket_port", + "zeek.cip_identity.vendor_id", + "zeek.cip_identity.vendor_name", + "zeek.cip_io.connection_id", + "zeek.cip_io.data_length", + "zeek.cip_io.io_data", + "zeek.cip_io.sequence_number", + "zeek.conn.conn_state", + "zeek.conn.conn_state_description", + "zeek.conn.duration", + "zeek.conn.history", + "zeek.conn.inner_vlan", + "zeek.conn.local_orig", + "zeek.conn.local_resp", + "zeek.conn.missed_bytes", + "zeek.conn.orig_bytes", + "zeek.conn.orig_ip_bytes", + "zeek.conn.orig_pkts", + "zeek.conn.resp_bytes", + "zeek.conn.resp_ip_bytes", + "zeek.conn.resp_pkts", + "zeek.conn.tunnel_parents", + "zeek.conn.vlan", + "zeek.dce_rpc.endpoint", + "zeek.dce_rpc.named_pipe", + "zeek.dce_rpc.operation", + "zeek.dce_rpc.rtt", + "zeek.dhcp.assigned_ip", + "zeek.dhcp.client_fqdn", + "zeek.dhcp.client_message", + "zeek.dhcp.client_software", + "zeek.dhcp.domain", + "zeek.dhcp.duration", + "zeek.dhcp.host_name", + "zeek.dhcp.lease_time", + "zeek.dhcp.mac", + "zeek.dhcp.msg_types", + "zeek.dhcp.requested_ip", + "zeek.dhcp.server_message", + "zeek.dhcp.server_software", + "zeek.dhcp.trans_id", + "zeek.dnp3.fc_reply", + "zeek.dnp3.fc_request", + "zeek.dnp3.iin", + "zeek.dnp3.iin_flags", + "zeek.dnp3_control.block_type", + "zeek.dnp3_control.execute_count", + "zeek.dnp3_control.function_code", + "zeek.dnp3_control.index_number", + "zeek.dnp3_control.off_time", + "zeek.dnp3_control.on_time", + "zeek.dnp3_control.operation_type", + "zeek.dnp3_control.status_code", + "zeek.dnp3_control.trip_control_code", + "zeek.dnp3_objects.function_code", + "zeek.dnp3_objects.object_count", + "zeek.dnp3_objects.object_type", + "zeek.dnp3_objects.range_high", + "zeek.dnp3_objects.range_low", + "zeek.dns.AA", + "zeek.dns.answers", + "zeek.dns.qclass", + "zeek.dns.qclass_name", + 
"zeek.dns.qtype", + "zeek.dns.qtype_name", + "zeek.dns.query", + "zeek.dns.RA", + "zeek.dns.rcode", + "zeek.dns.rcode_name", + "zeek.dns.RD", + "zeek.dns.rejected", + "zeek.dns.rtt", + "zeek.dns.TC", + "zeek.dns.trans_id", + "zeek.dns.TTLs", + "zeek.dns.Z", + "zeek.dpd.failure_reason", + "zeek.dpd.service", + "zeek.ecat_aoe_info.command", + "zeek.ecat_aoe_info.data", + "zeek.ecat_aoe_info.orig_port", + "zeek.ecat_aoe_info.resp_port", + "zeek.ecat_aoe_info.state", + "zeek.ecat_arp_info.arp_type", + "zeek.ecat_arp_info.orig_hw_addr", + "zeek.ecat_arp_info.orig_proto_addr", + "zeek.ecat_arp_info.resp_hw_addr", + "zeek.ecat_arp_info.resp_proto_addr", + "zeek.ecat_coe_info.dataoffset", + "zeek.ecat_coe_info.index", + "zeek.ecat_coe_info.number", + "zeek.ecat_coe_info.req_resp", + "zeek.ecat_coe_info.subindex", + "zeek.ecat_coe_info.type", + "zeek.ecat_dev_info.build", + "zeek.ecat_dev_info.dev_type", + "zeek.ecat_dev_info.dpram", + "zeek.ecat_dev_info.features", + "zeek.ecat_dev_info.fmmucnt", + "zeek.ecat_dev_info.ports", + "zeek.ecat_dev_info.revision", + "zeek.ecat_dev_info.server_id", + "zeek.ecat_dev_info.smcount", + "zeek.ecat_foe_info.data", + "zeek.ecat_foe_info.error_code", + "zeek.ecat_foe_info.filename", + "zeek.ecat_foe_info.opcode", + "zeek.ecat_foe_info.packet_num", + "zeek.ecat_foe_info.reserved", + "zeek.ecat_log_address.command", + "zeek.ecat_log_address.data", + "zeek.ecat_log_address.length", + "zeek.ecat_log_address.log_addr", + "zeek.ecat_registers.command", + "zeek.ecat_registers.data", + "zeek.ecat_registers.register_addr", + "zeek.ecat_registers.register_type", + "zeek.ecat_registers.server_addr", + "zeek.ecat_soe_info.drive_num", + "zeek.ecat_soe_info.element", + "zeek.ecat_soe_info.error", + "zeek.ecat_soe_info.incomplete", + "zeek.ecat_soe_info.index", + "zeek.ecat_soe_info.opcode", + "zeek.enip.enip_command", + "zeek.enip.enip_status", + "zeek.enip.length", + "zeek.enip.options", + "zeek.enip.sender_context", + "zeek.enip.session_handle", + 
"zeek.files.analyzers", + "zeek.files.conn_uids", + "zeek.files.depth", + "zeek.files.duration", + "zeek.files.extracted", + "zeek.files.extracted_cutoff", + "zeek.files.extracted_size", + "zeek.files.filename", + "zeek.files.is_orig", + "zeek.files.local_orig", + "zeek.files.md5", + "zeek.files.mime_type", + "zeek.files.missing_bytes", + "zeek.files.overflow_bytes", + "zeek.files.parent_fuid", + "zeek.files.rx_hosts", + "zeek.files.seen_bytes", + "zeek.files.sha1", + "zeek.files.sha256", + "zeek.files.source", + "zeek.files.timedout", + "zeek.files.total_bytes", + "zeek.files.tx_hosts", + "zeek.ftp.arg", + "zeek.ftp.command", + "zeek.ftp.data_channel_orig_h", + "zeek.ftp.data_channel_passive", + "zeek.ftp.data_channel_resp_h", + "zeek.ftp.data_channel_resp_p", + "zeek.ftp.file_size", + "zeek.ftp.mime_type", + "zeek.ftp.reply_code", + "zeek.ftp.reply_msg", "zeek.fuid", - "zeek.logType", - "zeek.orig_h", - "zeek.orig_hostname", - "zeek.orig_l2_addr", - "zeek.orig_l2_oui", - "zeek.orig_p", - "zeek.orig_segment", - "zeek.password", - "zeek.proto", - "zeek.resp_h", - "zeek.resp_hostname", - "zeek.resp_l2_addr", - "zeek.resp_l2_oui", - "zeek.resp_p", - "zeek.resp_segment", - "zeek.result", - "zeek.service", - "zeek.service_version", - "zeek.source_geo.city_name", - "zeek.source_geo.country_name", - "zeek.source_ip_reverse_dns", + "zeek.gquic.cyu", + "zeek.gquic.cyutags", + "zeek.gquic.server_name", + "zeek.gquic.tag_count", + "zeek.gquic.user_agent", + "zeek.gquic.version", + "zeek.http.host", + "zeek.http.info_code", + "zeek.http.info_msg", + "zeek.http.method", + "zeek.http.orig_filenames", + "zeek.http.orig_fuids", + "zeek.http.orig_mime_types", + "zeek.http.origin", + "zeek.http.post_password_plain", + "zeek.http.post_username", + "zeek.http.proxied", + "zeek.http.referrer", + "zeek.http.request_body_len", + "zeek.http.resp_filenames", + "zeek.http.resp_fuids", + "zeek.http.resp_mime_types", + "zeek.http.response_body_len", + "zeek.http.status_code", + 
"zeek.http.status_msg", + "zeek.http.tags", + "zeek.http.trans_depth", + "zeek.http.uri", + "zeek.http.user_agent", + "zeek.http.version", + "zeek.intel.file_description", + "zeek.intel.file_mime_type", + "zeek.intel.indicator", + "zeek.intel.indicator_type", + "zeek.intel.matched", + "zeek.intel.seen_node", + "zeek.intel.seen_where", + "zeek.intel.sources", + "zeek.ipsec.certificates", + "zeek.ipsec.exchange_type", + "zeek.ipsec.flag_a", + "zeek.ipsec.flag_c", + "zeek.ipsec.flag_e", + "zeek.ipsec.flag_i", + "zeek.ipsec.flag_r", + "zeek.ipsec.flag_v", + "zeek.ipsec.flags", + "zeek.ipsec.hash", + "zeek.ipsec.initiator_spi", + "zeek.ipsec.is_orig", + "zeek.ipsec.ke_dh_groups", + "zeek.ipsec.length", + "zeek.ipsec.maj_ver", + "zeek.ipsec.message_id", + "zeek.ipsec.min_ver", + "zeek.ipsec.notify_messages", + "zeek.ipsec.proposals", + "zeek.ipsec.responder_spi", + "zeek.ipsec.transform_attributes", + "zeek.ipsec.transforms", + "zeek.ipsec.vendor_ids", + "zeek.irc.addl", + "zeek.irc.command", + "zeek.irc.dcc_file_name", + "zeek.irc.dcc_file_size", + "zeek.irc.dcc_mime_type", + "zeek.irc.nick", + "zeek.irc.value", + "zeek.iso_cotp.pdu_type", + "zeek.kerberos.cipher", + "zeek.kerberos.client_cert_fuid", + "zeek.kerberos.client_cert_subject", + "zeek.kerberos.cname", + "zeek.kerberos.error_msg", + "zeek.kerberos.forwardable", + "zeek.kerberos.from", + "zeek.kerberos.renewable", + "zeek.kerberos.request_type", + "zeek.kerberos.server_cert_fuid", + "zeek.kerberos.server_cert_subject", + "zeek.kerberos.sname", + "zeek.kerberos.success", + "zeek.kerberos.till", + "zeek.known_certs.issuer_subject", + "zeek.known_certs.serial", + "zeek.known_certs.subject", + "zeek.known_modbus.device_type", + "zeek.ldap.argument", + "zeek.ldap.message_id", + "zeek.ldap.object", + "zeek.ldap.operation", + "zeek.ldap.result_code", + "zeek.ldap.result_message", + "zeek.ldap.version", + "zeek.ldap_search.attributes", + "zeek.ldap_search.base_object", + "zeek.ldap_search.deref", + 
"zeek.ldap_search.filter", + "zeek.ldap_search.message_id", + "zeek.ldap_search.result_code", + "zeek.ldap_search.result_count", + "zeek.ldap_search.result_message", + "zeek.ldap_search.scope", + "zeek.login.client_user", + "zeek.login.confused", + "zeek.login.success", + "zeek.modbus.exception", + "zeek.modbus.func", + "zeek.modbus_detailed.address", + "zeek.modbus_detailed.func", + "zeek.modbus_detailed.network_direction", + "zeek.modbus_detailed.quantity", + "zeek.modbus_detailed.unit_id", + "zeek.modbus_detailed.values", + "zeek.modbus_mask_write_register.address", + "zeek.modbus_mask_write_register.and_mask", + "zeek.modbus_mask_write_register.func", + "zeek.modbus_mask_write_register.network_direction", + "zeek.modbus_mask_write_register.or_mask", + "zeek.modbus_mask_write_register.unit_id", + "zeek.modbus_read_write_multiple_registers.func", + "zeek.modbus_read_write_multiple_registers.network_direction", + "zeek.modbus_read_write_multiple_registers.read_quantity", + "zeek.modbus_read_write_multiple_registers.read_registers", + "zeek.modbus_read_write_multiple_registers.read_start_address", + "zeek.modbus_read_write_multiple_registers.unit_id", + "zeek.modbus_read_write_multiple_registers.write_registers", + "zeek.modbus_read_write_multiple_registers.write_start_address", + "zeek.mqtt_connect.client_id", + "zeek.mqtt_connect.connect_status", + "zeek.mqtt_connect.proto_name", + "zeek.mqtt_connect.proto_version", + "zeek.mqtt_connect.will_payload", + "zeek.mqtt_connect.will_topic", + "zeek.mqtt_publish.from_client", + "zeek.mqtt_publish.payload", + "zeek.mqtt_publish.payload_dict.messageType", + "zeek.mqtt_publish.payload_len", + "zeek.mqtt_publish.qos", + "zeek.mqtt_publish.retain", + "zeek.mqtt_publish.status", + "zeek.mqtt_publish.topic", + "zeek.mqtt_subscribe.ack", + "zeek.mqtt_subscribe.action", + "zeek.mqtt_subscribe.granted_qos_level", + "zeek.mqtt_subscribe.qos_levels", + "zeek.mqtt_subscribe.topics", + "zeek.mysql.arg", + "zeek.mysql.cmd", + 
"zeek.mysql.response", + "zeek.mysql.rows", + "zeek.mysql.success", + "zeek.notice.actions", + "zeek.notice.category", + "zeek.notice.dropped", + "zeek.notice.dst", + "zeek.notice.file_desc", + "zeek.notice.file_mime_type", + "zeek.notice.msg", + "zeek.notice.n", + "zeek.notice.note", + "zeek.notice.p", + "zeek.notice.peer_descr", + "zeek.notice.remote_location_city", + "zeek.notice.remote_location_country_code", + "zeek.notice.remote_location_latitude", + "zeek.notice.remote_location_longitude", + "zeek.notice.remote_location_region", + "zeek.notice.src", + "zeek.notice.sub", + "zeek.notice.sub_category", + "zeek.notice.suppress_for", + "zeek.ntlm.domain", + "zeek.ntlm.host", + "zeek.ntlm.server_dns_computer", + "zeek.ntlm.server_nb_computer", + "zeek.ntlm.server_tree", + "zeek.ntlm.status", + "zeek.ntlm.success", + "zeek.ntp.mode", + "zeek.ntp.mode_str", + "zeek.ntp.num_exts", + "zeek.ntp.org_time", + "zeek.ntp.poll", + "zeek.ntp.precision", + "zeek.ntp.rec_time", + "zeek.ntp.ref_id", + "zeek.ntp.ref_time", + "zeek.ntp.root_delay", + "zeek.ntp.root_disp", + "zeek.ntp.stratum", + "zeek.ntp.version", + "zeek.ntp.xmt_time", + "zeek.ocsp.certStatus", + "zeek.ocsp.hashAlgorithm", + "zeek.ocsp.issuerKeyHash", + "zeek.ocsp.issuerNameHash", + "zeek.ocsp.nextUpdate", + "zeek.ocsp.revokereason", + "zeek.ocsp.revoketime", + "zeek.ocsp.serialNumber", + "zeek.ocsp.thisUpdate", + "zeek.pe.compile_ts", + "zeek.pe.has_cert_table", + "zeek.pe.has_debug_data", + "zeek.pe.has_export_table", + "zeek.pe.has_import_table", + "zeek.pe.is_64bit", + "zeek.pe.is_exe", + "zeek.pe.machine", + "zeek.pe.os", + "zeek.pe.section_names", + "zeek.pe.subsystem", + "zeek.pe.uses_aslr", + "zeek.pe.uses_code_integrity", + "zeek.pe.uses_dep", + "zeek.pe.uses_seh", + "zeek.profinet.block_version", + "zeek.profinet.index", + "zeek.profinet.operation_type", + "zeek.profinet.slot_number", + "zeek.profinet.subslot_number", + "zeek.profinet_dce_rpc.activity_uuid", + "zeek.profinet_dce_rpc.interface_uuid", + 
"zeek.profinet_dce_rpc.object_uuid", + "zeek.profinet_dce_rpc.operation", + "zeek.profinet_dce_rpc.packet_type", + "zeek.profinet_dce_rpc.server_boot_time", + "zeek.profinet_dce_rpc.version", + "zeek.radius.connect_info", + "zeek.radius.framed_addr", + "zeek.radius.mac", + "zeek.radius.reply_msg", + "zeek.radius.result", + "zeek.radius.ttl", + "zeek.radius.tunnel_client", + "zeek.rdp.cert_count", + "zeek.rdp.cert_permanent", + "zeek.rdp.cert_type", + "zeek.rdp.client_build", + "zeek.rdp.client_channels", + "zeek.rdp.client_dig_product_id", + "zeek.rdp.client_name", + "zeek.rdp.cookie", + "zeek.rdp.desktop_height", + "zeek.rdp.desktop_width", + "zeek.rdp.encryption_level", + "zeek.rdp.encryption_method", + "zeek.rdp.keyboard_layout", + "zeek.rdp.requested_color_depth", + "zeek.rdp.result", + "zeek.rdp.security_protocol", + "zeek.rfb.auth", + "zeek.rfb.authentication_method", + "zeek.rfb.client_major_version", + "zeek.rfb.client_minor_version", + "zeek.rfb.desktop_name", + "zeek.rfb.height", + "zeek.rfb.server_major_version", + "zeek.rfb.server_minor_version", + "zeek.rfb.share_flag", + "zeek.rfb.width", + "zeek.s7comm.data_info", + "zeek.s7comm.item_count", + "zeek.s7comm.parameter", + "zeek.s7comm.parameters.class", + "zeek.s7comm.parameters.code", + "zeek.s7comm.parameters.group", + "zeek.s7comm.parameters.mode", + "zeek.s7comm.parameters.sub", + "zeek.s7comm.parameters.type", + "zeek.s7comm.rosctr", + "zeek.signatures.engine", + "zeek.signatures.event_message", + "zeek.signatures.hits", + "zeek.signatures.host_count", + "zeek.signatures.note", + "zeek.signatures.signature_count", + "zeek.signatures.signature_id", + "zeek.signatures.sub_message", + "zeek.sip.call_id", + "zeek.sip.content_type", + "zeek.sip.date", + "zeek.sip.method", + "zeek.sip.reply_to", + "zeek.sip.request_body_len", + "zeek.sip.request_from", + "zeek.sip.request_path", + "zeek.sip.request_to", + "zeek.sip.response_body_len", + "zeek.sip.response_from", + "zeek.sip.response_path", + 
"zeek.sip.response_to", + "zeek.sip.seq", + "zeek.sip.status_code", + "zeek.sip.status_msg", + "zeek.sip.subject", + "zeek.sip.trans_depth", + "zeek.sip.uri", + "zeek.sip.user_agent", + "zeek.sip.version", + "zeek.sip.warning", + "zeek.smb_cmd.argument", + "zeek.smb_cmd.command", + "zeek.smb_cmd.rtt", + "zeek.smb_cmd.status", + "zeek.smb_cmd.sub_command", + "zeek.smb_cmd.tree", + "zeek.smb_cmd.tree_service", + "zeek.smb_cmd.user", + "zeek.smb_cmd.version", + "zeek.smb_files.action", + "zeek.smb_files.data_len_req", + "zeek.smb_files.data_len_rsp", + "zeek.smb_files.data_offset_req", + "zeek.smb_files.name", + "zeek.smb_files.path", + "zeek.smb_files.prev_name", + "zeek.smb_files.size", + "zeek.smb_files.times_accessed", + "zeek.smb_files.times_changed", + "zeek.smb_files.times_created", + "zeek.smb_files.times_modified", + "zeek.smb_mapping.native_file_system", + "zeek.smb_mapping.path", + "zeek.smb_mapping.resource_type", + "zeek.smb_mapping.share_type", + "zeek.smtp.cc", + "zeek.smtp.date", + "zeek.smtp.first_received", + "zeek.smtp.from", + "zeek.smtp.helo", + "zeek.smtp.in_reply_to", + "zeek.smtp.is_webmail", + "zeek.smtp.last_reply", + "zeek.smtp.last_reply_code", + "zeek.smtp.last_reply_msg", + "zeek.smtp.mailfrom", + "zeek.smtp.msg_id", + "zeek.smtp.path", + "zeek.smtp.rcptto", + "zeek.smtp.reply_to", + "zeek.smtp.second_received", + "zeek.smtp.subject", + "zeek.smtp.tls", + "zeek.smtp.to", + "zeek.smtp.trans_depth", + "zeek.smtp.user_agent", + "zeek.smtp.x_originating_ip", + "zeek.snmp.community", + "zeek.snmp.display_string", + "zeek.snmp.duration", + "zeek.snmp.get_bulk_requests", + "zeek.snmp.get_requests", + "zeek.snmp.get_responses", + "zeek.snmp.set_requests", + "zeek.snmp.up_since", + "zeek.snmp.version", + "zeek.socks.bound_host", + "zeek.socks.bound_name", + "zeek.socks.bound_port", + "zeek.socks.request_host", + "zeek.socks.request_name", + "zeek.socks.request_port", + "zeek.socks.server_status", + "zeek.socks.version", + "zeek.software.name", + 
"zeek.software.software_type",
+ "zeek.software.unparsed_version",
+ "zeek.software.version_addl",
+ "zeek.software.version_major",
+ "zeek.software.version_minor",
+ "zeek.software.version_minor2",
+ "zeek.software.version_minor3",
+ "zeek.ssh.auth_attempts",
+ "zeek.ssh.auth_success",
+ "zeek.ssh.cipher_alg",
+ "zeek.ssh.client",
+ "zeek.ssh.compression_alg",
+ "zeek.ssh.cshka",
+ "zeek.ssh.direction",
+ "zeek.ssh.hassh",
+ "zeek.ssh.hasshAlgorithms",
+ "zeek.ssh.hasshServer",
+ "zeek.ssh.hasshServerAlgorithms",
+ "zeek.ssh.hasshVersion",
+ "zeek.ssh.host_key",
+ "zeek.ssh.host_key_alg",
+ "zeek.ssh.kex_alg",
+ "zeek.ssh.mac_alg",
+ "zeek.ssh.remote_location_city",
+ "zeek.ssh.remote_location_country_code",
+ "zeek.ssh.remote_location_latitude",
+ "zeek.ssh.remote_location_longitude",
+ "zeek.ssh.remote_location_region",
+ "zeek.ssh.server",
+ "zeek.ssh.sshka",
+ "zeek.ssh.version",
+ "zeek.ssl.cert_chain_fps",
+ "zeek.ssl.cert_chain_fuids",
+ "zeek.ssl.cipher",
+ "zeek.ssl.client_cert_chain_fps",
+ "zeek.ssl.client_cert_chain_fuids",
+ "zeek.ssl.client_issuer.C",
+ "zeek.ssl.client_issuer.CN",
+ "zeek.ssl.client_issuer.DC",
+ "zeek.ssl.client_issuer.emailAddress",
+ "zeek.ssl.client_issuer.GN",
+ "zeek.ssl.client_issuer.initials",
+ "zeek.ssl.client_issuer.L",
+ "zeek.ssl.client_issuer.O",
+ "zeek.ssl.client_issuer.OU",
+ "zeek.ssl.client_issuer.pseudonym",
+ "zeek.ssl.client_issuer.serialNumber",
+ "zeek.ssl.client_issuer.SN",
+ "zeek.ssl.client_issuer.ST",
+ "zeek.ssl.client_issuer.title",
+ "zeek.ssl.client_issuer_full",
+ "zeek.ssl.client_subject.C",
+ "zeek.ssl.client_subject.CN",
+ "zeek.ssl.client_subject.emailAddress",
+ "zeek.ssl.client_subject.GN",
+ "zeek.ssl.client_subject.initials",
+ "zeek.ssl.client_subject.L",
+ "zeek.ssl.client_subject.O",
+ "zeek.ssl.client_subject.OU",
+ "zeek.ssl.client_subject.pseudonym",
+ "zeek.ssl.client_subject.serialNumber",
+ "zeek.ssl.client_subject.SN",
+ "zeek.ssl.client_subject.ST",
+ "zeek.ssl.client_subject.title",
+ "zeek.ssl.client_subject_full",
+ "zeek.ssl.curve",
+ "zeek.ssl.established",
+ "zeek.ssl.issuer.C",
+ "zeek.ssl.issuer.CN",
+ "zeek.ssl.issuer.DC",
+ "zeek.ssl.issuer.emailAddress",
+ "zeek.ssl.issuer.GN",
+ "zeek.ssl.issuer.initials",
+ "zeek.ssl.issuer.L",
+ "zeek.ssl.issuer.O",
+ "zeek.ssl.issuer.OU",
+ "zeek.ssl.issuer.pseudonym",
+ "zeek.ssl.issuer.serialNumber",
+ "zeek.ssl.issuer.SN",
+ "zeek.ssl.issuer.ST",
+ "zeek.ssl.issuer.title",
+ "zeek.ssl.issuer_full",
+ "zeek.ssl.ja3",
+ "zeek.ssl.ja3s",
+ "zeek.ssl.last_alert",
+ "zeek.ssl.next_protocol",
+ "zeek.ssl.resumed",
+ "zeek.ssl.server_name",
+ "zeek.ssl.sni_matches_cert",
+ "zeek.ssl.ssl_history",
+ "zeek.ssl.ssl_version",
+ "zeek.ssl.subject.C",
+ "zeek.ssl.subject.CN",
+ "zeek.ssl.subject.description",
+ "zeek.ssl.subject.emailAddress",
+ "zeek.ssl.subject.GN",
+ "zeek.ssl.subject.initials",
+ "zeek.ssl.subject.L",
+ "zeek.ssl.subject.O",
+ "zeek.ssl.subject.OU",
+ "zeek.ssl.subject.postalCode",
+ "zeek.ssl.subject.pseudonym",
+ "zeek.ssl.subject.serialNumber",
+ "zeek.ssl.subject.SN",
+ "zeek.ssl.subject.ST",
+ "zeek.ssl.subject.street",
+ "zeek.ssl.subject.title",
+ "zeek.ssl.subject_full",
+ "zeek.ssl.validation_status",
+ "zeek.stun.attr_type",
+ "zeek.stun.attr_val",
+ "zeek.stun.class",
+ "zeek.stun.is_orig",
+ "zeek.stun.method",
+ "zeek.stun.trans_id",
+ "zeek.stun_nat.is_orig",
+ "zeek.stun_nat.lan_addr",
+ "zeek.stun_nat.wan_addr",
+ "zeek.stun_nat.wan_port",
+ "zeek.syslog.facility",
+ "zeek.syslog.message",
+ "zeek.syslog.severity",
+ "zeek.tds.command",
+ "zeek.tds_rpc.parameters",
+ "zeek.tds_rpc.procedure_name",
+ "zeek.tds_sql_batch.header_type",
+ "zeek.tds_sql_batch.query",
+ "zeek.tftp.block_acked",
+ "zeek.tftp.block_sent",
+ "zeek.tftp.error_code",
+ "zeek.tftp.error_msg",
+ "zeek.tftp.fname",
+ "zeek.tftp.mode",
+ "zeek.tftp.size",
+ "zeek.tftp.uid_data",
+ "zeek.tftp.wrq",
 "zeek.ts",
+ "zeek.tunnel.action",
+ "zeek.tunnel.tunnel_type",
"zeek.uid",
- "zeek.user",
- "zeek.user_agent",
- "zeek_bacnet.bvlc_function",
- "zeek_bacnet.invoke_id",
- "zeek_bacnet.pdu_service",
- "zeek_bacnet.pdu_type",
- "zeek_bacnet.result_code",
- "zeek_bacnet_discovery.instance_number",
- "zeek_bacnet_discovery.object_name",
- "zeek_bacnet_discovery.object_type",
- "zeek_bacnet_discovery.pdu_service",
- "zeek_bacnet_discovery.range",
- "zeek_bacnet_discovery.range_high",
- "zeek_bacnet_discovery.range_low",
- "zeek_bacnet_discovery.vendor",
- "zeek_bacnet_property.array_index",
- "zeek_bacnet_property.instance_number",
- "zeek_bacnet_property.object_type",
- "zeek_bacnet_property.pdu_service",
- "zeek_bacnet_property.property",
- "zeek_bacnet_property.value",
- "zeek_bestguess.category",
- "zeek_bestguess.name",
- "zeek_bsap_ip_header.num_msg",
- "zeek_bsap_ip_header.type_name",
- "zeek_bsap_ip_rdb.app_func_code",
- "zeek_bsap_ip_rdb.data",
- "zeek_bsap_ip_rdb.data_len",
- "zeek_bsap_ip_rdb.func_code",
- "zeek_bsap_ip_rdb.header_size",
- "zeek_bsap_ip_rdb.mes_seq",
- "zeek_bsap_ip_rdb.node_status",
- "zeek_bsap_ip_rdb.res_seq",
- "zeek_bsap_ip_rdb.sequence",
- "zeek_bsap_ip_unknown.data",
- "zeek_bsap_serial_header.ctl",
- "zeek_bsap_serial_header.dadd",
- "zeek_bsap_serial_header.dfun",
- "zeek_bsap_serial_header.nsb",
- "zeek_bsap_serial_header.sadd",
- "zeek_bsap_serial_header.seq",
- "zeek_bsap_serial_header.ser",
- "zeek_bsap_serial_header.sfun",
- "zeek_bsap_serial_header.type_name",
- "zeek_bsap_serial_rdb.data",
- "zeek_bsap_serial_rdb.func_code",
- "zeek_bsap_serial_rdb_ext.data",
- "zeek_bsap_serial_rdb_ext.dfun",
- "zeek_bsap_serial_rdb_ext.extfun",
- "zeek_bsap_serial_rdb_ext.nsb",
- "zeek_bsap_serial_rdb_ext.seq",
- "zeek_bsap_serial_rdb_ext.sfun",
- "zeek_bsap_serial_unknown.data",
- "zeek_cip.attribute_id",
- "zeek_cip.cip_sequence_count",
- "zeek_cip.cip_service",
- "zeek_cip.cip_status",
- "zeek_cip.class_id",
- "zeek_cip.class_name",
- "zeek_cip.data_id",
- "zeek_cip.direction",
- "zeek_cip.instance_id",
- "zeek_cip.other_id",
- "zeek_cip_identity.device_state",
- "zeek_cip_identity.device_status",
- "zeek_cip_identity.device_type_id",
- "zeek_cip_identity.device_type_name",
- "zeek_cip_identity.encapsulation_version",
- "zeek_cip_identity.product_code",
- "zeek_cip_identity.product_name",
- "zeek_cip_identity.revision",
- "zeek_cip_identity.serial_number",
- "zeek_cip_identity.socket_address",
- "zeek_cip_identity.socket_address_asn",
- "zeek_cip_identity.socket_address_geo.city_name",
- "zeek_cip_identity.socket_address_geo.country_name",
- "zeek_cip_identity.socket_port",
- "zeek_cip_identity.vendor_id",
- "zeek_cip_identity.vendor_name",
- "zeek_cip_io.connection_id",
- "zeek_cip_io.data_length",
- "zeek_cip_io.io_data",
- "zeek_cip_io.sequence_number",
- "zeek_conn.conn_state",
- "zeek_conn.conn_state_description",
- "zeek_conn.duration",
- "zeek_conn.history",
- "zeek_conn.inner_vlan",
- "zeek_conn.local_orig",
- "zeek_conn.local_resp",
- "zeek_conn.missed_bytes",
- "zeek_conn.orig_bytes",
- "zeek_conn.orig_ip_bytes",
- "zeek_conn.orig_pkts",
- "zeek_conn.resp_bytes",
- "zeek_conn.resp_ip_bytes",
- "zeek_conn.resp_pkts",
- "zeek_conn.tunnel_parents",
- "zeek_conn.vlan",
- "zeek_dce_rpc.endpoint",
- "zeek_dce_rpc.named_pipe",
- "zeek_dce_rpc.operation",
- "zeek_dce_rpc.rtt",
- "zeek_dhcp.assigned_ip",
- "zeek_dhcp.client_fqdn",
- "zeek_dhcp.client_message",
- "zeek_dhcp.client_software",
- "zeek_dhcp.domain",
- "zeek_dhcp.duration",
- "zeek_dhcp.host_name",
- "zeek_dhcp.lease_time",
- "zeek_dhcp.mac",
- "zeek_dhcp.msg_types",
- "zeek_dhcp.requested_ip",
- "zeek_dhcp.server_message",
- "zeek_dhcp.server_software",
- "zeek_dhcp.trans_id",
- "zeek_dnp3.fc_reply",
- "zeek_dnp3.fc_request",
- "zeek_dnp3.iin",
- "zeek_dnp3.iin_flags",
- "zeek_dnp3_control.block_type",
- "zeek_dnp3_control.execute_count",
- "zeek_dnp3_control.function_code",
- "zeek_dnp3_control.index_number",
- "zeek_dnp3_control.off_time",
- "zeek_dnp3_control.on_time",
- "zeek_dnp3_control.operation_type",
- "zeek_dnp3_control.status_code",
- "zeek_dnp3_control.trip_control_code",
- "zeek_dnp3_objects.function_code",
- "zeek_dnp3_objects.object_count",
- "zeek_dnp3_objects.object_type",
- "zeek_dnp3_objects.range_high",
- "zeek_dnp3_objects.range_low",
- "zeek_dns.AA",
- "zeek_dns.answers",
- "zeek_dns.qclass",
- "zeek_dns.qclass_name",
- "zeek_dns.qtype",
- "zeek_dns.qtype_name",
- "zeek_dns.query",
- "zeek_dns.RA",
- "zeek_dns.rcode",
- "zeek_dns.rcode_name",
- "zeek_dns.RD",
- "zeek_dns.rejected",
- "zeek_dns.rtt",
- "zeek_dns.TC",
- "zeek_dns.trans_id",
- "zeek_dns.TTLs",
- "zeek_dns.Z",
- "zeek_dpd.failure_reason",
- "zeek_dpd.service",
- "zeek_ecat_aoe_info.command",
- "zeek_ecat_aoe_info.data",
- "zeek_ecat_aoe_info.orig_port",
- "zeek_ecat_aoe_info.resp_port",
- "zeek_ecat_aoe_info.state",
- "zeek_ecat_arp_info.arp_type",
- "zeek_ecat_arp_info.orig_hw_addr",
- "zeek_ecat_arp_info.orig_proto_addr",
- "zeek_ecat_arp_info.resp_hw_addr",
- "zeek_ecat_arp_info.resp_proto_addr",
- "zeek_ecat_coe_info.dataoffset",
- "zeek_ecat_coe_info.index",
- "zeek_ecat_coe_info.number",
- "zeek_ecat_coe_info.req_resp",
- "zeek_ecat_coe_info.subindex",
- "zeek_ecat_coe_info.type",
- "zeek_ecat_dev_info.build",
- "zeek_ecat_dev_info.dev_type",
- "zeek_ecat_dev_info.dpram",
- "zeek_ecat_dev_info.features",
- "zeek_ecat_dev_info.fmmucnt",
- "zeek_ecat_dev_info.ports",
- "zeek_ecat_dev_info.revision",
- "zeek_ecat_dev_info.server_id",
- "zeek_ecat_dev_info.smcount",
- "zeek_ecat_foe_info.data",
- "zeek_ecat_foe_info.error_code",
- "zeek_ecat_foe_info.filename",
- "zeek_ecat_foe_info.opcode",
- "zeek_ecat_foe_info.packet_num",
- "zeek_ecat_foe_info.reserved",
- "zeek_ecat_log_address.command",
- "zeek_ecat_log_address.data",
- "zeek_ecat_log_address.length",
- "zeek_ecat_log_address.log_addr",
- "zeek_ecat_registers.command",
- "zeek_ecat_registers.data",
- "zeek_ecat_registers.register_addr",
- "zeek_ecat_registers.register_type",
- "zeek_ecat_registers.server_addr",
- "zeek_ecat_soe_info.drive_num",
- "zeek_ecat_soe_info.element",
- "zeek_ecat_soe_info.error",
- "zeek_ecat_soe_info.incomplete",
- "zeek_ecat_soe_info.index",
- "zeek_ecat_soe_info.opcode",
- "zeek_enip.enip_command",
- "zeek_enip.enip_status",
- "zeek_enip.length",
- "zeek_enip.options",
- "zeek_enip.sender_context",
- "zeek_enip.session_handle",
- "zeek_files.analyzers",
- "zeek_files.conn_uids",
- "zeek_files.depth",
- "zeek_files.duration",
- "zeek_files.extracted",
- "zeek_files.extracted_cutoff",
- "zeek_files.extracted_size",
- "zeek_files.filename",
- "zeek_files.is_orig",
- "zeek_files.local_orig",
- "zeek_files.md5",
- "zeek_files.mime_type",
- "zeek_files.missing_bytes",
- "zeek_files.overflow_bytes",
- "zeek_files.parent_fuid",
- "zeek_files.rx_hosts",
- "zeek_files.seen_bytes",
- "zeek_files.sha1",
- "zeek_files.sha256",
- "zeek_files.source",
- "zeek_files.timedout",
- "zeek_files.total_bytes",
- "zeek_files.tx_hosts",
- "zeek_ftp.arg",
- "zeek_ftp.command",
- "zeek_ftp.data_channel_orig_h",
- "zeek_ftp.data_channel_passive",
- "zeek_ftp.data_channel_resp_h",
- "zeek_ftp.data_channel_resp_p",
- "zeek_ftp.file_size",
- "zeek_ftp.mime_type",
- "zeek_ftp.reply_code",
- "zeek_ftp.reply_msg",
- "zeek_gquic.cyu",
- "zeek_gquic.cyutags",
- "zeek_gquic.server_name",
- "zeek_gquic.tag_count",
- "zeek_gquic.user_agent",
- "zeek_gquic.version",
- "zeek_http.host",
- "zeek_http.info_code",
- "zeek_http.info_msg",
- "zeek_http.method",
- "zeek_http.orig_filenames",
- "zeek_http.orig_fuids",
- "zeek_http.orig_mime_types",
- "zeek_http.origin",
- "zeek_http.post_password_plain",
- "zeek_http.post_username",
- "zeek_http.proxied",
- "zeek_http.referrer",
- "zeek_http.request_body_len",
- "zeek_http.resp_filenames",
- "zeek_http.resp_fuids",
- "zeek_http.resp_mime_types",
- "zeek_http.response_body_len",
- "zeek_http.status_code",
- "zeek_http.status_msg",
- "zeek_http.tags",
- "zeek_http.trans_depth",
- "zeek_http.uri",
- "zeek_http.user_agent",
- "zeek_http.version",
- "zeek_intel.file_description",
- "zeek_intel.file_mime_type",
- "zeek_intel.indicator",
- "zeek_intel.indicator_type",
- "zeek_intel.matched",
- "zeek_intel.seen_node",
- "zeek_intel.seen_where",
- "zeek_intel.sources",
- "zeek_ipsec.certificates",
- "zeek_ipsec.exchange_type",
- "zeek_ipsec.flag_a",
- "zeek_ipsec.flag_c",
- "zeek_ipsec.flag_e",
- "zeek_ipsec.flag_i",
- "zeek_ipsec.flag_r",
- "zeek_ipsec.flag_v",
- "zeek_ipsec.flags",
- "zeek_ipsec.hash",
- "zeek_ipsec.initiator_spi",
- "zeek_ipsec.is_orig",
- "zeek_ipsec.ke_dh_groups",
- "zeek_ipsec.length",
- "zeek_ipsec.maj_ver",
- "zeek_ipsec.message_id",
- "zeek_ipsec.min_ver",
- "zeek_ipsec.notify_messages",
- "zeek_ipsec.proposals",
- "zeek_ipsec.responder_spi",
- "zeek_ipsec.transform_attributes",
- "zeek_ipsec.transforms",
- "zeek_ipsec.vendor_ids",
- "zeek_irc.addl",
- "zeek_irc.command",
- "zeek_irc.dcc_file_name",
- "zeek_irc.dcc_file_size",
- "zeek_irc.dcc_mime_type",
- "zeek_irc.nick",
- "zeek_irc.value",
- "zeek_iso_cotp.pdu_type",
- "zeek_kerberos.cipher",
- "zeek_kerberos.client_cert_fuid",
- "zeek_kerberos.client_cert_subject",
- "zeek_kerberos.cname",
- "zeek_kerberos.error_msg",
- "zeek_kerberos.forwardable",
- "zeek_kerberos.from",
- "zeek_kerberos.renewable",
- "zeek_kerberos.request_type",
- "zeek_kerberos.server_cert_fuid",
- "zeek_kerberos.server_cert_subject",
- "zeek_kerberos.sname",
- "zeek_kerberos.success",
- "zeek_kerberos.till",
- "zeek_known_certs.issuer_subject",
- "zeek_known_certs.serial",
- "zeek_known_certs.subject",
- "zeek_known_modbus.device_type",
- "zeek_ldap.argument",
- "zeek_ldap.message_id",
- "zeek_ldap.object",
- "zeek_ldap.operation",
- "zeek_ldap.result_code",
- "zeek_ldap.result_message",
- "zeek_ldap.version",
- "zeek_ldap_search.base_object",
- "zeek_ldap_search.deref",
- "zeek_ldap_search.message_id",
- "zeek_ldap_search.result_code",
- "zeek_ldap_search.result_count",
- "zeek_ldap_search.result_message",
- "zeek_ldap_search.scope",
- "zeek_login.client_user",
- "zeek_login.confused",
- "zeek_login.success",
- "zeek_modbus.exception",
- "zeek_modbus.func",
- "zeek_modbus_detailed.address",
- "zeek_modbus_detailed.func",
- "zeek_modbus_detailed.network_direction",
- "zeek_modbus_detailed.quantity",
- "zeek_modbus_detailed.unit_id",
- "zeek_modbus_detailed.values",
- "zeek_modbus_mask_write_register.address",
- "zeek_modbus_mask_write_register.and_mask",
- "zeek_modbus_mask_write_register.func",
- "zeek_modbus_mask_write_register.network_direction",
- "zeek_modbus_mask_write_register.or_mask",
- "zeek_modbus_mask_write_register.unit_id",
- "zeek_modbus_read_write_multiple_registers.func",
- "zeek_modbus_read_write_multiple_registers.network_direction",
- "zeek_modbus_read_write_multiple_registers.read_quantity",
- "zeek_modbus_read_write_multiple_registers.read_registers",
- "zeek_modbus_read_write_multiple_registers.read_start_address",
- "zeek_modbus_read_write_multiple_registers.unit_id",
- "zeek_modbus_read_write_multiple_registers.write_registers",
- "zeek_modbus_read_write_multiple_registers.write_start_address",
- "zeek_modbus_register_change.delta",
- "zeek_modbus_register_change.new_val",
- "zeek_modbus_register_change.old_val",
- "zeek_modbus_register_change.register",
- "zeek_mqtt_connect.client_id",
- "zeek_mqtt_connect.connect_status",
- "zeek_mqtt_connect.proto_name",
- "zeek_mqtt_connect.proto_version",
- "zeek_mqtt_connect.will_payload",
- "zeek_mqtt_connect.will_topic",
- "zeek_mqtt_publish.from_client",
- "zeek_mqtt_publish.payload",
- "zeek_mqtt_publish.payload_len",
- "zeek_mqtt_publish.qos",
- "zeek_mqtt_publish.retain",
- "zeek_mqtt_publish.status",
- "zeek_mqtt_publish.topic",
- "zeek_mqtt_subscribe.ack",
- "zeek_mqtt_subscribe.action",
- "zeek_mqtt_subscribe.granted_qos_level",
- "zeek_mqtt_subscribe.qos_levels",
- "zeek_mqtt_subscribe.topics",
- "zeek_mysql.arg",
- "zeek_mysql.cmd",
- "zeek_mysql.response",
- "zeek_mysql.rows",
- "zeek_mysql.success",
- "zeek_notice.actions",
- "zeek_notice.category",
- "zeek_notice.dropped",
- "zeek_notice.dst",
- "zeek_notice.file_desc",
- "zeek_notice.file_mime_type",
- "zeek_notice.msg",
- "zeek_notice.n",
- "zeek_notice.note",
- "zeek_notice.p",
- "zeek_notice.peer_descr",
- "zeek_notice.remote_location_city",
- "zeek_notice.remote_location_country_code",
- "zeek_notice.remote_location_latitude",
- "zeek_notice.remote_location_longitude",
- "zeek_notice.remote_location_region",
- "zeek_notice.src",
- "zeek_notice.sub",
- "zeek_notice.sub_category",
- "zeek_notice.suppress_for",
- "zeek_ntlm.domain",
- "zeek_ntlm.host",
- "zeek_ntlm.server_dns_computer",
- "zeek_ntlm.server_nb_computer",
- "zeek_ntlm.server_tree",
- "zeek_ntlm.status",
- "zeek_ntlm.success",
- "zeek_ntp.mode",
- "zeek_ntp.mode_str",
- "zeek_ntp.num_exts",
- "zeek_ntp.org_time",
- "zeek_ntp.poll",
- "zeek_ntp.precision",
- "zeek_ntp.rec_time",
- "zeek_ntp.ref_id",
- "zeek_ntp.ref_time",
- "zeek_ntp.root_delay",
- "zeek_ntp.root_disp",
- "zeek_ntp.stratum",
- "zeek_ntp.version",
- "zeek_ntp.xmt_time",
- "zeek_ocsp.certStatus",
- "zeek_ocsp.hashAlgorithm",
- "zeek_ocsp.issuerKeyHash",
- "zeek_ocsp.issuerNameHash",
- "zeek_ocsp.nextUpdate",
- "zeek_ocsp.revokereason",
- "zeek_ocsp.revoketime",
- "zeek_ocsp.serialNumber",
- "zeek_ocsp.thisUpdate",
- "zeek_pe.compile_ts",
- "zeek_pe.has_cert_table",
- "zeek_pe.has_debug_data",
- "zeek_pe.has_export_table",
- "zeek_pe.has_import_table",
- "zeek_pe.is_64bit",
- "zeek_pe.is_exe",
- "zeek_pe.machine",
- "zeek_pe.os",
- "zeek_pe.section_names",
- "zeek_pe.subsystem",
- "zeek_pe.uses_aslr",
- "zeek_pe.uses_code_integrity",
- "zeek_pe.uses_dep",
- "zeek_pe.uses_seh",
- "zeek_profinet.block_version",
- "zeek_profinet.index",
- "zeek_profinet.operation_type",
- "zeek_profinet.slot_number",
- "zeek_profinet.subslot_number",
- "zeek_profinet_dce_rpc.activity_uuid",
- "zeek_profinet_dce_rpc.interface_uuid",
- "zeek_profinet_dce_rpc.object_uuid",
- "zeek_profinet_dce_rpc.operation",
- "zeek_profinet_dce_rpc.packet_type",
- "zeek_profinet_dce_rpc.server_boot_time",
- "zeek_profinet_dce_rpc.version",
- "zeek_radius.connect_info",
- "zeek_radius.framed_addr",
- "zeek_radius.mac",
- "zeek_radius.reply_msg",
- "zeek_radius.result",
- "zeek_radius.ttl",
- "zeek_radius.tunnel_client",
- "zeek_rdp.cert_count",
- "zeek_rdp.cert_permanent",
- "zeek_rdp.cert_type",
- "zeek_rdp.client_build",
- "zeek_rdp.client_channels",
- "zeek_rdp.client_dig_product_id",
- "zeek_rdp.client_name",
- "zeek_rdp.cookie",
- "zeek_rdp.desktop_height",
- "zeek_rdp.desktop_width",
- "zeek_rdp.encryption_level",
- "zeek_rdp.encryption_method",
- "zeek_rdp.keyboard_layout",
- "zeek_rdp.requested_color_depth",
- "zeek_rdp.result",
- "zeek_rdp.security_protocol",
- "zeek_rfb.auth",
- "zeek_rfb.authentication_method",
- "zeek_rfb.client_major_version",
- "zeek_rfb.client_minor_version",
- "zeek_rfb.desktop_name",
- "zeek_rfb.height",
- "zeek_rfb.server_major_version",
- "zeek_rfb.server_minor_version",
- "zeek_rfb.share_flag",
- "zeek_rfb.width",
- "zeek_s7comm.data_info",
- "zeek_s7comm.item_count",
- "zeek_s7comm.parameter",
- "zeek_s7comm.parameters.class",
- "zeek_s7comm.parameters.code",
- "zeek_s7comm.parameters.group",
- "zeek_s7comm.parameters.mode",
- "zeek_s7comm.parameters.sub",
- "zeek_s7comm.parameters.type",
- "zeek_s7comm.rosctr",
- "zeek_signatures.engine",
- "zeek_signatures.event_message",
- "zeek_signatures.hits",
- "zeek_signatures.host_count",
- "zeek_signatures.note",
- "zeek_signatures.signature_count",
- "zeek_signatures.signature_id",
- "zeek_signatures.sub_message",
- "zeek_sip.call_id",
- "zeek_sip.content_type",
- "zeek_sip.date",
- "zeek_sip.method",
- "zeek_sip.reply_to",
- "zeek_sip.request_body_len",
- "zeek_sip.request_from",
- "zeek_sip.request_path",
- "zeek_sip.request_to",
- "zeek_sip.response_body_len",
- "zeek_sip.response_from",
- "zeek_sip.response_path",
- "zeek_sip.response_to",
- "zeek_sip.seq",
- "zeek_sip.status_code",
- "zeek_sip.status_msg",
- "zeek_sip.subject",
- "zeek_sip.trans_depth",
- "zeek_sip.uri",
- "zeek_sip.user_agent",
- "zeek_sip.version",
- "zeek_sip.warning",
- "zeek_smb_cmd.argument",
- "zeek_smb_cmd.command",
- "zeek_smb_cmd.rtt",
- "zeek_smb_cmd.status",
- "zeek_smb_cmd.sub_command",
- "zeek_smb_cmd.tree",
- "zeek_smb_cmd.tree_service",
- "zeek_smb_cmd.user",
- "zeek_smb_cmd.version",
- "zeek_smb_files.action",
- "zeek_smb_files.data_len_req",
- "zeek_smb_files.data_len_rsp",
- "zeek_smb_files.data_offset_req",
- "zeek_smb_files.name",
- "zeek_smb_files.path",
- "zeek_smb_files.prev_name",
- "zeek_smb_files.size",
- "zeek_smb_files.times_accessed",
- "zeek_smb_files.times_changed",
- "zeek_smb_files.times_created",
- "zeek_smb_files.times_modified",
- "zeek_smb_mapping.native_file_system",
- "zeek_smb_mapping.path",
- "zeek_smb_mapping.resource_type",
- "zeek_smb_mapping.share_type",
- "zeek_smtp.cc",
- "zeek_smtp.date",
- "zeek_smtp.first_received",
- "zeek_smtp.from",
- "zeek_smtp.helo",
- "zeek_smtp.in_reply_to",
- "zeek_smtp.is_webmail",
- "zeek_smtp.last_reply",
- "zeek_smtp.last_reply_code",
- "zeek_smtp.last_reply_msg",
- "zeek_smtp.mailfrom",
- "zeek_smtp.msg_id",
- "zeek_smtp.path",
- "zeek_smtp.rcptto",
- "zeek_smtp.reply_to",
- "zeek_smtp.second_received",
- "zeek_smtp.subject",
- "zeek_smtp.tls",
- "zeek_smtp.to",
- "zeek_smtp.trans_depth",
- "zeek_smtp.user_agent",
- "zeek_smtp.x_originating_ip",
- "zeek_snmp.community",
- "zeek_snmp.display_string",
- "zeek_snmp.duration",
- "zeek_snmp.get_bulk_requests",
- "zeek_snmp.get_requests",
- "zeek_snmp.get_responses",
- "zeek_snmp.set_requests",
- "zeek_snmp.up_since",
- "zeek_snmp.version",
- "zeek_socks.bound_host",
- "zeek_socks.bound_name",
- "zeek_socks.bound_port",
- "zeek_socks.request_host",
- "zeek_socks.request_name",
- "zeek_socks.request_port",
- "zeek_socks.server_status",
- "zeek_socks.version",
- "zeek_software.name",
- "zeek_software.software_type",
- "zeek_software.unparsed_version",
- "zeek_software.version_addl",
- "zeek_software.version_major",
- "zeek_software.version_minor",
- "zeek_software.version_minor2",
- "zeek_software.version_minor3",
- "zeek_ssh.auth_attempts",
- "zeek_ssh.auth_success",
- "zeek_ssh.cipher_alg",
- "zeek_ssh.client",
- "zeek_ssh.compression_alg",
- "zeek_ssh.cshka",
- "zeek_ssh.direction",
- "zeek_ssh.hassh",
- "zeek_ssh.hasshAlgorithms",
- "zeek_ssh.hasshServer",
- "zeek_ssh.hasshServerAlgorithms",
- "zeek_ssh.hasshVersion",
- "zeek_ssh.host_key",
- "zeek_ssh.host_key_alg",
- "zeek_ssh.kex_alg",
- "zeek_ssh.mac_alg",
- "zeek_ssh.remote_location_city",
- "zeek_ssh.remote_location_country_code",
- "zeek_ssh.remote_location_latitude",
- "zeek_ssh.remote_location_longitude",
- "zeek_ssh.remote_location_region",
- "zeek_ssh.server",
- "zeek_ssh.sshka",
- "zeek_ssh.version",
- "zeek_ssl.cert_chain_fps",
- "zeek_ssl.cert_chain_fuids",
- "zeek_ssl.cipher",
- "zeek_ssl.client_cert_chain_fps",
- "zeek_ssl.client_cert_chain_fuids",
- "zeek_ssl.client_issuer.C",
- "zeek_ssl.client_issuer.CN",
- "zeek_ssl.client_issuer.DC",
- "zeek_ssl.client_issuer.emailAddress",
- "zeek_ssl.client_issuer.GN",
- "zeek_ssl.client_issuer.initials",
- "zeek_ssl.client_issuer.L",
- "zeek_ssl.client_issuer.O",
- "zeek_ssl.client_issuer.OU",
- "zeek_ssl.client_issuer.pseudonym",
- "zeek_ssl.client_issuer.serialNumber",
- "zeek_ssl.client_issuer.SN",
- "zeek_ssl.client_issuer.ST",
- "zeek_ssl.client_issuer.title",
- "zeek_ssl.client_issuer_full",
- "zeek_ssl.client_subject.C",
- "zeek_ssl.client_subject.CN",
- "zeek_ssl.client_subject.emailAddress",
- "zeek_ssl.client_subject.GN",
- "zeek_ssl.client_subject.initials",
- "zeek_ssl.client_subject.L",
- "zeek_ssl.client_subject.O",
- "zeek_ssl.client_subject.OU",
- "zeek_ssl.client_subject.pseudonym",
- "zeek_ssl.client_subject.serialNumber",
- "zeek_ssl.client_subject.SN",
- "zeek_ssl.client_subject.ST",
- "zeek_ssl.client_subject.title",
- "zeek_ssl.client_subject_full",
- "zeek_ssl.curve",
- "zeek_ssl.established",
- "zeek_ssl.issuer.C",
- "zeek_ssl.issuer.CN",
- "zeek_ssl.issuer.DC",
- "zeek_ssl.issuer.emailAddress",
- "zeek_ssl.issuer.GN",
- "zeek_ssl.issuer.initials",
- "zeek_ssl.issuer.L",
- "zeek_ssl.issuer.O",
- "zeek_ssl.issuer.OU",
- "zeek_ssl.issuer.pseudonym",
- "zeek_ssl.issuer.serialNumber",
- "zeek_ssl.issuer.SN",
- "zeek_ssl.issuer.ST",
- "zeek_ssl.issuer.title",
- "zeek_ssl.issuer_full",
- "zeek_ssl.ja3",
- "zeek_ssl.ja3_desc",
- "zeek_ssl.ja3s",
- "zeek_ssl.ja3s_desc",
- "zeek_ssl.last_alert",
- "zeek_ssl.next_protocol",
- "zeek_ssl.resumed",
- "zeek_ssl.server_name",
- "zeek_ssl.sni_matches_cert",
- "zeek_ssl.ssl_history",
- "zeek_ssl.ssl_version",
- "zeek_ssl.subject.C",
- "zeek_ssl.subject.CN",
- "zeek_ssl.subject.description",
- "zeek_ssl.subject.emailAddress",
- "zeek_ssl.subject.GN",
- "zeek_ssl.subject.initials",
- "zeek_ssl.subject.L",
- "zeek_ssl.subject.O",
- "zeek_ssl.subject.OU",
- "zeek_ssl.subject.postalCode",
- "zeek_ssl.subject.pseudonym",
- "zeek_ssl.subject.serialNumber",
- "zeek_ssl.subject.SN",
- "zeek_ssl.subject.ST",
- "zeek_ssl.subject.street",
- "zeek_ssl.subject.title",
- "zeek_ssl.subject_full",
- "zeek_ssl.validation_status",
- "zeek_stun.attr_type",
- "zeek_stun.attr_val",
- "zeek_stun.class",
- "zeek_stun.is_orig",
- "zeek_stun.method",
- "zeek_stun.trans_id",
- "zeek_stun_nat.is_orig",
- "zeek_stun_nat.lan_addr",
- "zeek_stun_nat.wan_addr",
- "zeek_stun_nat.wan_port",
- "zeek_syslog.facility",
- "zeek_syslog.message",
- "zeek_syslog.severity",
- "zeek_tds.command",
- "zeek_tds_rpc.parameters",
- "zeek_tds_rpc.procedure_name",
- "zeek_tds_sql_batch.header_type",
- "zeek_tds_sql_batch.query",
- "zeek_tftp.block_acked",
- "zeek_tftp.block_sent",
- "zeek_tftp.error_code",
- "zeek_tftp.error_msg",
- "zeek_tftp.fname",
- "zeek_tftp.mode",
- "zeek_tftp.size",
- "zeek_tftp.uid_data",
- "zeek_tftp.wrq",
- "zeek_tunnel.action",
- "zeek_tunnel.tunnel_type",
- "zeek_weird.addl",
- "zeek_weird.name",
- "zeek_weird.notice",
- "zeek_weird.peer",
- "zeek_wireguard.established",
- "zeek_wireguard.initiations",
- "zeek_wireguard.responses",
- "zeek_x509.basic_constraints_ca",
- "zeek_x509.basic_constraints_path_len",
- "zeek_x509.certificate_curve",
- "zeek_x509.certificate_exponent",
- "zeek_x509.certificate_issuer.C",
- "zeek_x509.certificate_issuer.CN",
- "zeek_x509.certificate_issuer.DC",
- "zeek_x509.certificate_issuer.emailAddress",
- "zeek_x509.certificate_issuer.GN",
- "zeek_x509.certificate_issuer.initials",
- "zeek_x509.certificate_issuer.L",
- "zeek_x509.certificate_issuer.O",
- "zeek_x509.certificate_issuer.OU",
- "zeek_x509.certificate_issuer.pseudonym",
- "zeek_x509.certificate_issuer.serialNumber",
- "zeek_x509.certificate_issuer.SN",
- "zeek_x509.certificate_issuer.ST",
- "zeek_x509.certificate_issuer.title",
- "zeek_x509.certificate_issuer_full",
- "zeek_x509.certificate_key_alg",
- "zeek_x509.certificate_key_length",
- "zeek_x509.certificate_key_type",
- "zeek_x509.certificate_not_valid_after",
- "zeek_x509.certificate_not_valid_before",
- "zeek_x509.certificate_serial",
- "zeek_x509.certificate_sig_alg",
- "zeek_x509.certificate_subject.C",
- "zeek_x509.certificate_subject.CN",
- "zeek_x509.certificate_subject.DC",
- "zeek_x509.certificate_subject.description",
- "zeek_x509.certificate_subject.emailAddress",
- "zeek_x509.certificate_subject.GN",
- "zeek_x509.certificate_subject.initials",
- "zeek_x509.certificate_subject.L",
- "zeek_x509.certificate_subject.O",
- "zeek_x509.certificate_subject.OU",
- "zeek_x509.certificate_subject.postalCode",
- "zeek_x509.certificate_subject.pseudonym",
- "zeek_x509.certificate_subject.serialNumber",
- "zeek_x509.certificate_subject.SN",
- "zeek_x509.certificate_subject.ST",
- "zeek_x509.certificate_subject.street",
- "zeek_x509.certificate_subject.title",
- "zeek_x509.certificate_subject_full",
- "zeek_x509.certificate_version",
- "zeek_x509.client_cert",
- "zeek_x509.fingerprint",
- "zeek_x509.host_cert",
- "zeek_x509.san_dns",
- "zeek_x509.san_email",
- "zeek_x509.san_ip",
- "zeek_x509.san_uri"
+ "zeek.weird.addl",
+ "zeek.weird.name",
+ "zeek.weird.notice",
+ "zeek.weird.peer",
+ "zeek.wireguard.established",
+ "zeek.wireguard.initiations",
+ "zeek.wireguard.receiver_index",
+ "zeek.wireguard.responses",
+ "zeek.wireguard.sender_index",
+ "zeek.x509.basic_constraints_ca",
+ "zeek.x509.basic_constraints_path_len",
+ "zeek.x509.certificate_curve",
+ "zeek.x509.certificate_exponent",
+ "zeek.x509.certificate_issuer.C",
+ "zeek.x509.certificate_issuer.CN",
+ "zeek.x509.certificate_issuer.DC",
+ "zeek.x509.certificate_issuer.emailAddress",
+ "zeek.x509.certificate_issuer.GN",
+ "zeek.x509.certificate_issuer.initials",
+ "zeek.x509.certificate_issuer.L",
+ "zeek.x509.certificate_issuer.O",
+ "zeek.x509.certificate_issuer.OU",
+ "zeek.x509.certificate_issuer.pseudonym",
+ "zeek.x509.certificate_issuer.serialNumber",
+ "zeek.x509.certificate_issuer.SN",
+ "zeek.x509.certificate_issuer.ST",
+ "zeek.x509.certificate_issuer.title",
+ "zeek.x509.certificate_issuer_full",
+ "zeek.x509.certificate_key_alg",
+ "zeek.x509.certificate_key_length",
+ "zeek.x509.certificate_key_type",
+ "zeek.x509.certificate_not_valid_after",
+ "zeek.x509.certificate_not_valid_before",
+ "zeek.x509.certificate_serial",
+ "zeek.x509.certificate_sig_alg",
+ "zeek.x509.certificate_subject.C",
+ "zeek.x509.certificate_subject.CN",
+ "zeek.x509.certificate_subject.DC",
+ "zeek.x509.certificate_subject.description",
+ "zeek.x509.certificate_subject.emailAddress",
+ "zeek.x509.certificate_subject.GN",
+ "zeek.x509.certificate_subject.initials",
+ "zeek.x509.certificate_subject.L",
+ "zeek.x509.certificate_subject.O",
+ "zeek.x509.certificate_subject.OU",
+ "zeek.x509.certificate_subject.postalCode",
+ "zeek.x509.certificate_subject.pseudonym",
+ "zeek.x509.certificate_subject.serialNumber",
+ "zeek.x509.certificate_subject.SN",
+ "zeek.x509.certificate_subject.ST",
+ "zeek.x509.certificate_subject.street",
+ "zeek.x509.certificate_subject.title",
+ "zeek.x509.certificate_subject_full",
+ "zeek.x509.certificate_version",
+ "zeek.x509.client_cert",
+ "zeek.x509.fingerprint",
+ "zeek.x509.host_cert",
+ "zeek.x509.san_dns",
+ "zeek.x509.san_email",
+ "zeek.x509.san_ip",
+ "zeek.x509.san_uri"
 ];
 var allFieldsStr = allFields.join(',');
 // add URL link for assigned transport protocol numbers
- var protoFieldsStr = allFields.filter(value => /^(network\.transport|zeek.proto|ip\.protocol)$/i.test(value)).join(',');
+ var protoFieldsStr = allFields.filter(value => /^(network\.transport|ip\.protocol)$/i.test(value)).join(',');
 this.api.addValueAction("malcolm_websearch_proto", {name:"Protocol Registry", url:'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml', fields:protoFieldsStr});
 // add right-click for searching IANA for services
- var serviceFieldsStr = allFields.filter(value => /^(zeek\.service|protocols?|network\.protocol)$/i.test(value)).join(',');
+ var serviceFieldsStr = allFields.filter(value => /^(protocols?|network\.protocol)$/i.test(value)).join(',');
 this.api.addValueAction("malcolm_websearch_service", {name:"Service Registry", url:'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=%TEXT%', fields:serviceFieldsStr});
 // add right-click for searching VirusTotal for other IP addresses
@@ -919,11 +1031,11 @@ class ZeekSource extends WISESource {
 this.api.addValueAction("malcolm_websearch_asn", {name:"ARIN ASN", url:'https://search.arin.net/rdap/?query=%TEXT%&searchFilter=asn', fields:asnFieldsStr});
 // add right-click for searching mime/media/content types
- var mimeFieldsStr = allFields.filter(value => /(^zeek\.filetype$|mime[_\.-]?type)/i.test(value)).join(',');
+ var mimeFieldsStr = allFields.filter(value => /mime[_\.-]?type/i.test(value)).join(',');
 this.api.addValueAction("malcolm_websearch_mime", {name:"Media Type Registry", url:'https://www.iana.org/assignments/media-types/%TEXT%', fields:mimeFieldsStr});
 // add right-click for extracted/quarantined files from zeek
- var carvedFieldsStr = allFields.filter(value => /^zeek_files\.extracted$/i.test(value)).join(',');
+ var carvedFieldsStr = allFields.filter(value => /^zeek\.files\.extracted$/i.test(value)).join(',');
 this.api.addValueAction("malcolm_carved_file_quarantined", {name:"Download (if quarantined)", url:"/dl-extracted-files/quarantine/%TEXT%", fields:carvedFieldsStr});
 this.api.addValueAction("malcolm_carved_file_preserved", {name:"Download (if preserved)", url:"/dl-extracted-files/preserved/%TEXT%", fields:carvedFieldsStr});
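Review bot: The new carved-file matcher `/^zeek\.files\.extracted$/i` is an exact match on one known name, so `carvedFieldsStr` is either that name or the empty string, and the empty string flows unchecked into the two download `addValueAction` calls that follow it; if the renamed `allFields` array (defined above this hunk) does not carry `"zeek.files.extracted"`, both actions register against no field and nothing reports the mismatch. A membership test states the dependency and can fail loudly: `var carvedFieldsStr = allFields.includes('zeek.files.extracted') ? 'zeek.files.extracted' : '';` followed by `if (!carvedFieldsStr) console.log('ZeekSource: zeek.files.extracted missing from allFields');`. In the same hunk the mime matcher drops `^zeek\.filetype$` without a renamed replacement, so a `zeek.filetype` field, if it still exists after the rename, loses the Media Type Registry action; presumably intended, but worth confirming. The enclosing method starts before this hunk and continues after it.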
@@ -937,85 +1049,78 @@ class ZeekSource extends WISESource { this.api.addValueAction("malcolm_kibana_cat_host", {name:filterLabel, url:filterUrl, category:"host"}); this.api.addValueAction("malcolm_kibana_cat_md5", {name:filterLabel, url:filterUrl, category:"md5"}); this.api.addValueAction("malcolm_kibana_cat_user", {name:filterLabel, url:filterUrl, category:"user"}); - this.api.addValueAction("malcolm_kibana_fields_zeek", {name:filterLabel, url:filterUrl, fields:allFieldsStr}); + this.api.addValueAction("malcolm_kibana_fields", {name:filterLabel, url:filterUrl, fields:allFieldsStr}); // add right-click for viewing original JSON document this.api.addValueAction("malcolm_session_json_source", {name:"View JSON Document", url:"sessions.json?expression=id=%TEXT%&fields=*&%DATE%", fields:"id"}); - this.api.addView("zeek_common", - "if (session.zeek)\n" + + this.api.addView("malcolm_common", + "if (session.malcolmDocId)\n" + // id information - " div.sessionDetailMeta.bold Zeek Common Fields\n" + + " div.sessionDetailMeta.bold Malcolm Common Fields\n" + " dl.sessionDetailMeta(suffix=\"IDs\")\n" + - " +arrayList(session.zeek, 'uid', 'Zeek Connection ID', 'zeek.uid')\n" + - " +arrayList(session.zeek, 'community_id', 'Zeek Connection Community ID', 'zeek.community_id')\n" + - " +arrayList(session.zeek, 'logType', 'Zeek Log Type', 'zeek.logType')\n" + - " +arrayList(session.host, 'name', 'Zeek Node', 'host.name')\n" + + " +arrayList(session.event, 'id', 'Log ID', 'event.id')\n" + + " +arrayList(session.network, 'community_id', 'Connection Community ID', 'network.community_id')\n" + + " +arrayList(session.event, 'dataset', 'Log Type', 'event.dataset')\n" + + " +arrayList(session.event, 'provider', 'Malcolm Data Source', 'event.provider')\n" + + " +arrayList(session.host, 'name', 'Malcolm Node', 'host.name')\n" + // basic connection information - " if (session.zeek.orig_h || session.zeek.orig_p || session.zeek.orig_l2_addr || session.zeek.resp_h || " + - " session.zeek.resp_p 
|| session.zeek.resp_l2_addr || session.zeek.proto || session.zeek.service || " + - " session.zeek.service_version || session.zeek.user_agent || session.zeek.user || session.zeek.password || " + - " session.zeek.action || session.zeek.result || session.zeek.freq_score_v1 || session.zeek.freq_score_v2 )\n" + - " dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" + - " +arrayList(session.zeek, 'orig_h', 'Originating Host', 'zeek.orig_h')\n" + - " +arrayList(session.zeek, 'orig_l2_addr', 'Originating MAC', 'zeek.orig_l2_addr')\n" + - " +arrayList(session.zeek, 'orig_l2_oui', 'Originating OUI', 'zeek.orig_l2_oui')\n" + - " +arrayList(session.zeek, 'orig_hostname', 'Originating Host Name', 'zeek.orig_hostname')\n" + - " +arrayList(session.zeek, 'source_ip_reverse_dns', 'Originating Host rDNS', 'zeek.source_ip_reverse_dns')\n" + - " +arrayList(session.zeek, 'orig_segment', 'Originating Network Segment', 'zeek.orig_segment')\n" + - " +arrayList(session.zeek.source_geo, 'country_name', 'Originating GeoIP Country', 'zeek.source_geo.country_name')\n" + - " +arrayList(session.zeek.source_geo, 'city_name', 'Originating GeoIP City', 'zeek.source_geo.city_name')\n" + - " +arrayList(session.zeek, 'resp_h', 'Responding Host', 'zeek.resp_h')\n" + - " +arrayList(session.zeek, 'resp_l2_addr', 'Responding MAC', 'zeek.resp_l2_addr')\n" + - " +arrayList(session.zeek, 'resp_l2_oui', 'Responding OUI', 'zeek.resp_l2_oui')\n" + - " +arrayList(session.zeek, 'resp_hostname', 'Responding Host Name', 'zeek.resp_hostname')\n" + - " +arrayList(session.zeek, 'destination_ip_reverse_dns', 'Responding Host rDNS', 'zeek.destination_ip_reverse_dns')\n" + - " +arrayList(session.zeek, 'resp_segment', 'Responding Network Segment', 'zeek.resp_segment')\n" + - " +arrayList(session.zeek.destination_geo, 'country_name', 'Responding GeoIP Country', 'zeek.destination_geo.country_name')\n" + - " +arrayList(session.zeek.destination_geo, 'city_name', 'Responding GeoIP City', 
'zeek.destination_geo.city_name')\n" + - " +arrayList(session.zeek, 'orig_p', 'Originating Port', 'zeek.orig_p')\n" + - " +arrayList(session.zeek, 'resp_p', 'Responding Port', 'zeek.resp_p')\n" + - " +arrayList(session.zeek, 'proto', 'Protocol', 'zeek.proto')\n" + - " +arrayList(session.zeek, 'service', 'Service', 'zeek.service')\n" + - " +arrayList(session.zeek, 'service_version', 'Service Version', 'zeek.service_version')\n" + - " +arrayList(session.zeek, 'action', 'Action', 'zeek.action')\n" + - " +arrayList(session.zeek, 'result', 'Result', 'zeek.result')\n" + - " +arrayList(session.zeek, 'user', 'User', 'zeek.user')\n" + - " +arrayList(session.zeek, 'password', 'Password', 'zeek.password')\n" + - " +arrayList(session.zeek, 'user_agent', 'User Agent', 'zeek.user_agent')\n" + - " +arrayList(session.zeek, 'freq_score_v1', 'Freq Score v1', 'zeek.freq_score_v1')\n" + - " +arrayList(session.zeek, 'freq_score_v2', 'Freq Score v2', 'zeek.freq_score_v2')\n" + - " +arrayList(session.event, 'severity', 'Severity', 'event.severity')\n" + - " +arrayList(session.event, 'risk_score', 'Risk Score', 'event.risk_score')\n" + - " +arrayList(session.event, 'severity_tags', 'Severity Tags', 'event.severity_tags')\n" + - - // file information - " if (session.zeek.fuid || session.zeek.filename || session.zeek.filetype)\n" + - " dl.sessionDetailMeta(suffix=\"File IDs\")\n" + - " +arrayList(session.zeek, 'fuid', 'File ID', 'zeek.fuid')\n" + - " +arrayList(session.zeek, 'filename', 'File Name', 'zeek.filename')\n" + - " +arrayList(session.zeek, 'filetype', 'File Magic', 'zeek.filetype')\n" + + " dl.sessionDetailMeta(suffix=\"Basic Connection Info\")\n" + + " +arrayList(session.source, 'ip', 'Originating Host', 'source.ip')\n" + + " +arrayList(session.source, 'mac', 'Originating MAC', 'source.mac')\n" + + " +arrayList(session.source, 'oui', 'Originating OUI', 'source.oui')\n" + + " +arrayList(session.source, 'hostname', 'Originating Host Name', 'source.hostname')\n" + + " 
+arrayList(session.source, 'ip_reverse_dns', 'Originating Host rDNS', 'source.ip_reverse_dns')\n" + + " +arrayList(session.source, 'segment', 'Originating Network Segment', 'source.segment')\n" + + " +arrayList(session.source.geo, 'country_name', 'Originating GeoIP Country', 'source.geo.country_name')\n" + + " +arrayList(session.source.geo, 'city_name', 'Originating GeoIP City', 'source.geo.city_name')\n" + + " +arrayList(session.destination, 'ip', 'Responding Host', 'destination.ip')\n" + + " +arrayList(session.destination, 'mac', 'Responding MAC', 'destination.mac')\n" + + " +arrayList(session.destination, 'oui', 'Responding OUI', 'destination.oui')\n" + + " +arrayList(session.destination, 'hostname', 'Responding Host Name', 'destination.hostname')\n" + + " +arrayList(session.destination, 'ip_reverse_dns', 'Responding Host rDNS', 'destination.ip_reverse_dns')\n" + + " +arrayList(session.destination, 'segment', 'Responding Network Segment', 'destination.segment')\n" + + " +arrayList(session.destination.geo, 'country_name', 'Responding GeoIP Country', 'destination.geo.country_name')\n" + + " +arrayList(session.destination.geo, 'city_name', 'Responding GeoIP City', 'destination.geo.city_name')\n" + + " +arrayList(session.source, 'port', 'Originating Port', 'source.port')\n" + + " +arrayList(session.destination, 'port', 'Responding Port', 'destination.port')\n" + + " +arrayList(session.related, 'ip', 'Related IP', 'related.ip')\n" + + " +arrayList(session.network, 'transport', 'Protocol', 'network.transport')\n" + + " +arrayList(session.network, 'protocol', 'Service', 'network.protocol')\n" + + " +arrayList(session.network, 'protocol_version', 'Service Version', 'network.protocol_version')\n" + + " +arrayList(session.event, 'action', 'Action', 'event.action')\n" + + " +arrayList(session.event, 'result', 'Result', 'event.result')\n" + + " +arrayList(session.related, 'user', 'User', 'related.user')\n" + + " +arrayList(session.related, 'password', 'Password', 
'related.password')\n" + + " +arrayList(session.user_agent, 'original', 'User Agent', 'user_agent.original')\n" + + " +arrayList(session.event, 'freq_score_v1', 'Freq Score v1', 'event.freq_score_v1')\n" + + " +arrayList(session.event, 'freq_score_v2', 'Freq Score v2', 'event.freq_score_v2')\n" + + " +arrayList(session.event, 'severity', 'Severity', 'event.severity')\n" + + " +arrayList(session.event, 'risk_score', 'Risk Score', 'event.risk_score')\n" + + " +arrayList(session.event, 'severity_tags', 'Severity Tags', 'event.severity_tags')\n" + + " +arrayList(session.file, 'path', 'File Path', 'file.path')\n" + + " +arrayList(session.file, 'mime_type', 'File Magic', 'file.mime_type')\n" + + " +arrayList(session.related, 'hash', 'Related Hash', 'related.hash')\n" + // #################################################################### " br\n"); - } } // ---------------------------------------------------------------------------- exports.initSource = function (api) { - api.addSourceConfigDef('zeek', { + api.addSourceConfigDef('malcolm', { singleton: true, - name: 'zeek', - description: 'Zeek log fields for Arkime as part of Malcolm', - link: 'https://github.com/cisagov/malcolm#ArkimeZeek', + name: 'malcolm', + description: 'Log fields for Arkime as part of Malcolm', + link: 'https://github.com/cisagov/malcolm', types: [], cacheable: false, displayable: true, fields: [] }); - return new ZeekSource(api, 'zeek'); + return new MalcolmSource(api, 'malcolm'); }; diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 2faedbaa3..e7b19d504 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml @@ -128,7 +128,7 @@ x-pcap-capture-variables: &pcap-capture-variables services: elasticsearch: - image: malcolmnetsec/elasticsearch-od:3.4.0 + image: malcolmnetsec/elasticsearch-od:4.0.0 restart: "no" stdin_open: false tty: true 
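Review bot: `session.source.geo`, `session.destination.geo` and `session.user_agent` are dereferenced under only the `if (session.malcolmDocId)` guard, so a document that carries `malcolmDocId` but no `source`, `destination` or `user_agent` object will, as far as the template shows, throw a TypeError on the nested property access before `+arrayList` gets a chance to treat the value as missing; the replaced view guarded every access with `if (session.zeek)`, which guaranteed the parent object existed. Guarding the nested accesses, e.g. `+arrayList(session.source && session.source.geo, 'country_name', 'Originating GeoIP Country', 'source.geo.country_name')`, or wrapping the section in `if (session.source || session.destination)`, avoids that. The removed `if (...)` in front of "Basic Connection Info" also means that header now renders for every Malcolm document even when none of its fields are set; if that is intended, a short comment saying so would help the next reader. The enclosing method starts before this hunk.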
@@ -165,7 +165,7 @@ services: retries: 3 start_period: 180s kibana-helper: - image: malcolmnetsec/kibana-helper:3.4.0 + image: malcolmnetsec/kibana-helper:4.0.0 restart: "no" stdin_open: false tty: true @@ -193,7 +193,7 @@ services: retries: 3 start_period: 30s kibana: - image: malcolmnetsec/kibana-od:3.4.0 + image: malcolmnetsec/kibana-od:4.0.0 restart: "no" stdin_open: false tty: true @@ -214,7 +214,7 @@ services: retries: 3 start_period: 210s logstash: - image: malcolmnetsec/logstash-oss:3.4.0 + image: malcolmnetsec/logstash-oss:4.0.0 restart: "no" stdin_open: false tty: true @@ -249,7 +249,7 @@ services: retries: 3 start_period: 600s filebeat: - image: malcolmnetsec/filebeat-oss:3.4.0 + image: malcolmnetsec/filebeat-oss:4.0.0 restart: "no" stdin_open: false tty: true @@ -286,7 +286,7 @@ services: retries: 3 start_period: 60s arkime: - image: malcolmnetsec/arkime:3.4.0 + image: malcolmnetsec/arkime:4.0.0 restart: "no" stdin_open: false tty: true @@ -325,7 +325,7 @@ services: retries: 3 start_period: 210s zeek: - image: malcolmnetsec/zeek:3.4.0 + image: malcolmnetsec/zeek:4.0.0 restart: "no" stdin_open: false tty: true @@ -351,7 +351,7 @@ services: retries: 3 start_period: 60s file-monitor: - image: malcolmnetsec/file-monitor:3.4.0 + image: malcolmnetsec/file-monitor:4.0.0 restart: "no" stdin_open: false tty: true @@ -374,7 +374,7 @@ services: retries: 3 start_period: 60s pcap-capture: - image: malcolmnetsec/pcap-capture:3.4.0 + image: malcolmnetsec/pcap-capture:4.0.0 restart: "no" stdin_open: false tty: true @@ -394,7 +394,7 @@ services: volumes: - ./pcap/upload:/pcap pcap-monitor: - image: malcolmnetsec/pcap-monitor:3.4.0 + image: malcolmnetsec/pcap-monitor:4.0.0 restart: "no" stdin_open: false tty: true @@ -417,7 +417,7 @@ services: retries: 3 start_period: 90s upload: - image: malcolmnetsec/file-upload:3.4.0 + image: malcolmnetsec/file-upload:4.0.0 restart: "no" stdin_open: false tty: true 
@@ -443,7 +443,7 @@ services: retries: 3 start_period: 60s htadmin: - image: malcolmnetsec/htadmin:3.4.0 + image: malcolmnetsec/htadmin:4.0.0 restart: "no" stdin_open: false tty: true @@ -465,7 +465,7 @@ services: retries: 3 start_period: 60s freq: - image: malcolmnetsec/freq:3.4.0 + image: malcolmnetsec/freq:4.0.0 restart: "no" stdin_open: false tty: true @@ -483,7 +483,7 @@ services: retries: 3 start_period: 60s name-map-ui: - image: malcolmnetsec/name-map-ui:3.4.0 + image: malcolmnetsec/name-map-ui:4.0.0 restart: "no" stdin_open: false tty: true @@ -504,7 +504,7 @@ services: retries: 3 start_period: 60s nginx-proxy: - image: malcolmnetsec/nginx-proxy:3.4.0 + image: malcolmnetsec/nginx-proxy:4.0.0 restart: "no" stdin_open: false tty: true diff --git a/docker-compose.yml b/docker-compose.yml index 4038ab7c3..439d1e063 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -131,7 +131,7 @@ services: build: context: . dockerfile: Dockerfiles/elasticsearch.Dockerfile - image: malcolmnetsec/elasticsearch-od:3.4.0 + image: malcolmnetsec/elasticsearch-od:4.0.0 restart: "no" stdin_open: false tty: true @@ -171,7 +171,7 @@ services: build: context: . dockerfile: Dockerfiles/kibana-helper.Dockerfile - image: malcolmnetsec/kibana-helper:3.4.0 + image: malcolmnetsec/kibana-helper:4.0.0 restart: "no" stdin_open: false tty: true @@ -202,7 +202,7 @@ services: build: context: . dockerfile: Dockerfiles/kibana.Dockerfile - image: malcolmnetsec/kibana-od:3.4.0 + image: malcolmnetsec/kibana-od:4.0.0 restart: "no" stdin_open: false tty: true @@ -226,7 +226,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: malcolmnetsec/logstash-oss:3.4.0 + image: malcolmnetsec/logstash-oss:4.0.0 restart: "no" stdin_open: false tty: true @@ -266,7 +266,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: malcolmnetsec/filebeat-oss:3.4.0 + image: malcolmnetsec/filebeat-oss:4.0.0 restart: "no" stdin_open: false tty: true 
@@ -307,7 +307,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: malcolmnetsec/arkime:3.4.0 + image: malcolmnetsec/arkime:4.0.0 restart: "no" stdin_open: false tty: true @@ -352,7 +352,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: malcolmnetsec/zeek:3.4.0 + image: malcolmnetsec/zeek:4.0.0 restart: "no" stdin_open: false tty: true @@ -382,7 +382,7 @@ services: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: malcolmnetsec/file-monitor:3.4.0 + image: malcolmnetsec/file-monitor:4.0.0 restart: "no" stdin_open: false tty: true @@ -408,7 +408,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: malcolmnetsec/pcap-capture:3.4.0 + image: malcolmnetsec/pcap-capture:4.0.0 restart: "no" stdin_open: false tty: true @@ -431,7 +431,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: malcolmnetsec/pcap-monitor:3.4.0 + image: malcolmnetsec/pcap-monitor:4.0.0 restart: "no" stdin_open: false tty: true @@ -457,7 +457,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: malcolmnetsec/file-upload:3.4.0 + image: malcolmnetsec/file-upload:4.0.0 restart: "no" stdin_open: false tty: true @@ -483,7 +483,7 @@ services: retries: 3 start_period: 60s htadmin: - image: malcolmnetsec/htadmin:3.4.0 + image: malcolmnetsec/htadmin:4.0.0 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -508,7 +508,7 @@ services: retries: 3 start_period: 60s freq: - image: malcolmnetsec/freq:3.4.0 + image: malcolmnetsec/freq:4.0.0 build: context: . dockerfile: Dockerfiles/freq.Dockerfile @@ -529,7 +529,7 @@ services: retries: 3 start_period: 60s name-map-ui: - image: malcolmnetsec/name-map-ui:3.4.0 + image: malcolmnetsec/name-map-ui:4.0.0 build: context: . dockerfile: Dockerfiles/name-map-ui.Dockerfile 
@@ -556,7 +556,7 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: malcolmnetsec/nginx-proxy:3.4.0 + image: malcolmnetsec/nginx-proxy:4.0.0 restart: "no" stdin_open: false tty: true diff --git a/kibana/anomaly_detectors/zeek_filetype_AD.json b/kibana/anomaly_detectors/zeek_filetype_AD.json index 12e246ed8..bc51c6252 100644 --- a/kibana/anomaly_detectors/zeek_filetype_AD.json +++ b/kibana/anomaly_detectors/zeek_filetype_AD.json @@ -1,5 +1,5 @@ { - "name": "zeek_filetype_AD", + "name": "file_mime_type_AD", "description": "Detect anomalies based on transferred file type", "time_field": "firstPacket", "indices": [ @@ -7,12 +7,12 @@ ], "feature_attributes": [ { - "feature_name": "zeek_filetype", + "feature_name": "file_mime_type", "feature_enabled": true, "aggregation_query": { - "zeek_filetype": { + "file_mime_type": { "value_count": { - "field": "zeek.filetype" + "field": "file.mime_type" } } } @@ -23,7 +23,7 @@ "filter": [ { "exists": { - "field": "zeek.filetype", + "field": "file.mime_type", "boost": 1 } } diff --git a/kibana/anomaly_detectors/zeek_service_AD.json b/kibana/anomaly_detectors/zeek_service_AD.json index 5cdb74596..72c8901e1 100644 --- a/kibana/anomaly_detectors/zeek_service_AD.json +++ b/kibana/anomaly_detectors/zeek_service_AD.json @@ -6,27 +6,27 @@ "arkime_sessions3-*" ], "category_field": [ - "zeek.service" + "network.protocol" ], "feature_attributes": [ { - "feature_name": "zeek_action", + "feature_name": "event_action", "feature_enabled": true, "aggregation_query": { - "zeek_action": { + "event_action": { "value_count": { - "field": "zeek.action" + "field": "event.action" } } } }, { - "feature_name": "zeek_result", + "feature_name": "event_result", "feature_enabled": true, "aggregation_query": { - "zeek_result": { + "event_result": { "value_count": { - "field": "zeek.result" + "field": "event.result" } } } 
@@ -37,19 +37,19 @@ "filter": [ { "exists": { - "field": "zeek.service", + "field": "network.protocol", "boost": 1 } }, { "exists": { - "field": "zeek.action", + "field": "event.action", "boost": 1 } }, { "exists": { - "field": "zeek.result", + "field": "event.result", "boost": 1 } } diff --git a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json index a2c6d5eb3..82303c384 100644 --- a/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json +++ b/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json 
@@ -165,7 +165,7 @@ "version": "WzYsMV0=", "attributes": { "title": "X.509 - Certificate Signing Algorithm", - "visState": "{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithm\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_x509.certificate_sig_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"}}]}", + "visState": "{\"title\":\"X.509 - Certificate Signing 
Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithm\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.x509.certificate_sig_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -194,7 +194,7 @@ "updated_at": "2021-10-12T17:34:03.402Z", "version": "WzcsMV0=", "attributes": { - "visState": "{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.x509.certificate_subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}", "description": "", "title": "X.509 - Certificate Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -224,7 +224,7 @@ "updated_at": "2021-10-12T17:34:03.402Z", "version": "WzgsMV0=", "attributes": { - "visState": "{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_issuer_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.x509.certificate_issuer_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}", "description": "", "title": "X.509 - Certificate Issuer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -255,7 +255,7 @@ "version": "WzksMV0=", "attributes": { "title": "X.509 - Certificate Key Length", - "visState": "{\"title\":\"X.509 - Certificate Key Length\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.certificate_key_length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Length\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"X.509 - Certificate Key 
Length\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.certificate_key_length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Length\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -285,7 +285,7 @@ "version": "WzEwLDFd", "attributes": { "title": "X.509 - Certificate Key Algorithm", - "visState": "{\"title\":\"X.509 - Certificate Key Algorithm\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.certificate_key_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":7,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"X.509 - Certificate Key 
Algorithm\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.certificate_key_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":7,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -345,12 +345,12 @@ "version": "WzM5NywxXQ==", "attributes": { "title": "SSL - Relevant Notices", - "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
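Review bot: In the new `visState` the `dimensions.buckets` entry for Destination IP still carries `"missingBucketLabel":"1"`, while the three other buckets and both terms `aggs` use `"-"`; that reads as a stray value carried over from the old side rather than an intended label. It is probably harmless, since `params.dimensions` looks like a cached rendering of the `aggs` that Kibana recomputes, but it is the one place where a reader of this saved object sees a label that disagrees with the aggregation it describes, so `"missingBucketLabel":"-"` is the consistent value. The `aggs` entries (`missingBucket` true, label `-`) are what actually drive the table.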
@@ -375,12 +375,12 @@ "version": "Wzg2MSwxXQ==", "attributes": { "title": "OCSP - Certificate Revocation", - "visState": "{\"title\":\"OCSP - Certificate Revocation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ocsp.certStatus\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Status\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ocsp.revokereason\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revocation Reason\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"OCSP - Certificate Revocation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ocsp.certStatus\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Status\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ocsp.revokereason\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revocation 
Reason\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek_ocsp.certStatus:good\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.ocsp.certStatus:good\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -405,7 +405,7 @@ "version": "WzEzLDFd", "attributes": { "title": "X.509 - Is Host Certificate", - "visState": "{\"title\":\"X.509 - Is Host Certificate\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.host_cert\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host Certificate\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":false}}", + "visState": "{\"title\":\"X.509 - Is Host Certificate\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.host_cert\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host Certificate\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":false}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -435,7 +435,7 @@ "version": "WzE0LDFd", "attributes": { "title": "X.509 - Is Client Certificate", - "visState": "{\"title\":\"X.509 - Is Client Certificate\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.client_cert\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Certificate\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"X.509 - Is Client Certificate\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.client_cert\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Certificate\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -465,7 +465,7 @@ "version": "WzE1LDFd", "attributes": { "title": "X.509 - Certificate Fingerprint", - "visState": "{\"title\":\"X.509 - Certificate Fingerprint\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.fingerprint\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Fingerprint\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"X.509 - Certificate Fingerprint\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.fingerprint\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Fingerprint\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -498,12 +498,12 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_x509.certificate_issuer.CN",
- "zeek_x509.certificate_subject.CN",
- "zeek_x509.host_cert",
- "zeek_x509.client_cert",
- "zeek_x509.certificate_sig_alg",
- "zeek_x509.certificate_version"
+ "zeek.x509.certificate_issuer.CN",
+ "zeek.x509.certificate_subject.CN",
+ "zeek.x509.host_cert",
+ "zeek.x509.client_cert",
+ "zeek.x509.certificate_sig_alg",
+ "zeek.x509.certificate_version"
 ],
 "sort": [
 [
@@ -513,7 +513,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:x509\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:x509\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
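Review bot: The saved search now selects its records with `event.dataset:x509`, and the hunks at L239, L240 and L250 make the same switch from `zeek.logType` to `event.dataset` for the ocsp, notice and ldap searches. `zeek.logType` was implicitly scoped to Zeek output, whereas `event.dataset` is a generic ECS field, so if anything other than Zeek is ever indexed into the same pattern with a dataset of the same name these searches, and the visualizations that hang off them, will include those records; the columns stay Zeek-specific (`zeek.x509.*`), so that would surface as rows with empty cells rather than as an error. If the pattern holds more than Zeek data, pairing the dataset term with a provider term (ECS `event.provider`, if it is populated here) keeps the selection as narrow as it was before.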
@@ -540,18 +540,18 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_ocsp.thisUpdate",
- "zeek_ocsp.nextUpdate",
- "zeek_ocsp.certStatus",
- "zeek_ocsp.revokereason",
- "zeek_ocsp.revoketime",
- "zeek_ocsp.serialNumber",
- "zeek.fuid"
+ "zeek.ocsp.thisUpdate",
+ "zeek.ocsp.nextUpdate",
+ "zeek.ocsp.certStatus",
+ "zeek.ocsp.revokereason",
+ "zeek.ocsp.revoketime",
+ "zeek.ocsp.serialNumber",
+ "event.id"
 ],
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -578,12 +578,12 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_notice.category",
- "zeek_notice.sub_category",
- "zeek_notice.msg",
+ "zeek.notice.category",
+ "zeek.notice.sub_category",
+ "zeek.notice.msg",
 "source.ip",
 "destination.ip",
- "zeek.uid"
+ "event.id"
 ],
 "sort": [
 [
@@ -593,7 +593,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
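Review bot: In the OCSP saved search the `zeek.fuid` column becomes `event.id`, while in the notice search of the same hunk and the LDAP searches at L240 and L250 `event.id` replaces `zeek.uid`; if `event.id` carries the connection UID, as those other replacements suggest, this table loses the file UID, which is the value that links an OCSP response to its certificate and file records. Unless `event.id` is populated from the fuid for ocsp records, keep a column for the file identifier (`zeek.fuid`, or whatever it is mapped to now) alongside `event.id` so that pivot is not lost.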
diff --git a/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
index 0b5b11f65..6d60deea9 100644
--- a/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
+++ b/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
@@ -151,13 +151,13 @@
 "source.ip",
 "destination.ip",
 "destination.port",
- "zeek_ldap.version",
- "zeek_ldap.message_id",
- "zeek.action",
- "zeek_ldap.object",
- "zeek_ldap.argument",
- "zeek.result",
- "zeek.uid"
+ "zeek.ldap.version",
+ "zeek.ldap.message_id",
+ "event.action",
+ "zeek.ldap.object",
+ "zeek.ldap.argument",
+ "event.result",
+ "event.id"
 ],
 "sort": [
 [
@@ -167,7 +167,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
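Review bot: `zeek.result` is renamed to `event.result` in this saved search (and in the visualizations at L244, L248 and L250), and `zeek.service_version` to `network.protocol_version` at L244; neither is an ECS field, ECS defines `event.outcome` and `network.protocol` but no `event.result` or `network.protocol_version`. If the intent of this commit is ECS alignment, as the `event.dataset`/`event.action`/`event.id` renames suggest, those two names deserve a second look, either mapping to the ECS equivalents or keeping them under a vendor namespace so a reader does not mistake them for standard fields. If they are deliberate extensions, the index template and field list need to declare them, since the saved searches now reference them as columns.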
@@ -251,12 +251,12 @@ "version": "WzE0MTcsMV0=", "attributes": { "title": "LDAP - Log Count", - "visState": "{\"title\":\"LDAP - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}}}}", + "visState": "{\"title\":\"LDAP - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}}}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -281,12 +281,12 @@ "version": "WzE1MzgsMV0=", "attributes": { "title": "LDAP - Bind", - "visState": "{\"title\":\"LDAP - Bind\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Version\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ldap.object\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Object/Mechanism\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"LDAP - 
Bind\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Version\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ldap.object\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Object/Mechanism\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:bind*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.action:bind*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -311,7 +311,7 @@ "version": "WzE1NzcsMV0=", "attributes": { "title": "LDAP - Search Scope", - "visState": "{\"title\":\"LDAP - Search Scope\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Searches\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ldap_search.scope\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Search Scope\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"zeek_ldap_search.result_count\",\"customLabel\":\"Entries Returned\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Searches\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true},{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"id\":\"3\",\"label\":\"Entries 
Returned\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"LDAP - Search Scope\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Searches\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ldap_search.scope\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Search Scope\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"zeek.ldap_search.result_count\",\"customLabel\":\"Entries Returned\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Searches\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true},{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"id\":\"3\",\"label\":\"Entries 
Returned\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -341,12 +341,12 @@ "version": "WzEzMzUsMV0=", "attributes": { "title": "LDAP - Result Code", - "visState": "{\"title\":\"LDAP - Result Code\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result Code\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"LDAP - Result Code\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result Code\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -371,12 +371,12 @@ "version": "WzEyOTksMV0=", "attributes": { "title": "LDAP - Operation", - "visState": "{\"title\":\"LDAP - Operation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":199,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"LDAP - Operation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":199,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ldap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -407,17 +407,18 @@
 "source.ip",
 "destination.ip",
 "destination.port",
- "zeek_ldap_search.message_id",
- "zeek.action",
- "zeek_ldap_search.base_object",
- "zeek_ldap_search.result_count",
- "zeek.result",
- "zeek.uid"
+ "zeek.ldap_search.message_id",
+ "event.action",
+ "zeek.ldap_search.base_object",
+ "zeek.ldap_search.filter",
+ "zeek.ldap_search.result_count",
+ "event.result",
+ "event.id"
 ],
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"ldap_search\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap_search\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -444,14 +445,14 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek.logType",
- "zeek.service",
- "zeek.action",
- "zeek.result",
+ "event.dataset",
+ "network.protocol",
+ "event.action",
+ "event.result",
 "source.ip",
 "destination.ip",
 "destination.port",
- "zeek.uid"
+ "event.id"
 ],
 "sort": [
 [
@@ -461,7 +462,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
index 291776d32..eddd96feb 100644
--- a/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
+++ b/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json @@ -139,7 +139,7 @@ "updated_at": "2021-02-10T21:24:07.693Z", "version": "WzgzLDFd", "attributes": { - "visState": "{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.arg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ftp.arg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}", "description": "", "title": "FTP - Argument", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
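Review bot: The new `visState` for "FTP - Argument" still carries the misspelled key `showMeticsAtAllLevels`, whereas every other table visualization rewritten in this commit (for example "SSL - Relevant Notices", "OCSP - Certificate Revocation" and "LDAP - Bind") spells it `showMetricsAtAllLevels`; an unknown key is presumably ignored by Kibana, so the option silently falls back to its default. Since the line is being rewritten anyway, correcting it to `"showMetricsAtAllLevels":false` costs nothing. The trailing `"listeners":{}` is a legacy property that none of the other visStates in this diff have; it is harmless but could be dropped for consistency.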
@@ -170,7 +170,7 @@ "version": "Wzg0LDFd", "attributes": { "title": "FTP - Commands and Replies", - "visState": "{\"title\":\"FTP - Commands and Replies\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.action: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_ftp.reply_code: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.result: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.reply_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply Code\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.reply_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Reply\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply Message\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", + "visState": "{\"title\":\"FTP - Commands and Replies\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"event.action: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.ftp.reply_code: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"event.result: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ftp.reply_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply Code\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ftp.reply_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Reply\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply 
Message\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -200,7 +200,7 @@ "version": "WzE4ODksMV0=", "attributes": { "title": "FTP - Reply", - "visState": "{\"title\":\"FTP - Reply\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"FTP - 
Reply\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -289,7 +289,7 @@ "updated_at": "2021-02-10T21:24:07.693Z", "version": "Wzg4LDFd", "attributes": { - "visState": "{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", "description": "", "title": "FTP - Username", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", @@ -355,10 +355,9 @@ "columns": [ "source.ip", "destination.ip", - "zeek_ftp.command", - "zeek_ftp.reply_msg", - "zeek.uid", - "zeek.fuid" + "zeek.ftp.command", + "zeek.ftp.reply_msg", + "event.id" ], "sort": [ [ 
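Review bot: The `FTP - Username` terms aggregation now buckets on `related.user`, which in ECS is the catch-all list of every user identity observed on an event rather than the single authenticated FTP login; if the ingest pipeline also writes a single-valued user field for ftp events, that would be the more precise bucket field and would keep any additional identities that enrichment appends to `related.user` from being counted as FTP logins. The Logstash field mapping is not visible in this diff, so confirm which fields are populated for `event.dataset:ftp` before changing `\"field\":\"related.user\"`. The enclosing saved-object JSON starts and ends outside the hunk.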
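Review bot: The FTP saved-search columns drop `zeek.fuid` and keep only `event.id`, so the per-transfer file identifier disappears from the table unless `event.id` carries both the connection uid and the file uid. The Capa signatures search later in this same diff maps `zeek.fuid` to `event.id` as well, which suggests that is the intent, but it is worth confirming against the pipeline because the fuid is the analyst's pivot from an ftp record to the files.log entry (and extracted file) for the transfer. If `event.id` holds only the connection uid, re-add whichever field the pipeline now uses for the Zeek file id as a column. The enclosing saved-object JSON ends outside the hunk.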
@@ -368,7 +367,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ftp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ftp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index dc4e7432c..18136925d 100644 --- a/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -1,5 +1,5 @@ { - "version": "7.10.0", + "version": "7.10.2", "objects": [ { "id": "0a490422-0ce9-44bf-9a2d-19329ddde8c3", 
@@ -7,18 +7,18 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "WzkxLDFd", + "updated_at": "2021-11-16T21:13:35.008Z", + "version": "WzEzMzEsMV0=", "attributes": { "title": "PE", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":29,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":11,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":11,\"w\":15,\"h\":18,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":11,\"w\":14,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":29,\"w\":21,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":37,\"y\":11,\"w\":11,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":11,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":29,\"w\":27,\"h\":18,\"i\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\"},\"panelIndex\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":23,\"i\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\"},\"panelIndex\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\",\"embeddableConfig\":{\"title\":\"Executable Capabilities\"},\"title\":\"Executable 
Capabilities\",\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":39,\"i\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\"},\"panelIndex\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":11,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":15,\"x\":22,\"y\":11},\"panelIndex\":\"5\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"7\",\"w\":14,\"x\":8,\"y\":11},\"panelIndex\":\"7\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"9\",\"w\":21,\"x\":27,\"y\":29},\"panelIndex\":\"9\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":11,\"x\":37,\"y\":11},\"panelIndex\":\"10\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"11\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"11\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\",\"w\":27,\"x\":0,\"y\":29},\"panelIndex\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"title\":\"Executable Capabilities\"},\"gridData\":{\"h\":23,\"i\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\",\"title\":\"Executable 
Capabilities\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":39,\"i\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\",\"w\":48,\"x\":0,\"y\":70},\"panelIndex\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}}}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" } }, "references": [ 
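Review bot: The rewritten searchSourceJSON still bakes `\"time_zone\":\"America/Boise\"` into the dashboard's query_string, which is an exporting developer's local zone shipped to every installation that imports this dashboard; any date-math later added to this query would be evaluated in that zone instead of the viewer's Kibana `dateFormat:tz` setting, and it also leaks a workstation detail into a public artifact. Since the query is just `*`, dropping the key is behaviour-neutral today: `\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}`. Other dashboards exported the same way are likely to carry the same key and could be cleaned up in one pass.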
@@ -83,8 +83,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:09.616Z", - "version": "Wzg3MiwxXQ==", + "updated_at": "2021-11-16T20:41:10.924Z", + "version": "WzkzNiwxXQ==", "attributes": { "title": "Zeek Logs", "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/kibana/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[β†ͺ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● 
[IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/kibana/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT 
Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -106,8 +106,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "WzkzLDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIwNSwxXQ==", "attributes": { "visState": "{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", 
@@ -136,11 +136,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk0LDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIwNiwxXQ==", "attributes": { "title": "PE - OS", - "visState": "{\"title\":\"PE - OS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_pe.os: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.os\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"PE - OS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.pe.os: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.pe.os\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -166,11 +166,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk1LDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIwNywxXQ==", "attributes": { "title": "PE - Subsystem", - "visState": "{\"title\":\"PE - Subsystem\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_pe.subsystem: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.subsystem\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"PE - Subsystem\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.pe.subsystem: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.pe.subsystem\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -196,23 +196,23 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk2LDFd", + "updated_at": "2021-11-16T21:13:15.537Z", + "version": "WzEzMjAsMV0=", "attributes": { - "visState": "{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.section_names\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", - "description": "", "title": "PE - Section Name", + "visState": "{\"title\":\"PE - Section Name\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.pe.section_names\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Section Name\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", + "type": "search", 
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768" } ], @@ -226,10 +226,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk3LDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIwOSwxXQ==", "attributes": { - "visState": "{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.machine\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.pe.machine\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}", "description": "", "title": "PE - Machine", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -256,8 +256,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk4LDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIxMCwxXQ==", "attributes": { "title": "PE - Log Count", "visState": "{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 
@@ -286,11 +286,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "Wzk5LDFd", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIxMSwxXQ==", "attributes": { "title": "Capa Signatures", - "visState": "{\"title\":\"Capa Signatures\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_signatures.signature_id: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature\"}}]}", + "visState": "{\"title\":\"Capa Signatures\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.signatures.signature_id: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -316,15 +316,15 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "WzEwMCwxXQ==", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIxMiwxXQ==", "attributes": { "title": "Signatures (Capa) - Logs", "description": "", "hits": 0, "columns": [ - "zeek_signatures.signature_id", - "zeek.fuid" + "zeek.signatures.signature_id", + "event.id" ], "sort": [ [ @@ -334,7 +334,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:signatures AND zeek_signatures.engine:Capa\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:signatures AND zeek.signatures.engine:Capa\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
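Review bot: In the `columns` list of the "Signatures (Capa) - Logs" saved search, `zeek.fuid` is replaced by `event.id`, which drops the file-uid column unless `event.id` is populated from the file uid for the `signatures` dataset; the page does not show that mapping, so confirm it against the pipeline. If `event.id` instead carries the connection uid for these records, a Capa hit can no longer be tied back to the extracted file from the search view, which is the main pivot an analyst needs here. The "PE - Logs" search in the next hunk makes the same substitution. One option is to keep a file-identifier column alongside `event.id` in both searches, e.g. `"event.id", "<file uid field — placeholder>"`, once the correct ECS field name is confirmed.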
@@ -354,17 +354,17 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:08.721Z", - "version": "WzEwMSwxXQ==", + "updated_at": "2021-11-16T20:40:06.406Z", + "version": "WzIxMywxXQ==", "attributes": { "title": "PE - Logs", "description": "", "hits": 0, "columns": [ - "zeek_pe.machine", - "zeek_pe.os", - "zeek_pe.subsystem", - "zeek.fuid" + "zeek.pe.machine", + "zeek.pe.os", + "zeek.pe.subsystem", + "event.id" ], "sort": [ [ @@ -374,7 +374,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:pe\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:pe\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 54e7f15cb..ee0a0cca3 100644 --- a/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json 
@@ -135,7 +135,7 @@ "version": "WzExMiwxXQ==", "attributes": { "title": "Connections - Service By Destination Country", - "visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"row\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", + "visState": "{\"title\":\"Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"row\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -165,7 +165,7 @@ "version": "WzExMywxXQ==", "attributes": { "title": "Log Type", - "visState": "{\"title\":\"Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.logType\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}", + "visState": "{\"title\":\"Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -224,7 +224,7 @@ "version": "WzExNSwxXQ==", "attributes": { "title": "DNS - Queries", - "visState": "{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}", + "visState": "{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -254,7 +254,7 @@ "version": "WzExNiwxXQ==", "attributes": { "title": "Application Protocol", - "visState": "{\"title\":\"Application Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", + "visState": "{\"title\":\"Application 
Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -283,12 +283,12 @@ "version": "WzExNywxXQ==", "attributes": { "title": "Actions and Results", - "visState": "{\"title\":\"Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketL
abel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"}}]}", + "visState": "{\"title\":\"Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"o
therBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:* OR zeek.result:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.action:* OR event.result:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -315,14 +315,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.service", - "zeek.action", - "zeek.result", + "event.dataset", + "network.protocol", + "event.action", + "event.result", "source.ip", "destination.ip", "destination.port", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -332,7 +332,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -359,14 +359,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ 
@@ -376,7 +376,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -405,9 +405,9 @@ "columns": [ "source.ip", "destination.ip", - "zeek_dns.query", - "zeek_dns.answers", - "zeek.uid" + "zeek.dns.query", + "zeek.dns.answers", + "event.id" ], "sort": [ [ @@ -417,7 +417,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index 002f1c8b5..74c09b573 100644 --- a/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json 
@@ -56,7 +56,7 @@ "updated_at": "2021-02-10T21:24:10.810Z", "version": "WzEzMiwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Destination - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Destination - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Destination - Top Connection Duration", "uiStateJSON": "{}", 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index 34d015162..8cc4e817f 100644 
--- a/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json 
@@ -220,7 +220,7 @@ "version": "WzE1MCwxXQ==", "attributes": { "title": "SIP - Destination Country", - "visState": "{\"title\":\"SIP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.destination_geo.country_name: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"SIP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"destination.geo.country_name: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -249,7 +249,7 @@ "updated_at": "2021-02-10T21:24:11.908Z", "version": "WzE1MSwxXQ==", "attributes": { - "visState": "{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.request_path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.sip.request_path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}", "description": "", "title": "SIP - Request Path", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -279,7 +279,7 @@ "updated_at": "2021-02-10T21:24:11.908Z", "version": "WzE1MiwxXQ==", "attributes": { - "visState": "{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.sip.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", "description": "", "title": "SIP - URI", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -309,7 +309,7 @@ "updated_at": "2021-02-10T21:24:11.908Z", "version": "WzE1MywxXQ==", "attributes": { - "visState": "{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", "description": "", "title": "SIP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -340,7 +340,7 @@ "version": "WzE1NCwxXQ==", "attributes": { "title": "SIP - Content Type", - "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_sip.content_type: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_sip.content_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Content Type\"}}]}", + "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.sip.content_type: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.sip.content_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Content Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -369,7 +369,7 @@ "updated_at": "2021-02-10T21:24:11.908Z", "version": "WzE1NSwxXQ==", "attributes": { - "visState": "{\"title\":\"SIP - Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_sip.method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SIP - 
Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.sip.method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}", "description": "", "title": "SIP - Method", "uiStateJSON": "{}", 
@@ -460,7 +460,7 @@ "version": "WzE1OCwxXQ==", "attributes": { "title": "SIP - Status", - "visState": "{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}", + "visState": "{\"title\":\"SIP - 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.sip.status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.sip.status_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -496,10 +496,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_sip.method", - "zeek_sip.content_type", - "zeek_sip.status_msg", - "zeek.uid" + "zeek.sip.method", + "zeek.sip.content_type", + "zeek.sip.status_msg", + "event.id" ], "sort": [ [ @@ -509,7 +509,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:sip\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:sip\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index f6b9aec2d..dd0d3c7bf 100644 --- a/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -135,7 +135,7 @@ "version": "WzM3OTIsMV0=", "attributes": { "title": "Tunnels - Type", - "visState": "{\"title\":\"Tunnels - Type\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tunnel.tunnel_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"Tunnels - Type\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.tunnel.tunnel_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -225,7 +225,7 @@ "version": "WzM4MTEsMV0=", "attributes": { "title": "Tunnels - Country", - "visState": "{\"title\":\"Tunnels - Country\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"Tunnels - 
Country\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
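Review bot: The new `Tunnels - Country` line keeps `\"show\":\"true\"` as a string inside `seriesParams`, whereas the sibling `Tunnels - Action` visualization (L307) and every other `seriesParams` entry in this diff use the boolean `true`. Kibana presumably treats the non-empty string as truthy, so this is a consistency point rather than a visible bug, but since the line is rewritten here it is a good moment to change it to `\"show\":true`.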
@@ -255,7 +255,7 @@ "version": "WzM3NjAsMV0=", "attributes": { "title": "Tunnels - Action", - "visState": "{\"title\":\"Tunnels - Action\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tunnel.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"Tunnels - 
Action\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.tunnel.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -322,9 +322,9 @@ "source.port", "destination.ip", "destination.port", - "zeek_tunnel.action", - "zeek_tunnel.tunnel_type", - "zeek.uid" + "zeek.tunnel.action", + "zeek.tunnel.tunnel_type", + "event.id" ], "sort": [ [ 
@@ -334,7 +334,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:tunnel\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:tunnel\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index b2157c276..6c67f8e9a 100644 --- a/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json @@ -144,11 +144,11 @@ "hits": 0, "columns": [ "source.ip", - "zeek.user_agent", + "user_agent.original", "destination.ip", "quic.host", "quic.version", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -158,7 +158,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:gquic\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:gquic\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -272,7 +272,7 @@ "version": "WzE5OCwxXQ==", "attributes": { "title": "QUIC - User Agent", - "visState": "{\"title\":\"QUIC - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user_agent\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}", + "visState": "{\"title\":\"QUIC - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -332,7 +332,7 @@ "version": "WzIwMCwxXQ==", "attributes": { "title": "QUIC - CYU Fingerprint", - "visState": "{\"title\":\"QUIC - CYU Fingerprint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyutags\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint Tags\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyu\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint MD5\"}}]}", + "visState": "{\"title\":\"QUIC - CYU Fingerprint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.gquic.cyutags\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint 
Tags\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.gquic.cyu\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint MD5\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, diff --git a/kibana/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/kibana/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json index 19a6d6ea8..e6e1d961b 100644 --- a/kibana/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json +++ b/kibana/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json 
@@ -188,7 +188,7 @@ "version": "Wzg1NywxXQ==", "attributes": { "title": "Best Guess Protocol - Destination", - "visState": "{\"title\":\"Best Guess Protocol - Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"Best Guess Protocol - 
Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
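Review bot: The `Transport` bucket in `Best Guess Protocol - Destination` keeps `\"field\":\"protocol\"`, while the `Best Guess - Summary` table in the same file (L314–L315) moves its identically labelled `Transport` bucket from `zeek.proto` to `network.transport`; the `Source` table (L316–L317) also stays on `protocol`. If `protocol` is not the same value as `network.transport` (I cannot tell from the diff whether it is a single transport or a broader protocol list), the three tables will disagree under the same column heading. If the intent is the ECS transport, `\"field\":\"network.transport\"` here and in the Source table would match the Summary; otherwise a short note in the commit description explaining why the tables differ would help.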
@@ -218,7 +218,7 @@ "version": "WzgzNywxXQ==", "attributes": { "title": "Best Guess - Summary", - "visState": "{\"title\":\"Best Guess - Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Details\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"Best Guess - 
Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Details\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -248,7 +248,7 @@ "version": "Wzg4NSwxXQ==", "attributes": { "title": "Best Guess Protocol - Source", - "visState": "{\"title\":\"Best Guess Protocol - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tranport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"Best Guess Protocol - 
Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tranport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
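Review bot: The `customLabel` on the `protocol` bucket in the new visState still reads `Tranport`, so the migrated table header keeps the typo; it should be `\"customLabel\":\"Transport\"`. The `Best Guess - Summary` visState in the preceding hunk moved its transport column from `zeek.proto` to `network.transport`, while this table keeps aggregating on `protocol` under the same label — if both columns are meant to show the transport protocol, this agg should presumably use `network.transport` as well, otherwise the label should say what `protocol` actually holds. Either way the two "Best Guess" tables should agree on the field so a drill-down from one to the other filters on the same ECS field.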
@@ -278,7 +278,7 @@ "version": "WzExNywxXQ==", "attributes": { "title": "Best Guess - Category", - "visState": "{\"title\":\"Best Guess - Category\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"Best Guess - 
Category\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -312,13 +312,13 @@ "hits": 0, "columns": [ "protocol", - "zeek_bestguess.category", - "zeek_bestguess.name", + "zeek.bestguess.category", + "zeek.bestguess.name", "source.ip", "source.port", "destination.ip", "destination.port", - "zeek.uid" + "event.id" ], "sort": [], "version": 1, diff --git a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json index 194c4bba1..832ff0947 100644 --- a/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json +++ b/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json 
@@ -140,7 +140,7 @@ "version": "WzIwNCwxXQ==", "attributes": { "title": "Modbus - Functions", - "visState": "{\"title\":\"Modbus - Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Function\"}}]}", + "visState": "{\"title\":\"Modbus - 
Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Function\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus Function Codes", "version": 1, @@ -176,9 +176,9 @@ "source.ip", "destination.ip", "destination.port", - "zeek_modbus.func", - "zeek_modbus.exception", - "zeek.uid" + "zeek.modbus.func", + "zeek.modbus.exception", + "event.id" ], "sort": [ [ @@ -188,7 +188,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"modbus\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"modbus\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -272,7 +272,7 @@ "version": "WzIwOCwxXQ==", "attributes": { "title": "Modbus - Observed Clients and Servers", - "visState": "{\"title\":\"Modbus - Observed Clients and Servers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Times Observed\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Device Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", + "visState": "{\"title\":\"Modbus - Observed Clients and Servers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Times Observed\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Device 
Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "Modbus observed client and server devices", "version": 1, 
@@ -302,7 +302,7 @@ "version": "WzIwOSwxXQ==", "attributes": { "title": "Modbus - Observed Client/Server Ratio", - "visState": "{\"title\":\"Modbus - Observed Client/Server Ratio\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus Role\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Role\"}}]}", + "visState": "{\"title\":\"Modbus - Observed Client/Server Ratio\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus 
Role\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Role\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "Modbus Observed Clients and Servers Chart", "version": 1, 
@@ -332,12 +332,12 @@ "version": "WzIxMCwxXQ==", "attributes": { "title": "Modbus - Log Count", - "visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "Count of Modbus logs including Modbus Detailed and Modbus Register Change", 
"version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*modbus*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*modbus*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
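Review bot: The migrated `searchSourceJSON` query `event.dataset:*modbus*` keeps a leading wildcard in a KQL query; Kibana only accepts that while the `query:allowLeadingWildcards` advanced setting is enabled, and the term is then evaluated as a wildcard scan rather than an exact keyword match on every dashboard refresh. The `description` already names the datasets this count is meant to cover, so an explicit disjunction such as `event.dataset:(modbus OR modbus_detailed OR <register-change dataset>)` would be cheaper and independent of that setting — the exact dataset names should be confirmed against the ingest pipeline before hard-coding them. The lucene form of the same query in the `@@ -361,12 +361,12 @@` hunk below has the same issue.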
@@ -361,12 +361,12 @@ "version": "WzIxMSwxXQ==", "attributes": { "title": "Modbus - Logs Over Time", - "visState": "{\"title\":\"Modbus - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:33:54.363Z\",\"max\":\"2021-01-14T16:33:54.363Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"Modbus - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:33:54.363Z\",\"max\":\"2021-01-14T16:33:54.363Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "Modbus Logs over Time", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*modbus*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*modbus*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
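Review bot: The new `visState` for `Modbus - Logs Over Time` still carries a serialized `dimensions` block whose `x.params.bounds` pins `min`/`max` to fixed 1971/2021 timestamps and whose label is `firstPacket per 365 days`, even though the agg itself uses `\"interval\":\"auto\"` and a relative `timeRange`. That block looks like render-time state captured at export rather than configuration, so it should presumably be dropped from the saved object — the sibling `Modbus - Observed Clients and Servers` visState in this file ships without a `dimensions` object at all — so that re-exports stay stable and reviewers are not misled by a fixed time window. The `Modbus - Functions` and `Modbus - Exceptions` visStates in this file carry the same export artifact, without the bounds.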
@@ -390,7 +390,7 @@ "version": "WzIxMiwxXQ==", "attributes": { "title": "Modbus - Exceptions", - "visState": "{\"title\":\"Modbus - Exceptions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus Exception\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.exception\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}", + "visState": "{\"title\":\"Modbus - 
Exceptions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus Exception\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus.exception\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus Exception Codes", "version": 1, 
@@ -420,7 +420,7 @@ "version": "WzIxMywxXQ==", "attributes": { "title": "Modbus Detailed - Request and Response", - "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek_modbus_detailed.network_direction: 
Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_modbus_detailed.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus_detailed.network_direction: Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus_detailed.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
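Review bot: The group agg `3` on `zeek.modbus_detailed.network_direction` in the new visState has no `customLabel`, so the legend falls back to the raw field name, which is what the auto-generated `zeek.modbus_detailed.network_direction: Descending` label baked into `dimensions.x.label` in the same string shows. Adding `\"customLabel\":\"Direction\"` to that agg's params, as the sibling `func` agg does with `Function`, gives the renamed field a readable legend; the `dimensions.x.label` itself reads as an export-time artifact that would presumably be regenerated from the agg on render.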
@@ -450,12 +450,12 @@ "version": "WzIxNCwxXQ==", "attributes": { "title": "Modbus - Writes", - "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}", + "visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":
\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus write register and write coil overview from modbus_detailed.log", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_modbus_detailed.network_direction:(\\\"request\\\")\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus_detailed.network_direction:(\\\"request\\\")\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
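Review bot: The "Modbus - Writes" saved search in this hunk still selects every request by `zeek.modbus_detailed.network_direction:(\"request\")` with no function-code constraint, while its description promises a "write register and write coil overview" and the sibling "Modbus - Reads" object (hunk at 480) does narrow on `zeek.modbus_detailed.func`. As written the table will list read requests under a "Writes" heading, which is misleading when the dashboard is used to spot unexpected write activity against a PLC. If that is not intended, the query could be narrowed the same way Reads is, e.g. `zeek.modbus_detailed.network_direction:(\"request\") AND zeek.modbus_detailed.func:(\"WRITE_SINGLE_COIL\" OR \"WRITE_SINGLE_REGISTER\" OR \"WRITE_MULTIPLE_COILS\" OR \"WRITE_MULTIPLE_REGISTERS\")`, after confirming those are the function names this deployment indexes. The surrounding saved-object record (its `references` array) continues outside the hunk.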
@@ -480,12 +480,12 @@ "version": "WzIxNSwxXQ==", "attributes": { "title": "Modbus - Reads", - "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}", + "visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit 
ID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_modbus_detailed.network_direction:(\\\"response\\\") AND zeek_modbus_detailed.func:(\\\"READ_DISCRETE_INPUTS\\\" OR \\\"READ_COILS\\\" OR \\\"READ_HOLDING_REGISTERS\\\" OR \\\"READ_INPUT_REGISTERS\\\")\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus_detailed.network_direction:(\\\"response\\\") AND zeek.modbus_detailed.func:(\\\"READ_DISCRETE_INPUTS\\\" OR \\\"READ_COILS\\\" OR \\\"READ_HOLDING_REGISTERS\\\" OR \\\"READ_INPUT_REGISTERS\\\")\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, @@ -515,12 +515,12 @@ "columns": [ "source.ip", "destination.ip", - "zeek_modbus_detailed.func", - "zeek_modbus_detailed.network_direction", - "zeek_modbus_detailed.unit_id", - "zeek_modbus_detailed.address", - "zeek_modbus_detailed.quantity", - "zeek_modbus_detailed.values" + "zeek.modbus_detailed.func", + "zeek.modbus_detailed.network_direction", + "zeek.modbus_detailed.unit_id", + "zeek.modbus_detailed.address", + "zeek.modbus_detailed.quantity", + "zeek.modbus_detailed.values" ], "sort": [ [ 
@@ -530,7 +530,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_detailed\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_detailed\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -559,12 +559,12 @@ "columns": [ "source.ip", "destination.ip", - "zeek_modbus_mask_write_register.network_direction", - "zeek_modbus_mask_write_register.func", - "zeek_modbus_mask_write_register.unit_id", - "zeek_modbus_mask_write_register.address", - "zeek_modbus_mask_write_register.and_mask", - "zeek_modbus_mask_write_register.or_mask" + "zeek.modbus_mask_write_register.network_direction", + "zeek.modbus_mask_write_register.func", + "zeek.modbus_mask_write_register.unit_id", + "zeek.modbus_mask_write_register.address", + "zeek.modbus_mask_write_register.and_mask", + "zeek.modbus_mask_write_register.or_mask" ], "sort": [ [ @@ -574,7 +574,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_mask_write_register\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_mask_write_register\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -603,13 +603,13 @@ "columns": [ "source.ip", "destination.ip", - "zeek_modbus_read_write_multiple_registers.network_direction", - "zeek_modbus_read_write_multiple_registers.func", - "zeek_modbus_read_write_multiple_registers.unit_id", - "zeek_modbus_read_write_multiple_registers.write_start_address", - "zeek_modbus_read_write_multiple_registers.write_registers", - "zeek_modbus_read_write_multiple_registers.read_start_address", - "zeek_modbus_read_write_multiple_registers.read_registers" + "zeek.modbus_read_write_multiple_registers.network_direction", + "zeek.modbus_read_write_multiple_registers.func", + "zeek.modbus_read_write_multiple_registers.unit_id", + "zeek.modbus_read_write_multiple_registers.write_start_address", + "zeek.modbus_read_write_multiple_registers.write_registers", + "zeek.modbus_read_write_multiple_registers.read_start_address", + "zeek.modbus_read_write_multiple_registers.read_registers" ], "sort": [ [ @@ -619,7 +619,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_read_write_multiple_registers\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_read_write_multiple_registers\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -649,9 +649,9 @@ "source.ip", "destination.ip", "destination.port", - "zeek_modbus.func", - "zeek_modbus.exception", - "zeek.uid" + "zeek.modbus.func", + "zeek.modbus.exception", + "event.id" ], "sort": [ [ 
@@ -661,7 +661,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -689,8 +689,8 @@ "hits": 0, "columns": [ "source.ip", - "zeek_known_modbus.device_type", - "zeek.uid" + "zeek.known_modbus.device_type", + "event.id" ], "sort": [ [ @@ -700,7 +700,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"known_modbus\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"known_modbus\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json index 2f0b187ca..5a148b41b 100644 --- a/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index 0938b7314..0d31d03d6 100644 
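Review bot: The control labels in the new `visState` no longer match the ECS fields they drive: the control bound to `network.transport` keeps the label "Protocol" and the one bound to `network.protocol` keeps "Service". Under ECS `network.transport` is the transport-layer protocol (tcp/udp/icmp) and `network.protocol` the application-layer protocol, so an analyst reading "Protocol" will likely expect the latter. Consider `\"label\":\"Transport\"` for the `network.transport` control and `\"label\":\"Protocol\"` (or keeping "Service") for the `network.protocol` control, or note the mapping in the visualisation's empty `description` field. This is a labelling point only; the field bindings themselves look consistent with the column changes in the hunk at 175.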
--- a/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json +++ b/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json 
@@ -200,7 +200,7 @@ "version": "WzI1NCwxXQ==", "attributes": { "title": "Weird - Notice Generated", - "visState": "{\"title\":\"Weird - Notice Generated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_weird.notice: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_weird.notice\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"Weird - Notice Generated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.weird.notice: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.weird.notice\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -229,7 +229,7 @@ "updated_at": "2021-02-10T21:24:17.046Z", "version": "WzI1NSwxXQ==", "attributes": { - "visState": "{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Weird - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", "description": "", "title": "Weird - Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", 
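Review bot: The rewritten `visState` in this hunk carries the misspelled table parameter `showMeticsAtAllLevels`; the Modbus table visualisations earlier in this diff (hunks at 450 and 480) spell it `showMetricsAtAllLevels`, which is the key the table visualisation reads, so the misspelled key is presumably ignored and the setting silently falls back to its default. The same misspelling appears in the "Weird - Name" visState in the hunk at 320. Since the commit already rewrites these lines for the field rename, correcting the key to `\"showMetricsAtAllLevels\":false` in both places would be cheap and keeps the exported objects consistent.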
@@ -320,7 +320,7 @@ "version": "WzI1OCwxXQ==", "attributes": { "title": "Weird - Name", - "visState": "{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}", + "visState": "{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -357,8 +357,8 @@ "source.port", "destination.ip", "destination.port", - "zeek_weird.name", - "zeek.uid" + "zeek.weird.name", + "event.id" ], "sort": [ [ 
@@ -368,7 +368,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:weird\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:weird\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json index 0b157e8c9..330f23355 100644 --- a/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json 
@@ -130,12 +130,12 @@ "version": "WzI2MiwxXQ==", "attributes": { "title": "EtherNet/IP - Log Count", - "visState": "{\"title\":\"EtherNet/IP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"EtherNet/IP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"zeek.logType:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -159,12 +159,12 @@ "version": "WzI2MywxXQ==", "attributes": { "title": "EtherNet/IP - Logs Over Time", - "visState": "{\"title\":\"EtherNet/IP - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:48:06.557Z\",\"max\":\"2021-01-14T16:48:06.557Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"EtherNet/IP - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:48:06.557Z\",\"max\":\"2021-01-14T16:48:06.557Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -188,7 +188,7 @@ "version": "WzI2NCwxXQ==", "attributes": { "title": "Ethernet/IP - Commands", - "visState": "{\"title\":\"Ethernet/IP - Commands\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Command\"}}]}", + "visState": 
"{\"title\":\"Ethernet/IP - Commands\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Command\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -218,7 +218,7 @@ "version": "WzI2NSwxXQ==", "attributes": { "title": "CIP - Services", - "visState": "{\"title\":\"CIP - Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request/Response\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CIP Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Status\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request/Response\"}}]}", + "visState": "{\"title\":\"CIP - 
Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request/Response\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.cip_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CIP Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.cip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Status\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request/Response\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "CIP Services and Status", "version": 1, 
@@ -253,7 +253,7 @@ "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -282,7 +282,7 @@ "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
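Review bot: The rewritten saved-search filter in this hunk and in the -282 hunk on the same line, `event.dataset:("enip" OR "cip" OR "cip_io")`, enumerates datasets explicitly and leaves out `cip_identity`, whereas the panels in the -130 and -159 hunks use `event.dataset:(enip* OR cip*)`, a wildcard that also matches the `cip_identity` dataset the -460 hunk searches for, so the two views of this dashboard count different sets of logs. If the narrower scope is intentional, the saved object's empty `"description": ""` field in the same hunk is the place to record it, e.g. `"description": "Scoped to enip, cip and cip_io; cip_identity is covered by the CIP - Device Identity panel"`; otherwise add `OR "cip_identity"` so the filters agree. Since the move from `zeek.logType`/`zeek_*` to `event.dataset`/`zeek.*` is a schema migration in which a stale field name fails silently as an empty panel rather than as an import error, a CI check that no file under `kibana/dashboards/` still references the old names would catch any visualization this sweep missed.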
@@ -306,7 +306,7 @@ "version": "WzI2OCwxXQ==", "attributes": { "title": "EtherNet/IP - Detailed Information", - "visState": "{\"title\":\"EtherNet/IP - Detailed Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Data Length\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.session_handle\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Session Identifier\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.sender_context\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sender Context\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"EtherNet/IP 
Command\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data Length\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.enip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", + "visState": "{\"title\":\"EtherNet/IP - Detailed Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Data Length\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.enip.session_handle\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Session 
Identifier\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.enip.sender_context\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sender Context\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"EtherNet/IP Command\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.enip.length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data Length\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.enip.enip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "Includes: Session Identifier, Sender Context, EtherNet/IP Command, Data Length, and Status", "version": 1, 
@@ -336,7 +336,7 @@ "version": "WzI2OSwxXQ==", "attributes": { "title": "CIP - Request Path", - "visState": "{\"title\":\"CIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Data ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.class_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.class_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.instance_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Instance 
ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.attribute_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Attribute ID\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.data_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Data ID\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.other_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Other ID\"}}]}", + "visState": "{\"title\":\"CIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Data ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.class_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class 
ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.class_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.instance_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Instance ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.attribute_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Attribute ID\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.data_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Data ID\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip.other_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Other ID\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", "description": "CIP Request Path data", "version": 1, 
@@ -366,7 +366,7 @@ "version": "WzI3MCwxXQ==", "attributes": { "title": "CIP - Device Identity", - "visState": "{\"title\":\"CIP - Device Identity\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"N/A\"}},\"params\":{},\"label\":\"Serial Number\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.product_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Product Name\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.device_type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Device Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.vendor_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Vendor 
Name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.serial_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Serial Number\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.revision\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Revision Number\"}}]}", + "visState": "{\"title\":\"CIP - Device Identity\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"N/A\"}},\"params\":{},\"label\":\"Serial Number\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip_identity.product_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Product 
Name\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip_identity.device_type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Device Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip_identity.vendor_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Vendor Name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip_identity.serial_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Serial Number\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.cip_identity.revision\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Revision Number\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "CIP Identity Results", "version": 1, @@ -401,13 +401,13 @@ "columns": [ "source.ip", "destination.ip", - "zeek_cip.cip_service", - "zeek_cip.cip_status", - "zeek_cip.direction", - "zeek_cip.cip_sequence_count", - "zeek_cip.class_id", - "zeek_cip.class_name", - "zeek_cip.instance_id" + "zeek.cip.cip_service", + "zeek.cip.cip_status", + "zeek.cip.direction", + "zeek.cip.cip_sequence_count", + "zeek.cip.class_id", + "zeek.cip.class_name", + "zeek.cip.instance_id" ], "sort": [ [ 
@@ -417,7 +417,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -446,11 +446,11 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_cip_identity.device_type_name",
- "zeek_cip_identity.product_name",
- "zeek_cip_identity.vendor_name",
- "zeek_cip_identity.revision",
- "zeek_cip_identity.serial_number"
+ "zeek.cip_identity.device_type_name",
+ "zeek.cip_identity.product_name",
+ "zeek.cip_identity.vendor_name",
+ "zeek.cip_identity.revision",
+ "zeek.cip_identity.serial_number"
 ],
 "sort": [
 [
@@ -460,7 +460,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip_identity\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_identity\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -489,12 +489,12 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_enip.enip_command",
- "zeek_enip.enip_status",
- "zeek_enip.options",
- "zeek_enip.sender_context",
- "zeek_enip.session_handle",
- "zeek.uid"
+ "zeek.enip.enip_command",
+ "zeek.enip.enip_status",
+ "zeek.enip.options",
+ "zeek.enip.sender_context",
+ "zeek.enip.session_handle",
+ "event.id"
 ],
 "sort": [
 [
@@ -504,7 +504,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:enip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:enip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -533,10 +533,10 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_cip_io.connection_id",
- "zeek_cip_io.sequence_number",
- "zeek_cip_io.data_length",
- "zeek.uid"
+ "zeek.cip_io.connection_id",
+ "zeek.cip_io.sequence_number",
+ "zeek.cip_io.data_length",
+ "event.id"
 ],
 "sort": [
 [
@@ -546,7 +546,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip_io\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_io\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index db94dc394..efdc20148 100644
--- a/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -130,12 +130,12 @@ "version": "WzI5MywxXQ==", "attributes": { "title": "BACnet - Log Count", - "visState": "{\"title\":\"BACnet - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"BACnet - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "Count of BACnet logs including BACnet Discovery and Property logs", "version": 1, 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -159,12 +159,12 @@ "version": "WzI5NCwxXQ==", "attributes": { "title": "BACnet - Logs Over Time", - "visState": "{\"title\":\"BACnet - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:39:09.309Z\",\"max\":\"2021-01-14T16:39:09.309Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"BACnet - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:39:09.309Z\",\"max\":\"2021-01-14T16:39:09.309Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "BACnet Logs over Time", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -188,7 +188,7 @@ "version": "WzI5NSwxXQ==", "attributes": { "title": "BACnet - BVLC Functions", - "visState": "{\"title\":\"BACnet - BVLC Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.bvlc_function\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"BVLC Function\"}}]}", + "visState": "{\"title\":\"BACnet - BVLC Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.bvlc_function\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"BVLC Function\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "BACnet Virtual Link Control Functions (Link-Layer Control)", "version": 1, 
@@ -218,7 +218,7 @@ "version": "WzI5NiwxXQ==", "attributes": { "title": "BACnet - Protocol Data Units (PDUs)", - "visState": "{\"title\":\"BACnet - Protocol Data Units (PDUs)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}", + "visState": "{\"title\":\"BACnet - Protocol Data Units 
(PDUs)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "BACnet Application Layer Protocol Data Unit types and services", "version": 1, 
@@ -248,7 +248,7 @@ "version": "WzI5NywxXQ==", "attributes": { "title": "BACnet - Errors", - "visState": "{\"title\":\"BACnet - Errors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.result_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result Code\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}", + "visState": "{\"title\":\"BACnet - 
Errors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.result_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result Code\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "BACnet Result Codes for Abort, Reject or Error", "version": 1, 
@@ -283,7 +283,7 @@ "description": "Source IP Addresses from bacnet.log", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -312,7 +312,7 @@ "description": "Destination IP Addresses from bacnet.log", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -336,7 +336,7 @@ "version": "WzMwMCwxXQ==", "attributes": { "title": "BACnet - Device Vendors", - "visState": "{\"title\":\"BACnet - Device Vendors\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Unique count of zeek_bacnet_discovery.instance_number\",\"aggType\":\"cardinality\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Device Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_bacnet_discovery.instance_number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Vendor\"}}]}", + "visState": "{\"title\":\"BACnet - Device Vendors\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Unique count of zeek.bacnet_discovery.instance_number\",\"aggType\":\"cardinality\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Device 
Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.bacnet_discovery.instance_number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Vendor\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "BACnet Device Vendors from i-am messages", "version": 1, 
@@ -366,7 +366,7 @@ "version": "WzMwMSwxXQ==", "attributes": { "title": "BACnet - Read and Write Property ", - "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}", + "visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property 
Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property 
Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}}", "description": "Results from BACnet Read-Property and Write-Property Commands", "version": 1, 
@@ -396,7 +396,7 @@ "version": "WzMwMiwxXQ==", "attributes": { "title": "BACnet - Device Discovery", - "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU 
Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", + "visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "Results from BACnet i-am and i-have commands", "version": 1, @@ -431,10 +431,10 @@ "columns": [ "source.ip", "destination.ip", - "zeek_bacnet.bvlc_function", - "zeek_bacnet.pdu_type", - "zeek_bacnet.pdu_service", - "zeek_bacnet.invoke_id" + "zeek.bacnet.bvlc_function", + "zeek.bacnet.pdu_type", + "zeek.bacnet.pdu_service", + "zeek.bacnet.invoke_id" ], "sort": [ [ @@ -444,7 +444,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -473,11 +473,11 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_bacnet_property.pdu_service",
- "zeek_bacnet_property.object_type",
- "zeek_bacnet_property.instance_number",
- "zeek_bacnet_property.property",
- "zeek_bacnet_property.value"
+ "zeek.bacnet_property.pdu_service",
+ "zeek.bacnet_property.object_type",
+ "zeek.bacnet_property.instance_number",
+ "zeek.bacnet_property.property",
+ "zeek.bacnet_property.value"
 ],
 "sort": [
 [
@@ -487,7 +487,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet_property\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_property\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -516,10 +516,10 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_bacnet_discovery.pdu_service",
- "zeek_bacnet_discovery.object_type",
- "zeek_bacnet_discovery.instance_number",
- "zeek_bacnet_discovery.vendor"
+ "zeek.bacnet_discovery.pdu_service",
+ "zeek.bacnet_discovery.object_type",
+ "zeek.bacnet_discovery.instance_number",
+ "zeek.bacnet_discovery.vendor"
 ],
 "sort": [
 [
@@ -529,7 +529,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet_discovery\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_discovery\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index 4f9010010..29c0f3ca2 100644
--- a/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -190,7 +190,7 @@ "version": "WzM1MywxXQ==", "attributes": { "title": "DNS - Query Class", - "visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Query Class\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dns.qclass_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Class\"}}]}", + "visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Query 
Class\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.dns.qclass_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Class\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -219,7 +219,7 @@ "updated_at": "2021-05-11T12:24:17.423Z", "version": "WzM1NCwxXQ==", "attributes": { - "visState": "{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"DNS - 
Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}", "description": "", "title": "DNS - Query/Answer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
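Review bot: The rewritten visState on the new side still carries the misspelled table parameter `\"showMeticsAtAllLevels\":false`, whereas the correctly spelled key `showMetricsAtAllLevels` is what the other rewritten visualizations in this diff use (BACnet - Device Discovery, DNS Queries by Randomness, DHCP - Client Software, Tabular Data Stream - RPC Procedure). The same misspelling is on the new side of the hunks for DNS - Answers, DNS - Response Code (Name), DNS - Query Type and DHCP - IP to MAC Assignment. Presumably the unknown key is ignored on import and the default applies, so with a value of false the effect is cosmetic, but since the field rename rewrites these lines anyway it would be cheap to normalize them to `\"showMetricsAtAllLevels\":false` so a search for the real parameter name finds every visualization.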
@@ -340,7 +340,7 @@ "version": "WzM1OCwxXQ==", "attributes": { "title": "DNS - Answers", - "visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}", + "visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -370,7 +370,7 @@ "version": "WzM1OSwxXQ==", "attributes": { "title": "DNS - Response Code (Name)", - "visState": "{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.rcode_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}", + "visState": "{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.rcode_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -400,7 +400,7 @@ "version": "WzM2MCwxXQ==", "attributes": { "title": "DNS - Query Type", - "visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.qtype_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}", + "visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dns.qtype_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -430,7 +430,7 @@ "version": "WzM2MSwxXQ==", "attributes": { "title": "DNS - Protocol", - "visState": "{\"title\":\"DNS - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"DNS - 
Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -460,7 +460,7 @@ "version": "WzYzMSwxXQ==", "attributes": { "title": "DNS Queries by Randomness", - "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "visState": "{\"title\":\"DNS Queries by 
Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}", "description": "", "version": 1, 
@@ -495,9 +495,9 @@
 "columns": [
 "source.ip",
 "destination.ip",
- "zeek_dns.query",
- "zeek_dns.answers",
- "zeek.uid"
+ "zeek.dns.query",
+ "zeek.dns.answers",
+ "event.id"
 ],
 "sort": [
 [
@@ -507,7 +507,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
index fc90abe54..5177e7b9a 100644
--- a/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
+++ b/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
@@ -260,7 +260,7 @@ "version": "WzMzNSwxXQ==", "attributes": { "title": "DHCP - IP to MAC Assignment", - "visState": "{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.assigned_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", + "visState": "{\"title\":\"DHCP - IP to MAC 
Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.assigned_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -290,7 +290,7 @@ "version": "WzMzNiwxXQ==", "attributes": { "title": "DHCP - Client Software", - "visState": "{\"title\":\"DHCP - Client Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client Software\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Server Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.client_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client Software\"}}]}", + "visState": "{\"title\":\"DHCP - Client Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client 
Software\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Server Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.client_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client Software\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -320,7 +320,7 @@ "version": "WzMzNywxXQ==", "attributes": { "title": "DHCP - Server Software", - "visState": "{\"title\":\"DHCP - Server Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.server_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Server Software\"}}]}", + "visState": "{\"title\":\"DHCP - Server Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client 
Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dhcp.server_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Server Software\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -353,15 +353,15 @@ "description": "", "hits": 0, "columns": [ - "zeek_dhcp.mac", - "zeek_dhcp.assigned_ip", + "zeek.dhcp.mac", + "zeek.dhcp.assigned_ip", "destination.ip", - "zeek_dhcp.host_name", - "zeek_dhcp.domain", - "zeek_dhcp.msg_types", - "zeek_dhcp.client_software", - "zeek_dhcp.server_software", - "zeek.uid" + "zeek.dhcp.host_name", + "zeek.dhcp.domain", + "zeek.dhcp.msg_types", + "zeek.dhcp.client_software", + "zeek.dhcp.server_software", + "event.id" ], "sort": [ [ @@ -371,7 +371,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dhcp\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dhcp\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
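Review bot: In the rewritten visState for DHCP - Server Software the cached `dimensions.buckets[0]` entry still reads `\"label\":\"Client Software\"` while the terms aggregation it describes has `\"customLabel\":\"Server Software\"`; the DHCP - Client Software visualization in the preceding hunk has the two set consistently. I believe Kibana recomputes `dimensions` from `aggs` when the saved object is rendered, so this is likely cosmetic, but if the cached block is kept it should agree with the aggregation it mirrors: `\"label\":\"Server Software\"`.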
diff --git a/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
index f02d71055..d17221e7c 100644
--- a/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
+++ b/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
@@ -101,9 +101,9 @@
 "source.ip",
 "destination.ip",
 "destination.port",
- "zeek_tds_rpc.procedure_name",
- "zeek_tds_rpc.parameter",
- "zeek.uid"
+ "zeek.tds_rpc.procedure_name",
+ "zeek.tds_rpc.parameter",
+ "event.id"
 ],
 "sort": [
 [
@@ -113,7 +113,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"tds_rpc\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"tds_rpc\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -197,7 +197,7 @@ "version": "WzM1NywxXQ==", "attributes": { "title": "Tabular Data Stream - RPC Procedure", - "visState": "{\"title\":\"Tabular Data Stream - RPC Procedure\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_rpc.procedure_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Procedure\"}}]}", + "visState": "{\"title\":\"Tabular Data Stream - RPC Procedure\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.tds_rpc.procedure_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Procedure\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, diff --git a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json index 6df7be8a6..d644ed93a 100644 --- a/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json +++ b/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json 
@@ -13,7 +13,7 @@ "title": "Intel", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source.ip\",\"destination.ip\",\"destination.port\",\"zeek.uid\",\"zeek.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"grid
Data\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]", + "panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"source.ip\",\"destination.ip\",\"destination
.port\",\"event.id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, 
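Review bot: The embedded `panel_9` column list drops `zeek.fuid` and `_id` along with `zeek.uid` but only adds `event.id` back, so the file-identifier column disappears from the Intel dashboard's log panel even though the sibling visualisations in this file still bucket on `zeek.intel.file_mime_type`, i.e. intel hits on file content. Unless `event.id` also carries the file uid for those records (not visible here), the analyst loses the pivot from an intel match to the extracted file; consider keeping a `zeek.fuid`-equivalent column, e.g. `\"columns\":[\"source.ip\",\"destination.ip\",\"destination.port\",\"event.id\",\"<file-id field placeholder>\"]`, with the real field name taken from the new pipeline mapping. The same three-for-one replacement is made in the "Intel - Logs" saved search (`@@ -375`), which must stay in step with this panel's `embeddableConfig` or the two views will show different columns for the same data.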
@@ -155,7 +155,7 @@ "version": "WzM3MSwxXQ==", "attributes": { "title": "Intel - Seen", - "visState": "{\"title\":\"Intel - Seen\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_intel.seen_where\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}", + "visState": "{\"title\":\"Intel - Seen\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.intel.seen_where\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -184,7 +184,7 @@ "updated_at": "2021-02-10T21:24:23.239Z", "version": "WzM3MiwxXQ==", "attributes": { - "visState": "{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.sources\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.intel.sources\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}", "description": "", "title": "Intel - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
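Review bot: The new-side `visState` still carries the misspelled table parameter `showMeticsAtAllLevels`, which Kibana does not recognise and therefore ignores (the effective value falls back to the default), while the "Tabular Data Stream - RPC Procedure" hunk in the previous file spells it correctly as `showMetricsAtAllLevels`. Since this commit is already rewriting every one of these `visState` strings for the field rename, it is the natural place to fix the key: `\"showMetricsAtAllLevels\":false`. The same misspelling is present on the new side of the `@@ -274`, `@@ -304` and `@@ -334` hunks in this file and of the `@@ -179`, `@@ -209`, `@@ -238`, `@@ -328` and `@@ -358` hunks in the HTTP dashboard file that follows.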
@@ -274,7 +274,7 @@ "updated_at": "2021-02-10T21:24:23.239Z", "version": "WzM3NSwxXQ==", "attributes": { - "visState": "{\"title\":\"Intel - Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.indicator\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Intel - Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.intel.indicator\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}", "description": "", "title": "Intel - Indicator", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -304,7 +304,7 @@ "updated_at": "2021-02-10T21:24:23.239Z", "version": "WzM3NiwxXQ==", "attributes": { - "visState": "{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.intel.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", "title": "Intel - MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -334,7 +334,7 @@ "updated_at": "2021-02-10T21:24:23.239Z", "version": "WzM3NywxXQ==", "attributes": { - "visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.matched\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.intel.matched\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}", "description": "", "title": "Intel - Matched", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -375,15 +375,13 @@ "title": "Intel - Logs", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event.dataset:intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" }, "columns": [ "source.ip", "destination.ip", "destination.port", - "zeek.uid", - "zeek.fuid", - "_id" + "event.id" ] }, "references": [ 
@@ -437,7 +435,7 @@ "version": "WzM4MCwxXQ==", "attributes": { "title": "Intel - Indicator Type", - "visState": "{\"title\":\"Intel - Indicator Type\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_intel.indicator_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}", + "visState": "{\"title\":\"Intel - Indicator Type\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator 
Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.intel.indicator_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, diff --git a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json index 7aaaa5503..3cb2c3aaa 100644 --- a/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json +++ b/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json 
@@ -150,7 +150,7 @@ "version": "WzM5OCwxXQ==", "attributes": { "title": "HTTP - Status Over Time", - "visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status Code\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Status 
Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}", + "visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status 
Code\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Status Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -179,7 +179,7 @@ "updated_at": "2021-02-23T18:46:21.647Z", "version": "WzM5OSwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", "description": "", "title": "HTTP - Sites", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -209,7 +209,7 @@ "updated_at": "2021-02-23T18:46:21.647Z", "version": "WzQwMCwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}", "description": "", "title": "HTTP - Sites Hosting EXEs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -238,7 +238,7 @@ "updated_at": "2021-02-23T18:46:21.647Z", "version": "WzQwMSwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}", "description": "", "title": "HTTP - URIs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -328,7 +328,7 @@ "updated_at": "2021-02-23T18:46:21.647Z", "version": "WzQwNCwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}", "description": "", "title": "HTTP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -358,7 +358,7 @@ "updated_at": "2021-02-23T18:46:21.647Z", "version": "WzQwNSwxXQ==", "attributes": { - "visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", "title": "HTTP - Referrer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -419,7 +419,7 @@ "version": "WzQwNywxXQ==", "attributes": { "title": "HTTP - Destination Country", - "visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\
"Country\"}}]}", + "visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -479,7 +479,7 @@ "version": "WzE2NzAsMV0=", "attributes": { "title": "HTTP - Status and Method", - "visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status 
Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.http.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -509,7 +509,7 @@ "version": "WzQxMCwxXQ==", "attributes": { "title": "HTTP - Unique Usernames and Passwords", - "visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}", + "visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"related.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
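Review bot: `related.password` in the second cardinality aggregation is not part of the ECS `related.*` field set (ECS defines `related.ip`, `related.user`, `related.hash` and `related.hosts`), so it only works if Malcolm's own index template declares it as an aggregatable `keyword`; `related.user` is standard ECS and should be fine. Because `related.*` fields are cross-dataset collectors rather than the HTTP log's own username field, this panel counts HTTP credentials only if the saved search it references (the `savedSearchRefName` outside this hunk) still scopes it to the HTTP dataset, which is worth confirming. The label also advertises that cleartext passwords are indexed as an aggregatable field; if that is intended, a `description` such as `Counts distinct values of related.password; the raw values are readable by anyone with index access` would make the exposure explicit to dashboard consumers.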
@@ -539,7 +539,7 @@ "version": "WzE1NzgsMV0=", "attributes": { "title": "HTTP - Method and Status", - "visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", + "visState": "{\"title\":\"HTTP - Method and 
Status\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
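Review bot: `event.result` in the third aggregation is not an ECS field (ECS's nearest equivalent is `event.outcome`, restricted to `success`/`failure`/`unknown`), so it is a Malcolm-specific extension sitting next to the genuinely ECS `event.action`; since this commit otherwise moves the dashboards onto ECS names, a line in the visualization's empty `description`, e.g. `event.result is a Malcolm extension carrying the HTTP status; not ECS event.outcome`, would stop a later maintainer from "correcting" it and silently emptying the panel. Both terms aggregations are unscoped by dataset, so the "Method"/"Status" reading presumably relies on the saved search referenced outside this hunk to restrict the documents to HTTP.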
@@ -569,12 +569,12 @@
"version": "WzE3NzAsMV0=",
"attributes": {
"title": "HTTP - Version",
- "visState": "{\"title\":\"HTTP - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HTTP Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100}}}",
+ "visState": "{\"title\":\"HTTP - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HTTP Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.service_version:\\\"0.0\\\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"NOT network.protocol_version:\\\"0.0\\\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
@@ -599,7 +599,7 @@
"version": "WzQxMSwxXQ==",
"attributes": {
"title": "HTTP - File Type",
- "visState": "{\"title\":\"HTTP - File Type\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}",
+ "visState": "{\"title\":\"HTTP - File Type\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -635,11 +635,10 @@
"source.ip",
"destination.ip",
"destination.port",
- "zeek_http.host",
- "zeek_http.method",
- "zeek_http.status_msg",
- "zeek.uid",
- "zeek.fuid"
+ "zeek.http.host",
+ "zeek.http.method",
+ "zeek.http.status_msg",
+ "event.id"
],
"sort": [
[
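Review bot: The column list of the HTTP saved search replaces both `zeek.uid` and `zeek.fuid` with the single `event.id`, so the file UID that let an analyst pivot from an HTTP request to its files.log entry and any extracted file is no longer shown in the results table. If the file identifier survives the ECS rename under another name (not visible in this hunk), add that column back after `"event.id"`, e.g. `"event.id", "<new fuid field>"`; if it was dropped deliberately, the Files dashboard loses its pivot from here and that is worth stating in the saved search's `description`. The enclosing saved-search object starts before and ends after this hunk.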
@@ -649,7 +648,7 @@
],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:http\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:http\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
index f0d082055..26225ff0e 100644
--- a/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
@@ -80,7 +80,7 @@ "version": "WzQxNiwxXQ==", "attributes": { "title": "Connections - Source - Top Connection Duration (region map)", - "visState": "{\"title\":\"Connections - Source - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session 
(seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "visState": "{\"title\":\"Connections - Source - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator 
Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[37.17328344112096,15.644531250000002],\"mapZoom\":3}", "description": "", "version": 1, 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -175,14 +175,14 @@
"description": "",
"hits": 0,
"columns": [
- "zeek.proto",
- "zeek.service",
+ "network.transport",
+ "network.protocol",
"source.ip",
"source.port",
"destination.ip",
"destination.port",
"network.bytes",
- "zeek.uid"
+ "event.id"
],
"sort": [
[
@@ -192,7 +192,7 @@
],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
index fc25c9d4e..545e7c162 100644
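Review bot: `network.protocol`, which replaces `zeek.service` in this saved search's columns (and in the "Service" input control of the hunk above), is defined by ECS as a single lowercase application-protocol name, whereas Zeek's conn.log `service` can carry several comma-joined values such as `ssl,http` for one connection. Unless the ingest pipeline splits that into an array (not visible here), the terms-based "Service" control will list composite values as their own bucket and a filter on `http` will miss multi-service connections; this was already true of `zeek.service`, but adopting the ECS name makes the single-value expectation explicit. Worth either confirming the pipeline normalises it or recording the caveat in the control visualization's `description`, e.g. `network.protocol may be multi-valued for Zeek conn records`.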
--- a/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
+++ b/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
@@ -1,5 +1,5 @@
{
- "version": "7.10.0",
+ "version": "7.10.2",
"objects": [
{
"id": "42e831b9-41a9-4f35-8b7d-e1566d368773",
@@ -7,18 +7,18 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-11T18:04:53.082Z", - "version": "WzMxNjAsMV0=", + "updated_at": "2021-11-12T20:12:35.920Z", + "version": "WzEyMzMsMV0=", "attributes": { "title": "SMB", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":13,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":50,\"w\":20,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":50,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":21,\"y\":13,\"w\":12,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":32,\"w\":23,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":23,\"y\":32,\"w\":25,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":13,\"i\":\"13\"},\"panelI
ndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":40,\"y\":50,\"w\":8,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":13,\"w\":13,\"h\":19,\"i\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\"},\"panelIndex\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":33,\"y\":13,\"w\":15,\"h\":19,\"i\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\"},\"panelIndex\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":87,\"w\":48,\"h\":42,\"i\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\"},\"panelIndex\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]", + "panelsJSON": 
"[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":13,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":50,\"w\":20,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":20,\"y\":50,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":21,\"y\":13,\"w\":12,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":32,\"w\":23,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":23,\"y\":32,\"w\":25,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":13,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":40,\"y\":50,\"w\":8,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}
}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":13,\"w\":13,\"h\":19,\"i\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\"},\"panelIndex\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":33,\"y\":13,\"w\":15,\"h\":19,\"i\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\"},\"panelIndex\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":87,\"w\":48,\"h\":42,\"i\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\"},\"panelIndex\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}" } }, "references": [ 
@@ -98,8 +98,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:09.616Z", - "version": "Wzg3MiwxXQ==", + "updated_at": "2021-11-12T19:33:10.652Z", + "version": "WzkzNywxXQ==", "attributes": { "title": "Zeek Logs", "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/kibana/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[β†ͺ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● 
[IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/kibana/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT 
Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -121,8 +121,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyMiwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0MiwxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", 
@@ -151,8 +151,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyMywxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0MywxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", @@ -181,8 +181,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyNCwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0NCwxXQ==", "attributes": { "visState": "{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", 
@@ -211,11 +211,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyNSwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0NSwxXQ==", "attributes": { "title": "SMB - Version", - "visState": "{\"title\":\"SMB - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"SMB Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Version\"}}]}", + "visState": "{\"title\":\"SMB - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"SMB 
Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Version\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
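Review bot: `network.protocol_version`, the new field for the `SMB - Version` pie, is as far as I can tell not an ECS-defined field (ECS `network.*` has `protocol`, `transport` and `application` but no `protocol_version`), while every other rename in this commit moves Zeek-specific data under `zeek.*` or onto a real ECS field such as `event.action` / `event.dataset`. Parking a custom field inside the ECS `network` namespace risks colliding with a future ECS addition and hides that it is project-specific; if the index template and ingest pipeline really define it this way, that choice deserves a line in the field-mapping documentation. Either way it is worth confirming the mapping before merging, since a terms aggregation on an unmapped or `text`-mapped field fails at render time rather than at import.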
@@ -241,10 +241,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyNiwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0NiwxXQ==", "attributes": { - "visState": "{\"title\":\"SMB - File Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMB - File Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}", "description": "", "title": "SMB - FIle Path", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -271,10 +271,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyNywxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0NywxXQ==", "attributes": { - "visState": "{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}", "description": "", "title": "SMB - File Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -301,10 +301,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyOCwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0OCwxXQ==", "attributes": { - "visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}", "description": "", "title": "SMB - File/Path Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", 
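Review bot: The `SMB - File/Path Summary` table nests five terms buckets (`zeek.smb_files.path`, `zeek.smb_files.name`, `event.action`, `source.ip`, `destination.ip`) each with `"size":25`; Kibana issues these as nested terms aggregations, so a single render can request up to 25^5 buckets and on a busy SMB segment may hit Elasticsearch's `search.max_buckets` limit and show an error instead of the table. Lowering the inner sizes (the two IP columns rarely need 25 values per path/name/action combination) would keep the panel reliable under load. This is pre-existing and the commit only renames the fields here, but the hunk is a convenient place to fix it.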
@@ -331,11 +331,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQyOSwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ0OSwxXQ==", "attributes": { "title": "SMB - Log Count", - "visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Log Type\"}}]}", + "visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", "version": 1, 
@@ -361,8 +361,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQzMCwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ1MCwxXQ==", "attributes": { "title": "SMB - Destination Port", "visState": "{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", 
@@ -391,16 +391,16 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQzMSwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ1MSwxXQ==", "attributes": { "title": "SMB - Relevant Notices", - "visState": "{\"title\":\"SMB - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "visState": "{\"title\":\"SMB - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(EternalSafety OR SMB OR ATTACK)\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.notice.category:(EternalSafety OR SMB OR ATTACK)\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
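Review bot: The rewritten `SMB - Relevant Notices` visState still declares four bucket dimensions (Notice Category, Notice Subcategory, Source IP, Destination IP at accessors 0–3, Count at 4) while its `aggs` array defines only two terms buckets (`zeek.notice.category`, `zeek.notice.sub_category`), and the Destination IP dimension carries `"missingBucketLabel":"1"` where the other three use `"-"`. If Kibana honors the stored `dimensions` instead of regenerating them from `aggs`, the IP columns will be empty or mislabelled; either add terms aggs with ids `4`/`5` on `source.ip` and `destination.ip` (with `"missingBucket":true,"missingBucketLabel":"-"`) or drop the two unbacked dimensions and change the `"1"` to `"-"`. Since this is the panel that surfaces `EternalSafety`/`SMB`/`ATTACK` notices, please open the imported dashboard against data containing at least one such notice to confirm the field migration did not silently blank it.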
@@ -421,11 +421,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQzMiwxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ1MiwxXQ==", "attributes": { "title": "SMB Action", - "visState": "{\"title\":\"SMB Action\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.action: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"SMB Action\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"event.action: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -451,20 +451,20 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:26.351Z", - "version": "WzQzMywxXQ==", + "updated_at": "2021-11-12T19:32:24.674Z", + "version": "WzQ1MywxXQ==", "attributes": { "title": "SMB - Logs", "description": "", "hits": 0, "columns": [ - "zeek.logType", + "event.dataset", "source.ip", "destination.ip", "destination.port", - "zeek.service_version", - "zeek.action", - "zeek.uid" + "network.protocol_version", + "event.action", + "event.id" ], "sort": [ [ @@ -474,7 +474,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
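Review bot: In the `@@ -474` hunk the `SMB - Logs` saved search now scopes on `event.dataset:smb*`, and if, as the `savedSearchRefName` usage above suggests, the SMB visualizations reference this search, this one query bounds the whole dashboard. `zeek.logType` was implicitly Zeek-only, whereas `event.dataset` is a cross-source ECS field, so any non-Zeek dataset whose name starts with `smb` landing in the same index pattern will now be pulled in; if the schema has a provider/source field, consider pinning it, e.g. `event.dataset:smb* AND event.provider:zeek` (field name to be confirmed against the index template). The wildcard also assumes `event.dataset` is a `keyword` field; on a `text` mapping `smb*` matches per analyzed token and may behave differently for values like `smb_files` or `smb_mapping`.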
@@ -494,19 +494,19 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:06.578Z", - "version": "Wzg0OCwxXQ==", + "updated_at": "2021-11-12T19:33:06.558Z", + "version": "WzkwMywxXQ==", "attributes": { "title": "Notices - Logs", "description": "", "hits": 0, "columns": [ - "zeek_notice.category", - "zeek_notice.sub_category", - "zeek_notice.msg", + "zeek.notice.category", + "zeek.notice.sub_category", + "zeek.notice.msg", "source.ip", "destination.ip", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -516,7 +516,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index 41307de4d..f67658ae6 100644 --- a/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json 
@@ -209,7 +209,7 @@ "updated_at": "2021-02-10T21:24:27.443Z", "version": "WzQ0MCwxXQ==", "attributes": { - "visState": "{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}", "description": "", "title": "DCE/RPC - Endpoint", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
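Review bot: In this file the field rename (`zeek_dce_rpc.endpoint` → `zeek.dce_rpc.endpoint`) is applied without touching the surrounding `updated_at`/`version` lines, which still read `2021-02-10T21:24:27.443Z` / `WzQ0MCwxXQ==` as context, whereas every hunk in the SMB dashboard file above bumps both. Kibana's saved-object import normally overwrites these on import, so this is most likely cosmetic, but it shows the two files were produced differently (re-export versus hand edit). Re-exporting this dashboard from the same Kibana would keep the two consistent and give some assurance that the hand-edited JSON-in-a-string still parses.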
@@ -239,7 +239,7 @@ "updated_at": "2021-02-10T21:24:27.443Z", "version": "WzQ0MSwxXQ==", "attributes": { - "visState": "{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}", "description": "", "title": "DCE/RPC - Named Pipe", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -269,7 +269,7 @@ "updated_at": "2021-02-10T21:24:27.443Z", "version": "WzQ0MiwxXQ==", "attributes": { - "visState": "{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}", "description": "", "title": "DCE/RPC - Operation", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -300,7 +300,7 @@ "version": "WzQ0MywxXQ==", "attributes": { "title": "DCE/RPC - Round Trip Time", - "visState": "{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}", + "visState": "{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
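Review bot: `DCE/RPC - Round Trip Time` buckets `zeek.dce_rpc.rtt` with a terms aggregation (`"size":100`, `"orderBy":"_term"`), which the commit renames but otherwise leaves as-is; a terms bucket on a continuous timing value yields one row per distinct float, so the table lists unique RTTs rather than showing a distribution. A histogram aggregation or a percentiles metric over `zeek.dce_rpc.rtt` would be far more useful for spotting slow or anomalous RPC calls, and `"_term"` is the legacy ordering key (`_key` in current Kibana), so the panel may be relying on Kibana's import-time migration. Pre-existing, but this line is the whole hunk, so it is a good moment to revisit it.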
@@ -390,7 +390,7 @@ "version": "WzQ0NiwxXQ==", "attributes": { "title": "DCE/RPC - Summary", - "visState": "{\"title\":\"DCE/RPC - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}", + "visState": "{\"title\":\"DCE/RPC - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -427,9 +427,9 @@ "source.port", "destination.ip", "destination.port", - "zeek_dce_rpc.operation", - "zeek_dce_rpc.endpoint", - "zeek.uid" + "zeek.dce_rpc.operation", + "zeek.dce_rpc.endpoint", + "event.id" ], "sort": [ [ 
@@ -439,7 +439,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/kibana/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json index 7dcfea6ab..b5c22763e 100644 --- a/kibana/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json +++ b/kibana/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json 
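Review bot: The saved-search query on the `+` line now filters on `event.dataset:dce_rpc`, which only returns hits once the ingest side actually emits `event.dataset` (and the `zeek.dce_rpc.*` / `event.id` columns renamed in the preceding hunk); if that mapping or pipeline change does not ship together with these saved objects, the DCE/RPC panels render empty rather than error, which for a monitoring dashboard is a silent loss of visibility. It would be worth naming in the commit description the pipeline or index-template change these dashboards depend on, or adding an import-time check that the referenced fields exist in the index pattern. The same applies to every `zeek.logType` → `event.dataset`, `zeek.action` → `event.action` and `zeek.service` → `network.protocol` rename later in this diff. This query also stays in `lucene` while the EtherCAT saved searches in this diff use `kuery`; both parse this simple term, but one language across the saved searches would make them easier to maintain.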
@@ -105,7 +105,7 @@ "version": "WzExNzgsMV0=", "attributes": { "title": "EtherCAT - Log Count", - "visState": "{\"title\":\"EtherCAT - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", + "visState": "{\"title\":\"EtherCAT - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -135,7 +135,7 @@ "version": "WzEyNDcsMV0=", "attributes": { "title": "EtherCAT - Log Count Over Time", - "visState": "{\"title\":\"EtherCAT - Log Count Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2021-03-01T05:59:58.120Z\",\"to\":\"2021-03-01T06:00:51.365Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}", + 
"visState": "{\"title\":\"EtherCAT - Log Count Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2021-03-01T05:59:58.120Z\",\"to\":\"2021-03-01T06:00:51.365Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -225,7 +225,7 @@ "version": "WzE0ODgsMV0=", "attributes": { "title": "EtherCAT - Commands", - "visState": "{\"title\":\"EtherCAT - Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"EtherCAT - Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -255,12 +255,12 @@ "version": "WzE1NzcsMV0=", "attributes": { "title": "EtherCAT - Register Types and Commands", - "visState": "{\"title\":\"EtherCAT - Register Types and Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ecat_registers.register_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Register Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"EtherCAT - Register Types and Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ecat_registers.register_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Register 
Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ecat_registers\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ecat_registers\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, @@ -292,15 +292,15 @@ "srcOui", "destination.mac", "dstOui", - "zeek.action", - "zeek_ecat_registers.register_type", - "zeek_ecat_registers.server_addr", - "zeek_ecat_registers.register_addr" + "event.action", + "zeek.ecat_registers.register_type", + "zeek.ecat_registers.server_addr", + "zeek.ecat_registers.register_addr" ], "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:ecat_registers\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:ecat_registers\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -327,8 +327,8 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.action", + "event.dataset", + "event.action", "source.mac", "srcOui", "destination.mac", 
@@ -337,7 +337,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"zeek.logType:ecat*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ecat*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json index a508405df..fd3287d6a 100644 --- a/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json +++ b/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json 
@@ -115,7 +115,7 @@ "version": "WzQ1MCwxXQ==", "attributes": { "title": "ICS/IoT Log Counts", - "visState": "{\"title\":\"ICS/IoT Log Counts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"ICS/IoT Log Counts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -145,7 +145,7 @@ "version": "WzQ1MSwxXQ==", "attributes": { "title": "ICS/IoT Traffic Over Time", - "visState": "{\"title\":\"ICS/IoT Traffic Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-04T15:18:33.141Z\",\"max\":\"2020-02-04T15:18:33.141Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\
"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"ICS/IoT Traffic Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-04T15:18:33.141Z\",\"max\":\"2020-02-04T15:18:33.141Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{}", "description": "", 
"version": 1, 
@@ -175,7 +175,7 @@ "version": "WzQ1MiwxXQ==", "attributes": { "title": "ICS/IoT External Traffic", - "visState": "{\"title\":\"ICS/IoT External Traffic\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Destination 
Country\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":499,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Country\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Destination Country\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Country\"}}]}", + "visState": "{\"title\":\"ICS/IoT External 
Traffic\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Destination Country\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":499,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Country\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Destination Country\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Country\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -235,7 +235,7 @@ "version": "WzQ1NCwxXQ==", "attributes": { "title": "Non-ICS/IoT Protocols Observed", - "visState": "{\"title\":\"Non-ICS/IoT Protocols Observed\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":true,\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", 
+ "visState": "{\"title\":\"Non-ICS/IoT Protocols Observed\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":true,\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -264,7 +264,7 @@ "version": "WzQ1NSwxXQ==", "attributes": { "title": "ICS/IoT Source IP", - "visState": "{\"title\":\"ICS/IoT Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"ICS/IoT Source 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -294,12 +294,12 @@ "version": "WzQ1NiwxXQ==", "attributes": { "title": "ICS/IoT Actions and Results", - "visState": "{\"title\":\"ICS/IoT Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", + "visState": "{\"title\":\"ICS/IoT Actions and 
Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"zeek.action:* OR zeek.result:*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.action:* OR event.result:*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -324,7 +324,7 @@ "version": "WzQ1NywxXQ==", "attributes": { "title": "ICS/IoT Destination IP", - "visState": "{\"title\":\"ICS/IoT Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"ICS/IoT Destination 
IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -354,7 +354,7 @@ "version": "WzQ1OCwxXQ==", "attributes": { "title": "File Types by Transport", - "visState": "{\"title\":\"File Types by Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}", + "visState": "{\"title\":\"File Types by 
Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -387,14 +387,13 @@ "description": "", "hits": 0, "columns": [ - "zeek.service", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", - "zeek.action", - "zeek.result", - "zeek.uid" + "event.action", + "event.result" ], "sort": [ [ 
@@ -431,14 +430,14 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek.proto",
- "zeek.service",
+ "network.transport",
+ "network.protocol",
 "source.ip",
 "source.port",
 "destination.ip",
 "destination.port",
 "network.bytes",
- "zeek.uid"
+ "event.id"
 ],
 "sort": [
 [
@@ -448,7 +447,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -475,12 +474,11 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_files.tx_hosts",
+ "source.ip",
 "destination.ip",
- "zeek_files.source",
- "zeek_files.mime_type",
- "zeek.uid",
- "zeek.fuid"
+ "zeek.files.source",
+ "file.mime_type",
+ "event.id"
 ],
 "sort": [
 [
@@ -490,7 +488,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
index 661688bb7..f349ebd3e 100644
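Review bot: The `searchSourceJSON` filter in the `@@ -448,7` hunk narrows to the bare `event.dataset:conn` (and the files search to `event.dataset:files`) with no provider qualifier, while the Zeek-specific fields elsewhere in this change stay under a `zeek.*` prefix; should the bound index pattern ever hold non-Zeek records whose dataset is also named `conn` or `files`, they would be pulled into searches whose columns were chosen for Zeek logs. I cannot see from the diff what the ingest pipeline writes to `event.dataset`: if it is the bare log type, adding the source qualifier the pipeline provides (for example `event.provider:zeek AND event.dataset:conn`) would pin the search down, and if it is a qualified value such as `zeek.conn` the query as written matches nothing. The saved-search objects begin before their hunks.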
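Review bot: The files search in the `@@ -475,12` hunk had two identifiers, `zeek.uid` and `zeek.fuid`, and the new column list carries only `event.id`; unless `event.id` holds the file UID for files records (not visible here) the per-file identifier that ties a row to the extracted file is gone, and if it does hold the file UID then the parent connection id is gone instead. Keeping both — `"event.id"` plus whichever field now carries the other identifier — preserves the file-to-connection pivot the old columns provided. Replacing `zeek_files.tx_hosts` with `source.ip` also turns a set of transmitting hosts into a single address, which is only correct if the pipeline maps them that way; worth confirming. The saved-search object starts before the hunk.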
--- a/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json @@ -199,7 +199,7 @@ "updated_at": "2021-02-23T18:46:26.687Z", "version": "WzQ2NiwxXQ==", "attributes": { - "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}", "description": "", "title": "SNMP - Session Duration", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -230,7 +230,7 @@ "version": "WzQ2NywxXQ==", "attributes": { "title": "SNMP - Log Count", - "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}", + "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "description": "", "version": 1, 
@@ -260,7 +260,7 @@
 "version": "WzQ2OCwxXQ==",
 "attributes": {
 "title": "SNMP - Community String",
- "visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}",
+ "visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}",
 "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
 "description": "",
 "version": 1,
@@ -290,7 +290,7 @@ "version": "WzQ2OSwxXQ==", "attributes": { "title": "SNMP - PDU Type", - "visState": "{\"title\":\"SNMP - PDU Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true,\"orderBucketsBySum\":false}}", + "visState": "{\"title\":\"SNMP - PDU 
Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true,\"orderBucketsBySum\":false}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -320,7 +320,7 @@ "version": "WzEwOTcsMV0=", "attributes": { "title": "SNMP - Version and PDU Type", - "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", + "visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP 
Version\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -356,10 +356,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_snmp.version", - "zeek.action", - "zeek_snmp.community", - "zeek.uid" + "zeek.snmp.version", + "event.action", + "zeek.snmp.community", + "event.id" ], "sort": [ [ @@ -369,7 +369,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:snmp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:snmp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
index fedf906ff..d82fccd4c 100644
--- a/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
+++ b/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
@@ -67,7 +67,7 @@ "version": "WzIyNjEsMV0=", "attributes": { "title": "MySQL - Log Count Over Time", - "visState": "{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"group\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T17:52:43.825Z\",\"max\":\"2020-02-12T17:52:43.825Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"MySQL - Log Count Over 
Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"group\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T17:52:43.825Z\",\"max\":\"2020-02-12T17:52:43.825Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -150,7 +150,7 @@ "version": "WzIyNzgsMV0=", "attributes": { "title": "MySQL - Success", - "visState": "{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_mysql.success: Descending\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"MySQL - 
Success\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.mysql.success: Descending\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -180,7 +180,7 @@ "version": "WzQ3NywxXQ==", "attributes": { "title": "MySQL - Commands", - "visState": "{\"title\":\"MySQL - Commands\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Argument\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Response\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.arg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Argument\"}}
,{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.response\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Response\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Success\"}}]}", + "visState": "{\"title\":\"MySQL - Commands\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Argument\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Response\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\
"field\":\"zeek.mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mysql.arg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Argument\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mysql.response\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Response\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Success\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -216,9 +216,9 @@ "source.ip", "destination.ip", "destination.port", - "zeek_mysql.cmd", - "zeek_mysql.success", - "zeek.uid" + "zeek.mysql.cmd", + "zeek.mysql.success", + "event.id" ], "sort": [ [ 
@@ -228,7 +228,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:mysql\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:mysql\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index d4ba8cc6d..7453bbb33 100644 --- a/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json 
@@ -13,7 +13,7 @@ "title": "NTLM", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":16,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":26,\"w\":12,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":26,\"w\":12,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":44,\"w\":16,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":16,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":44,\"w\":16,\"h\":18,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\
":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":24,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":15,\"i\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\"},\"panelIndex\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":62,\"w\":48,\"h\":40,\"i\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\"},\"panelIndex\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\",\"embeddableConfig\":{\"columns\":[\"source.ip\",\"destination.ip\",\"destination.port\",\"zeek_ntlm.host\",\"zeek_ntlm.domain\",\"zeek_ntlm.server_nb_computer\",\"zeek_ntlm.server_dns_computer\",\"zeek_ntlm.server_tree\",\"zeek.uid\"]},\"panelRefName\":\"panel_11\"}]", + "panelsJSON": 
"[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":16,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":26,\"w\":12,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":26,\"w\":12,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":44,\"w\":16,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":16,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":44,\"w\":16,\"h\":18,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"
defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":24,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":15,\"i\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\"},\"panelIndex\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":62,\"w\":48,\"h\":40,\"i\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\"},\"panelIndex\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\",\"embeddableConfig\":{\"columns\":[\"source.ip\",\"destination.ip\",\"destination.port\",\"zeek.ntlm.host\",\"zeek.ntlm.domain\",\"zeek.ntlm.server_nb_computer\",\"zeek.ntlm.server_dns_computer\",\"zeek.ntlm.server_tree\",\"event.id\"]},\"panelRefName\":\"panel_11\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, 
@@ -150,7 +150,7 @@ "version": "WzQ4MiwxXQ==", "attributes": { "title": "NTLM - Hostname", - "visState": "{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Hostname\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}", + "visState": "{\"title\":\"NTLM - 
Hostname\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Hostname\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ntlm.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -179,7 +179,7 @@ "updated_at": "2021-02-10T21:24:31.603Z", "version": "WzQ4MywxXQ==", "attributes": { - "visState": "{\"title\":\"NTLM - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"NTLM - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}", "description": "", "title": "NTLM - Domain Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -209,7 +209,7 @@ "updated_at": "2021-02-10T21:24:31.603Z", "version": "WzQ4NCwxXQ==", "attributes": { - "visState": "{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}", "description": "", "title": "NTLM - Username", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", 
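Review bot: The `NTLM - Username` table now buckets its terms aggregation on `related.user`, which in ECS is an array-valued field meant to collect every user name associated with an event, so the table yields one bucket per array element rather than one per NTLM authentication. If the pipeline ever populates `related.user` with more than the NTLM client user name (a domain-qualified variant, or a server-side account), this visualization and the `related.user` bucket in the `NTLM - Hostname to Username` hunk at @@ -360 will over-count or conflate identities; whether that happens today is not visible from the dashboard export. If a scalar NTLM user field exists in the new mapping it would be the safer choice here; otherwise the visualization's description (currently `""`) should say that the column reflects all related users, e.g. `"description": "Counts every user name in related.user, not only the NTLM client user."`.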
@@ -360,7 +360,7 @@ "version": "WzQ4OSwxXQ==", "attributes": { "title": "NTLM - Hostname to Username", - "visState": "{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}", + "visState": "{\"title\":\"NTLM - Hostname to 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -390,7 +390,7 @@ "version": "WzQ5MCwxXQ==", "attributes": { "title": "NTLM - Success", - "visState": "{\"title\":\"NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}", + "visState": "{\"title\":\"NTLM - 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -426,12 +426,12 @@ "source.ip", "destination.ip", "destination.port", - "zeek_ntlm.host", - "zeek_ntlm.domain", - "zeek_ntlm.server_nb_computer", - "zeek_ntlm.server_dns_computer", - "zeek_ntlm.server_tree", - "zeek.uid" + "zeek.ntlm.host", + "zeek.ntlm.domain", + "zeek.ntlm.server_nb_computer", + "zeek.ntlm.server_dns_computer", + "zeek.ntlm.server_tree", + "event.id" ], "sort": [ [ 
@@ -441,7 +441,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:ntlm\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:ntlm\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json index 6129beabd..34bd53874 100644 --- a/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -70,7 +70,7 @@ "version": "WzQ5NCwxXQ==", "attributes": { "title": "Connections - Destination - Originator Bytes (region map)", - "visState": "{\"title\":\"Connections - Destination - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "visState": "{\"title\":\"Connections - Destination - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country 
Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, @@ -103,14 +103,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ 
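Review bot: The metric aggregation of this region map is still `\"type\":\"cardinality\"` over `zeek.conn.orig_bytes`, so the per-country shading reflects the number of distinct originator byte counts, not the byte volume that the title and `\"customLabel\":\"Originator Bytes\"` announce. The sibling tile map in 60d78fbd (hunk @@ -56) uses `\"type\":\"sum\"` over `network.bytes`, which suggests `sum` was intended here as well; if so the one-token fix is `\"type\":\"sum\"`. The same cardinality-over-bytes metric appears in the 77fc9960 hunk @@ -80 (`zeek.conn.resp_bytes`, "Responder Bytes"). This predates the field rename and may be deliberate, so it is worth confirming before the dashboards are re-exported rather than silently carrying it into the new field namespace.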
@@ -120,7 +120,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json index 8840dca5c..344fa0e96 100644 --- a/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json +++ b/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json 
@@ -56,7 +56,7 @@ "updated_at": "2021-02-10T21:24:33.654Z", "version": "WzQ5NywxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Destination - Sum of Total Bytes", "uiStateJSON": "{}", 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json index e2c29e975..5f203a921 100644 
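Review bot: The renamed input controls keep their old labels, so the list bound to `network.transport` is still labelled `Protocol` and the one bound to `network.protocol` is labelled `Service`. Under the ECS naming this commit adopts, `network.transport` is the transport-layer name (tcp/udp) and `network.protocol` the application-layer protocol, so the labels now read as swapped relative to the field names for anyone who knows ECS but not Zeek's proto/service terms. Keeping Zeek's wording is defensible, but `\"label\":\"Transport\"` and `\"label\":\"Protocol\"` would match the fields the controls actually filter on. The identical control set appears in the 77fc9960 hunk @@ -110 and would need the same change.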
--- a/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json +++ b/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json @@ -95,7 +95,7 @@ "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"zeek.logType:signatures\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"event.dataset:signatures\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -152,10 +152,10 @@ "description": "", "hits": 0, "columns": [ - "zeek_signatures.note", - "zeek_signatures.signature_id", - "zeek_signatures.signature_count", - "zeek.fuid" + "zeek.signatures.note", + "zeek.signatures.signature_id", + "zeek.signatures.signature_count", + "event.id" ], "sort": [ [ @@ -165,7 +165,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
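Review bot: In hunk @@ -152 the signatures saved search replaces `zeek.fuid` with `event.id`, while the connection-oriented searches elsewhere in this diff replace `zeek.uid` with the same `event.id` (hunks @@ -426 and @@ -103 earlier, @@ -321 later). Unless the ingest pipeline populates `event.id` with the file UID for signature events, this column no longer surfaces the file identifier the old `zeek.fuid` column showed, which is the value an analyst uses to pivot from a signature hit to the extracted file. If the file UID now lives under a renamed field, keeping it as an additional entry in `columns` (`\"<new-fuid-field>\",` — the actual name is not visible in this diff) would preserve that pivot.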
@@ -189,7 +189,7 @@ "version": "WzYyMywxXQ==", "attributes": { "title": "Signatures - Signature IDs", - "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature 
ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", + "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature 
ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -219,7 +219,7 @@ "version": "WzUwOCwxXQ==", "attributes": { "title": "Signatures - Engines", - "visState": "{\"title\":\"Signatures - Engines\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.engine\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Engines\"}}]}", + "visState": "{\"title\":\"Signatures - 
Engines\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.signatures.engine\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Engines\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, diff --git a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json index a6524ff98..95da14455 100644 --- a/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json +++ b/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json 
@@ -255,7 +255,7 @@ "version": "WzUxNiwxXQ==", "attributes": { "title": "IRC - Destination Country", - "visState": "{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", + "visState": "{\"title\":\"IRC - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -285,7 +285,7 @@ "version": "WzUxNywxXQ==", "attributes": { "title": "IRC - Command", - "visState": "{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_irc.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}", + "visState": "{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.irc.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -321,10 +321,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_irc.nick", - "zeek_irc.command", - "zeek_irc.value", - "zeek.uid" + "zeek.irc.nick", + "zeek.irc.command", + "zeek.irc.value", + "event.id" ], "sort": [ [ 
@@ -334,7 +334,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:irc\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:irc\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json index fb54abff2..3b1acabbc 100644 --- a/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -80,7 +80,7 @@ "version": "WzUyMSwxXQ==", "attributes": { "title": "Connections - Destination - Responder Bytes (region map)", - "visState": "{\"title\":\"Connections - Destination - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "visState": "{\"title\":\"Connections - Destination - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country 
Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index 82fa37571..365275fa7 100644 
--- a/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json +++ b/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json @@ -204,7 +204,7 @@ "updated_at": "2021-02-10T21:24:38.098Z", "version": "WzUzMSwxXQ==", "attributes": { - "visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rdp.cookie\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rdp.cookie\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}", "description": "", "title": "RDP - Cookie", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -235,7 +235,7 @@ "version": "WzI2NjYsMV0=", "attributes": { "title": "RDP - Result", - "visState": "{\"title\":\"RDP - Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"RDP - 
Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rdp.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -265,7 +265,7 @@ "version": "WzI2ODAsMV0=", "attributes": { "title": "RDP - Keyboard Layout", - "visState": "{\"title\":\"RDP - Keyboard Layout\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.keyboard_layout\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Keyboard Layout\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"RDP - Keyboard Layout\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rdp.keyboard_layout\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Keyboard Layout\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -295,7 +295,7 @@ "version": "WzI4MTcsMV0=", "attributes": { "title": "RDP - Client Version", - "visState": "{\"title\":\"RDP - Client Version\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.client_build\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Version\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client\",\"aggType\":\"te
rms\"}]}}}", + "visState": "{\"title\":\"RDP - Client Version\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rdp.client_build\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Version\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", 
"version": 1, 
@@ -355,7 +355,7 @@ "version": "WzI3OTMsMV0=", "attributes": { "title": "RDP - Encryption", - "visState": "{\"title\":\"RDP - Encryption\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.encryption_level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.encryption_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Method\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Level\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Method\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"RDP - 
Encryption\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rdp.encryption_level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rdp.encryption_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Method\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Level\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Method\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -391,12 +391,12 @@ "source.ip", "destination.ip", "destination.port", - "zeek_rdp.client_build", - "zeek_rdp.keyboard_layout", - "zeek_rdp.security_protocol", - "zeek_rdp.encryption_method", - "zeek_rdp.result", - "zeek.uid" + "zeek.rdp.client_build", + "zeek.rdp.keyboard_layout", + "zeek.rdp.security_protocol", + "zeek.rdp.encryption_method", + "zeek.rdp.result", + "event.id" ], "sort": [ [ 
@@ -406,7 +406,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:rdp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:rdp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json index 3446b6cd3..133070f8a 100644 --- a/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json +++ b/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json 
@@ -180,7 +180,7 @@ "version": "WzM3MiwxXQ==", "attributes": { "title": "SSL - Version", - "visState": "{\"title\":\"SSL - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_ssl.ssl_version: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"SSL - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.ssl.ssl_version: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ssl.ssl_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -300,7 +300,7 @@ "version": "WzM3NiwxXQ==", "attributes": { "title": "SSL - Server", - "visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Server\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Randomness Score (method 1)\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "visState": 
"{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Server\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Randomness Score (method 1)\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssl.server_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -330,7 +330,7 @@ "version": "WzM3NywxXQ==", "attributes": { "title": "SSL - Destination Country", - "visState": "{\"title\":\"SSL - Destination Country\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"zeek.destination_geo.country_name: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", + "visState": "{\"title\":\"SSL - Destination 
Country\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.geo.country_name: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -359,7 +359,7 @@ "updated_at": "2021-10-12T14:14:37.087Z", "version": "WzM3OCwxXQ==", "attributes": { - "visState": "{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}", "description": "", "title": "SSL - Validation Status", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -420,7 +420,7 @@ "version": "WzM4MCwxXQ==", "attributes": { "title": "SSL - Client JA3 Lookup", - "visState": "{\"title\":\"SSL - Client JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client JA3 Lookup\"}}]}", + "visState": "{\"title\":\"SSL - Client JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tls.client.ja3_description\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client JA3 Lookup\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -450,7 +450,7 @@ "version": "WzM4MSwxXQ==", "attributes": { "title": "SSL - Server JA3 Lookup", - "visState": "{\"title\":\"SSL - Server JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3s_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server JA3 Lookup\"}}]}", + "visState": "{\"title\":\"SSL - Server JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tls.server.ja3s_description\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server JA3 Lookup\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -480,12 +480,12 @@ "version": "WzM4MiwxXQ==", "attributes": { "title": "SSL - Relevant Notices", - "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -510,7 +510,7 @@ "version": "WzM4MywxXQ==", "attributes": { "title": "SSL - Connection Established", - "visState": "{\"title\":\"SSL - Connection Established\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Established\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.established\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Established\"}}]}", + "visState": "{\"title\":\"SSL - Connection 
Established\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Established\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ssl.established\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Established\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -540,7 +540,7 @@ "version": "Wzg0NSwxXQ==", "attributes": { "title": "SSL - Certificate Fingerprint", - "visState": "{\"title\":\"SSL - Certificate Fingerprint\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.fingerprint\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Fingerprint\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"SSL - Certificate Fingerprint\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.x509.fingerprint\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Fingerprint\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -570,7 +570,7 @@ "version": "WzM4NCwxXQ==", "attributes": { "title": "SSL - Next Protocol", - "visState": "{\"title\":\"SSL - Next Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.next_protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Next Protocol\"}}]}", + "visState": "{\"title\":\"SSL - Next Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssl.next_protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Next Protocol\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -600,7 +600,7 @@ "version": "WzM4NSwxXQ==", "attributes": { "title": "SSL - Elliptic Curve", - "visState": "{\"title\":\"SSL - Elliptic Curve\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Elliptic Curve\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.curve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Elliptic Curve\"}}]}", + "visState": 
"{\"title\":\"SSL - Elliptic Curve\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Elliptic Curve\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ssl.curve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Elliptic Curve\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -636,12 +636,12 @@ "source.ip", "destination.ip", "destination.port", - "zeek_ssl.server_name", - "zeek_ssl.established", - "zeek_ssl.validation_status", - "zeek_ssl.ssl_history", - "zeek_ssl.sni_matches_cert", - "zeek.uid" + "zeek.ssl.server_name", + "zeek.ssl.established", + "zeek.ssl.validation_status", + "zeek.ssl.ssl_history", + "zeek.ssl.sni_matches_cert", + "event.id" ], "sort": [ [ @@ -651,7 +651,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssl\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssl\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -678,12 +678,12 @@ "description": "", "hits": 0, "columns": [ - "zeek_notice.category", - "zeek_notice.sub_category", - "zeek_notice.msg", + "zeek.notice.category", + "zeek.notice.sub_category", + "zeek.notice.msg", "source.ip", "destination.ip", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -693,7 +693,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
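Review bot: The two saved searches in the `@@ -636` and `@@ -678` hunks now filter on `event.dataset:ssl` / `event.dataset:notice` and list `event.id` instead of `zeek.uid`, so they depend entirely on the ingest side populating those ECS fields. Any index that still carries only `zeek.logType`/`zeek.uid` (older data, or a pipeline that has not been updated in step with this commit) will make these searches return nothing without an error, which is easy to mistake for "no SSL/notice traffic". It is presumably intended that the logstash/ingest change ships together with this commit; if so, a short note in the commit description naming the field mapping would help anyone applying these dashboards to existing indices. The `sort` entries that follow each column list are outside the hunks and were not checked for a stale `zeek_*` field.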
diff --git a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json index 6166839d7..210173a7d 100644 --- a/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json +++ b/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json @@ -159,7 +159,7 @@ "updated_at": "2021-02-10T21:24:40.130Z", "version": "WzU2MiwxXQ==", "attributes": { - "visState": "{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.cname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.kerberos.cname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}", "description": "", "title": "Kerberos - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
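Review bot: The new `visState` on this hunk still carries the misspelled key `showMeticsAtAllLevels`, which Kibana does not recognise, so the setting is silently ignored and the table falls back to the default; the same misspelling is in the `@@ -219` hunk for "Kerberos - Server". Since the line is being rewritten anyway for the `zeek.kerberos.cname` rename, correct it to `\"showMetricsAtAllLevels\":false` in both visualizations, matching the spelling used by the other table visualizations in this diff (e.g. "Kerberos - Service").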
@@ -190,7 +190,7 @@ "version": "WzIxMDUsMV0=", "attributes": { "title": "Kerberos - Success Status", - "visState": "{\"title\":\"Kerberos - Success Status\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_kerberos.success: Descending\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Kerberos - Success 
Status\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.kerberos.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.kerberos.success: Descending\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -219,7 +219,7 @@ "updated_at": "2021-02-10T21:24:40.130Z", "version": "WzU2NCwxXQ==", "attributes": { - "visState": "{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.kerberos.sname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", "description": "", "title": "Kerberos - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -250,7 +250,7 @@ "version": "WzIwNjMsMV0=", "attributes": { "title": "Kerberos - Cipher", - "visState": "{\"title\":\"Kerberos - Cipher\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.cipher\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"Kerberos - Cipher\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.kerberos.cipher\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -340,7 +340,7 @@ "version": "WzU2OCwxXQ==", "attributes": { "title": "Kerberos - Service", - "visState": "{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", + "visState": "{\"title\":\"Kerberos - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.kerberos.sname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -400,7 +400,7 @@ "version": "WzIwODksMV0=", "attributes": { "title": "Kerberos - Request Types", - "visState": "{\"title\":\"Kerberos - Request Types\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.request_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request Type\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Kerberos - Request Types\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.kerberos.request_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request 
Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request Type\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, 
@@ -430,7 +430,7 @@ "version": "WzIwNDUsMV0=", "attributes": { "title": "Kerberos - Renewable Ticket Requested", - "visState": "{\"title\":\"Kerberos - Renewable Ticket Requested\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.renewable\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Renewable ticket requested\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Renewable ticket requested\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Kerberos - Renewable Ticket Requested\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.kerberos.renewable\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Renewable ticket 
requested\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Renewable ticket requested\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, @@ -496,10 +496,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_kerberos.request_type", - "zeek_kerberos.success", - "zeek_kerberos.error_msg", - "zeek.uid" + "zeek.kerberos.request_type", + "zeek.kerberos.success", + "zeek.kerberos.error_msg", + "event.id" ], "sort": [ [ @@ -509,7 +509,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:kerberos\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:kerberos\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json index be085f0d2..2be139ad3 100644 --- a/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json +++ b/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json 
@@ -185,7 +185,7 @@ "version": "WzU3OCwxXQ==", "attributes": { "title": "DNP3 - Function Request", - "visState": "{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_request\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request\"}}]}", + "visState": "{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3.fc_request\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "DNP3 function in request packet from dnp3.log", "version": 1, 
@@ -215,7 +215,7 @@ "version": "WzU3OSwxXQ==", "attributes": { "title": "DNP3 - Function Reply", - "visState": "{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_reply\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}", + "visState": "{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3.fc_reply\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "DNP3 function in reply packet from dnp3.log", "version": 1, 
@@ -245,12 +245,12 @@ "version": "WzU4MCwxXQ==", "attributes": { "title": "DNP3 - Log Count", - "visState": "{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "Count of DNP3 logs including DNP3 Control and Objects logs", "version": 1, 
"kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
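Review bot: The renamed KQL filter on the `searchSourceJSON` line, `event.dataset:*dnp3*`, keeps a leading-wildcard match, which Elasticsearch resolves by scanning every term of the field and which also matches any dataset whose name merely contains `dnp3`. The saved searches later in this file show the values are the bare log names (`event.dataset:dnp3`, `dnp3_control`, `dnp3_objects`), so an explicit list is both cheaper and exact: `event.dataset:(dnp3 or dnp3_control or dnp3_objects)`. The same wildcard query is carried over unchanged in the `DNP3 - Logs Over Time` hunk that follows.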
@@ -274,12 +274,12 @@ "version": "WzU4MSwxXQ==", "attributes": { "title": "DNP3 - Logs Over Time", - "visState": "{\"title\":\"DNP3 - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:42:16.432Z\",\"max\":\"2021-01-14T16:42:16.432Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"DNP3 - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:42:16.432Z\",\"max\":\"2021-01-14T16:42:16.432Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log 
Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "DNP3 logs over time", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -303,7 +303,7 @@ "version": "WzU4MiwxXQ==", "attributes": { "title": "DNP3 - Internal Indicators Overview", - "visState": "{\"title\":\"DNP3 - Internal Indicators Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Internal Indicators\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dnp3.iin_flags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Internal Indicators\"}}]}", + "visState": "{\"title\":\"DNP3 - Internal Indicators Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Internal 
Indicators\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.dnp3.iin_flags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Internal Indicators\"}}]}", "uiStateJSON": "{}", "description": "DNP3 Internal Indicators from dnp3.iin in dnp3.log", "version": 1, 
@@ -333,7 +333,7 @@ "version": "WzU4MywxXQ==", "attributes": { "title": "DNP3 - Objects Overview", - "visState": "{\"title\":\"DNP3 - Objects Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.object_count\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Count\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.range_low\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range 
Start\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.range_high\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range End\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", + "visState": "{\"title\":\"DNP3 - Objects Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_objects.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object 
Type\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_objects.object_count\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Count\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_objects.range_low\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range Start\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_objects.range_high\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range End\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":null}}}}", "description": "Overview of DNP3 objects from READ-RESPONSE messages in dnp3_objects.log", "version": 1, 
@@ -363,7 +363,7 @@ "version": "WzU4NCwxXQ==", "attributes": { "title": "DNP3 - Control Overview", - "visState": "{\"title\":\"DNP3 - Control Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Control Code\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.index_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Index 
Number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.function_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.block_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Block Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.operation_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.trip_control_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Control Code\"}}]}", + "visState": "{\"title\":\"DNP3 - Control Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Control 
Code\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_control.index_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Index Number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_control.function_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_control.block_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Block Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_control.operation_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation 
Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.dnp3_control.trip_control_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Control Code\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":null}}}}", "description": "Overview of DNP3 control functions from dnp3_control.log", "version": 1, @@ -399,10 +399,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_dnp3.fc_request", - "zeek_dnp3.fc_reply", - "zeek_dnp3.iin_flags", - "zeek.uid" + "zeek.dnp3.fc_request", + "zeek.dnp3.fc_reply", + "zeek.dnp3.iin_flags", + "event.id" ], "sort": [ [ @@ -412,7 +412,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:dnp3\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:dnp3\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -441,10 +441,10 @@ "columns": [ "source.ip", "destination.ip", - "zeek_dnp3_control.function_code", - "zeek_dnp3_control.trip_control_code", - "zeek_dnp3_control.operation_type", - "zeek_dnp3_control.status_code" + "zeek.dnp3_control.function_code", + "zeek.dnp3_control.trip_control_code", + "zeek.dnp3_control.operation_type", + "zeek.dnp3_control.status_code" ], "sort": [ [ 
@@ -454,7 +454,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType==\\\"dnp3_control\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset==\\\"dnp3_control\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -483,11 +483,11 @@ "columns": [ "source.ip", "destination.ip", - "zeek_dnp3_objects.function_code", - "zeek_dnp3_objects.object_type", - "zeek_dnp3_objects.object_count", - "zeek_dnp3_objects.range_high", - "zeek_dnp3_objects.range_low" + "zeek.dnp3_objects.function_code", + "zeek.dnp3_objects.object_type", + "zeek.dnp3_objects.object_count", + "zeek.dnp3_objects.range_high", + "zeek.dnp3_objects.range_low" ], "sort": [ [ @@ -497,7 +497,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType==\\\"dnp3_objects\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset==\\\"dnp3_objects\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json index 3ba221b52..d52fb81b8 100644 --- a/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json +++ b/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json 
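Review bot: The renamed saved-search query `event.dataset==\"dnp3_control\"` is declared as `language: lucene`, but `==` is not Lucene field syntax (`=` is a reserved character for query_string), whereas the sibling DNP3 saved search in the preceding hunk uses the Lucene form `event.dataset:dnp3`. Whether this filter ever matched as intended cannot be told from the diff; the rename preserves the odd shape rather than fixing it. `event.dataset:dnp3_control` here, and `event.dataset:dnp3_objects` in the second hunk on this line, would make the three saved searches consistent and unambiguous.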
@@ -115,7 +115,7 @@ "version": "WzU5MCwxXQ==", "attributes": { "title": "MQTT - Log Count", - "visState": "{\"title\":\"MQTT - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}", + "visState": "{\"title\":\"MQTT - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -145,7 +145,7 @@ "version": "WzU5MSwxXQ==", "attributes": { "title": "MQTT - Log Count Over Time", - "visState": "{\"title\":\"MQTT - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}", + "visState": "{\"title\":\"MQTT - Log Count Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -235,7 +235,7 @@ "version": "WzU5NCwxXQ==", "attributes": { "title": "MQTT - Protocol", - "visState": "{\"title\":\"MQTT - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"MQTT Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_version\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol Version\"}}]}", + "visState": "{\"title\":\"MQTT - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.mqtt_connect.proto_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"MQTT 
Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.mqtt_connect.proto_version\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol Version\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -265,7 +265,7 @@ "version": "WzU5NSwxXQ==", "attributes": { "title": "MQTT - Client ID", - "visState": "{\"title\":\"MQTT - Client ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_connect.client_id\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client ID\"}}]}", + "visState": "{\"title\":\"MQTT - Client ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_connect.client_id\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client ID\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -295,7 +295,7 @@ "version": "WzU5NiwxXQ==", "attributes": { "title": "MQTT - Subscription", - "visState": "{\"title\":\"MQTT - Subscription\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.topics\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.action\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Action\"}}]}", + "visState": "{\"title\":\"MQTT - 
Subscription\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_subscribe.topics\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_subscribe.action\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Action\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -325,7 +325,7 @@ "version": "WzU5NywxXQ==", "attributes": { "title": "MQTT - Publish", - "visState": "{\"title\":\"MQTT - Publish\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", + "visState": "{\"title\":\"MQTT - 
Publish\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -355,7 +355,7 @@ "version": "WzU5OCwxXQ==", "attributes": { "title": "MQTT - Publish Payload", - "visState": "{\"title\":\"MQTT - Publish Payload\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From 
Client\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload_len\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Length\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Payload\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", + "visState": "{\"title\":\"MQTT - Publish Payload\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From 
Client\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.payload_len\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Length\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.payload\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Payload\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -391,8 +391,8 @@ "source.ip", "destination.ip", "destination.port", - "zeek.logType", - "zeek.uid" + "event.dataset", + "event.id" ], "sort": [ [ @@ -402,7 +402,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -430,12 +430,12 @@ "hits": 0, "columns": [ "source.ip", - "zeek_mqtt_connect.client_id", + "zeek.mqtt_connect.client_id", "destination.ip", "destination.port", - "zeek_mqtt_connect.proto_name", - "zeek_mqtt_connect.connect_status", - "zeek.uid" + "zeek.mqtt_connect.proto_name", + "zeek.mqtt_connect.connect_status", + "event.id" ], "sort": [ [ @@ -445,7 +445,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -475,10 +475,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_mqtt_subscribe.action", - "zeek_mqtt_subscribe.topics", - "zeek_mqtt_subscribe.ack", - "zeek.uid" + "zeek.mqtt_subscribe.action", + "zeek.mqtt_subscribe.topics", + "zeek.mqtt_subscribe.ack", + "event.id" ], "sort": [ [ @@ -488,7 +488,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -518,10 +518,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_mqtt_publish.from_client", - "zeek_mqtt_publish.topic", - "zeek_mqtt_publish.status", - "zeek.uid" + "zeek.mqtt_publish.from_client", + "zeek.mqtt_publish.topic", + "zeek.mqtt_publish.status", + "event.id" ], "sort": [ [ @@ -531,7 +531,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"mqtt_publish\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"mqtt_publish\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json index 65219b7ac..ecad1ef1c 100644 --- a/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json +++ b/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json 
@@ -144,7 +144,7 @@ "updated_at": "2021-02-10T21:24:43.189Z", "version": "WzYwNywxXQ==", "attributes": { - "visState": "{\"title\":\"Software - Summary\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.software_type\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.name\",\"otherBucket\":false,\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_major\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_minor\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Software - 
Summary\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.software.software_type\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.software.name\",\"otherBucket\":false,\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.software.version_major\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.software.version_minor\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", "title": "Software - Summary", "uiStateJSON": "{}", @@ -179,9 +179,10 @@ "hits": 0, "columns": [ "source.ip", - "zeek_software.software_type", - "zeek_software.name", - "zeek_software.unparsed_version" + "zeek.software.software_type", + "zeek.software.name", + "zeek.software.unparsed_version", + "url.full" ], "sort": [ [ 
@@ -191,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:software\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:software\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json index 3d36755fe..4af61c134 100644 --- a/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json +++ b/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json 
@@ -260,7 +260,7 @@ "version": "WzYxNiwxXQ==", "attributes": { "title": "Syslog - Severity", - "visState": "{\"title\":\"Syslog - Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Severity\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_syslog.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Severity\"}}]}", + "visState": "{\"title\":\"Syslog - 
Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Severity\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.syslog.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Severity\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -290,7 +290,7 @@ "version": "WzM1NTcsMV0=", "attributes": { "title": "Syslog - Facility", - "visState": "{\"title\":\"Syslog - Facility\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_syslog.facility\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Facility\",\"aggType\":\"terms\"}]}}}", + "visState": 
"{\"title\":\"Syslog - Facility\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.syslog.facility\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Facility\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -320,7 +320,7 @@ "version": "WzYxOCwxXQ==", "attributes": { "title": "Syslog - Protocol", - "visState": "{\"title\":\"Syslog - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Protocol\"}}]}", + "visState": "{\"title\":\"Syslog - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP 
Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Protocol\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -356,10 +356,10 @@ "source.ip", "destination.ip", "destination.port", - "zeek_syslog.severity", - "zeek_syslog.facility", - "zeek_syslog.message", - "zeek.uid" + "zeek.syslog.severity", + "zeek.syslog.facility", + "zeek.syslog.message", + "event.id" ], "sort": [ [ @@ -369,7 +369,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:syslog\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:syslog\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json index d79ade603..94d0ebfab 100644 --- a/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json +++ b/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json 
@@ -120,7 +120,7 @@ "version": "WzQ2NywxXQ==", "attributes": { "title": "Notices by Category", - "visState": "{\"title\":\"Notices by Category\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"}}]}", + "visState": "{\"title\":\"Notices by 
Category\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -150,7 +150,7 @@ "version": "WzQ2OCwxXQ==", "attributes": { "title": "Signatures - Signature IDs", - "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature 
ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", + "visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature 
ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -180,7 +180,7 @@ "version": "WzQ2OSwxXQ==", "attributes": { "title": "Clear-text Transmission of Passwords ", - "visState": "{\"title\":\"Clear-text Transmission of Passwords \",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"}}]}", + "visState": "{\"title\":\"Clear-text Transmission of Passwords 
\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -209,12 +209,12 @@ "version": "WzQ3MCwxXQ==", "attributes": { "title": "Outdated/Insecure Application Protocols", - "visState": "{\"title\":\"Outdated/Insecure Application Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", + "visState": "{\"title\":\"Outdated/Insecure Application 
Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"(NOT zeek.logType:known*) AND ((zeek.service:ssh AND zeek.service_version < 2) OR (zeek.service:smb AND zeek.service_version < 2) OR (zeek.service:tls AND NOT zeek.service_version:(*TLS*v12* OR *TLS*v13*)) OR (zeek.service:ntp AND zeek.service_version < 4) OR (zeek.service:rfb AND zeek.service_version < 3.8) OR (zeek.service:rdp AND 
zeek.service_version < 6.0) OR (zeek.service:snmp AND zeek.service_version < 3) OR (zeek.service:ldap AND zeek.service_version < 3) OR (zeek.service:ftp) OR (zeek.service:tftp) OR (zeek.service:telnet) OR (zeek.service:rlogin) OR (zeek.service:rsh))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"(NOT event.dataset:known*) AND ((network.protocol:ssh AND network.protocol_version < 2) OR (network.protocol:smb AND network.protocol_version < 2) OR (network.protocol:tls AND NOT network.protocol_version:(*TLS*v12* OR *TLS*v13*)) OR (network.protocol:ntp AND network.protocol_version < 4) OR (network.protocol:rfb AND network.protocol_version < 3.8) OR (network.protocol:rdp AND network.protocol_version < 6.0) OR (network.protocol:snmp AND network.protocol_version < 3) OR (network.protocol:ldap AND network.protocol_version < 3) OR (network.protocol:ftp) OR (network.protocol:tftp) OR (network.protocol:telnet) OR (network.protocol:rlogin) OR (network.protocol:rsh))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -238,7 +238,7 @@ "version": "WzQ3MSwxXQ==", "attributes": { "title": "Connections by Destination Country (region map)", - "visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"
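Review bot: The rewritten KQL in `searchSourceJSON` still compares `network.protocol_version` numerically (`< 2`, `< 3.8`, `< 6.0`), which is only meaningful if the renamed field is mapped as a numeric type in the index template; on a keyword mapping the range is evaluated lexicographically, so a version such as "10.7" sorts before "6.0" and is reported as outdated while genuinely old versions can be missed. Since this visualization is the "Outdated/Insecure Application Protocols" detection, the mapping of `network.protocol_version` should be confirmed alongside the rename from `zeek.service_version`. A one-line `"description"` on the saved object stating that the query assumes a numeric `network.protocol_version` would make the dependency visible to whoever next edits the template.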

OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service

\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", + "visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"

OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service

\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[37.16031654673677,-5.7511603125000015]}", "description": "", "version": 1, 
@@ -268,7 +268,7 @@ "version": "WzQ3MiwxXQ==", "attributes": { "title": "Inbound External Traffic by Country", - "visState": "{\"title\":\"Inbound External Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}", + "visState": "{\"title\":\"Inbound External Traffic by 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -297,7 +297,7 @@ "version": "WzQ3MywxXQ==", "attributes": { "title": "Outbound Internal Traffic by Country", - "visState": "{\"title\":\"Outbound Internal Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}", + "visState": "{\"title\":\"Outbound Internal Traffic by 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -326,7 +326,7 @@ "version": "WzQ3NCwxXQ==", "attributes": { "title": "DNS Queries by Randomness", - "visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", + "visState": "{\"title\":\"DNS Queries by 
Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}", "description": "", "version": 1, 
@@ -356,7 +356,7 @@ "version": "WzQ3NiwxXQ==", "attributes": { "title": "File Types Observed", - "visState": "{\"title\":\"File Types Observed\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":true}}", + "visState": "{\"title\":\"File Types Observed\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":true}}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -385,12 +385,12 @@ "version": "Wzg2MSwxXQ==", "attributes": { "title": "OCSP - Certificate Revocation", - "visState": "{\"title\":\"OCSP - Certificate Revocation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ocsp.certStatus\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Status\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ocsp.revokereason\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revocation Reason\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"OCSP - Certificate Revocation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ocsp.certStatus\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Certificate Status\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ocsp.revokereason\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revocation 
Reason\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek_ocsp.certStatus:good\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.ocsp.certStatus:good\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -415,12 +415,12 @@ "version": "WzQ3NSwxXQ==", "attributes": { "title": "External Remote Access Over Time", - "visState": "{\"title\":\"External Remote Access Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":
true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"External Remote Access Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": 
"{\"vis\":{\"legendOpen\":true}}",
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"zeek.service:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
 },
 "savedSearchRefName": "search_0"
 },
@@ -448,12 +448,12 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_notice.category",
- "zeek_notice.sub_category",
- "zeek_notice.msg",
+ "zeek.notice.category",
+ "zeek.notice.sub_category",
+ "zeek.notice.msg",
 "source.ip",
 "destination.ip",
- "zeek.uid"
+ "event.id"
 ],
 "sort": [
 [
@@ -463,7 +463,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -490,10 +490,10 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek_signatures.note",
- "zeek_signatures.signature_id",
- "zeek_signatures.signature_count",
- "zeek.fuid"
+ "zeek.signatures.note",
+ "zeek.signatures.signature_id",
+ "zeek.signatures.signature_count",
+ "event.id"
 ],
 "sort": [
 [
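Review bot: In the signatures saved search (`@@ -490`) the `zeek.fuid` column is replaced by `event.id`, the same column the connection-oriented searches in this file now use in place of `zeek.uid`; the OCSP search at `@@ -615` makes the same substitution. If the pipeline fills `event.id` from the connection uid, these two searches no longer show the file identifier they exposed before, and the analyst loses the pivot from a signature or OCSP hit to the extracted file. Please confirm that `event.id` carries the file uid for the signatures and ocsp datasets, or keep the file identifier as a separate column under its post-migration name.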
@@ -503,7 +503,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -530,14 +530,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -547,7 +547,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -576,9 +576,9 @@ "columns": [ "source.ip", "destination.ip", - "zeek_dns.query", - "zeek_dns.answers", - "zeek.uid" + "zeek.dns.query", + "zeek.dns.answers", + "event.id" ], "sort": [ [ 
@@ -588,7 +588,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -615,18 +615,18 @@ "description": "", "hits": 0, "columns": [ - "zeek_ocsp.thisUpdate", - "zeek_ocsp.nextUpdate", - "zeek_ocsp.certStatus", - "zeek_ocsp.revokereason", - "zeek_ocsp.revoketime", - "zeek_ocsp.serialNumber", - "zeek.fuid" + "zeek.ocsp.thisUpdate", + "zeek.ocsp.nextUpdate", + "zeek.ocsp.certStatus", + "zeek.ocsp.revokereason", + "zeek.ocsp.revoketime", + "zeek.ocsp.serialNumber", + "event.id" ], "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json index 0404cf5e9..ed1f8c396 100644 --- a/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json +++ b/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json 
@@ -139,7 +139,7 @@ "updated_at": "2021-02-10T21:24:46.241Z", "version": "WzYzOSwxXQ==", "attributes": { - "visState": "{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.seen_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.files.seen_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}", "description": "", "title": "Files - Files By Size (Bytes)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -199,7 +199,7 @@ "updated_at": "2021-02-10T21:24:46.241Z", "version": "WzY0MSwxXQ==", "attributes": { - "visState": "{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.tx_hosts\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}", "description": "", "title": "FIles - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
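Review bot: The title `FIles - Source IP Address` in this hunk (in both `visState` and the `title` attribute) and `FIles - MIME Type` in the `@@ -259` hunk keep a capitalisation typo even though the field rename rewrites these lines; `\"title\":\"Files - Source IP Address\"` would fix it in the same pass. The bucket's `customLabel` also still reads `File IP Address` although the field is now `source.ip`; a label matching the panel title, `\"customLabel\":\"Source IP Address\"`, would make the table self-describing.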
@@ -230,7 +230,7 @@ "version": "WzY0MiwxXQ==", "attributes": { "title": "Files - MIME Type", - "visState": "{\"title\":\"Files - MIME Type\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}", + "visState": "{\"title\":\"Files - MIME 
Type\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
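Review bot: `\"show\":\"true\"` in the `seriesParams` of this visState is a string where every other `show` flag in the same object is the boolean `true`; it presumably still works because a non-empty string is truthy, but since the line is rewritten anyway, `\"show\":true` would remove the inconsistency. The same serialised state appears unchanged in the `@@ -259` table variant of this panel only as `perPage`/`sort` params, so this is the one place to fix it.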
@@ -259,7 +259,7 @@ "updated_at": "2021-02-10T21:24:46.241Z", "version": "WzY0MywxXQ==", "attributes": { - "visState": "{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", "title": "FIles - MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -320,7 +320,7 @@ "version": "WzY0NSwxXQ==", "attributes": { "title": "Files - Source", - "visState": "{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}", + "visState": "{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.files.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, @@ -353,12 +353,11 @@ "description": "", "hits": 0, "columns": [ - "zeek_files.tx_hosts", + "source.ip", "destination.ip", - "zeek_files.source", - "zeek_files.mime_type", - "zeek.uid", - "zeek.fuid" + "zeek.files.source", + "file.mime_type", + "event.id" ], "sort": [ [ 
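Review bot: The files saved search in the `@@ -353` hunk folds the former `zeek.uid` and `zeek.fuid` columns into a single `event.id`, so the saved object no longer shows whether `event.id` carries the connection UID or the file UID, and the pivot between a file record and its connection that the two columns provided is lost unless the other identifier is kept as a column. Zeek's files.log `tx_hosts` is a set of addresses while `source.ip` is a single value; if the pipeline maps only one element, or drops multi-host records, the commit description should say so. Keeping a second identifier column for the other UID, under whatever name the pipeline now emits it, would preserve the old drill-down.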
@@ -368,7 +367,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json index 846a5de8e..0d03931cf 100644 --- a/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/kibana/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json index 8beb8f33d..31edce27d 100644 
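Review bot: In the input-control visState of the `@@ -110` hunk the control bound to `network.transport` is still labelled `Protocol` and the one bound to `network.protocol` is labelled `Service`, which now disagrees with the `Application Protocol` label that the `@@ -100` hunk of a33e0a50-afcd-11ea-993f-b7d8522a8bed.json attaches to the same `network.protocol` field. Relabelling them `\"label\":\"Transport\"` and `\"label\":\"Application Protocol\"` would keep the two dashboards' vocabulary consistent with the ECS meanings of the renamed fields.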
--- a/kibana/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json +++ b/kibana/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json @@ -100,7 +100,7 @@ "version": "WzY1MywxXQ==", "attributes": { "title": "Filter by Application Protocol", - "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -129,7 +129,7 @@ "version": "WzY1NCwxXQ==", "attributes": { "title": "Total Log Count Over Time by Application Protocol", - "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application 
Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}", + "visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application 
Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -188,12 +188,12 @@ "version": "WzkyMywxXQ==", "attributes": { "title": "Top Actions and Results by Service", - "visState": "{\"title\":\"Top Actions and Results by Service\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", + "visState": "{\"title\":\"Top Actions and Results by 
Service\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.service:* AND (zeek.action:* OR zeek.result:*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": 
"{\"query\":{\"query\":\"network.protocol:* AND (event.action:* OR event.result:*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
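Review bot: The kuery `network.protocol:* AND (event.action:* OR event.result:*)` and the `event.result` terms bucket in this hunk (also in the `@@ -246` and `@@ -278` hunks) rely on `event.result`, which as far as I can tell is not an ECS field — ECS records the outcome of an action in `event.outcome`. If `event.result` is a project-specific field, confirm it is declared in the index template and index pattern, since an unmapped field leaves the sankey and the Results table empty; if ECS alignment is the goal of this rename, `event.outcome` is the conventional name.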
@@ -217,7 +217,7 @@ "version": "WzY1NiwxXQ==", "attributes": { "title": "Actions", - "visState": "{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}", + "visState": 
"{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -246,7 +246,7 @@ "version": "WzY1NywxXQ==", "attributes": { "title": "Results", - "visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", + "visState": 
"{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -278,14 +278,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.service", - "zeek.action", - "zeek.result", + "event.dataset", + "network.protocol", + "event.action", + "event.result", "source.ip", "destination.ip", "destination.port", - "zeek.uid" + "event.id" ], "sort": [ [ 
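Review bot: The saved-search column `zeek.uid` is replaced by `event.id`, and in ECS `event.id` is meant to be a per-event identifier, whereas a Zeek uid is a per-connection handle shared by every log line for that connection; if the pipeline copies uid into `event.id`, the column still works for pivoting but the name now implies a uniqueness the data does not have. I cannot see the ingest mapping from this hunk, so please confirm that `event.id` is what the pipeline actually populates for Zeek records rather than, say, a document-level id. The same column rename is repeated in the hunks at -185, -409 and -453 of the a7514350 dashboard; the new column names there (`zeek.profinet.*`, `zeek.profinet_dce_rpc.*`) also need to exist in the index pattern the `references` entry points at, which is outside this diff.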
@@ -295,7 +295,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index deec7780d..f5ccdfc94 100644 --- a/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json 
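Review bot: The Lucene query `event.dataset:*` is broader than the `zeek.logType:*` it replaces: the old field was only ever set on Zeek documents, while `event.dataset` is a generic ECS field that any other source indexed under the same index pattern may populate, so this saved search and the panels built on it can now return non-Zeek hits. If the intent is still "every Zeek log", the query should carry a provider qualifier as well, for example `event.dataset:* AND <provider field>:zeek` with whatever field the pipeline uses to tag the source (not visible here). The terms aggregations on `event.dataset` in the a7514350 hunks at -110 and -144 widen the same way.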
@@ -110,12 +110,12 @@ "version": "WzY2MywxXQ==", "attributes": { "title": "PROFINET - Log Count", - "visState": "{\"title\":\"PROFINET - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"PROFINET - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"profinet\"}},{\"match_phrase\":{\"event.dataset\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
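Review bot: The phrase filter in `searchSourceJSON` now keys on `event.dataset` but keeps the literal values `profinet` and `profinet_dce_rpc` and the `match_phrase` clauses built from them, which is only correct if the pipeline writes the bare Zeek log name into `event.dataset`; if it emits a prefixed value (ECS datasets are commonly `module.name`), the filter silently matches nothing and this metric shows zero with no error. Confirm the emitted values against the ingest pipeline before merging. The `alias` is still `"Zeek Log Type"`, which no longer names the field it filters on; `"alias":"Log Type"` would match the new key and the `customLabel` used in the visState. The same filter/query pattern recurs in this file's hunks at -144, -198, -422 and -465.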
@@ -144,12 +144,12 @@ "version": "WzY2NCwxXQ==", "attributes": { "title": "PROFINET - Logs Over Time", - "visState": "{\"title\":\"PROFINET - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"PROFINET - Logs Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, 
profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"profinet\"}},{\"match_phrase\":{\"event.dataset\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -185,10 +185,10 @@ "source.port", "destination.ip", "destination.port", - "zeek_profinet.operation_type", - "zeek_profinet.index", - "zeek_profinet_dce_rpc.operation", - "zeek.uid" + "zeek.profinet.operation_type", + "zeek.profinet.index", + "zeek.profinet_dce_rpc.operation", + "event.id" ], "sort": [ [ 
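Review bot: The `date_histogram` aggregation in the new `visState` still buckets on `firstPacket` while every other field in this hunk was moved to an ECS-style name, so the histogram now depends on the old timestamp field surviving the migration. If the pipeline renamed the timestamp in the same change the panel will render empty; if `firstPacket` is intentionally shared and kept, noting that in the saved object's `"description"` (currently `""`) would stop the next field migration from breaking it. I cannot tell from this hunk which is the case.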
@@ -198,7 +198,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -282,7 +282,7 @@ "version": "WzY2OCwxXQ==", "attributes": { "title": "PROFINET - Operation", - "visState": "{\"title\":\"PROFINET - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}}]}", + "visState": "{\"title\":\"PROFINET - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -312,7 +312,7 @@ "version": "WzY2OSwxXQ==", "attributes": { "title": "PROFINET - Operation Details", - "visState": "{\"title\":\"PROFINET - Operation Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.slot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Slot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.subslot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Subslot\"}}]}", + "visState": "{\"title\":\"PROFINET - Operation 
Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.slot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Slot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.profinet.subslot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Subslot\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -342,7 +342,7 @@ "version": "WzY3MCwxXQ==", "attributes": { "title": "PROFINET DCE/RPC - Operation", - "visState": "{\"title\":\"PROFINET DCE/RPC - Operation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.operation\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}", + "visState": "{\"title\":\"PROFINET DCE/RPC - Operation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.profinet_dce_rpc.operation\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -372,7 +372,7 @@ "version": "WzY3MSwxXQ==", "attributes": { "title": "PROFINET DCE/RPC - Packet Type", - "visState": "{\"title\":\"PROFINET DCE/RPC - Packet Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.packet_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Packet Type\"}}]}", + "visState": "{\"title\":\"PROFINET DCE/RPC - Packet Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.profinet_dce_rpc.packet_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Packet Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -409,10 +409,10 @@ "source.port", "destination.ip", "destination.port", - "zeek_profinet.block_version", - "zeek_profinet.operation_type", - "zeek_profinet.index", - "zeek.uid" + "zeek.profinet.block_version", + "zeek.profinet.operation_type", + "zeek.profinet.index", + "event.id" ], "sort": [ [ 
@@ -422,7 +422,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -453,9 +453,9 @@ "source.port", "destination.ip", "destination.port", - "zeek_profinet_dce_rpc.version", - "zeek_profinet_dce_rpc.operation", - "zeek.uid" + "zeek.profinet_dce_rpc.version", + "zeek.profinet_dce_rpc.operation", + "event.id" ], "sort": [ [ @@ -465,7 +465,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index 2888e1acf..1770ca661 100644 --- a/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json 
@@ -220,7 +220,7 @@ "version": "WzY3NywxXQ==", "attributes": { "title": "Connections - Service By Destination Country", - "visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}", + "visState": "{\"title\":\"Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination.geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -309,7 +309,7 @@ "updated_at": "2021-02-10T21:24:50.357Z", "version": "WzY4MCwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_code2\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.geo.country_code2\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}", "description": "", "title": "Connections - Source Country", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
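Review bot: The terms aggregation now targets `source.geo.country_code2`, which is the legacy Logstash geoip field name placed under an ECS-style parent; ECS names this field `source.geo.country_iso_code`, so either the geoip stage emits a non-ECS name under `source.geo` or this visualization points at a field that will not exist. Please confirm which name the pipeline actually produces; the sibling hunk at -220 uses `destination.geo.country_name`, a valid ECS name, so the two should agree. Separately, `showMeticsAtAllLevels` (sic) is carried over on the new side of this hunk and of -339 and -369; an unknown key is presumably ignored, but `showMetricsAtAllLevels` is the spelling this same diff uses in the -400 hunk.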
@@ -339,7 +339,7 @@ "updated_at": "2021-02-10T21:24:50.357Z", "version": "WzY4MSwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.conn.resp_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}", "description": "", "title": "Connections - Responder Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -369,7 +369,7 @@ "updated_at": "2021-02-10T21:24:50.357Z", "version": "WzY4MiwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.missed_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.conn.missed_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}", "description": "", "title": "Connections - Missed Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -400,7 +400,7 @@ "version": "WzY4MywxXQ==", "attributes": { "title": "Connections - Connection State", - "visState": "{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection State Description\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_conn.conn_state_description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State Description\"}}]}", + "visState": "{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection State 
Description\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.conn.conn_state_description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State Description\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -430,7 +430,7 @@ "version": "WzY4NCwxXQ==", "attributes": { "title": "Connections - Top 10 - Total Bytes By Connection", - "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":false,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Total 
Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.uid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.uid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection ID\"}}]}", + "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":false,\"truncate\":100,\"rotate\":75},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"max\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Connection ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection 
ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection ID\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, @@ -663,7 +663,7 @@ "version": "WzY5MiwxXQ==", "attributes": { "title": "Connections - Source MAC OUI", - "visState": "{\"title\":\"Connections - Source MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.orig_l2_oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}}]}", + "visState": "{\"title\":\"Connections - Source MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC OUI\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -693,7 +693,7 @@ "version": "WzY5MywxXQ==", "attributes": { "title": "Connections - Destination MAC OUI", - "visState": "{\"title\":\"Connections - Destination MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_l2_oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}}]}", + "visState": "{\"title\":\"Connections - Destination MAC OUI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.oui\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC OUI\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -843,7 +843,7 @@ "version": "WzY5OCwxXQ==", "attributes": { "title": "Connections - Protocol", - "visState": "{\"title\":\"Connections - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"Connections - 
Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -906,14 +906,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -923,7 +923,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
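Review bot: The saved search's `columns` list (hunk at -906) renames `zeek.proto`, `zeek.service` and `zeek.uid` to `network.transport`, `network.protocol` and `event.id`, but the `sort` array that begins at `"sort": [ [` is cut off by the hunk, so it is worth confirming it does not still name one of the old `zeek.*` columns — a sort on a field absent from the index pattern would likely be ignored silently rather than rejected at import. The query change in the hunk at -923, `event.dataset:conn`, is consistent with the column rename.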
diff --git a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
index 65be484ba..baa251d7b 100644
--- a/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
+++ b/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
@@ -1,5 +1,5 @@
{
- "version": "7.10.0",
+ "version": "7.10.2",
"objects": [
{
"id": "ae79b7d1-4281-4095-b2f6-fa7eafda9970",
@@ -7,13 +7,13 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-11T16:14:34.527Z", - "version": "WzI2MjYsMV0=", + "updated_at": "2021-11-12T20:01:32.314Z", + "version": "WzEwMzgsMV0=", "attributes": { "title": "RADIUS", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":12,\"y\":27,\"w\":14,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":26,\"y\":27,\"w\":22,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":17,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":35,\"i\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\"},\"panelIndex\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":24,\"h\":15,\"i\":\"118a0612-bdbb-4918-aab5-79830ee636aa\"},\"panelIndex\":\"118a0612-bdbb-4918-aab5-79830ee636aa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", + "panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":12,\"y\":27,\"w\":14,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"colu
mnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":26,\"y\":27,\"w\":22,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":20,\"y\":8,\"w\":17,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":35,\"i\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\"},\"panelIndex\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, @@ -71,11 +71,6 @@ "name": "panel_9", "type": "search", "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0" - }, - { - "name": "panel_10", - "type": "visualization", - "id": "168e6b40-6c83-11eb-b775-c574dc643cbb" } ], "migrationVersion": { 
@@ -88,8 +83,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:09.616Z", - "version": "Wzg3MiwxXQ==", + "updated_at": "2021-11-12T19:33:10.652Z", + "version": "WzkzNywxXQ==", "attributes": { "title": "Zeek Logs", "visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/kibana/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[β†ͺ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● 
[IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/kibana/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT 
Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -111,8 +106,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcwMywxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "WzczNSwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}", "description": "", 
@@ -141,8 +136,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcwNCwxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "WzczNiwxXQ==", "attributes": { "visState": "{\"title\":\"RADIUS - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}", "description": "", 
@@ -171,8 +166,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-11T16:09:23.116Z", - "version": "WzI0MzgsMV0=", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "WzczNywxXQ==", "attributes": { "title": "RADIUS - Destination IP Address", "visState": "{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}", 
@@ -201,10 +196,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcwNiwxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "WzczOCwxXQ==", "attributes": { - "visState": "{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.radius.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}", "description": "", "title": "RADIUS - MAC", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -231,10 +226,10 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcwNywxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "WzczOSwxXQ==", "attributes": { - "visState": "{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.connect_info\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.radius.connect_info\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}", "description": "", "title": "RADIUS - Connection Information", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -261,8 +256,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcwOSwxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "Wzc0MCwxXQ==", "attributes": { "title": "RADIUS - Log Count", "visState": "{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}", 
@@ -291,11 +286,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcxMCwxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "Wzc0MSwxXQ==", "attributes": { "title": "RADIUS - Username", - "visState": "{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}", + "visState": "{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
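Review bot: The Username table now buckets on `related.user`, which in ECS is a multi-valued collection of every user name associated with an event rather than the single authenticated RADIUS user, so if the pipeline ever populates more than one value for a radius record the terms aggregation will mix them into one table. If `user.name` is populated for radius events it is the more precise field here: `\"field\":\"user.name\"`. The same substitution appears in the saved-search columns at L751, so both should use whichever field is chosen.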
@@ -321,11 +316,11 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-11T16:06:45.852Z", - "version": "WzI0MTYsMV0=", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "Wzc0MiwxXQ==", "attributes": { "title": "RADIUS - Authentication Result", - "visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_radius.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.radius.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, @@ -351,8 +346,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:24:51.359Z", - "version": "WzcxMiwxXQ==", + "updated_at": "2021-11-12T19:32:50.243Z", + "version": "Wzc0MywxXQ==", "attributes": { "title": "RADIUS - Logs", "description": "", 
@@ -361,11 +356,11 @@ "source.ip", "destination.ip", "destination.port", - "zeek.user", - "zeek_radius.mac", - "zeek_radius.framed_addr", - "zeek_radius.result", - "zeek.uid" + "related.user", + "zeek.radius.mac", + "zeek.radius.framed_addr", + "zeek.radius.result", + "event.id" ], "sort": [ [ @@ -375,7 +370,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:radius\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:radius\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
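Review bot: The saved-search query `event.dataset:radius` loses the implicit Zeek scoping that `zeek.logType:radius` carried, so any other log source that emits a `radius` dataset into the same index would be pulled into the RADIUS - Logs table. If the pipeline records a provider/module for Zeek documents, constraining on it as well would restore that scope, e.g. `\"query\":\"event.provider:zeek AND event.dataset:radius\"`; the same applies to `event.dataset:ntp` at L753 and `event.dataset:conn` at L765 and L771. Whether the shipped index actually contains non-Zeek datasets under these names is not visible from the diff, so this may be acceptable as is.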
@@ -388,36 +383,6 @@ "migrationVersion": { "search": "7.9.3" } - }, - { - "id": "168e6b40-6c83-11eb-b775-c574dc643cbb", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2021-02-11T16:06:23.988Z", - "version": "WzI0MDEsMV0=", - "attributes": { - "title": "RADIUS - Authentication Result", - "visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_radius.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "33bc7949-5692-4044-9e3c-0791dc7d70c0" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } } ] } \ No newline at end of file diff --git a/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json index 8c7e577b8..bb256599a 100644 --- a/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json +++ b/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json 
@@ -115,12 +115,12 @@ "columns": [ "source.ip", "destination.ip", - "zeek_ntp.version", - "zeek_ntp.stratum", - "zeek_ntp.mode_str", - "zeek_ntp.org_time", - "zeek_ntp.xmt_time", - "zeek.uid" + "zeek.ntp.version", + "zeek.ntp.stratum", + "zeek.ntp.mode_str", + "zeek.ntp.org_time", + "zeek.ntp.xmt_time", + "event.id" ], "sort": [ [ @@ -130,7 +130,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:ntp\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:ntp\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -184,7 +184,7 @@ "version": "WzcxNywxXQ==", "attributes": { "title": "NTP - Log Count Over Time", - "visState": "{\"title\":\"NTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Version\"}}]}", + "visState": "{\"title\":\"NTP - Log Count Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Version\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
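Review bot: This hunk rewrites `visState` for "NTP - Log Count Over Time" but leaves `"version": "WzcxNywxXQ=="` untouched, whereas the RADIUS hunks at L746–L750 refresh both `updated_at` and `version` alongside the same kind of field rename, so the two dashboard files now follow different conventions for edited saved objects. As far as I know Kibana uses `version` only as an optimistic-concurrency token and import with overwrite tolerates a stale one, so this is a consistency point rather than a functional one. Either re-export these objects so the metadata is refreshed, or drop the metadata churn from the RADIUS file; the same pattern is at L757, L758, L759, L761, L763 (where `updated_at` is visibly unchanged), L769 and L771.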
@@ -214,7 +214,7 @@ "version": "WzcxOCwxXQ==", "attributes": { "title": "NTP - Stratum", - "visState": "{\"title\":\"NTP - Stratum\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.stratum\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Stratum\"}}]}", + "visState": "{\"title\":\"NTP - 
Stratum\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ntp.stratum\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Stratum\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -244,7 +244,7 @@ "version": "WzcxOSwxXQ==", "attributes": { "title": "NTP - Version", - "visState": "{\"title\":\"NTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Version\"}}]}", + "visState": "{\"title\":\"NTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Version\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -274,7 +274,7 @@ "version": "WzcyMCwxXQ==", "attributes": { "title": "NTP - Mode", - "visState": "{\"title\":\"NTP - Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.mode_str\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Mode\"}}]}", + "visState": "{\"title\":\"NTP - Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ntp.mode_str\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Mode\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -304,7 +304,7 @@ "version": "WzcyMSwxXQ==", "attributes": { "title": "NTP - Polling Interval", - "visState": "{\"title\":\"NTP - Polling Interval\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.poll\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Polling Interval (seconds)\"}}]}", + "visState": "{\"title\":\"NTP - Polling 
Interval\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.ntp.poll\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Polling Interval (seconds)\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, diff --git a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index a8768bfdf..316cfc4c2 100644 --- a/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json 
@@ -79,7 +79,7 @@ "updated_at": "2021-02-10T21:24:53.414Z", "version": "WzcyNiwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Source - Originator Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Source - Originator Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.orig_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Source - Originator Bytes", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", 
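Review bot: The metric driving this map is `\"type\":\"cardinality\"` over `zeek.conn.orig_bytes`, which sizes the circle markers by the number of distinct byte counts observed, not by the volume of originator traffic that the title "Connections - Source - Originator Bytes" suggests. Since the line is already being rewritten for the field rename, it is a good moment to change it to `\"type\":\"sum\"` if traffic volume is the intent. The rest of the object (title, uiStateJSON) is unchanged in this hunk.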
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index 13ffadc94..ca4f7ce58 100644 
--- a/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -80,7 +80,7 @@ "version": "WzczMiwxXQ==", "attributes": { "title": "Connections - Destination - Top Connection Duration (region map)", - "visState": "{\"title\":\"Connections - Destination - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Responder Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session 
(seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", + "visState": "{\"title\":\"Connections - Destination - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Responder 
Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[38.28591031601368,16.875000000000004],\"mapZoom\":3}", "description": "", "version": 1, 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index 639e9f049..cafbd375b 100644 
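Review bot: The `event.dataset:conn` query string in the `@@ -192,7 +192,7 @@` hunk, like the `network.transport`/`network.protocol`/`event.id` renames in the two hunks before it on this line, is a textual substitution inside an escaped JSON string, and nothing in the commit checks that each new field name actually exists in the index mapping these dashboards are loaded against. A missed or misspelled rename does not fail loudly: the panel renders empty or shows "Missing", which on a monitoring dashboard is a silent blind spot rather than a visible error. A small CI step that extracts every `\"field\":\"…\"` and `\"fieldName\":\"…\"` value and the field prefixes of each `query_string` from the saved-object files and compares them against the field list of the project's index template would catch this for every dashboard touched here; the same applies to the SMTP, TDS and TFTP hunks below. The `@@ -110,7 +110,7 @@` hunk's enclosing saved object starts outside this chunk.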
--- a/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json +++ b/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json @@ -159,7 +159,7 @@ "updated_at": "2021-02-10T21:24:55.450Z", "version": "WzczOSwxXQ==", "attributes": { - "visState": "{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.subject\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smtp.subject\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}", "description": "", "title": "SMTP - Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -190,7 +190,7 @@ "version": "Wzc0MCwxXQ==", "attributes": { "title": "SMTP - Destination Country", - "visState": "{\"title\":\"SMTP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}", + "visState": "{\"title\":\"SMTP - Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -219,7 +219,7 @@ "updated_at": "2021-02-10T21:24:55.450Z", "version": "Wzc0MSwxXQ==", "attributes": { - "visState": "{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.mailfrom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smtp.mailfrom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}", "description": "", "title": "SMTP - \"From\" Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -249,7 +249,7 @@ "updated_at": "2021-02-10T21:24:55.450Z", "version": "Wzc0MiwxXQ==", "attributes": { - "visState": "{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.rcptto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.smtp.rcptto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}", "description": "", "title": "SMTP - \"To\" Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -280,7 +280,7 @@ "version": "Wzc0MywxXQ==", "attributes": { "title": "SMTP - TLS", - "visState": "{\"title\":\"SMTP - TLS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Using TLS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Using TLS\"}}]}", + "visState": "{\"title\":\"SMTP - TLS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Using 
TLS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Using TLS\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -369,7 +369,7 @@ "updated_at": "2021-02-10T21:24:55.450Z", "version": "Wzc0NiwxXQ==", "attributes": { - "visState": "{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.original\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}", "description": "", "title": "SMTP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -460,7 +460,7 @@ "version": "Wzc0OSwxXQ==", "attributes": { "title": "SMTP - Webmail", - "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Is Webmail\",\"field\":\"zeek_smtp.is_webmail\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Unknown\",\"otherBucketLabel\":\"Other\"}},\"label\":\"Using TLS\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"SMTP - Webmail\",\"type\":\"pie\"}", + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Is Webmail\",\"field\":\"zeek.smtp.is_webmail\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Unknown\",\"otherBucketLabel\":\"Other\"}},\"label\":\"Using 
TLS\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"SMTP - Webmail\",\"type\":\"pie\"}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, @@ -493,13 +493,13 @@ "description": "", "hits": 0, "columns": [ - "zeek_smtp.x_originating_ip", + "zeek.smtp.x_originating_ip", "source.ip", "destination.ip", "destination.port", - "zeek_smtp.mailfrom", - "zeek.user_agent", - "zeek.uid" + "zeek.smtp.mailfrom", + "user_agent.original", + "event.id" ], "sort": [ [ @@ -509,7 +509,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:smtp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:smtp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json index 115bce6ec..fee334e2e 100644 --- a/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json +++ b/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json @@ -101,9 +101,9 @@ "source.ip", "destination.ip", "destination.port", - "zeek.logType", - "zeek_tds.command", - "zeek.uid" + "event.dataset", + "zeek.tds.command", + "event.id" ], "sort": [ [ 
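Review bot: In the `SMTP - Webmail` visState of the `@@ -460,7 +460,7 @@` hunk the bucket dimension still reads `\"label\":\"Using TLS\"` while the aggregation's `customLabel` is `\"Is Webmail\"`; the commit rewrites this line for the `zeek.smtp.is_webmail` rename but keeps a label that appears to have been copied from the `SMTP - TLS` panel. Kibana presumably regenerates `dimensions` from the aggs at render time, so this is likely cosmetic, but since the line is being edited anyway it is worth changing to `\"label\":\"Is Webmail\"` so the exported state and the agg agree. The `@@ -493,13 +493,13 @@` columns hunk and the `@@ -509,7 +509,7 @@` query hunk on the same line are consistent with the rest of the rename.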
@@ -113,7 +113,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -137,7 +137,7 @@ "version": "Wzc1NCwxXQ==", "attributes": { "title": "Tabular Data Stream - Log Count", - "visState": "{\"title\":\"Tabular Data Stream - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"Tabular Data Stream - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -167,7 +167,7 @@ "version": "Wzc1NSwxXQ==", "attributes": { "title": "Tabular Data Stream - Log Count Over Time", - "visState": "{\"title\":\"Tabular Data Stream - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"Tabular Data Stream - Log Count Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
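Review bot: The date_histogram in the `@@ -167,7 +167,7 @@` hunk still buckets on `firstPacket` while the terms agg on the same line moves to `event.dataset`, so the panel now mixes an ECS field with a non-ECS one; the TFTP `@@ -135,7 +135,7 @@` hunk below has the same shape. If `firstPacket` is deliberately retained (it is presumably a timestamp the pipeline still populates), a short note in the commit description listing the non-ECS fields that are intentionally kept would stop the next reader from assuming it was missed. The `customLabel` `\"Log Type\"` on the `event.dataset` terms agg also keeps the old wording; `\"Dataset\"` would match the new field. The TFTP hunk additionally carries absolute export-time `bounds` (`1996-02-04` to `2021-02-04`) inside `dimensions`, which is derived state that adds noise to every future diff of that file.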
@@ -197,7 +197,7 @@ "version": "WzM2MTAsMV0=", "attributes": { "title": "Tabular Data Stream - Command", - "visState": "{\"title\":\"Tabular Data Stream - Command\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tds.command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"Tabular Data Stream - Command\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.tds.command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, @@ -293,8 +293,8 @@ "source.ip", "destination.ip", "destination.port", - "zeek_tds.command", - "zeek.uid" + "zeek.tds.command", + "event.id" ], "sort": [ [ 
@@ -304,7 +304,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/kibana/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json index 081bdbdc0..50312d090 100644 --- a/kibana/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json +++ b/kibana/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json 
@@ -135,7 +135,7 @@ "version": "WzU3OSwxXQ==", "attributes": { "title": "TFTP - Log Count Over Time", - "visState": "{\"title\":\"TFTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-02-04T15:21:21.768Z\",\"max\":\"2021-02-04T15:21:21.768Z\"}},\"label\":\"firstPacket per 30 
days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}", + "visState": "{\"title\":\"TFTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-02-04T15:21:21.768Z\",\"max\":\"2021-02-04T15:21:21.768Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missin
g\",\"customLabel\":\"Operation\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, @@ -165,7 +165,7 @@ "version": "WzU4MCwxXQ==", "attributes": { "title": "TFTP - Filename", - "visState": "{\"title\":\"TFTP - Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filename\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"TFTP - Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.path\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -255,7 +255,7 @@ "version": "WzU4MywxXQ==", "attributes": { "title": "TFTP - Transfer Mode", - "visState": "{\"title\":\"TFTP - Transfer Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Transfer Mode\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tftp.mode\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transfer Mode\"}}]}", + "visState": "{\"title\":\"TFTP - Transfer Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Transfer 
Mode\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.tftp.mode\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transfer Mode\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -285,7 +285,7 @@ "version": "WzU4NCwxXQ==", "attributes": { "title": "TFTP - Operation Results", - "visState": "{\"title\":\"TFTP - Operation Results\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.result: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\"}}]}", + "visState": "{\"title\":\"TFTP - Operation 
Results\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"event.result: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -322,11 +322,11 @@ "source.port", "destination.ip", "destination.port", - "zeek_tftp.mode", - "zeek.filename", - "zeek.action", - "zeek.result", - "zeek.uid" + "zeek.tftp.mode", + "file.path", + "event.action", + "event.result", + "event.id" ], "sort": [ [ 
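Review bot: `event.id` replaces `zeek.uid` in the saved-search columns, but ECS defines `event.id` as an identifier unique to one event, whereas Zeek's `uid` is a connection identifier shared by every log record of that connection (conn, login, tftp, …); if the ingest pipeline fills `event.id` from `uid`, documents will share ids and anything that deduplicates or correlates on `event.id` downstream will misbehave. The same replacement is made in the `@@ -283,14 +283,14 @@` hunk of the next file. This is decided by the field mapping rather than by the dashboard, so it is worth confirming there; if the convention stays, document it where the mapping is defined, e.g. `event.id holds the Zeek connection uid and is shared by all records of one connection`.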
@@ -336,7 +336,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:tftp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:tftp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/kibana/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
index d5397eff3..956d9c04a 100644
--- a/kibana/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
+++ b/kibana/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
@@ -100,7 +100,7 @@ "version": "Wzc2NywxXQ==", "attributes": { "title": "Telnet, rlogin and rsh - Log Count", - "visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -130,7 +130,7 @@ "version": "Wzc2OCwxXQ==", "attributes": { "title": "Telnet, rlogin and rsh - Login Success", - "visState": "{\"title\":\"Telnet, rlogin and rsh - Login Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Login Succeeded\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_login.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Login Succeeded\"}}]}", + "visState": "{\"title\":\"Telnet, rlogin and rsh - Login 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Login Succeeded\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.login.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Login Succeeded\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -160,7 +160,7 @@ "version": "Wzc2OSwxXQ==", "attributes": { "title": "Telnet, rlogin and rsh - Log Count Over Time", - "visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1995-04-15T15:43:18.959Z\",\"max\":\"2020-04-15T15:43:18.959Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.service: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}", + "visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY
-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1995-04-15T15:43:18.959Z\",\"max\":\"2020-04-15T15:43:18.959Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"network.protocol: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -190,12 +190,12 @@ "version": "Wzc3MCwxXQ==", "attributes": { "title": "Telnet, rlogin and rsh - Login Attempts with Cleartext Passwords", - "visState": "{\"title\":\"Telnet, rlogin and rsh - Login Attempts with Cleartext Passwords\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"User\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Succeeded\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":99,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"User\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_login
.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Success\"}}]}", + "visState": "{\"title\":\"Telnet, rlogin and rsh - Login Attempts with Cleartext Passwords\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"User\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Succeeded\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"related.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":99,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"User\"}},{\"id\":\"4\",\"enabled\":true,\"type
\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.login.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Success\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.password:*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"related.password:*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
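Review bot: the `User` bucket of this table now aggregates `related.user`, which in ECS is the collect-all array of every user name seen on the event, whereas `zeek.user` was a single field; the saved search in the `@@ -283,14 +283,14 @@` hunk of this file still lists `user` and `zeek.login.client_user` as distinct columns, so a login event carrying both names is counted once under each bucket and the column no longer tells which name was used to log in. If that fan-out is not intended, bucket on the specific field instead, e.g. `\"field\":\"user\"` in agg `3` (assuming `user` is still populated after the rename — the unchanged `"user"` column suggests so, but confirm). `related.password` is not an ECS `related.*` field, so the `related.password:*` query only selects anything if the project's ingest pipeline populates it under that name. The visualization still buckets only protocol, user and success, not the password value itself, which is the right shape for a credential-exposure panel.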
@@ -220,7 +220,7 @@ "version": "Wzc3MSwxXQ==", "attributes": { "title": "Telnet, rsh and rlogin - Source", - "visState": "{\"title\":\"Telnet, rsh and rlogin - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Source IP\"}}]}", + "visState": "{\"title\":\"Telnet, rsh and rlogin - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Source IP\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -250,7 +250,7 @@ "version": "Wzc3MiwxXQ==", "attributes": { "title": "Telnet, rlogin and rsh - Destination", - "visState": "{\"title\":\"Telnet, rlogin and rsh - Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination IP\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination Port\"}}]}", + "visState": 
"{\"title\":\"Telnet, rlogin and rsh - Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination IP\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination Port\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -283,14 +283,14 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek.service",
+ "network.protocol",
 "source.ip",
 "destination.ip",
 "destination.port",
 "user",
- "zeek_login.client_user",
- "zeek_login.success",
- "zeek.uid"
+ "zeek.login.client_user",
+ "zeek.login.success",
+ "event.id"
 ],
 "sort": [
 [
@@ -300,7 +300,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:login\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:login\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/kibana/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
index 76ca8d694..aa45016ca 100644
--- a/kibana/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
+++ b/kibana/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
@@ -115,12 +115,12 @@ "version": "Wzc3NiwxXQ==", "attributes": { "title": "BSAP - Log Count", - "visState": "{\"title\":\"BSAP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"BSAP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -145,12 +145,12 @@ "version": "Wzc3NywxXQ==", "attributes": { "title": "BSAP - Logs Over Time", - "visState": "{\"title\":\"BSAP - Logs Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT3H\",\"intervalESValue\":3,\"intervalESUnit\":\"h\",\"format\":\"YYYY-MM-DD HH:mm\",\"bounds\":{\"min\":\"2020-07-21T04:54:40.645Z\",\"max\":\"2020-07-27T11:08:08.319Z\"}},\"label\":\"firstPacket per 3 hours\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.logType: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2020-07-21T04:54:40.645Z\",\"to\":\"2020-07-27T11:08:08.319Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"BSAP - Logs Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT3H\",\"intervalESValue\":3,\"intervalESUnit\":\"h\",\"format\":\"YYYY-MM-DD HH:mm\",\"bounds\":{\"min\":\"2020-07-21T04:54:40.645Z\",\"max\":\"2020-07-27T11:08:08.319Z\"}},\"label\":\"firstPacket per 3 hours\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"event.dataset: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2020-07-21T04:54:40.645Z\",\"to\":\"2020-07-27T11:08:08.319Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, @@ -180,7 +180,7 @@ "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
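Review bot: The new visState for `BSAP - Logs Over Time` still embeds an absolute `timeRange` (`2020-07-21T04:54:40.645Z` to `2020-07-27T11:08:08.319Z`) and the matching `bounds` under `dimensions.x.params`, apparently captured from the browser session in which the object was exported. Kibana presumably recomputes both from the dashboard's time picker on load, so this is unlikely to change what the panel shows, but a saved object checked into the repository should not carry a stale week from 2020, and since the commit is rewriting this string anyway it is a cheap moment to drop `timeRange` and `bounds`. The aggregation itself (`firstPacket`, `interval: auto`) is the part that matters and is unchanged.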
@@ -205,7 +205,7 @@ "version": "Wzc3OSwxXQ==", "attributes": { "title": "BSAP IP - Function", - "visState": "{\"title\":\"BSAP IP - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_bsap_ip_rdb.func_code: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_ip_rdb.app_func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_ip_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subfunction\"}}]}", + "visState": "{\"title\":\"BSAP IP - 
Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.bsap_ip_rdb.func_code: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_ip_rdb.app_func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_ip_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subfunction\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -235,12 +235,12 @@ "version": "Wzc4MCwxXQ==", "attributes": { "title": "BSAP - Transport", - "visState": "{\"title\":\"BSAP - Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.proto: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", + "visState": "{\"title\":\"BSAP - Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"network.transport: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:bsap*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -265,7 +265,7 @@ "version": "Wzc4MSwxXQ==", "attributes": { "title": "BSAP Serial - RDB Function", - "visState": "{\"title\":\"BSAP Serial - RDB Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_bsap_serial_rdb.func_code: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"RDB Function\"}}]}", + "visState": "{\"title\":\"BSAP Serial - RDB Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.bsap_serial_rdb.func_code: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_serial_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"RDB Function\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -295,7 +295,7 @@ "version": "Wzc4MiwxXQ==", "attributes": { "title": "BSAP Serial - Function", - "visState": "{\"title\":\"BSAP Serial - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Destination Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Message Type\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.sfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.dfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination 
Function\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.nsb\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Node Status\"}}]}", + "visState": "{\"title\":\"BSAP Serial - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Destination Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_serial_header.type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Message Type\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_serial_header.sfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source 
Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_serial_header.dfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Function\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.bsap_serial_header.nsb\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Node Status\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -328,13 +328,13 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", + "event.dataset", "source.ip", "destination.ip", - "zeek_bsap_ip_rdb.app_func_code", - "zeek_bsap_ip_rdb.func_code", - "zeek_bsap_ip_rdb.node_status", - "zeek.uid" + "zeek.bsap_ip_rdb.app_func_code", + "zeek.bsap_ip_rdb.func_code", + "zeek.bsap_ip_rdb.node_status", + "event.id" ], "sort": [ [ @@ -344,7 +344,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"zeek.logType:bsap_ip_*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:bsap_ip_*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -371,15 +371,15 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek.logType",
+ "event.dataset",
 "source.ip",
 "destination.ip",
- "zeek_bsap_serial_header.type_name",
- "zeek_bsap_serial_header.sfun",
- "zeek_bsap_serial_header.dfun",
- "zeek_bsap_serial_rdb.func_code",
- "zeek_bsap_serial_header.nsb",
- "zeek.uid"
+ "zeek.bsap_serial_header.type_name",
+ "zeek.bsap_serial_header.sfun",
+ "zeek.bsap_serial_header.dfun",
+ "zeek.bsap_serial_rdb.func_code",
+ "zeek.bsap_serial_header.nsb",
+ "event.id"
 ],
 "sort": [
 [
@@ -389,7 +389,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:bsap_serial_*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:bsap_serial_*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -418,7 +418,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}"
 },
 "savedSearchRefName": "search_0"
 },
@@ -446,14 +446,14 @@
 "description": "",
 "hits": 0,
 "columns": [
- "zeek.logType",
- "zeek.service",
- "zeek.action",
- "zeek.result",
+ "event.dataset",
+ "network.protocol",
+ "event.action",
+ "event.result",
 "source.ip",
 "destination.ip",
 "destination.port",
- "zeek.uid"
+ "event.id"
 ],
 "sort": [
 [
@@ -463,7 +463,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
index fff31746f..3c1cc98d8 100644
--- a/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
+++ b/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
@@ -214,7 +214,7 @@ "updated_at": "2021-02-10T21:25:00.506Z", "version": "Wzc5MywxXQ==", "attributes": { - "visState": "{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.client\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"SSH - 
Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.client\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}", "description": "", "title": "SSH - Client/Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
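Review bot: The rewritten visState for `SSH - Client/Server` still carries the misspelled params key `showMeticsAtAllLevels`, while the other table visualizations in this diff (`BSAP IP - Function`, `BSAP Serial - RDB Function`, `SSH - Client Algorithms`) spell it `showMetricsAtAllLevels`. An unrecognised key is presumably ignored by Kibana, so the option silently takes its default rather than the `false` the author intended; since every field name in this string is being touched anyway, fixing it to `\"showMetricsAtAllLevels\":false` belongs in the same pass. The same misspelling is in the `SSH -Server` hunk that follows.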
@@ -275,7 +275,7 @@ "version": "Wzc5NSwxXQ==", "attributes": { "title": "SSH -Server", - "visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}", + "visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -305,7 +305,7 @@ "version": "WzMzNzYsMV0=", "attributes": { "title": "SSH - Version", - "visState": "{\"title\":\"SSH - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ssh.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"SSH Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"SSH Version\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"SSH - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.ssh.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"SSH 
Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"SSH Version\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -335,7 +335,7 @@ "version": "Wzc5NywxXQ==", "attributes": { "title": "SSH - Client Algorithms", - "visState": "{\"title\":\"SSH - Client Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by Server\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Client\"}}]}", + "visState": "{\"title\":\"SSH - Client Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by 
Server\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.hasshAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Client\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
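Review bot: The stored `dimensions` bucket label in the new visState for "SSH - Client Algorithms" still reads `Algorithms Offered by Server`, while the agg it describes is `zeek.ssh.hasshAlgorithms` with `customLabel` `Algorithms Offered by Client`, so the two halves of this saved object contradict each other. The same swap survives in "SSH - HASSH Server Hash" (dimension label `HASSH Client Hash` over `zeek.ssh.hasshServer`) and "SSH - Server Algorithms" (`Algorithms Offered by Client` over `zeek.ssh.hasshServerAlgorithms`), and "Severity - Application Protocol" keeps a `Protocol Version` dimension bucket that has no backing agg. Kibana appears to rebuild `dimensions` from `aggs` at render time, so this is probably cosmetic in practice, but since this commit already rewrites every field reference in these strings it is the natural moment to make the stored labels agree with the aggs, e.g. here `\"label\":\"Algorithms Offered by Client\"`.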
@@ -365,7 +365,7 @@ "version": "WzgwMCwxXQ==", "attributes": { "title": "SSH - HASSH Server Hash", - "visState": "{\"title\":\"SSH - HASSH Server Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Server Hash\"}}]}", + "visState": "{\"title\":\"SSH - HASSH Server Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client 
Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.hasshServer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Server Hash\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -395,7 +395,7 @@ "version": "Wzc5OSwxXQ==", "attributes": { "title": "SSH - HASSH Client Hash", - "visState": "{\"title\":\"SSH - HASSH Client Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hassh\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Client Hash\"}}]}", + "visState": "{\"title\":\"SSH - HASSH Client Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client 
Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.hassh\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Client Hash\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "description": "", "version": 1, 
@@ -425,7 +425,7 @@ "version": "Wzc5OCwxXQ==", "attributes": { "title": "SSH - Server Algorithms", - "visState": "{\"title\":\"SSH - Server Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by Client\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServerAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Server\"}}]}", + "visState": "{\"title\":\"SSH - Server Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by 
Client\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.ssh.hasshServerAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Server\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -461,11 +461,11 @@ "source.ip", "destination.ip", "destination.port", - "zeek_ssh.auth_success", - "zeek_ssh.sshka", - "zeek_ssh.cipher_alg", - "zeek_ssh.mac_alg", - "zeek.uid" + "zeek.ssh.auth_success", + "zeek.ssh.sshka", + "zeek.ssh.cipher_alg", + "zeek.ssh.mac_alg", + "event.id" ], "sort": [ [ @@ -475,7 +475,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssh\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssh\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/kibana/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json index dd3cf687e..fb58da4df 100644 --- a/kibana/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json +++ b/kibana/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json 
@@ -195,7 +195,7 @@ "version": "WzY1NCwxXQ==", "attributes": { "title": "Severity - Notices", - "visState": "{\"title\":\"Severity - Notices\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Severity - Notices\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw 
Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -225,7 +225,7 @@ "version": "WzY1NSwxXQ==", "attributes": { "title": "Severity - Application Protocol", - "visState": "{\"title\":\"Severity - Application Protocol\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol Version\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Severity - Application Protocol\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application 
Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"params\":{\"field\":\"event.risk_score\",\"customLabel\":\"High Raw Severity\"},\"schema\":\"metric\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol Version\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -284,7 +284,7 @@ "version": "WzY1NywxXQ==", "attributes": { "title": "File Types by Transport", - "visState": "{\"title\":\"File Types by Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}", + "visState": "{\"title\":\"File Types by 
Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -494,12 +494,12 @@ "version": "WzY2NCwxXQ==", "attributes": { "title": "Actions and Results", - "visState": "{\"title\":\"Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketL
abel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"}}]}", + "visState": "{\"title\":\"Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"o
therBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:* OR zeek.result:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.action:* OR event.result:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -526,17 +526,17 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.proto", - "zeek.service", + "event.dataset", + "network.transport", + "network.protocol", "source.ip", "destination.ip", "destination.port", - "zeek.action", - "zeek.result", + "event.action", + "event.result", "event.severity", "event.severity_tags", - "zeek.uid" + "event.id" ], "sort": [], "version": 1, @@ -568,14 +568,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.service", - "zeek.action", - "zeek.result", + "event.dataset", + "network.protocol", + "event.action", + "event.result", "source.ip", "destination.ip", "destination.port", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -585,7 +585,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -612,12 +612,12 @@ "description": "", "hits": 0, "columns": [ - "zeek_notice.category", - "zeek_notice.sub_category", - "zeek_notice.msg", + "zeek.notice.category", + "zeek.notice.sub_category", + "zeek.notice.msg", "source.ip", "destination.ip", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -627,7 +627,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -654,12 +654,11 @@ "description": "", "hits": 0, "columns": [ - "zeek_files.tx_hosts", + "source.ip", "destination.ip", - "zeek_files.source", - "zeek_files.mime_type", - "zeek.uid", - "zeek.fuid" + "zeek.files.source", + "file.mime_type", + "event.id" ], "sort": [ [ @@ -669,7 +668,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
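Review bot: The files saved search (`event.dataset:files`) loses its file identifier: the old `columns` carried both `zeek.uid` and `zeek.fuid`, and the new list keeps only `event.id`, which elsewhere in this commit replaces `zeek.uid` and so presumably holds the connection UID rather than the file UID. Without a fuid column an analyst can no longer pivot from a row in this table to the extracted file or to the other log entries for that file. If the renamed pipeline still emits the Zeek file UID under some field, add it back to `columns`; if it was dropped on purpose, say so in the commit message.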
diff --git a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index 6f3672c35..6abd2eeb8 100644 --- a/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json 
@@ -80,7 +80,7 @@ "version": "WzgwNCwxXQ==", "attributes": { "title": "Connections - Source - Originator Bytes (region map)", - "visState": "{\"title\":\"Connections - Source - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Originator Bytes\",\"aggType\":\"cardinality\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator 
Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "visState": "{\"title\":\"Connections - Source - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"OpenStreetMap contributors | OpenMapTiles | MapTiler | Elastic Maps Service\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Originator Bytes\",\"aggType\":\"cardinality\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator 
Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[37.73168660636539,16.171875000000004],\"mapZoom\":3}", "description": "", "version": 1, 
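Review bot: The metric agg in the new visState for the originator-bytes region map still uses `\"type\":\"cardinality\"` on `zeek.conn.orig_bytes` under the label `Originator Bytes`, which colours each country by the number of distinct byte-count values seen rather than by bytes sent. A volume map needs `\"type\":\"sum\"` on that field (and `\"aggType\":\"sum\"` in the matching `metric` dimension), or else the title and label should say what is actually plotted. Since the rest of this commit moves saved searches to ECS names such as `network.bytes`, `source.bytes` may be the consistent field here if the ingest pipeline populates it; worth confirming against the index mapping before switching.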
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index 8c16ed62b..65a596f0a 100644 
--- a/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
+++ b/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
@@ -79,7 +79,7 @@ "updated_at": "2021-02-10T21:25:02.530Z", "version": "WzgxMCwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Destination - Responder Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Destination - Responder Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.resp_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Destination - Responder Bytes", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", 
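Review bot: The metric on the new visState line is still `\"type\":\"cardinality\"` over `zeek.conn.resp_bytes`, so the "Responder Bytes" map plots a unique count of distinct byte values per geohash cell rather than a byte volume; the rename keeps that behaviour. If the intent is the total transferred, the aggregation should be `\"type\":\"sum\"` (the field rename itself is correct); if a unique count really is intended, the title and label should say so. The same cardinality-on-bytes pattern appears in the "Originator Bytes" and "Responder Bytes" region-map hunks at the start and end of this chunk, which are cut off here, so they should be checked together with this one.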
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json index d3902b6f8..140cee2cb 100644 
--- a/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
+++ b/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
@@ -79,7 +79,7 @@ "updated_at": "2021-02-10T21:25:03.541Z", "version": "WzgxNiwxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Source - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Source - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Source - Top Connection Duration", "uiStateJSON": "{}", 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json index db644a142..8c96903b3 100644 
--- a/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
+++ b/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
@@ -110,12 +110,12 @@ "version": "WzgyMiwxXQ==", "attributes": { "title": "S7comm - Log Count", - "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"s7comm\"}},{\"match_phrase\":{\"event.dataset\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -144,12 +144,12 @@ "version": "WzgyMywxXQ==", "attributes": { "title": "S7comm - Logs Over Time", - "visState": "{\"title\":\"S7comm - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"S7comm - Logs Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, 
iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"s7comm\"}},{\"match_phrase\":{\"event.dataset\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -178,7 +178,7 @@ "version": "WzgyNCwxXQ==", "attributes": { "title": "S7comm - Message Type", - "visState": "{\"title\":\"S7comm - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}}]}", + "visState": "{\"title\":\"S7comm - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.s7comm.rosctr\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -208,7 +208,7 @@ "version": "WzgyNSwxXQ==", "attributes": { "title": "COTP - PDU Type", - "visState": "{\"title\":\"COTP - PDU Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_iso_cotp.pdu_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"PDU Type\"}}]}", + "visState": "{\"title\":\"COTP - PDU Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.iso_cotp.pdu_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"PDU Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -298,12 +298,12 @@ "version": "WzgyOCwxXQ==", "attributes": { "title": "S7comm - User Data", - "visState": "{\"title\":\"S7comm - User Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.group\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Group\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.mode\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Mode\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.sub\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub Parameter\"}}]}", + "visState": "{\"title\":\"S7comm - User 
Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.group\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Group\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.mode\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Mode\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.sub\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub Parameter\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek_s7comm.rosctr:\\\"User Data\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.s7comm.rosctr:\\\"User Data\\\"\",\"language\":\"lucene\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -328,12 +328,12 @@ "version": "WzgyOSwxXQ==", "attributes": { "title": "S7comm - Job Request and Acknowledgement", - "visState": "{\"title\":\"S7comm - Job Request and Acknowledgement\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.class\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Class\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.code\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Code\"}}]}", + "visState": "{\"title\":\"S7comm - Job Request and 
Acknowledgement\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.rosctr\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.class\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Class\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.code\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Code\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"zeek_s7comm.rosctr:(\\\"Acknowledge Data\\\" OR \\\"Job\\\")\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"zeek.s7comm.rosctr:(\\\"Acknowledge Data\\\" OR 
\\\"Job\\\")\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, @@ -363,9 +363,9 @@ "columns": [ "source.ip", "destination.ip", - "zeek_s7comm.rosctr", - "zeek_s7comm.parameter", - "zeek.uid" + "zeek.s7comm.rosctr", + "zeek.s7comm.parameter", + "event.id" ], "sort": [ [ @@ -375,7 +375,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:s7comm\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:s7comm\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -406,8 +406,8 @@ "source.port", "destination.ip", "destination.port", - "zeek_iso_cotp.pdu_type", - "zeek.uid" + "zeek.iso_cotp.pdu_type", + "event.id" ], "sort": [ [ @@ -417,7 +417,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:iso_cotp\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:iso_cotp\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -446,11 +446,11 @@ "columns": [ "source.ip", "destination.ip", - "zeek_iso_cotp.pdu_type", - "zeek_s7comm.parameter", - "zeek_s7comm.data_info", - "zeek_s7comm.rosctr", - "zeek.uid" + "zeek.iso_cotp.pdu_type", + "zeek.s7comm.parameter", + "zeek.s7comm.data_info", + "zeek.s7comm.rosctr", + "event.id" ], "sort": [ [ 
@@ -460,7 +460,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:(iso_cotp OR s7comm)\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:(iso_cotp OR s7comm)\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json index 3e035bcb7..f049c32a0 100644 --- a/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json +++ b/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json 
@@ -70,7 +70,7 @@ "version": "WzgzNSwxXQ==", "attributes": { "title": "Connections - Source - Responder Bytes (region map)", - "visState": "{\"title\":\"Connections - Source - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", + "visState": "{\"title\":\"Connections - Source - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country 
Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}", "uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}", "description": "", "version": 1, @@ -103,14 +103,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ 
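Review bot: The metric agg in the `Connections - Source - Responder Bytes (region map)` visState is still `\"type\":\"cardinality\"` over `zeek.conn.resp_bytes` while carrying the label `Responder Bytes`, so each originator country is coloured by the number of distinct response sizes seen, not by bytes transferred. The commit only rewrites the field reference on that line; since it is being touched anyway, the aggregation should become `\"type\":\"sum\"` if the title's per-country byte total is what is intended (an ECS byte field could stand in for the Zeek-specific one if the index carries it, but I cannot confirm that from this hunk). On a security dashboard a bytes-by-country map that actually shows a distinct count will mislead anyone triaging exfiltration volume.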
@@ -120,7 +120,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index bb7d02892..7e6f10a24 100644 --- a/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json 
@@ -107,7 +107,7 @@ "version": "WzcwNSwxXQ==", "attributes": { "title": "Notices - Log Count Over Time", - "visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT1S\",\"intervalESValue\":1,\"intervalESUnit\":\"s\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2017-04-16T17:22:12.510Z\",\"max\":\"2017-04-16T17:23:40.195Z\"}},\"label\":\"firstPacket per 
second\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2017-04-16T17:22:12.510Z\",\"to\":\"2017-04-16T17:23:40.195Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}}]}", + "visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT1S\",\"intervalESValue\":1,\"intervalESUnit\":\"s\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2017-04-16T17:22:12.510Z\",\"max\":\"2017-04-16T17:23:40.195Z\"}},\"label\":\"firstPacket per second\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice 
Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2017-04-16T17:22:12.510Z\",\"to\":\"2017-04-16T17:23:40.195Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -220,7 +220,7 @@ "version": "WzcwOSwxXQ==", "attributes": { "title": "Notices - Notice Type", - "visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", + "visState": "{\"title\":\"Notices - Notice 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -249,7 +249,7 @@ "updated_at": "2021-09-02T22:31:06.322Z", "version": "WzcxMCwxXQ==", "attributes": { - "visState": "{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}", "description": "", "title": "Notices - File MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -279,7 +279,7 @@ "updated_at": "2021-09-02T22:31:06.322Z", "version": "WzcxMSwxXQ==", "attributes": { - "visState": "{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_desc\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.file_desc\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}", "description": "", "title": "Notices - File Description", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -340,7 +340,7 @@ "version": "WzcxMywxXQ==", "attributes": { "title": "Notice - Message Details", - "visState": "{\"title\":\"Notice - Message Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Sub-Message\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabe
l\":\"-\",\"customLabel\":\"Subcategory\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}", + "visState": "{\"title\":\"Notice - Message Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Sub-Message\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"}},{\"id\":\"5\",
\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subcategory\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -403,12 +403,12 @@ "description": "", "hits": 0, "columns": [ - "zeek_notice.category", - "zeek_notice.sub_category", - "zeek_notice.msg", + "zeek.notice.category", + "zeek.notice.sub_category", + "zeek.notice.msg", "source.ip", "destination.ip", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -418,7 +418,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -442,7 +442,7 @@ "version": "WzcxNiwxXQ==", "attributes": { "title": "Notices - Notice Types by Source and Destination", - "visState": "{\"title\":\"Notices - Notice Types by Source and Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Note\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination IP Address\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice 
Category\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}", + "visState": "{\"title\":\"Notices - Notice Types by Source and Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Note\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination IP 
Address\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -472,7 +472,7 @@ "version": "WzcxNywxXQ==", "attributes": { "title": "Notices - Destination Country", - "visState": "{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", + "visState": "{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination 
Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -502,7 +502,7 @@ "version": "Wzg0NCwxXQ==", "attributes": { "title": "Notices - Source Country", - "visState": "{\"title\":\"Notices - Source Country\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Country\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"Notices - Source Country\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Country\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, diff --git a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index 6eac6752c..1ca539749 100644 --- a/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json 
@@ -79,7 +79,7 @@ "updated_at": "2021-02-10T21:25:07.590Z", "version": "Wzg1MywxXQ==", "attributes": { - "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", + "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"network.bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}", "description": "", "title": "Connections - Source - Sum of Total Bytes", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", 
@@ -110,7 +110,7 @@ "version": "Wzg1NCwxXQ==", "attributes": { "title": "Connections - Protocol Filters", - "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network 
Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"network.transport\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"network.protocol\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, @@ -175,14 +175,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.proto", - "zeek.service", + "network.transport", + "network.protocol", "source.ip", "source.port", "destination.ip", "destination.port", "network.bytes", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index 6ffcbbed0..559db4c2d 100644 
--- a/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json 
@@ -155,7 +155,7 @@ "version": "Wzg2MCwxXQ==", "attributes": { "title": "RFB - Authentication Status", - "visState": "{\"title\":\"RFB - Authentication Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Authenticated\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.auth\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"F\",\"customLabel\":\"Authenticated\"}}]}", + "visState": "{\"title\":\"RFB - Authentication 
Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Authenticated\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.rfb.auth\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"F\",\"customLabel\":\"Authenticated\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -185,7 +185,7 @@ "version": "Wzg2MSwxXQ==", "attributes": { "title": "RFB - Exclusive Session", - "visState": "{\"title\":\"RFB - Exclusive Session\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_rfb.share_flag: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exclusive Session\"}}]}", + "visState": "{\"title\":\"RFB - Exclusive Session\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.rfb.share_flag: 
Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exclusive Session\"}}]}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -214,7 +214,7 @@ "updated_at": "2021-02-10T21:25:08.611Z", "version": "Wzg2MiwxXQ==", "attributes": { - "visState": "{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.desktop_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rfb.desktop_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}", "description": "", "title": "RFB - Desktop Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
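Review bot: The table params on the new side of this hunk use the misspelled key `\"showMeticsAtAllLevels\":false`; the same misspelling appears in the RFB - Server Version (@@ -334) and RFB - Client Version (@@ -364) hunks, whereas the tables at @@ -472 and @@ -292 spell it `showMetricsAtAllLevels`. An unrecognised key is presumably ignored by Kibana, so the value as written has no effect and the default applies. The misspelling predates this commit, but since it rewrites these visState strings anyway, correcting the key to `\"showMetricsAtAllLevels\":false` in all three would make the stored setting actually take effect.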
@@ -334,7 +334,7 @@ "updated_at": "2021-02-10T21:25:08.611Z", "version": "Wzg2NiwxXQ==", "attributes": { - "visState": "{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rfb.server_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major 
Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rfb.server_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", "title": "RFB - Server Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -364,7 +364,7 @@ "updated_at": "2021-02-10T21:25:08.611Z", "version": "Wzg2NywxXQ==", "attributes": { - "visState": "{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", + "visState": "{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rfb.client_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major 
Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.rfb.client_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}", "description": "", "title": "RFB - Client Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
@@ -395,7 +395,7 @@ "version": "WzI5ODksMV0=", "attributes": { "title": "RFB - Authentication Method", - "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rfb.authentication_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Authentication Method\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"labe
l\":\"Method\",\"aggType\":\"terms\"}]}}}", + "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.rfb.authentication_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Authentication Method\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Method\",\"aggType\":\"terms\"}]}}}", "uiStateJSON": 
"{}", "description": "", "version": 1, @@ -461,11 +461,11 @@ "source.ip", "destination.ip", "destination.port", - "zeek_rfb.desktop_name", - "zeek_rfb.authentication_method", - "zeek_rfb.auth", - "zeek_rfb.share_flag", - "zeek.uid" + "zeek.rfb.desktop_name", + "zeek.rfb.authentication_method", + "zeek.rfb.auth", + "zeek.rfb.share_flag", + "event.id" ], "sort": [ [ @@ -475,7 +475,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:rfb\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:rfb\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json index cb6ddf9b6..4fe947d70 100644 --- a/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json +++ b/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json @@ -106,9 +106,9 @@ "source.ip", "destination.ip", "destination.port", - "zeek_tds_sql_batch.header_type", - "zeek_tds_sql_batch.query", - "zeek.uid" + "zeek.tds_sql_batch.header_type", + "zeek.tds_sql_batch.query", + "event.id" ], "sort": [ [ 
@@ -118,7 +118,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -202,7 +202,7 @@ "version": "Wzg3NiwxXQ==", "attributes": { "title": "Tabular Data Stream - SQL Header Type", - "visState": "{\"title\":\"Tabular Data Stream - SQL Header Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tds_sql_batch.header_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Header Type\"}}]}", + "visState": "{\"title\":\"Tabular Data Stream - SQL Header Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.tds_sql_batch.header_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Header Type\"}}]}", "uiStateJSON": "{}", "description": "", "version": 1, 
@@ -292,7 +292,7 @@ "version": "Wzg3OSwxXQ==", "attributes": { "title": "Tabular Data Stream - SQL Query", - "visState": "{\"title\":\"Tabular Data Stream - SQL Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_sql_batch.query\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Query\"}}]}", + "visState": "{\"title\":\"Tabular Data Stream - SQL Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.tds_sql_batch.query\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Query\"}}]}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, diff --git a/kibana/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/kibana/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json index 3cae79289..7b7efce08 100644 --- a/kibana/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json +++ b/kibana/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json 
@@ -125,12 +125,12 @@ "version": "WzkzOCwxXQ==", "attributes": { "title": "STUN - Log Count", - "visState": "{\"title\":\"STUN - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}", + "visState": "{\"title\":\"STUN - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"zeek.logType:stun*\",\"language\":\"kuery\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:stun*\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, 
@@ -185,7 +185,7 @@ "version": "Wzk0MCwxXQ==", "attributes": { "title": "STUN - Attribute Type", - "visState": "{\"title\":\"STUN - Attribute Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun.attr_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Attribute Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "visState": "{\"title\":\"STUN - Attribute 
Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun.attr_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Attribute Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -215,7 +215,7 @@ "version": "Wzk0MiwxXQ==", "attributes": { "title": "STUN - Method and Class", - "visState": "{\"title\":\"STUN - Method and Class\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun.attr_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Attribute Type\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun.class\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"STUN - Method and 
Class\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun.attr_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Attribute Type\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun.class\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -245,7 +245,7 @@ "version": "WzEwMzYsMV0=", "attributes": { "title": "STUN - Class", - "visState": "{\"title\":\"STUN - Class\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun.class\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"STUN Class\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "visState": "{\"title\":\"STUN - Class\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun.class\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"STUN Class\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "description": "", "version": 1, 
@@ -275,7 +275,7 @@ "version": "WzEwMTAsMV0=", "attributes": { "title": "STUN - Action and Result", - "visState": "{\"title\":\"STUN - Action and Result\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"STUN - Action and 
Result\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -365,7 +365,7 @@ "version": "Wzk0NiwxXQ==", "attributes": { "title": "STUN - LAN", - "visState": "{\"title\":\"STUN - LAN\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun_nat.lan_addr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"LAN Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"STUN - LAN\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun_nat.lan_addr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"LAN Address\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", "description": "", "version": 1, 
@@ -395,7 +395,7 @@ "version": "Wzk0NSwxXQ==", "attributes": { "title": "STUN - WAN", - "visState": "{\"title\":\"STUN - WAN\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun_nat.wan_addr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"WAN Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_stun_nat.wan_port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"WAN Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "visState": "{\"title\":\"STUN - WAN\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun_nat.wan_addr\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"WAN Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.stun_nat.wan_port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"WAN 
Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, @@ -432,16 +432,16 @@ "source.port", "destination.ip", "destination.port", - "zeek_stun.is_orig", - "zeek_stun.method", - "zeek_stun.class", - "zeek_stun.attr_type", - "zeek.uid" + "zeek.stun.is_orig", + "zeek.stun.method", + "zeek.stun.class", + "zeek.stun.attr_type", + "event.id" ], "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:stun\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:stun\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -468,20 +468,20 @@ "description": "", "hits": 0, "columns": [ - "zeek.orig_h", - "zeek.orig_p", - "zeek.resp_h", - "zeek.resp_p", - "zeek_stun_nat.is_orig", - "zeek_stun_nat.wan_addr", - "zeek_stun_nat.wan_port", - "zeek_stun_nat.lan_addr", - "zeek.uid" + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "zeek.stun_nat.is_orig", + "zeek.stun_nat.wan_addr", + "zeek.stun_nat.wan_port", + "zeek.stun_nat.lan_addr", + "event.id" ], "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:stun_nat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:stun_nat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -508,14 +508,14 @@ "description": "", "hits": 0, "columns": [ - "zeek.logType", - "zeek.service", - "zeek.action", - "zeek.result", + "event.dataset", + "network.protocol", + "event.action", + "event.result", "source.ip", "destination.ip", "destination.port", - "zeek.uid" + "event.id" ], "sort": [ [ @@ -525,7 +525,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/kibana/malcolm_template.json b/kibana/malcolm_template.json new file mode 100644 index 000000000..b56f647df --- /dev/null +++ b/kibana/malcolm_template.json 
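Review bot: The renamed queries in the @@ -468, @@ -508 and @@ -525 hunks (and likewise @@ -125 and @@ -432 earlier in this file) will most likely return no rows, rather than an error, against any index that still carries the old `zeek.logType` / `zeek_stun_nat.*` / `zeek.uid` field names, since a query on an absent field is simply an empty match. Presumably the new `kibana/malcolm_template.json` (index pattern `arkime_sessions3-*`) is meant to supply the `event.dataset` / `event.id` mappings, but a legacy index template applies only when an index is created, so indices that predate this change keep the old schema until they are reindexed or recreated — worth stating in the commit description or a migration note so an operator knows why the STUN dashboards come up empty after upgrading. A smaller consistency point in the @@ -525 hunk: the all-logs saved search was rewritten but still uses `\"language\":\"lucene\"` while every other saved search touched here uses `\"language\":\"kuery\"`; `event.dataset:*` is valid in both, so aligning it is a one-token change.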
@@ -0,0 +1,1007 @@ +{ + "index_patterns" : ["arkime_sessions3-*"], + "order" : 0, + "settings" : { + "index" : { + "mapping.total_fields.limit" : "2000" + } + }, + "mappings": { + "session": { + "properties": { + "malcolmDocId": { "type": "keyword" }, + "client.domain": { "type": "keyword" }, + "destination.domain": { "type": "keyword" }, + "destination.geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "destination.geo.continent_code": { "type": "keyword" }, + "destination.geo.country_code2": { "type": "keyword" }, + "destination.geo.country_code3": { "type": "keyword" }, + "destination.geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "destination.geo.dma_code": { "type": "short" }, + "destination.geo.ip": { "type": "ip" }, + "destination.geo.latitude": { "type": "float" }, + "destination.geo.location": { "type": "geo_point" }, + "destination.geo.longitude": { "type": "float" }, + "destination.geo.postal_code": { "type": "keyword" }, + "destination.geo.region_code": { "type": "keyword" }, + "destination.geo.region_name": { "type": "keyword" }, + "destination.geo.timezone": { "type": "keyword" }, + "destination.hostname": { "type": "keyword" }, + "destination.ip": { "type": "ip" }, + "destination.ip_reverse_dns": { "type": "keyword" }, + "destination.mac": { "type": "keyword" }, + "destination.oui": { "type": "keyword" }, + "destination.port": { "type": "long" }, + "destination.segment": { "type": "keyword" }, + "dns.answers": { "type": "nested" }, + "dns.header_flags": { "type": "keyword" }, + "dns.id": { "type": "keyword" }, + "dns.op_code": { "type": "keyword" }, + "dns.question.class": { "type": "keyword" }, + "dns.question.name": { "type": "keyword" }, + "dns.question.type": { "type": "keyword" }, + "dns.resolved_ip": { "type": "ip" }, + "dns.response_code": { "type": "keyword" }, + "dns.type": { "type": "keyword" }, + "ecs.version": { "type": 
"keyword" }, + "event.action": { "type": "keyword" }, + "event.category": { "type": "keyword" }, + "event.dataset": { "type": "keyword" }, + "event.duration": { "type": "long" }, + "event.end": { "type": "date" }, + "event.freq_score_v1": { "type": "float" }, + "event.freq_score_v2": { "type": "float" }, + "event.id": { "type": "keyword" }, + "event.ingested": { "type": "date" }, + "event.kind": { "type": "keyword" }, + "event.outcome": { "type": "keyword" }, + "event.provider": { "type": "keyword" }, + "event.result": { "type": "keyword" }, + "event.severity_tags": { "type": "keyword" }, + "event.start": { "type": "date" }, + "file.accessed": { "type": "date" }, + "file.created": { "type": "date" }, + "file.ctime": { "type": "date" }, + "file.directory": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "file.extension": { "type": "keyword" }, + "file.hash.md5": { "type": "keyword" }, + "file.hash.sha1": { "type": "keyword" }, + "file.hash.sha256": { "type": "keyword" }, + "file.mime_type": { "type": "keyword" }, + "file.mtime": { "type": "date" }, + "file.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "file.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "file.size": { "type": "long" }, + "file.type": { "type": "keyword" }, + "http.request.body.bytes": { "type": "long" }, + "http.request.method": { "type": "keyword" }, + "http.request.mime_type": { "type": "keyword" }, + "http.request.referrer": { "type": "keyword" }, + "http.response.body.bytes": { "type": "long" }, + "http.response.mime_type": { "type": "keyword" }, + "http.response.status_code": { "type": "long" }, + "http.version": { "type": "keyword" }, + "network.application": { "type": "keyword" }, + "network.bytes": { "type": "long" }, + "network.community_id": { "type": "keyword" }, + "network.direction": { "type": "keyword" }, + "network.iana_number": { "type": 
"keyword" }, + "network.inner.vlan.id": { "type": "keyword" }, + "network.name": { "type": "keyword" }, + "network.packets": { "type": "long" }, + "network.protocol": { "type": "keyword" }, + "network.protocol_version": { "type": "keyword" }, + "network.transport": { "type": "keyword" }, + "network.type": { "type": "keyword" }, + "network.vlan.id": { "type": "keyword" }, + "related.hash": { "type": "keyword" }, + "related.ip": { "type": "ip" }, + "related.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "related.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "rule.author": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text", "norms": false } } }, + "rule.category": { "type": "keyword" }, + "rule.description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "rule.license": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "rule.name": { "type": "keyword" }, + "rule.reference": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "rule.ruleset": { "type": "keyword" }, + "server.domain": { "type": "keyword" }, + "source.geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "source.geo.continent_code": { "type": "keyword" }, + "source.geo.country_code2": { "type": "keyword" }, + "source.geo.country_code3": { "type": "keyword" }, + "source.geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "source.geo.dma_code": { "type": "short" }, + "source.geo.ip": { "type": "ip" }, + "source.geo.latitude": { "type": "float" }, + "source.geo.location": { "type": "geo_point" }, + "source.geo.longitude": { "type": "float" }, + "source.geo.postal_code": { "type": "keyword" }, + 
"source.geo.region_code": { "type": "keyword" }, + "source.geo.region_name": { "type": "keyword" }, + "source.geo.timezone": { "type": "keyword" }, + "source.hostname": { "type": "keyword" }, + "source.ip": { "type": "ip" }, + "source.ip_reverse_dns": { "type": "keyword" }, + "source.mac": { "type": "keyword" }, + "source.nat.ip": { "type": "ip" }, + "source.nat.port": { "type": "long" }, + "source.oui": { "type": "keyword" }, + "source.port": { "type": "long" }, + "source.segment": { "type": "keyword" }, + "threat.framework": { "type": "keyword" }, + "threat.tactic.id": { "type": "keyword" }, + "threat.tactic.name": { "type": "keyword" }, + "threat.tactic.reference": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "threat.technique.id": { "type": "keyword" }, + "threat.technique.name": { "type": "keyword" }, + "threat.technique.reference": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "tls.cipher": { "type": "keyword" }, + "tls.client.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "tls.client.ja3": { "type": "keyword" }, + "tls.client.ja3_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "tls.client.server_name": { "type": "keyword" }, + "tls.client.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "tls.curve": { "type": "keyword" }, + "tls.established": { "type": "keyword" }, + "tls.next_protocol": { "type": "keyword" }, + "tls.resumed": { "type": "keyword" }, + "tls.server.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "tls.server.ja3s": { "type": "keyword" }, + "tls.server.ja3s_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "tls.server.subject": { "type": "keyword", "ignore_above": 1024, 
"fields": { "text": { "type": "text" } } }, + "tls.version": { "type": "keyword" }, + "tls.version_protocol": { "type": "keyword" }, + "url.domain": { "type": "keyword" }, + "url.extension": { "type": "keyword" }, + "url.fragment": { "type": "keyword" }, + "url.full": { "type": "keyword" }, + "url.original": { "type": "keyword" }, + "url.password": { "type": "keyword" }, + "url.path": { "type": "keyword" }, + "url.port": { "type": "long" }, + "url.query": { "type": "keyword" }, + "url.scheme": { "type": "keyword" }, + "url.user": { "type": "keyword" }, + "user_agent.original": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "vulnerability.category": { "type": "keyword" }, + "vulnerability.description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "vulnerability.reference": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "vulnerability.scanner.vendor": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.bacnet.bvlc_function": { "type": "keyword" }, + "zeek.bacnet.invoke_id": { "type": "integer" }, + "zeek.bacnet.pdu_service": { "type": "keyword" }, + "zeek.bacnet.pdu_type": { "type": "keyword" }, + "zeek.bacnet.result_code": { "type": "keyword" }, + "zeek.bacnet_discovery.instance_number": { "type": "integer" }, + "zeek.bacnet_discovery.object_name": { "type": "keyword" }, + "zeek.bacnet_discovery.object_type": { "type": "keyword" }, + "zeek.bacnet_discovery.pdu_service": { "type": "keyword" }, + "zeek.bacnet_discovery.range": { "type": "keyword" }, + "zeek.bacnet_discovery.range_high": { "type": "integer" }, + "zeek.bacnet_discovery.range_low": { "type": "integer" }, + "zeek.bacnet_discovery.vendor": { "type": "keyword" }, + "zeek.bacnet_property.array_index": { "type": "integer" }, + "zeek.bacnet_property.instance_number": { "type": "integer" }, + 
"zeek.bacnet_property.object_type": { "type": "keyword" }, + "zeek.bacnet_property.pdu_service": { "type": "keyword" }, + "zeek.bacnet_property.property": { "type": "keyword" }, + "zeek.bacnet_property.value": { "type": "keyword" }, + "zeek.bestguess.category": { "type": "keyword" }, + "zeek.bestguess.name": { "type": "keyword" }, + "zeek.bsap_ip_header.num_msg": { "type": "keyword" }, + "zeek.bsap_ip_header.type_name": { "type": "integer" }, + "zeek.bsap_ip_rdb.app_func_code": { "type": "keyword" }, + "zeek.bsap_ip_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.bsap_ip_rdb.data_len": { "type": "integer" }, + "zeek.bsap_ip_rdb.func_code": { "type": "keyword" }, + "zeek.bsap_ip_rdb.header_size": { "type": "integer" }, + "zeek.bsap_ip_rdb.mes_seq": { "type": "integer" }, + "zeek.bsap_ip_rdb.node_status": { "type": "integer" }, + "zeek.bsap_ip_rdb.res_seq": { "type": "integer" }, + "zeek.bsap_ip_rdb.sequence": { "type": "integer" }, + "zeek.bsap_ip_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.bsap_serial_header.ctl": { "type": "integer" }, + "zeek.bsap_serial_header.dadd": { "type": "integer" }, + "zeek.bsap_serial_header.dfun": { "type": "keyword" }, + "zeek.bsap_serial_header.nsb": { "type": "integer" }, + "zeek.bsap_serial_header.sadd": { "type": "integer" }, + "zeek.bsap_serial_header.seq": { "type": "integer" }, + "zeek.bsap_serial_header.ser": { "type": "keyword" }, + "zeek.bsap_serial_header.sfun": { "type": "keyword" }, + "zeek.bsap_serial_header.type_name": { "type": "keyword" }, + "zeek.bsap_serial_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.bsap_serial_rdb.func_code": { "type": "keyword" }, + "zeek.bsap_serial_rdb_ext.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + 
"zeek.bsap_serial_rdb_ext.dfun": { "type": "keyword" }, + "zeek.bsap_serial_rdb_ext.extfun": { "type": "keyword" }, + "zeek.bsap_serial_rdb_ext.nsb": { "type": "integer" }, + "zeek.bsap_serial_rdb_ext.seq": { "type": "integer" }, + "zeek.bsap_serial_rdb_ext.sfun": { "type": "keyword" }, + "zeek.bsap_serial_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.cip.attribute_id": { "type": "keyword" }, + "zeek.cip.cip_sequence_count": { "type": "integer" }, + "zeek.cip.cip_service": { "type": "keyword" }, + "zeek.cip.cip_status": { "type": "keyword" }, + "zeek.cip.class_id": { "type": "keyword" }, + "zeek.cip.class_name": { "type": "keyword" }, + "zeek.cip.data_id": { "type": "keyword" }, + "zeek.cip.direction": { "type": "keyword" }, + "zeek.cip.instance_id": { "type": "keyword" }, + "zeek.cip.other_id": { "type": "keyword" }, + "zeek.cip_identity.device_state": { "type": "keyword" }, + "zeek.cip_identity.device_status": { "type": "keyword" }, + "zeek.cip_identity.device_type_id": { "type": "integer" }, + "zeek.cip_identity.device_type_name": { "type": "keyword" }, + "zeek.cip_identity.encapsulation_version": { "type": "integer" }, + "zeek.cip_identity.product_code": { "type": "integer" }, + "zeek.cip_identity.product_name": { "type": "keyword" }, + "zeek.cip_identity.revision": { "type": "keyword" }, + "zeek.cip_identity.serial_number": { "type": "keyword" }, + "zeek.cip_identity.socket_address": { "type": "ip" }, + "zeek.cip_identity.socket_address_asn": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.cip_identity.socket_address_geo.continent_code": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.country_code2": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.country_code3": { "type": "keyword" }, + 
"zeek.cip_identity.socket_address_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.cip_identity.socket_address_geo.dma_code": { "type": "short" }, + "zeek.cip_identity.socket_address_geo.ip": { "type": "ip" }, + "zeek.cip_identity.socket_address_geo.latitude": { "type": "float" }, + "zeek.cip_identity.socket_address_geo.location": { "type": "geo_point" }, + "zeek.cip_identity.socket_address_geo.longitude": { "type": "float" }, + "zeek.cip_identity.socket_address_geo.postal_code": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.region_code": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.region_name": { "type": "keyword" }, + "zeek.cip_identity.socket_address_geo.timezone": { "type": "keyword" }, + "zeek.cip_identity.socket_port": { "type": "integer" }, + "zeek.cip_identity.vendor_id": { "type": "integer" }, + "zeek.cip_identity.vendor_name": { "type": "keyword" }, + "zeek.cip_io.connection_id": { "type": "keyword" }, + "zeek.cip_io.data_length": { "type": "integer" }, + "zeek.cip_io.io_data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.cip_io.sequence_number": { "type": "integer" }, + "zeek.conn.conn_state": { "type": "keyword" }, + "zeek.conn.conn_state_description": { "type": "keyword" }, + "zeek.conn.duration": { "type": "float" }, + "zeek.conn.history": { "type": "keyword" }, + "zeek.conn.inner_vlan": { "type": "integer" }, + "zeek.conn.local_orig": { "type": "keyword" }, + "zeek.conn.local_resp": { "type": "keyword" }, + "zeek.conn.missed_bytes": { "type": "long" }, + "zeek.conn.orig_bytes": { "type": "long" }, + "zeek.conn.orig_ip_bytes": { "type": "long" }, + "zeek.conn.orig_pkts": { "type": "integer" }, + "zeek.conn.resp_bytes": { "type": "long" }, + "zeek.conn.resp_ip_bytes": { "type": "long" }, + "zeek.conn.resp_pkts": { "type": "integer" }, + "zeek.conn.tunnel_parents": { "type": "keyword" }, + 
"zeek.conn.vlan": { "type": "integer" }, + "zeek.dce_rpc.endpoint": { "type": "keyword" }, + "zeek.dce_rpc.named_pipe": { "type": "keyword" }, + "zeek.dce_rpc.operation": { "type": "keyword" }, + "zeek.dce_rpc.rtt": { "type": "float" }, + "zeek.dhcp.assigned_ip": { "type": "ip" }, + "zeek.dhcp.client_fqdn": { "type": "keyword" }, + "zeek.dhcp.client_message": { "type": "keyword" }, + "zeek.dhcp.client_software": { "type": "keyword" }, + "zeek.dhcp.domain": { "type": "keyword" }, + "zeek.dhcp.duration": { "type": "float" }, + "zeek.dhcp.host_name": { "type": "keyword" }, + "zeek.dhcp.lease_time": { "type": "float" }, + "zeek.dhcp.mac": { "type": "keyword" }, + "zeek.dhcp.msg_types": { "type": "keyword" }, + "zeek.dhcp.requested_ip": { "type": "ip" }, + "zeek.dhcp.server_message": { "type": "keyword" }, + "zeek.dhcp.server_software": { "type": "keyword" }, + "zeek.dhcp.trans_id": { "type": "keyword" }, + "zeek.dnp3.fc_reply": { "type": "keyword" }, + "zeek.dnp3.fc_request": { "type": "keyword" }, + "zeek.dnp3.iin": { "type": "keyword" }, + "zeek.dnp3.iin_flags": { "type": "keyword" }, + "zeek.dnp3_control.block_type": { "type": "keyword" }, + "zeek.dnp3_control.execute_count": { "type": "integer" }, + "zeek.dnp3_control.function_code": { "type": "keyword" }, + "zeek.dnp3_control.index_number": { "type": "integer" }, + "zeek.dnp3_control.off_time": { "type": "integer" }, + "zeek.dnp3_control.on_time": { "type": "integer" }, + "zeek.dnp3_control.operation_type": { "type": "keyword" }, + "zeek.dnp3_control.status_code": { "type": "keyword" }, + "zeek.dnp3_control.trip_control_code": { "type": "keyword" }, + "zeek.dnp3_objects.function_code": { "type": "keyword" }, + "zeek.dnp3_objects.object_count": { "type": "integer" }, + "zeek.dnp3_objects.object_type": { "type": "keyword" }, + "zeek.dnp3_objects.range_high": { "type": "integer" }, + "zeek.dnp3_objects.range_low": { "type": "integer" }, + "zeek.dns.AA": { "type": "keyword" }, + "zeek.dns.answers": { "type": "keyword" 
}, + "zeek.dns.qclass": { "type": "keyword" }, + "zeek.dns.qclass_name": { "type": "keyword" }, + "zeek.dns.qtype": { "type": "keyword" }, + "zeek.dns.qtype_name": { "type": "keyword" }, + "zeek.dns.query": { "type": "keyword" }, + "zeek.dns.RA": { "type": "keyword" }, + "zeek.dns.rcode": { "type": "short" }, + "zeek.dns.rcode_name": { "type": "keyword" }, + "zeek.dns.RD": { "type": "keyword" }, + "zeek.dns.rejected": { "type": "keyword" }, + "zeek.dns.rtt": { "type": "float" }, + "zeek.dns.TC": { "type": "keyword" }, + "zeek.dns.trans_id": { "type": "keyword" }, + "zeek.dns.TTLs": { "type": "float" }, + "zeek.dns.Z": { "type": "keyword" }, + "zeek.dpd.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.dpd.service": { "type": "keyword" }, + "zeek.ecat_aoe_info.command": { "type": "keyword" }, + "zeek.ecat_aoe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ecat_aoe_info.orig_port": { "type": "keyword" }, + "zeek.ecat_aoe_info.resp_port": { "type": "keyword" }, + "zeek.ecat_aoe_info.state": { "type": "keyword" }, + "zeek.ecat_arp_info.arp_type": { "type": "keyword" }, + "zeek.ecat_arp_info.orig_hw_addr": { "type": "keyword" }, + "zeek.ecat_arp_info.orig_proto_addr": { "type": "keyword" }, + "zeek.ecat_arp_info.resp_hw_addr": { "type": "keyword" }, + "zeek.ecat_arp_info.resp_proto_addr": { "type": "keyword" }, + "zeek.ecat_coe_info.dataoffset": { "type": "keyword" }, + "zeek.ecat_coe_info.index": { "type": "keyword" }, + "zeek.ecat_coe_info.number": { "type": "keyword" }, + "zeek.ecat_coe_info.req_resp": { "type": "keyword" }, + "zeek.ecat_coe_info.subindex": { "type": "keyword" }, + "zeek.ecat_coe_info.type": { "type": "keyword" }, + "zeek.ecat_dev_info.build": { "type": "keyword" }, + "zeek.ecat_dev_info.dev_type": { "type": "keyword" }, + "zeek.ecat_dev_info.dpram": { "type": "keyword" }, + "zeek.ecat_dev_info.features": { "type": 
"keyword" }, + "zeek.ecat_dev_info.fmmucnt": { "type": "keyword" }, + "zeek.ecat_dev_info.ports": { "type": "keyword" }, + "zeek.ecat_dev_info.revision": { "type": "keyword" }, + "zeek.ecat_dev_info.server_id": { "type": "keyword" }, + "zeek.ecat_dev_info.smcount": { "type": "keyword" }, + "zeek.ecat_foe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ecat_foe_info.error_code": { "type": "keyword" }, + "zeek.ecat_foe_info.filename": { "type": "keyword" }, + "zeek.ecat_foe_info.opcode": { "type": "keyword" }, + "zeek.ecat_foe_info.packet_num": { "type": "keyword" }, + "zeek.ecat_foe_info.reserved": { "type": "keyword" }, + "zeek.ecat_log_address.command": { "type": "keyword" }, + "zeek.ecat_log_address.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ecat_log_address.length": { "type": "integer" }, + "zeek.ecat_log_address.log_addr": { "type": "keyword" }, + "zeek.ecat_registers.command": { "type": "keyword" }, + "zeek.ecat_registers.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ecat_registers.register_addr": { "type": "keyword" }, + "zeek.ecat_registers.register_type": { "type": "keyword" }, + "zeek.ecat_registers.server_addr": { "type": "keyword" }, + "zeek.ecat_soe_info.drive_num": { "type": "keyword" }, + "zeek.ecat_soe_info.element": { "type": "keyword" }, + "zeek.ecat_soe_info.error": { "type": "keyword" }, + "zeek.ecat_soe_info.incomplete": { "type": "keyword" }, + "zeek.ecat_soe_info.index": { "type": "keyword" }, + "zeek.ecat_soe_info.opcode": { "type": "keyword" }, + "zeek.enip.enip_command": { "type": "keyword" }, + "zeek.enip.enip_status": { "type": "keyword" }, + "zeek.enip.length": { "type": "integer" }, + "zeek.enip.options": { "type": "keyword" }, + "zeek.enip.sender_context": { "type": "keyword" }, + "zeek.enip.session_handle": { "type": 
"keyword" }, + "zeek.files.analyzers": { "type": "keyword" }, + "zeek.files.conn_uids": { "type": "keyword" }, + "zeek.files.depth": { "type": "integer" }, + "zeek.files.duration": { "type": "float" }, + "zeek.files.extracted": { "type": "keyword" }, + "zeek.files.extracted_cutoff": { "type": "keyword" }, + "zeek.files.extracted_size": { "type": "integer" }, + "zeek.files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.files.is_orig": { "type": "keyword" }, + "zeek.files.local_orig": { "type": "keyword" }, + "zeek.files.md5": { "type": "keyword" }, + "zeek.files.mime_type": { "type": "keyword" }, + "zeek.files.missing_bytes": { "type": "long" }, + "zeek.files.overflow_bytes": { "type": "long" }, + "zeek.files.parent_fuid": { "type": "keyword" }, + "zeek.files.rx_hosts": { "type": "ip" }, + "zeek.files.seen_bytes": { "type": "long" }, + "zeek.files.sha1": { "type": "keyword" }, + "zeek.files.sha256": { "type": "keyword" }, + "zeek.files.source": { "type": "keyword" }, + "zeek.files.timedout": { "type": "keyword" }, + "zeek.files.total_bytes": { "type": "long" }, + "zeek.files.tx_hosts": { "type": "ip" }, + "zeek.ftp.arg": { "type": "keyword" }, + "zeek.ftp.command": { "type": "keyword" }, + "zeek.ftp.data_channel_orig_h": { "type": "ip" }, + "zeek.ftp.data_channel_passive": { "type": "keyword" }, + "zeek.ftp.data_channel_resp_h": { "type": "ip" }, + "zeek.ftp.data_channel_resp_p": { "type": "integer" }, + "zeek.ftp.file_size": { "type": "long" }, + "zeek.ftp.mime_type": { "type": "keyword" }, + "zeek.ftp.reply_code": { "type": "short" }, + "zeek.ftp.reply_msg": { "type": "keyword" }, + "zeek.fuid": { "type": "keyword" }, + "zeek.gquic.cyu": { "type": "keyword" }, + "zeek.gquic.cyutags": { "type": "keyword" }, + "zeek.gquic.server_name": { "type": "keyword" }, + "zeek.gquic.tag_count": { "type": "integer" }, + "zeek.gquic.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": 
"text" } } }, + "zeek.gquic.version": { "type": "keyword" }, + "zeek.http.host": { "type": "keyword" }, + "zeek.http.info_code": { "type": "short" }, + "zeek.http.info_msg": { "type": "keyword" }, + "zeek.http.method": { "type": "keyword" }, + "zeek.http.orig_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.http.orig_fuids": { "type": "keyword" }, + "zeek.http.orig_mime_types": { "type": "keyword" }, + "zeek.http.origin": { "type": "keyword" }, + "zeek.http.post_password_plain": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.http.post_username": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.http.proxied": { "type": "keyword" }, + "zeek.http.referrer": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.http.request_body_len": { "type": "long" }, + "zeek.http.resp_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.http.resp_fuids": { "type": "keyword" }, + "zeek.http.resp_mime_types": { "type": "keyword" }, + "zeek.http.response_body_len": { "type": "long" }, + "zeek.http.status_code": { "type": "short" }, + "zeek.http.status_msg": { "type": "keyword", "ignore_above": 1024 }, + "zeek.http.tags": { "type": "keyword" }, + "zeek.http.trans_depth": { "type": "integer" }, + "zeek.http.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.http.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.http.version": { "type": "keyword" }, + "zeek.intel.file_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.intel.file_mime_type": { "type": "keyword" }, + "zeek.intel.indicator": { "type": "keyword" }, + "zeek.intel.indicator_type": { "type": "keyword" }, + 
"zeek.intel.matched": { "type": "keyword" }, + "zeek.intel.seen_node": { "type": "keyword" }, + "zeek.intel.seen_where": { "type": "keyword" }, + "zeek.intel.sources": { "type": "keyword" }, + "zeek.ipsec.certificates": { "type": "keyword" }, + "zeek.ipsec.exchange_type": { "type": "integer" }, + "zeek.ipsec.flag_a": { "type": "keyword" }, + "zeek.ipsec.flag_c": { "type": "keyword" }, + "zeek.ipsec.flag_e": { "type": "keyword" }, + "zeek.ipsec.flag_i": { "type": "keyword" }, + "zeek.ipsec.flag_r": { "type": "keyword" }, + "zeek.ipsec.flag_v": { "type": "keyword" }, + "zeek.ipsec.flags": { "type": "keyword" }, + "zeek.ipsec.hash": { "type": "keyword" }, + "zeek.ipsec.initiator_spi": { "type": "keyword" }, + "zeek.ipsec.is_orig": { "type": "keyword" }, + "zeek.ipsec.ke_dh_groups": { "type": "integer" }, + "zeek.ipsec.length": { "type": "integer" }, + "zeek.ipsec.maj_ver": { "type": "integer" }, + "zeek.ipsec.message_id": { "type": "keyword" }, + "zeek.ipsec.min_ver": { "type": "integer" }, + "zeek.ipsec.notify_messages": { "type": "keyword" }, + "zeek.ipsec.proposals": { "type": "integer" }, + "zeek.ipsec.responder_spi": { "type": "keyword" }, + "zeek.ipsec.transform_attributes": { "type": "keyword" }, + "zeek.ipsec.transforms": { "type": "keyword" }, + "zeek.ipsec.vendor_ids": { "type": "keyword" }, + "zeek.irc.addl": { "type": "keyword" }, + "zeek.irc.command": { "type": "keyword" }, + "zeek.irc.dcc_file_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.irc.dcc_file_size": { "type": "long" }, + "zeek.irc.dcc_mime_type": { "type": "keyword" }, + "zeek.irc.nick": { "type": "keyword" }, + "zeek.irc.value": { "type": "keyword" }, + "zeek.iso_cotp.pdu_type": { "type": "keyword" }, + "zeek.kerberos.cipher": { "type": "keyword" }, + "zeek.kerberos.client_cert_fuid": { "type": "keyword" }, + "zeek.kerberos.client_cert_subject": { "type": "keyword" }, + "zeek.kerberos.cname": { "type": "keyword" }, + 
"zeek.kerberos.error_msg": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.kerberos.forwardable": { "type": "keyword" }, + "zeek.kerberos.from": { "type": "date" }, + "zeek.kerberos.renewable": { "type": "keyword" }, + "zeek.kerberos.request_type": { "type": "keyword" }, + "zeek.kerberos.server_cert_fuid": { "type": "keyword" }, + "zeek.kerberos.server_cert_subject": { "type": "keyword" }, + "zeek.kerberos.sname": { "type": "keyword" }, + "zeek.kerberos.success": { "type": "keyword" }, + "zeek.kerberos.till": { "type": "date" }, + "zeek.known_certs.issuer_subject": { "type": "keyword" }, + "zeek.known_certs.serial": { "type": "keyword" }, + "zeek.known_certs.subject": { "type": "keyword" }, + "zeek.known_modbus.device_type": { "type": "keyword" }, + "zeek.ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ldap.message_id": { "type": "keyword" }, + "zeek.ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ldap.operation": { "type": "keyword" }, + "zeek.ldap.result_code": { "type": "keyword" }, + "zeek.ldap.result_message": { "type": "keyword" }, + "zeek.ldap.version": { "type": "integer" }, + "zeek.ldap_search.attributes": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ldap_search.base_object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ldap_search.deref": { "type": "keyword" }, + "zeek.ldap_search.filter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.ldap_search.message_id": { "type": "keyword" }, + "zeek.ldap_search.result_code": { "type": "keyword" }, + "zeek.ldap_search.result_count": { "type": "integer" }, + "zeek.ldap_search.result_message": { "type": "keyword" }, + "zeek.ldap_search.scope": { "type": 
"keyword" }, + "zeek.login.client_user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.login.confused": { "type": "keyword" }, + "zeek.login.success": { "type": "keyword" }, + "zeek.modbus.exception": { "type": "keyword" }, + "zeek.modbus.func": { "type": "keyword" }, + "zeek.modbus_detailed.address": { "type": "integer" }, + "zeek.modbus_detailed.func": { "type": "keyword" }, + "zeek.modbus_detailed.network_direction": { "type": "keyword" }, + "zeek.modbus_detailed.quantity": { "type": "integer" }, + "zeek.modbus_detailed.unit_id": { "type": "integer" }, + "zeek.modbus_detailed.values": { "type": "keyword" }, + "zeek.modbus_mask_write_register.address": { "type": "integer" }, + "zeek.modbus_mask_write_register.and_mask": { "type": "integer" }, + "zeek.modbus_mask_write_register.func": { "type": "keyword" }, + "zeek.modbus_mask_write_register.network_direction": { "type": "keyword" }, + "zeek.modbus_mask_write_register.or_mask": { "type": "integer" }, + "zeek.modbus_mask_write_register.unit_id": { "type": "integer" }, + "zeek.modbus_read_write_multiple_registers.func": { "type": "keyword" }, + "zeek.modbus_read_write_multiple_registers.network_direction": { "type": "keyword" }, + "zeek.modbus_read_write_multiple_registers.read_quantity": { "type": "integer" }, + "zeek.modbus_read_write_multiple_registers.read_registers": { "type": "keyword" }, + "zeek.modbus_read_write_multiple_registers.read_start_address": { "type": "integer" }, + "zeek.modbus_read_write_multiple_registers.unit_id": { "type": "integer" }, + "zeek.modbus_read_write_multiple_registers.write_registers": { "type": "keyword" }, + "zeek.modbus_read_write_multiple_registers.write_start_address": { "type": "integer" }, + "zeek.mqtt_connect.client_id": { "type": "keyword" }, + "zeek.mqtt_connect.connect_status": { "type": "keyword" }, + "zeek.mqtt_connect.proto_name": { "type": "keyword" }, + "zeek.mqtt_connect.proto_version": { "type": "keyword" }, + 
"zeek.mqtt_connect.will_payload": { "type": "keyword" }, + "zeek.mqtt_connect.will_topic": { "type": "keyword" }, + "zeek.mqtt_publish.from_client": { "type": "keyword" }, + "zeek.mqtt_publish.payload": { "type": "keyword" }, + "zeek.mqtt_publish.payload_dict.messageType": { "type": "keyword" }, + "zeek.mqtt_publish.payload_len": { "type": "integer" }, + "zeek.mqtt_publish.qos": { "type": "keyword" }, + "zeek.mqtt_publish.retain": { "type": "keyword" }, + "zeek.mqtt_publish.status": { "type": "keyword" }, + "zeek.mqtt_publish.topic": { "type": "keyword" }, + "zeek.mqtt_subscribe.ack": { "type": "keyword" }, + "zeek.mqtt_subscribe.action": { "type": "keyword" }, + "zeek.mqtt_subscribe.granted_qos_level": { "type": "integer" }, + "zeek.mqtt_subscribe.qos_levels": { "type": "integer" }, + "zeek.mqtt_subscribe.topics": { "type": "keyword" }, + "zeek.mysql.arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.mysql.cmd": { "type": "keyword" }, + "zeek.mysql.response": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.mysql.rows": { "type": "integer" }, + "zeek.mysql.success": { "type": "keyword" }, + "zeek.noise.enc_cookie": { "type": "keyword" }, + "zeek.noise.enc_nothing": { "type": "keyword" }, + "zeek.noise.enc_payload": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.noise.enc_payload_len": { "type": "integer" }, + "zeek.noise.enc_static": { "type": "keyword" }, + "zeek.noise.enc_timestamp": { "type": "keyword" }, + "zeek.noise.mac1": { "type": "keyword" }, + "zeek.noise.mac2": { "type": "keyword" }, + "zeek.noise.msg_type": { "type": "keyword" }, + "zeek.noise.nonce": { "type": "keyword" }, + "zeek.noise.receiver": { "type": "keyword" }, + "zeek.noise.sender": { "type": "keyword" }, + "zeek.noise.unenc_ephemeral": { "type": "keyword" }, + "zeek.notice.actions": { "type": "keyword" }, + 
"zeek.notice.category": { "type": "keyword" }, + "zeek.notice.dropped": { "type": "keyword" }, + "zeek.notice.dst": { "type": "ip" }, + "zeek.notice.file_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.notice.file_mime_type": { "type": "keyword" }, + "zeek.notice.msg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.notice.n": { "type": "integer" }, + "zeek.notice.note": { "type": "keyword" }, + "zeek.notice.p": { "type": "integer" }, + "zeek.notice.peer_descr": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.notice.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.notice.remote_location_country_code": { "type": "keyword" }, + "zeek.notice.remote_location_latitude": { "type": "float" }, + "zeek.notice.remote_location_longitude": { "type": "float" }, + "zeek.notice.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.notice.src": { "type": "ip" }, + "zeek.notice.sub": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.notice.sub_category": { "type": "keyword" }, + "zeek.notice.suppress_for": { "type": "float" }, + "zeek.ntlm.domain": { "type": "keyword" }, + "zeek.ntlm.host": { "type": "keyword" }, + "zeek.ntlm.server_dns_computer": { "type": "keyword" }, + "zeek.ntlm.server_nb_computer": { "type": "keyword" }, + "zeek.ntlm.server_tree": { "type": "keyword" }, + "zeek.ntlm.status": { "type": "keyword" }, + "zeek.ntlm.success": { "type": "keyword" }, + "zeek.ntp.mode": { "type": "keyword" }, + "zeek.ntp.mode_str": { "type": "keyword" }, + "zeek.ntp.num_exts": { "type": "integer" }, + "zeek.ntp.org_time": { "type": "date" }, + "zeek.ntp.poll": { "type": "float" }, + 
"zeek.ntp.precision": { "type": "float" }, + "zeek.ntp.rec_time": { "type": "date" }, + "zeek.ntp.ref_id": { "type": "keyword" }, + "zeek.ntp.ref_time": { "type": "date" }, + "zeek.ntp.root_delay": { "type": "float" }, + "zeek.ntp.root_disp": { "type": "float" }, + "zeek.ntp.stratum": { "type": "keyword" }, + "zeek.ntp.version": { "type": "integer" }, + "zeek.ntp.xmt_time": { "type": "date" }, + "zeek.ocsp.certStatus": { "type": "keyword" }, + "zeek.ocsp.hashAlgorithm": { "type": "keyword" }, + "zeek.ocsp.issuerKeyHash": { "type": "keyword" }, + "zeek.ocsp.issuerNameHash": { "type": "keyword" }, + "zeek.ocsp.nextUpdate": { "type": "date" }, + "zeek.ocsp.revokereason": { "type": "keyword" }, + "zeek.ocsp.revoketime": { "type": "date" }, + "zeek.ocsp.serialNumber": { "type": "keyword" }, + "zeek.ocsp.thisUpdate": { "type": "date" }, + "zeek.pe.compile_ts": { "type": "date" }, + "zeek.pe.has_cert_table": { "type": "keyword" }, + "zeek.pe.has_debug_data": { "type": "keyword" }, + "zeek.pe.has_export_table": { "type": "keyword" }, + "zeek.pe.has_import_table": { "type": "keyword" }, + "zeek.pe.is_64bit": { "type": "keyword" }, + "zeek.pe.is_exe": { "type": "keyword" }, + "zeek.pe.machine": { "type": "keyword" }, + "zeek.pe.os": { "type": "keyword" }, + "zeek.pe.section_names": { "type": "keyword" }, + "zeek.pe.subsystem": { "type": "keyword" }, + "zeek.pe.uses_aslr": { "type": "keyword" }, + "zeek.pe.uses_code_integrity": { "type": "keyword" }, + "zeek.pe.uses_dep": { "type": "keyword" }, + "zeek.pe.uses_seh": { "type": "keyword" }, + "zeek.profinet.block_version": { "type": "keyword" }, + "zeek.profinet.index": { "type": "keyword" }, + "zeek.profinet.operation_type": { "type": "keyword" }, + "zeek.profinet.slot_number": { "type": "integer" }, + "zeek.profinet.subslot_number": { "type": "integer" }, + "zeek.profinet_dce_rpc.activity_uuid": { "type": "keyword" }, + "zeek.profinet_dce_rpc.interface_uuid": { "type": "keyword" }, + "zeek.profinet_dce_rpc.object_uuid": { 
"type": "keyword" }, + "zeek.profinet_dce_rpc.operation": { "type": "keyword" }, + "zeek.profinet_dce_rpc.packet_type": { "type": "keyword" }, + "zeek.profinet_dce_rpc.server_boot_time": { "type": "integer" }, + "zeek.profinet_dce_rpc.version": { "type": "integer" }, + "zeek.radius.connect_info": { "type": "keyword" }, + "zeek.radius.framed_addr": { "type": "ip" }, + "zeek.radius.mac": { "type": "keyword" }, + "zeek.radius.reply_msg": { "type": "keyword" }, + "zeek.radius.result": { "type": "keyword" }, + "zeek.radius.ttl": { "type": "float" }, + "zeek.radius.tunnel_client": { "type": "keyword" }, + "zeek.rdp.cert_count": { "type": "integer" }, + "zeek.rdp.cert_permanent": { "type": "keyword" }, + "zeek.rdp.cert_type": { "type": "keyword" }, + "zeek.rdp.client_build": { "type": "keyword" }, + "zeek.rdp.client_channels": { "type": "keyword" }, + "zeek.rdp.client_dig_product_id": { "type": "keyword" }, + "zeek.rdp.client_name": { "type": "keyword" }, + "zeek.rdp.cookie": { "type": "keyword" }, + "zeek.rdp.desktop_height": { "type": "integer" }, + "zeek.rdp.desktop_width": { "type": "integer" }, + "zeek.rdp.encryption_level": { "type": "keyword" }, + "zeek.rdp.encryption_method": { "type": "keyword" }, + "zeek.rdp.keyboard_layout": { "type": "keyword" }, + "zeek.rdp.requested_color_depth": { "type": "keyword" }, + "zeek.rdp.result": { "type": "keyword" }, + "zeek.rdp.security_protocol": { "type": "keyword" }, + "zeek.rfb.auth": { "type": "keyword" }, + "zeek.rfb.authentication_method": { "type": "keyword" }, + "zeek.rfb.client_major_version": { "type": "keyword" }, + "zeek.rfb.client_minor_version": { "type": "keyword" }, + "zeek.rfb.desktop_name": { "type": "keyword" }, + "zeek.rfb.height": { "type": "integer" }, + "zeek.rfb.server_major_version": { "type": "keyword" }, + "zeek.rfb.server_minor_version": { "type": "keyword" }, + "zeek.rfb.share_flag": { "type": "keyword" }, + "zeek.rfb.width": { "type": "integer" }, + "zeek.s7comm.data_info": { "type": "keyword" }, + 
"zeek.s7comm.item_count": { "type": "integer" }, + "zeek.s7comm.parameter": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.s7comm.parameters.class": { "type": "keyword" }, + "zeek.s7comm.parameters.code": { "type": "keyword" }, + "zeek.s7comm.parameters.group": { "type": "keyword" }, + "zeek.s7comm.parameters.mode": { "type": "keyword" }, + "zeek.s7comm.parameters.sub": { "type": "keyword" }, + "zeek.s7comm.parameters.type": { "type": "keyword" }, + "zeek.s7comm.rosctr": { "type": "keyword" }, + "zeek.signatures.engine": { "type": "keyword" }, + "zeek.signatures.event_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.signatures.hits": { "type": "nested" }, + "zeek.signatures.host_count": { "type": "integer" }, + "zeek.signatures.note": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.signatures.signature_count": { "type": "integer" }, + "zeek.signatures.signature_id": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.signatures.sub_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.sip.call_id": { "type": "keyword" }, + "zeek.sip.content_type": { "type": "keyword" }, + "zeek.sip.date": { "type": "keyword" }, + "zeek.sip.method": { "type": "keyword" }, + "zeek.sip.reply_to": { "type": "keyword" }, + "zeek.sip.request_body_len": { "type": "integer" }, + "zeek.sip.request_from": { "type": "keyword" }, + "zeek.sip.request_path": { "type": "keyword" }, + "zeek.sip.request_to": { "type": "keyword" }, + "zeek.sip.response_body_len": { "type": "integer" }, + "zeek.sip.response_from": { "type": "keyword" }, + "zeek.sip.response_path": { "type": "keyword" }, + "zeek.sip.response_to": { "type": "keyword" }, + "zeek.sip.seq": { "type": "keyword" }, + 
"zeek.sip.status_code": { "type": "short" }, + "zeek.sip.status_msg": { "type": "keyword" }, + "zeek.sip.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.sip.trans_depth": { "type": "integer" }, + "zeek.sip.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.sip.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.sip.version": { "type": "keyword" }, + "zeek.sip.warning": { "type": "keyword" }, + "zeek.smb_cmd.argument": { "type": "keyword" }, + "zeek.smb_cmd.command": { "type": "keyword" }, + "zeek.smb_cmd.rtt": { "type": "float" }, + "zeek.smb_cmd.status": { "type": "keyword" }, + "zeek.smb_cmd.sub_command": { "type": "keyword" }, + "zeek.smb_cmd.tree": { "type": "keyword" }, + "zeek.smb_cmd.tree_service": { "type": "keyword" }, + "zeek.smb_cmd.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.smb_cmd.version": { "type": "keyword" }, + "zeek.smb_files.action": { "type": "keyword" }, + "zeek.smb_files.data_len_req": { "type": "long" }, + "zeek.smb_files.data_len_rsp": { "type": "long" }, + "zeek.smb_files.data_offset_req": { "type": "long" }, + "zeek.smb_files.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smb_files.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smb_files.prev_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smb_files.size": { "type": "long" }, + "zeek.smb_files.times_accessed": { "type": "date" }, + "zeek.smb_files.times_changed": { "type": "date" }, + "zeek.smb_files.times_created": { "type": "date" }, + "zeek.smb_files.times_modified": { "type": "date" }, + "zeek.smb_files.ts": { "type": "date" }, + "zeek.smb_mapping.native_file_system": { "type": "keyword" }, + 
"zeek.smb_mapping.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smb_mapping.resource_type": { "type": "keyword" }, + "zeek.smb_mapping.share_type": { "type": "keyword" }, + "zeek.smtp.cc": { "type": "keyword" }, + "zeek.smtp.date": { "type": "keyword" }, + "zeek.smtp.first_received": { "type": "keyword" }, + "zeek.smtp.from": { "type": "keyword" }, + "zeek.smtp.helo": { "type": "keyword" }, + "zeek.smtp.in_reply_to": { "type": "keyword" }, + "zeek.smtp.is_webmail": { "type": "keyword" }, + "zeek.smtp.last_reply": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smtp.last_reply_code": { "type": "keyword" }, + "zeek.smtp.last_reply_msg": { "type": "keyword" }, + "zeek.smtp.mailfrom": { "type": "keyword" }, + "zeek.smtp.msg_id": { "type": "keyword" }, + "zeek.smtp.path": { "type": "ip" }, + "zeek.smtp.rcptto": { "type": "keyword" }, + "zeek.smtp.reply_to": { "type": "keyword" }, + "zeek.smtp.second_received": { "type": "keyword" }, + "zeek.smtp.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.smtp.tls": { "type": "keyword" }, + "zeek.smtp.to": { "type": "keyword" }, + "zeek.smtp.trans_depth": { "type": "integer" }, + "zeek.smtp.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.smtp.x_originating_ip": { "type": "ip" }, + "zeek.snmp.community": { "type": "keyword" }, + "zeek.snmp.display_string": { "type": "keyword" }, + "zeek.snmp.duration": { "type": "float" }, + "zeek.snmp.get_bulk_requests": { "type": "integer" }, + "zeek.snmp.get_requests": { "type": "integer" }, + "zeek.snmp.get_responses": { "type": "integer" }, + "zeek.snmp.set_requests": { "type": "integer" }, + "zeek.snmp.up_since": { "type": "date" }, + "zeek.snmp.version": { "type": "keyword" }, + "zeek.socks.bound_host": { "type": "ip" }, + "zeek.socks.bound_name": { "type": "keyword" }, + 
"zeek.socks.bound_port": { "type": "integer" }, + "zeek.socks.request_host": { "type": "ip" }, + "zeek.socks.request_name": { "type": "keyword" }, + "zeek.socks.request_port": { "type": "integer" }, + "zeek.socks.server_status": { "type": "keyword" }, + "zeek.socks.version": { "type": "integer" }, + "zeek.software.name": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.software.software_type": { "type": "keyword" }, + "zeek.software.unparsed_version": { "type": "keyword", "ignore_above": 1024 }, + "zeek.software.version_addl": { "type": "keyword", "ignore_above": 1024 }, + "zeek.software.version_major": { "type": "integer" }, + "zeek.software.version_minor": { "type": "integer" }, + "zeek.software.version_minor2": { "type": "integer" }, + "zeek.software.version_minor3": { "type": "integer" }, + "zeek.ssh.auth_attempts": { "type": "integer" }, + "zeek.ssh.auth_success": { "type": "keyword" }, + "zeek.ssh.cipher_alg": { "type": "keyword" }, + "zeek.ssh.client": { "type": "keyword" }, + "zeek.ssh.compression_alg": { "type": "keyword" }, + "zeek.ssh.cshka": { "type": "keyword" }, + "zeek.ssh.direction": { "type": "keyword" }, + "zeek.ssh.hassh": { "type": "keyword" }, + "zeek.ssh.hasshAlgorithms": { "type": "keyword" }, + "zeek.ssh.hasshServer": { "type": "keyword" }, + "zeek.ssh.hasshServerAlgorithms": { "type": "keyword" }, + "zeek.ssh.hasshVersion": { "type": "keyword" }, + "zeek.ssh.host_key": { "type": "keyword" }, + "zeek.ssh.host_key_alg": { "type": "keyword" }, + "zeek.ssh.kex_alg": { "type": "keyword" }, + "zeek.ssh.mac_alg": { "type": "keyword" }, + "zeek.ssh.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.ssh.remote_location_country_code": { "type": "keyword" }, + "zeek.ssh.remote_location_latitude": { "type": "float" }, + "zeek.ssh.remote_location_longitude": { "type": "float" }, + "zeek.ssh.remote_location_region": { "type": "keyword", 
"ignore_above": 128, "fields": { "text": { "type": "text" } } }, + "zeek.ssh.server": { "type": "keyword" }, + "zeek.ssh.sshka": { "type": "keyword" }, + "zeek.ssh.version": { "type": "integer" }, + "zeek.ssl.cert_chain_fps": { "type": "keyword" }, + "zeek.ssl.cert_chain_fuids": { "type": "keyword" }, + "zeek.ssl.cipher": { "type": "keyword" }, + "zeek.ssl.client_cert_chain_fps": { "type": "keyword" }, + "zeek.ssl.client_cert_chain_fuids": { "type": "keyword" }, + "zeek.ssl.client_issuer.C": { "type": "keyword" }, + "zeek.ssl.client_issuer.CN": { "type": "keyword" }, + "zeek.ssl.client_issuer.DC": { "type": "keyword" }, + "zeek.ssl.client_issuer.emailAddress": { "type": "keyword" }, + "zeek.ssl.client_issuer.GN": { "type": "keyword" }, + "zeek.ssl.client_issuer.initials": { "type": "keyword" }, + "zeek.ssl.client_issuer.L": { "type": "keyword" }, + "zeek.ssl.client_issuer.O": { "type": "keyword" }, + "zeek.ssl.client_issuer.OU": { "type": "keyword" }, + "zeek.ssl.client_issuer.pseudonym": { "type": "keyword" }, + "zeek.ssl.client_issuer.serialNumber": { "type": "keyword" }, + "zeek.ssl.client_issuer.SN": { "type": "keyword" }, + "zeek.ssl.client_issuer.ST": { "type": "keyword" }, + "zeek.ssl.client_issuer.title": { "type": "keyword" }, + "zeek.ssl.client_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ssl.client_subject.C": { "type": "keyword" }, + "zeek.ssl.client_subject.CN": { "type": "keyword" }, + "zeek.ssl.client_subject.emailAddress": { "type": "keyword" }, + "zeek.ssl.client_subject.GN": { "type": "keyword" }, + "zeek.ssl.client_subject.initials": { "type": "keyword" }, + "zeek.ssl.client_subject.L": { "type": "keyword" }, + "zeek.ssl.client_subject.O": { "type": "keyword" }, + "zeek.ssl.client_subject.OU": { "type": "keyword" }, + "zeek.ssl.client_subject.pseudonym": { "type": "keyword" }, + "zeek.ssl.client_subject.serialNumber": { "type": "keyword" }, + "zeek.ssl.client_subject.SN": { "type": 
"keyword" }, + "zeek.ssl.client_subject.ST": { "type": "keyword" }, + "zeek.ssl.client_subject.title": { "type": "keyword" }, + "zeek.ssl.client_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ssl.curve": { "type": "keyword" }, + "zeek.ssl.established": { "type": "keyword" }, + "zeek.ssl.issuer.C": { "type": "keyword" }, + "zeek.ssl.issuer.CN": { "type": "keyword" }, + "zeek.ssl.issuer.DC": { "type": "keyword" }, + "zeek.ssl.issuer.emailAddress": { "type": "keyword" }, + "zeek.ssl.issuer.GN": { "type": "keyword" }, + "zeek.ssl.issuer.initials": { "type": "keyword" }, + "zeek.ssl.issuer.L": { "type": "keyword" }, + "zeek.ssl.issuer.O": { "type": "keyword" }, + "zeek.ssl.issuer.OU": { "type": "keyword" }, + "zeek.ssl.issuer.pseudonym": { "type": "keyword" }, + "zeek.ssl.issuer.serialNumber": { "type": "keyword" }, + "zeek.ssl.issuer.SN": { "type": "keyword" }, + "zeek.ssl.issuer.ST": { "type": "keyword" }, + "zeek.ssl.issuer.title": { "type": "keyword" }, + "zeek.ssl.issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ssl.ja3": { "type": "keyword" }, + "zeek.ssl.ja3s": { "type": "keyword" }, + "zeek.ssl.last_alert": { "type": "keyword" }, + "zeek.ssl.next_protocol": { "type": "keyword" }, + "zeek.ssl.resumed": { "type": "keyword" }, + "zeek.ssl.server_name": { "type": "keyword" }, + "zeek.ssl.sni_matches_cert": { "type": "keyword" }, + "zeek.ssl.ssl_history": { "type": "keyword" }, + "zeek.ssl.ssl_version": { "type": "keyword" }, + "zeek.ssl.subject.C": { "type": "keyword" }, + "zeek.ssl.subject.CN": { "type": "keyword" }, + "zeek.ssl.subject.description": { "type": "keyword" }, + "zeek.ssl.subject.emailAddress": { "type": "keyword" }, + "zeek.ssl.subject.GN": { "type": "keyword" }, + "zeek.ssl.subject.initials": { "type": "keyword" }, + "zeek.ssl.subject.L": { "type": "keyword" }, + "zeek.ssl.subject.O": { "type": "keyword" }, + 
"zeek.ssl.subject.OU": { "type": "keyword" }, + "zeek.ssl.subject.postalCode": { "type": "keyword" }, + "zeek.ssl.subject.pseudonym": { "type": "keyword" }, + "zeek.ssl.subject.serialNumber": { "type": "keyword" }, + "zeek.ssl.subject.SN": { "type": "keyword" }, + "zeek.ssl.subject.ST": { "type": "keyword" }, + "zeek.ssl.subject.street": { "type": "keyword" }, + "zeek.ssl.subject.title": { "type": "keyword" }, + "zeek.ssl.subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.ssl.validation_status": { "type": "keyword" }, + "zeek.stun.attr_type": { "type": "keyword" }, + "zeek.stun.attr_val": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.stun.class": { "type": "keyword" }, + "zeek.stun.is_orig": { "type": "keyword" }, + "zeek.stun.method": { "type": "keyword" }, + "zeek.stun.trans_id": { "type": "keyword" }, + "zeek.stun_nat.is_orig": { "type": "keyword" }, + "zeek.stun_nat.lan_addr": { "type": "keyword" }, + "zeek.stun_nat.wan_addr": { "type": "ip" }, + "zeek.stun_nat.wan_port": { "type": "integer" }, + "zeek.syslog.facility": { "type": "keyword" }, + "zeek.syslog.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.syslog.severity": { "type": "keyword" }, + "zeek.tds.command": { "type": "keyword" }, + "zeek.tds_rpc.parameter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.tds_rpc.parameters": { "type": "nested" }, + "zeek.tds_rpc.procedure_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.tds_sql_batch.header_type": { "type": "keyword" }, + "zeek.tds_sql_batch.query": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.tftp.block_acked": { "type": "integer" }, + "zeek.tftp.block_sent": { "type": "integer" }, + "zeek.tftp.error_code": { 
"type": "integer" }, + "zeek.tftp.error_msg": { "type": "keyword" }, + "zeek.tftp.fname": { "type": "keyword" }, + "zeek.tftp.mode": { "type": "keyword" }, + "zeek.tftp.size": { "type": "integer" }, + "zeek.tftp.uid_data": { "type": "keyword" }, + "zeek.tftp.wrq": { "type": "keyword" }, + "zeek.ts": { "type": "date" }, + "zeek.tunnel.action": { "type": "keyword" }, + "zeek.tunnel.tunnel_type": { "type": "keyword" }, + "zeek.uid": { "type": "keyword" }, + "zeek.weird.addl": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, + "zeek.weird.name": { "type": "keyword" }, + "zeek.weird.notice": { "type": "keyword" }, + "zeek.weird.peer": { "type": "keyword" }, + "zeek.wireguard.established": { "type": "keyword" }, + "zeek.wireguard.initiations": { "type": "integer" }, + "zeek.wireguard.receiver_index": { "type": "keyword" }, + "zeek.wireguard.responses": { "type": "integer" }, + "zeek.wireguard.sender_index": { "type": "keyword" }, + "zeek.x509.basic_constraints_ca": { "type": "keyword" }, + "zeek.x509.basic_constraints_path_len": { "type": "integer" }, + "zeek.x509.certificate_curve": { "type": "keyword" }, + "zeek.x509.certificate_exponent": { "type": "keyword" }, + "zeek.x509.certificate_issuer.C": { "type": "keyword" }, + "zeek.x509.certificate_issuer.CN": { "type": "keyword" }, + "zeek.x509.certificate_issuer.DC": { "type": "keyword" }, + "zeek.x509.certificate_issuer.emailAddress": { "type": "keyword" }, + "zeek.x509.certificate_issuer.GN": { "type": "keyword" }, + "zeek.x509.certificate_issuer.initials": { "type": "keyword" }, + "zeek.x509.certificate_issuer.L": { "type": "keyword" }, + "zeek.x509.certificate_issuer.O": { "type": "keyword" }, + "zeek.x509.certificate_issuer.OU": { "type": "keyword" }, + "zeek.x509.certificate_issuer.pseudonym": { "type": "keyword" }, + "zeek.x509.certificate_issuer.serialNumber": { "type": "keyword" }, + "zeek.x509.certificate_issuer.SN": { "type": "keyword" }, + 
"zeek.x509.certificate_issuer.ST": { "type": "keyword" }, + "zeek.x509.certificate_issuer.title": { "type": "keyword" }, + "zeek.x509.certificate_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.x509.certificate_key_alg": { "type": "keyword" }, + "zeek.x509.certificate_key_length": { "type": "integer" }, + "zeek.x509.certificate_key_type": { "type": "keyword" }, + "zeek.x509.certificate_not_valid_after": { "type": "date" }, + "zeek.x509.certificate_not_valid_before": { "type": "date" }, + "zeek.x509.certificate_serial": { "type": "keyword" }, + "zeek.x509.certificate_sig_alg": { "type": "keyword" }, + "zeek.x509.certificate_subject.C": { "type": "keyword" }, + "zeek.x509.certificate_subject.CN": { "type": "keyword" }, + "zeek.x509.certificate_subject.DC": { "type": "keyword" }, + "zeek.x509.certificate_subject.description": { "type": "keyword" }, + "zeek.x509.certificate_subject.emailAddress": { "type": "keyword" }, + "zeek.x509.certificate_subject.GN": { "type": "keyword" }, + "zeek.x509.certificate_subject.initials": { "type": "keyword" }, + "zeek.x509.certificate_subject.L": { "type": "keyword" }, + "zeek.x509.certificate_subject.O": { "type": "keyword" }, + "zeek.x509.certificate_subject.OU": { "type": "keyword" }, + "zeek.x509.certificate_subject.postalCode": { "type": "keyword" }, + "zeek.x509.certificate_subject.pseudonym": { "type": "keyword" }, + "zeek.x509.certificate_subject.serialNumber": { "type": "keyword" }, + "zeek.x509.certificate_subject.SN": { "type": "keyword" }, + "zeek.x509.certificate_subject.ST": { "type": "keyword" }, + "zeek.x509.certificate_subject.street": { "type": "keyword" }, + "zeek.x509.certificate_subject.title": { "type": "keyword" }, + "zeek.x509.certificate_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.x509.certificate_version": { "type": "integer" }, + "zeek.x509.client_cert": { "type": "keyword" }, + 
"zeek.x509.fingerprint": { "type": "keyword" }, + "zeek.x509.host_cert": { "type": "keyword" }, + "zeek.x509.san_dns": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "zeek.x509.san_email": { "type": "keyword" }, + "zeek.x509.san_ip": { "type": "ip" }, + "zeek.x509.san_uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } } + } + } + } +} diff --git a/kibana/scripts/kibana-create-arkime-sessions-index.sh b/kibana/scripts/kibana-create-arkime-sessions-index.sh index ec78dc00b..df9b153ef 100755 --- a/kibana/scripts/kibana-create-arkime-sessions-index.sh +++ b/kibana/scripts/kibana-create-arkime-sessions-index.sh @@ -27,8 +27,8 @@ INDEX_TIME_FIELD=${ARKIME_INDEX_TIME_FIELD:-"firstPacket"} INDEX_POLICY_FILE="/data/init/index-management-policy.json" INDEX_POLICY_FILE_HOST="/data/index-management-policy.json" -ZEEK_TEMPLATE_FILE="/data/init/zeek_template.json" -ZEEK_TEMPLATE_FILE_ORIG="/data/zeek_template.json" +MALCOLM_TEMPLATE_FILE="/data/init/malcolm_template.json" +MALCOLM_TEMPLATE_FILE_ORIG="/data/malcolm_template.json" INDEX_POLICY_NAME=${ISM_POLICY_NAME:-"session_index_policy"} # is the argument to automatically create this index enabled? @@ -48,7 +48,7 @@ if [[ "$CREATE_ES_ARKIME_SESSION_INDEX" = "true" ]] ; then # register the repo location for elasticsearch snapshots /data/register-elasticsearch-snapshot-repo.sh - # tweak the sessions template (arkime_sessions3-* zeek template file) to use the index management policy + # tweak the sessions template (arkime_sessions3-* template file) to use the index management policy if [[ -f "$INDEX_POLICY_FILE_HOST" ]] && (( $(jq length "$INDEX_POLICY_FILE_HOST") > 0 )); then # user has provided a file for index management, use it cp "$INDEX_POLICY_FILE_HOST" "$INDEX_POLICY_FILE" 
@@ -72,22 +72,22 @@ if [[ "$CREATE_ES_ARKIME_SESSION_INDEX" = "true" ]] ; then
 # https://opendistro.github.io/for-elasticsearch-docs/docs/ism/api/#create-policy
 curl -w "\n" -L --silent --output /dev/null --show-error -XPUT -H "Content-Type: application/json" "$ES_URL/_opendistro/_ism/policies/$INDEX_POLICY_NAME" -d "@$INDEX_POLICY_FILE"
- if [[ -f "$ZEEK_TEMPLATE_FILE_ORIG" ]]; then
+ if [[ -f "$MALCOLM_TEMPLATE_FILE_ORIG" ]]; then
 # insert opendistro.index_state_management.policy_id into index template settings: will be
 # imported by kibana-create-arkime-sessions-index.sh
- cat "$ZEEK_TEMPLATE_FILE_ORIG" | jq ".settings += {\"opendistro.index_state_management.policy_id\": \"$INDEX_POLICY_NAME\"}" > "$ZEEK_TEMPLATE_FILE"
+ cat "$MALCOLM_TEMPLATE_FILE_ORIG" | jq ".settings += {\"opendistro.index_state_management.policy_id\": \"$INDEX_POLICY_NAME\"}" > "$MALCOLM_TEMPLATE_FILE"
 fi
 fi
- echo "Importing zeek_template..."
+ echo "Importing malcolm_template..."
- if [[ -f "$ZEEK_TEMPLATE_FILE_ORIG" ]] && [[ ! -f "$ZEEK_TEMPLATE_FILE" ]]; then
+ if [[ -f "$MALCOLM_TEMPLATE_FILE_ORIG" ]] && [[ ! -f "$MALCOLM_TEMPLATE_FILE" ]]; then
- cp "$ZEEK_TEMPLATE_FILE_ORIG" "$ZEEK_TEMPLATE_FILE"
+ cp "$MALCOLM_TEMPLATE_FILE_ORIG" "$MALCOLM_TEMPLATE_FILE"
 fi
- # load zeek_template containing zeek field type mappings (merged from /data/zeek_template.json to /data/init/zeek_template.json in kibana_helpers.sh on startup)
+ # load malcolm_template containing malcolm data source field type mappings (merged from /data/malcolm_template.json to /data/init/malcolm_template.json in kibana_helpers.sh on startup)
 curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" \
- "$ES_URL/_template/zeek_template?include_type_name=true" -d "@$ZEEK_TEMPLATE_FILE" 2>&1
+ "$ES_URL/_template/malcolm_template?include_type_name=true" -d "@$MALCOLM_TEMPLATE_FILE" 2>&1
 echo "Importing index pattern..."
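Review bot: The `cat "$MALCOLM_TEMPLATE_FILE_ORIG" | jq ".settings += {...\"$INDEX_POLICY_NAME\"}"` line still builds the jq program by string-interpolating `$INDEX_POLICY_NAME`, which is taken from the `ISM_POLICY_NAME` environment variable (hunk -27), so a value containing a double quote or backslash breaks or rewrites the filter instead of landing in the policy_id string. Bind it as a jq variable instead: `jq --arg policy "$INDEX_POLICY_NAME" '.settings += {"opendistro.index_state_management.policy_id": $policy}' "$MALCOLM_TEMPLATE_FILE_ORIG" > "$MALCOLM_TEMPLATE_FILE"`, which also drops the redundant cat. The same variable is spliced into the `_opendistro/_ism/policies/` URL of the curl -XPUT just above, so one sanity check on the name at assignment (rejecting anything outside a conservative set such as `[A-Za-z0-9_-]`) would cover both uses. The enclosing `if [[ "$CREATE_ES_ARKIME_SESSION_INDEX" = "true" ]]` block starts and ends outside the hunk.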
diff --git a/kibana/scripts/kibana_index_refresh.py b/kibana/scripts/kibana_index_refresh.py
index af15c0f98..64c86881f 100755
--- a/kibana/scripts/kibana_index_refresh.py
+++ b/kibana/scripts/kibana_index_refresh.py
@@ -155,7 +155,7 @@ def main():
 #
 # fieldFormatMap is
 # {
- # "zeek.orig_h": {
+ # "source.ip": {
 # "id": "drilldown",
 # "params": {
 # "parsedUrl": {
@@ -166,8 +166,8 @@ def main():
 # "urlTemplates": [
 # null,
 # {
- # "url": "/idkib2ark/zeek.orig_h == {{value}}",
- # "label": "Arkime: zeek.orig_h == {{value}}"
+ # "url": "/idkib2ark/source.ip == {{value}}",
+ # "label": "Arkime: source.ip == {{value}}"
 # }
 # ]
 # }
@@ -214,14 +214,14 @@ def main():
 drilldownInfoParamsUrlTemplateValues['label'] = 'Port Registry: {{value}}'
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
- elif re.search(r'^(zeek\.service|protocol?|network\.protocol)$', field['name'], re.IGNORECASE) is not None:
+ elif re.search(r'^(protocol?|network\.protocol)$', field['name'], re.IGNORECASE) is not None:
 # add drilldown for searching IANA for services
 drilldownInfoParamsUrlTemplateValues = {}
 drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search={{value}}'
 drilldownInfoParamsUrlTemplateValues['label'] = 'Service Registry: {{value}}'
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
- elif re.search(r'^(network\.transport|zeek\.proto|ipProtocol)$', field['name'], re.IGNORECASE) is not None:
+ elif re.search(r'^(network\.transport|ipProtocol)$', field['name'], re.IGNORECASE) is not None:
 # add URL link for assigned transport protocol numbers
 drilldownInfoParamsUrlTemplateValues = {}
 drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'
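Review bot: In the new service-registry branch `r'^(protocol?|network\.protocol)$'` the `?` applies only to the trailing `l`, so the drilldown is attached to fields named `protoco` or `protocol` and never to `protocols`; if the optional suffix was meant to cover a plural the line should read `elif re.search(r'^(protocols?|network\.protocol)$', field['name'], re.IGNORECASE) is not None:`, and if not the `?` is dead and should be removed. The quirk is inherited from the removed line, but dropping `zeek\.service` leaves it as the whole first alternative, so it is worth settling in this change. The transport branch two lines below uses no quantifier at all, which suggests the exact-name form was intended. `main()` starts and ends outside the hunk.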
@@ -235,7 +235,7 @@ def main():
 drilldownInfoParamsUrlTemplateValues['label'] = 'ARIN ASN: {{value}}'
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
- elif re.search(r'(^zeek\.filetype$|mime[_\.-]?type)', field['name'], re.IGNORECASE) is not None:
+ elif re.search(r'mime[_\.-]?type', field['name'], re.IGNORECASE) is not None:
 # add drilldown for searching mime/media/content types
 # TODO: '/' in URL is getting messed up somehow, maybe we need to url encode it manually? not sure...
 drilldownInfoParamsUrlTemplateValues = {}
@@ -243,7 +243,7 @@ def main():
 drilldownInfoParamsUrlTemplateValues['label'] = 'Media Type Registry: {{value}}'
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
- elif re.search(r'(^zeek_files\.extracted$)', field['name'], re.IGNORECASE) is not None:
+ elif re.search(r'(^zeek\.files\.extracted$)', field['name'], re.IGNORECASE) is not None:
 # add download for extracted/quarantined zeek files
 drilldownInfoParamsUrlTemplateValues = {}
 drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/quarantine/{{value}}'
diff --git a/kibana/supervisord.conf b/kibana/supervisord.conf
index 3f6a1edc2..319973c19 100644
--- a/kibana/supervisord.conf
+++ b/kibana/supervisord.conf
@@ -17,7 +17,7 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
 serverurl=unix:///tmp/supervisor.sock
 [program:idxinit]
-command=bash -c "sleep 180 && /data/elastic_search_status.sh -w && /data/kibana_index_refresh.py -v --kibana \"%(ENV_KIBANA_URL)s\" --elastic \"%(ENV_ELASTICSEARCH_URL)s\" --template zeek_template"
+command=bash -c "sleep 180 && /data/elastic_search_status.sh -w && /data/kibana_index_refresh.py -v --kibana \"%(ENV_KIBANA_URL)s\" --elastic \"%(ENV_ELASTICSEARCH_URL)s\" --template malcolm_template"
 autostart=true
 autorestart=false
 startsecs=0
diff --git a/kibana/zeek_template.json b/kibana/zeek_template.json
deleted file mode 100644
index 4d1fa9b5b..000000000
--- a/kibana/zeek_template.json
+++ /dev/null
@@ -1,939 +0,0 @@ -{ - "index_patterns" : ["arkime_sessions3-*"], - "order" : 0, - "settings" : { - "index" : { - "mapping.total_fields.limit" : "2000" - } - }, - "mappings": { - "session": { - "properties": { - - "dns.answers": { "type": "nested" }, - "dns.header_flags": { "type": "keyword" }, - "dns.id": { "type": "keyword" }, - "dns.op_code": { "type": "keyword" }, - "dns.question.class": { "type": "keyword" }, - "dns.question.name": { "type": "keyword" }, - "dns.question.type": { "type": "keyword" }, - "dns.resolved_ip": { "type": "ip" }, - "dns.response_code": { "type": "keyword" }, - "dns.type": { "type": "keyword" }, - "event.severity_tags": { "type": "keyword" }, - "http.request.body.bytes": { "type": "long" }, - "http.request.method": { "type": "keyword" }, - "http.request.referrer": { "type": "keyword" }, - "http.response.body.bytes": { "type": "long" }, - "http.response.status_cocde": { "type": "short" }, - "http.version": { "type": "keyword" }, - "tls.cipher": { "type": "keyword" }, - "tls.client.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "tls.client.ja3": { "type": "keyword" }, - "tls.client.server_name": { "type": "keyword" }, - "tls.client.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "tls.curve": { "type": "keyword" }, - "tls.established": { "type": "keyword" }, - "tls.next_protocol": { "type": "keyword" }, - "tls.resumed": { "type": "keyword" }, - "tls.server.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "tls.server.ja3s": { "type": "keyword" }, - "tls.server.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "tls.version": { "type": "keyword" }, - "tls.version_protocol": { "type": "keyword" }, - - "zeekLogDocId": { "type": "keyword" }, - "zeek.action": { "type": "keyword" }, - "zeek.community_id": { "type": "keyword" }, - 
"zeek.destination_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek.destination_geo.continent_code": { "type": "keyword" }, - "zeek.destination_geo.country_code2": { "type": "keyword" }, - "zeek.destination_geo.country_code3": { "type": "keyword" }, - "zeek.destination_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek.destination_geo.dma_code": { "type": "short" }, - "zeek.destination_geo.ip": { "type": "ip" }, - "zeek.destination_geo.latitude": { "type": "float" }, - "zeek.destination_geo.location": { "type": "geo_point" }, - "zeek.destination_geo.longitude": { "type": "float" }, - "zeek.destination_geo.postal_code": { "type": "keyword" }, - "zeek.destination_geo.region_code": { "type": "keyword" }, - "zeek.destination_geo.region_name": { "type": "keyword" }, - "zeek.destination_geo.timezone": { "type": "keyword" }, - "zeek.destination_ip_reverse_dns": { "type": "keyword" }, - "zeek.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek.filetype": { "type": "keyword" }, - "zeek.freq_score_v1": { "type": "float" }, - "zeek.freq_score_v2": { "type": "float" }, - "zeek.fuid": { "type": "keyword" }, - "zeek.logType": { "type": "keyword" }, - "zeek.orig_h": { "type": "ip" }, - "zeek.orig_hostname": { "type": "keyword" }, - "zeek.orig_l2_addr": { "type": "keyword" }, - "zeek.orig_l2_oui": { "type": "keyword" }, - "zeek.orig_p": { "type": "integer" }, - "zeek.orig_segment": { "type": "keyword" }, - "zeek.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek.proto": { "type": "keyword" }, - "zeek.resp_h": { "type": "ip" }, - "zeek.resp_hostname": { "type": "keyword" }, - "zeek.resp_l2_addr": { "type": "keyword" }, - "zeek.resp_l2_oui": { "type": "keyword" }, - "zeek.resp_p": { "type": "integer" }, - "zeek.resp_segment": { "type": "keyword" }, - 
"zeek.result": { "type": "keyword" }, - "zeek.service": { "type": "keyword" }, - "zeek.service_version": { "type": "keyword" }, - "zeek.source_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek.source_geo.continent_code": { "type": "keyword" }, - "zeek.source_geo.country_code2": { "type": "keyword" }, - "zeek.source_geo.country_code3": { "type": "keyword" }, - "zeek.source_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek.source_geo.dma_code": { "type": "short" }, - "zeek.source_geo.ip": { "type": "ip" }, - "zeek.source_geo.latitude": { "type": "float" }, - "zeek.source_geo.location": { "type": "geo_point" }, - "zeek.source_geo.longitude": { "type": "float" }, - "zeek.source_geo.postal_code": { "type": "keyword" }, - "zeek.source_geo.region_code": { "type": "keyword" }, - "zeek.source_geo.region_name": { "type": "keyword" }, - "zeek.source_geo.timezone": { "type": "keyword" }, - "zeek.source_ip_reverse_dns": { "type": "keyword" }, - "zeek.ts": { "type": "date" }, - "zeek.uid": { "type": "keyword" }, - "zeek.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_bacnet.bvlc_function": { "type": "keyword" }, - "zeek_bacnet.pdu_type": { "type": "keyword" }, - "zeek_bacnet.pdu_service": { "type": "keyword" }, - "zeek_bacnet.invoke_id": { "type": "integer" }, - "zeek_bacnet.result_code": { "type": "keyword" }, - "zeek_bacnet_discovery.pdu_service": { "type": "keyword" }, - "zeek_bacnet_discovery.object_type": { "type": "keyword" }, - "zeek_bacnet_discovery.instance_number": { "type": "integer" }, - "zeek_bacnet_discovery.vendor": { "type": "keyword" }, - "zeek_bacnet_discovery.range": { "type": "keyword" }, - "zeek_bacnet_discovery.range_low": { "type": "integer" }, - 
"zeek_bacnet_discovery.range_high": { "type": "integer" }, - "zeek_bacnet_discovery.object_name": { "type": "keyword" }, - "zeek_bacnet_property.pdu_service": { "type": "keyword" }, - "zeek_bacnet_property.object_type": { "type": "keyword" }, - "zeek_bacnet_property.instance_number": { "type": "integer" }, - "zeek_bacnet_property.property": { "type": "keyword" }, - "zeek_bacnet_property.array_index": { "type": "integer" }, - "zeek_bacnet_property.value": { "type": "keyword" }, - "zeek_bestguess.name": { "type": "keyword" }, - "zeek_bestguess.category": { "type": "keyword" }, - "zeek_bsap_ip_header.num_msg": { "type": "keyword" }, - "zeek_bsap_ip_header.type_name": { "type": "integer" }, - "zeek_bsap_ip_rdb.app_func_code": { "type": "keyword" }, - "zeek_bsap_ip_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_bsap_ip_rdb.data_len": { "type": "integer" }, - "zeek_bsap_ip_rdb.func_code": { "type": "keyword" }, - "zeek_bsap_ip_rdb.header_size": { "type": "integer" }, - "zeek_bsap_ip_rdb.mes_seq": { "type": "integer" }, - "zeek_bsap_ip_rdb.node_status": { "type": "integer" }, - "zeek_bsap_ip_rdb.res_seq": { "type": "integer" }, - "zeek_bsap_ip_rdb.sequence": { "type": "integer" }, - "zeek_bsap_ip_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_bsap_serial_header.ctl": { "type": "integer" }, - "zeek_bsap_serial_header.dadd": { "type": "integer" }, - "zeek_bsap_serial_header.dfun": { "type": "keyword" }, - "zeek_bsap_serial_header.nsb": { "type": "integer" }, - "zeek_bsap_serial_header.sadd": { "type": "integer" }, - "zeek_bsap_serial_header.seq": { "type": "integer" }, - "zeek_bsap_serial_header.ser": { "type": "keyword" }, - "zeek_bsap_serial_header.sfun": { "type": "keyword" }, - "zeek_bsap_serial_header.type_name": { "type": "keyword" }, - "zeek_bsap_serial_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, 
- "zeek_bsap_serial_rdb.func_code": { "type": "keyword" }, - "zeek_bsap_serial_rdb_ext.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_bsap_serial_rdb_ext.dfun": { "type": "keyword" }, - "zeek_bsap_serial_rdb_ext.extfun": { "type": "keyword" }, - "zeek_bsap_serial_rdb_ext.nsb": { "type": "integer" }, - "zeek_bsap_serial_rdb_ext.seq": { "type": "integer" }, - "zeek_bsap_serial_rdb_ext.sfun": { "type": "keyword" }, - "zeek_bsap_serial_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_cip.cip_sequence_count": { "type": "integer" }, - "zeek_cip.direction": { "type": "keyword" }, - "zeek_cip.cip_service": { "type": "keyword" }, - "zeek_cip.cip_status": { "type": "keyword" }, - "zeek_cip.class_id": { "type": "keyword" }, - "zeek_cip.class_name": { "type": "keyword" }, - "zeek_cip.instance_id": { "type": "keyword" }, - "zeek_cip.attribute_id": { "type": "keyword" }, - "zeek_cip.data_id": { "type": "keyword" }, - "zeek_cip.other_id": { "type": "keyword" }, - "zeek_cip_identity.encapsulation_version": { "type": "integer" }, - "zeek_cip_identity.socket_address": { "type": "ip" }, - "zeek_cip_identity.socket_address_asn": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_cip_identity.socket_address_geo.continent_code": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.country_code2": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.country_code3": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_cip_identity.socket_address_geo.dma_code": { "type": "short" }, - "zeek_cip_identity.socket_address_geo.ip": { "type": "ip" }, - "zeek_cip_identity.socket_address_geo.latitude": { "type": "float" }, - 
"zeek_cip_identity.socket_address_geo.location": { "type": "geo_point" }, - "zeek_cip_identity.socket_address_geo.longitude": { "type": "float" }, - "zeek_cip_identity.socket_address_geo.postal_code": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.region_code": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.region_name": { "type": "keyword" }, - "zeek_cip_identity.socket_address_geo.timezone": { "type": "keyword" }, - "zeek_cip_identity.socket_port": { "type": "integer" }, - "zeek_cip_identity.vendor_id": { "type": "integer" }, - "zeek_cip_identity.vendor_name": { "type": "keyword" }, - "zeek_cip_identity.device_type_id": { "type": "integer" }, - "zeek_cip_identity.device_type_name": { "type": "keyword" }, - "zeek_cip_identity.product_code": { "type": "integer" }, - "zeek_cip_identity.revision": { "type": "keyword" }, - "zeek_cip_identity.device_status": { "type": "keyword" }, - "zeek_cip_identity.serial_number": { "type": "keyword" }, - "zeek_cip_identity.product_name": { "type": "keyword" }, - "zeek_cip_identity.device_state": { "type": "keyword" }, - "zeek_cip_io.connection_id": { "type": "keyword" }, - "zeek_cip_io.sequence_number": { "type": "integer" }, - "zeek_cip_io.data_length": { "type": "integer" }, - "zeek_cip_io.io_data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_conn.conn_state": { "type": "keyword" }, - "zeek_conn.conn_state_description": { "type": "keyword" }, - "zeek_conn.duration": { "type": "float" }, - "zeek_conn.history": { "type": "keyword" }, - "zeek_conn.inner_vlan": { "type": "integer" }, - "zeek_conn.local_orig": { "type": "keyword" }, - "zeek_conn.local_resp": { "type": "keyword" }, - "zeek_conn.missed_bytes": { "type": "long" }, - "zeek_conn.orig_bytes": { "type": "long" }, - "zeek_conn.orig_ip_bytes": { "type": "long" }, - "zeek_conn.orig_pkts": { "type": "integer" }, - "zeek_conn.resp_bytes": { "type": "long" }, - "zeek_conn.resp_ip_bytes": { "type": 
"long" }, - "zeek_conn.resp_pkts": { "type": "integer" }, - "zeek_conn.tunnel_parents": { "type": "keyword" }, - "zeek_conn.vlan": { "type": "integer" }, - "zeek_dce_rpc.endpoint": { "type": "keyword" }, - "zeek_dce_rpc.named_pipe": { "type": "keyword" }, - "zeek_dce_rpc.operation": { "type": "keyword" }, - "zeek_dce_rpc.rtt": { "type": "float" }, - "zeek_dhcp.assigned_ip": { "type": "ip" }, - "zeek_dhcp.client_fqdn": { "type": "keyword" }, - "zeek_dhcp.client_message": { "type": "keyword" }, - "zeek_dhcp.client_software": { "type": "keyword" }, - "zeek_dhcp.domain": { "type": "keyword" }, - "zeek_dhcp.duration": { "type": "float" }, - "zeek_dhcp.host_name": { "type": "keyword" }, - "zeek_dhcp.lease_time": { "type": "float" }, - "zeek_dhcp.mac": { "type": "keyword" }, - "zeek_dhcp.msg_types": { "type": "keyword" }, - "zeek_dhcp.requested_ip": { "type": "ip" }, - "zeek_dhcp.server_message": { "type": "keyword" }, - "zeek_dhcp.server_software": { "type": "keyword" }, - "zeek_dhcp.trans_id": { "type": "keyword" }, - "zeek_dnp3.fc_reply": { "type": "keyword" }, - "zeek_dnp3.fc_request": { "type": "keyword" }, - "zeek_dnp3.iin": { "type": "keyword" }, - "zeek_dnp3.iin_flags": { "type": "keyword" }, - "zeek_dnp3_control.block_type": { "type": "keyword" }, - "zeek_dnp3_control.function_code": { "type": "keyword" }, - "zeek_dnp3_control.index_number": { "type": "integer" }, - "zeek_dnp3_control.trip_control_code": { "type": "keyword" }, - "zeek_dnp3_control.operation_type": { "type": "keyword" }, - "zeek_dnp3_control.execute_count": { "type": "integer" }, - "zeek_dnp3_control.on_time": { "type": "integer" }, - "zeek_dnp3_control.off_time": { "type": "integer" }, - "zeek_dnp3_control.status_code": { "type": "keyword" }, - "zeek_dnp3_objects.function_code": { "type": "keyword" }, - "zeek_dnp3_objects.object_type": { "type": "keyword" }, - "zeek_dnp3_objects.object_count": { "type": "integer" }, - "zeek_dnp3_objects.range_low": { "type": "integer" }, - 
"zeek_dnp3_objects.range_high": { "type": "integer" }, - "zeek_dns.AA": { "type": "keyword" }, - "zeek_dns.answers": { "type": "keyword" }, - "zeek_dns.qclass": { "type": "keyword" }, - "zeek_dns.qclass_name": { "type": "keyword" }, - "zeek_dns.qtype": { "type": "keyword" }, - "zeek_dns.qtype_name": { "type": "keyword" }, - "zeek_dns.query": { "type": "keyword" }, - "zeek_dns.RA": { "type": "keyword" }, - "zeek_dns.rcode": { "type": "short" }, - "zeek_dns.rcode_name": { "type": "keyword" }, - "zeek_dns.RD": { "type": "keyword" }, - "zeek_dns.rejected": { "type": "keyword" }, - "zeek_dns.rtt": { "type": "float" }, - "zeek_dns.TC": { "type": "keyword" }, - "zeek_dns.trans_id": { "type": "keyword" }, - "zeek_dns.TTLs": { "type": "float" }, - "zeek_dns.Z": { "type": "keyword" }, - "zeek_dpd.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_dpd.service": { "type": "keyword" }, - "zeek_ecat_aoe_info.command": { "type": "keyword" }, - "zeek_ecat_aoe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ecat_aoe_info.orig_port": { "type": "keyword" }, - "zeek_ecat_aoe_info.resp_port": { "type": "keyword" }, - "zeek_ecat_aoe_info.state": { "type": "keyword" }, - "zeek_ecat_arp_info.arp_type": { "type": "keyword" }, - "zeek_ecat_arp_info.orig_hw_addr": { "type": "keyword" }, - "zeek_ecat_arp_info.orig_proto_addr": { "type": "keyword" }, - "zeek_ecat_arp_info.resp_hw_addr": { "type": "keyword" }, - "zeek_ecat_arp_info.resp_proto_addr": { "type": "keyword" }, - "zeek_ecat_coe_info.dataoffset": { "type": "keyword" }, - "zeek_ecat_coe_info.index": { "type": "keyword" }, - "zeek_ecat_coe_info.number": { "type": "keyword" }, - "zeek_ecat_coe_info.req_resp": { "type": "keyword" }, - "zeek_ecat_coe_info.subindex": { "type": "keyword" }, - "zeek_ecat_coe_info.type": { "type": "keyword" }, - "zeek_ecat_dev_info.build": { "type": "keyword" }, - 
"zeek_ecat_dev_info.dev_type": { "type": "keyword" }, - "zeek_ecat_dev_info.dpram": { "type": "keyword" }, - "zeek_ecat_dev_info.features": { "type": "keyword" }, - "zeek_ecat_dev_info.fmmucnt": { "type": "keyword" }, - "zeek_ecat_dev_info.ports": { "type": "keyword" }, - "zeek_ecat_dev_info.revision": { "type": "keyword" }, - "zeek_ecat_dev_info.server_id": { "type": "keyword" }, - "zeek_ecat_dev_info.smcount": { "type": "keyword" }, - "zeek_ecat_foe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ecat_foe_info.error_code": { "type": "keyword" }, - "zeek_ecat_foe_info.filename": { "type": "keyword" }, - "zeek_ecat_foe_info.opcode": { "type": "keyword" }, - "zeek_ecat_foe_info.packet_num": { "type": "keyword" }, - "zeek_ecat_foe_info.reserved": { "type": "keyword" }, - "zeek_ecat_log_address.command": { "type": "keyword" }, - "zeek_ecat_log_address.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ecat_log_address.length": { "type": "integer" }, - "zeek_ecat_log_address.log_addr": { "type": "keyword" }, - "zeek_ecat_registers.command": { "type": "keyword" }, - "zeek_ecat_registers.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ecat_registers.register_addr": { "type": "keyword" }, - "zeek_ecat_registers.register_type": { "type": "keyword" }, - "zeek_ecat_registers.server_addr": { "type": "keyword" }, - "zeek_ecat_soe_info.drive_num": { "type": "keyword" }, - "zeek_ecat_soe_info.element": { "type": "keyword" }, - "zeek_ecat_soe_info.error": { "type": "keyword" }, - "zeek_ecat_soe_info.incomplete": { "type": "keyword" }, - "zeek_ecat_soe_info.index": { "type": "keyword" }, - "zeek_ecat_soe_info.opcode": { "type": "keyword" }, - "zeek_enip.enip_command": { "type": "keyword" }, - "zeek_enip.length": { "type": "integer" }, - "zeek_enip.session_handle": { "type": "keyword" }, - "zeek_enip.enip_status": { "type": 
"keyword" }, - "zeek_enip.sender_context": { "type": "keyword" }, - "zeek_enip.options": { "type": "keyword" }, - "zeek_files.analyzers": { "type": "keyword" }, - "zeek_files.conn_uids": { "type": "keyword" }, - "zeek_files.depth": { "type": "integer" }, - "zeek_files.duration": { "type": "float" }, - "zeek_files.extracted": { "type": "keyword" }, - "zeek_files.extracted_cutoff": { "type": "keyword" }, - "zeek_files.extracted_size": { "type": "integer" }, - "zeek_files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_files.is_orig": { "type": "keyword" }, - "zeek_files.local_orig": { "type": "keyword" }, - "zeek_files.md5": { "type": "keyword" }, - "zeek_files.mime_type": { "type": "keyword" }, - "zeek_files.missing_bytes": { "type": "long" }, - "zeek_files.overflow_bytes": { "type": "long" }, - "zeek_files.parent_fuid": { "type": "keyword" }, - "zeek_files.rx_hosts": { "type": "ip" }, - "zeek_files.seen_bytes": { "type": "long" }, - "zeek_files.sha1": { "type": "keyword" }, - "zeek_files.sha256": { "type": "keyword" }, - "zeek_files.source": { "type": "keyword" }, - "zeek_files.timedout": { "type": "keyword" }, - "zeek_files.total_bytes": { "type": "long" }, - "zeek_files.tx_hosts": { "type": "ip" }, - "zeek_ftp.arg": { "type": "keyword" }, - "zeek_ftp.command": { "type": "keyword" }, - "zeek_ftp.data_channel_orig_h": { "type": "ip" }, - "zeek_ftp.data_channel_passive": { "type": "keyword" }, - "zeek_ftp.data_channel_resp_h": { "type": "ip" }, - "zeek_ftp.data_channel_resp_p": { "type": "integer" }, - "zeek_ftp.file_size": { "type": "long" }, - "zeek_ftp.mime_type": { "type": "keyword" }, - "zeek_ftp.reply_code": { "type": "short" }, - "zeek_ftp.reply_msg": { "type": "keyword" }, - "zeek_gquic.cyu": { "type": "keyword" }, - "zeek_gquic.cyutags": { "type": "keyword" }, - "zeek_gquic.server_name": { "type": "keyword" }, - "zeek_gquic.tag_count": { "type": "integer" }, - "zeek_gquic.user_agent": { "type": 
"keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_gquic.version": { "type": "keyword" }, - "zeek_http.host": { "type": "keyword" }, - "zeek_http.info_code": { "type": "short" }, - "zeek_http.info_msg": { "type": "keyword" }, - "zeek_http.method": { "type": "keyword" }, - "zeek_http.orig_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_http.orig_fuids": { "type": "keyword" }, - "zeek_http.orig_mime_types": { "type": "keyword" }, - "zeek_http.origin": { "type": "keyword" }, - "zeek_http.post_password_plain": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_http.post_username": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_http.proxied": { "type": "keyword" }, - "zeek_http.referrer": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_http.request_body_len": { "type": "long" }, - "zeek_http.resp_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_http.resp_fuids": { "type": "keyword" }, - "zeek_http.resp_mime_types": { "type": "keyword" }, - "zeek_http.response_body_len": { "type": "long" }, - "zeek_http.status_code": { "type": "short" }, - "zeek_http.status_msg": { "type": "keyword", "ignore_above": 1024 }, - "zeek_http.tags": { "type": "keyword" }, - "zeek_http.trans_depth": { "type": "integer" }, - "zeek_http.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_http.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_http.version": { "type": "keyword" }, - "zeek_intel.file_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_intel.file_mime_type": { "type": "keyword" }, - "zeek_intel.indicator": { "type": "keyword" }, - 
"zeek_intel.indicator_type": { "type": "keyword" }, - "zeek_intel.matched": { "type": "keyword" }, - "zeek_intel.seen_node": { "type": "keyword" }, - "zeek_intel.seen_where": { "type": "keyword" }, - "zeek_intel.sources": { "type": "keyword" }, - "zeek_ipsec.is_orig": { "type": "keyword" }, - "zeek_ipsec.initiator_spi": { "type": "keyword" }, - "zeek_ipsec.responder_spi": { "type": "keyword" }, - "zeek_ipsec.maj_ver": { "type": "integer" }, - "zeek_ipsec.min_ver": { "type": "integer" }, - "zeek_ipsec.exchange_type": { "type": "integer" }, - "zeek_ipsec.flag_e": { "type": "keyword" }, - "zeek_ipsec.flag_c": { "type": "keyword" }, - "zeek_ipsec.flag_a": { "type": "keyword" }, - "zeek_ipsec.flag_i": { "type": "keyword" }, - "zeek_ipsec.flag_v": { "type": "keyword" }, - "zeek_ipsec.flag_r": { "type": "keyword" }, - "zeek_ipsec.flags": { "type": "keyword" }, - "zeek_ipsec.message_id": { "type": "keyword" }, - "zeek_ipsec.vendor_ids": { "type": "keyword" }, - "zeek_ipsec.notify_messages": { "type": "keyword" }, - "zeek_ipsec.transforms": { "type": "keyword" }, - "zeek_ipsec.ke_dh_groups": { "type": "integer" }, - "zeek_ipsec.proposals": { "type": "integer" }, - "zeek_ipsec.certificates": { "type": "keyword" }, - "zeek_ipsec.transform_attributes": { "type": "keyword" }, - "zeek_ipsec.length": { "type": "integer" }, - "zeek_ipsec.hash": { "type": "keyword" }, - "zeek_irc.addl": { "type": "keyword" }, - "zeek_irc.command": { "type": "keyword" }, - "zeek_irc.dcc_file_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_irc.dcc_file_size": { "type": "long" }, - "zeek_irc.dcc_mime_type": { "type": "keyword" }, - "zeek_irc.nick": { "type": "keyword" }, - "zeek_irc.value": { "type": "keyword" }, - "zeek_iso_cotp.pdu_type": { "type": "keyword" }, - "zeek_kerberos.cipher": { "type": "keyword" }, - "zeek_kerberos.client_cert_fuid": { "type": "keyword" }, - "zeek_kerberos.client_cert_subject": { "type": "keyword" }, - 
"zeek_kerberos.cname": { "type": "keyword" }, - "zeek_kerberos.error_msg": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_kerberos.forwardable": { "type": "keyword" }, - "zeek_kerberos.from": { "type": "date" }, - "zeek_kerberos.renewable": { "type": "keyword" }, - "zeek_kerberos.request_type": { "type": "keyword" }, - "zeek_kerberos.server_cert_fuid": { "type": "keyword" }, - "zeek_kerberos.server_cert_subject": { "type": "keyword" }, - "zeek_kerberos.sname": { "type": "keyword" }, - "zeek_kerberos.success": { "type": "keyword" }, - "zeek_kerberos.till": { "type": "date" }, - "zeek_known_certs.issuer_subject": { "type": "keyword" }, - "zeek_known_certs.serial": { "type": "keyword" }, - "zeek_known_certs.subject": { "type": "keyword" }, - "zeek_known_modbus.device_type": { "type": "keyword" }, - "zeek_ldap.message_id": { "type": "keyword" }, - "zeek_ldap.version": { "type": "integer" }, - "zeek_ldap.operation": { "type": "keyword" }, - "zeek_ldap.result_code": { "type": "keyword" }, - "zeek_ldap.result_message": { "type": "keyword" }, - "zeek_ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ldap_search.message_id": { "type": "keyword" }, - "zeek_ldap_search.scope": { "type": "keyword" }, - "zeek_ldap_search.deref": { "type": "keyword" }, - "zeek_ldap_search.base_object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ldap_search.result_count": { "type": "integer" }, - "zeek_ldap_search.result_code": { "type": "keyword" }, - "zeek_ldap_search.result_message": { "type": "keyword" }, - "zeek_login.client_user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_login.confused": { "type": "keyword" }, - "zeek_login.success": { "type": "keyword" }, - 
"zeek_modbus.exception": { "type": "keyword" }, - "zeek_modbus.func": { "type": "keyword" }, - "zeek_modbus_detailed.unit_id": { "type": "integer" }, - "zeek_modbus_detailed.func": { "type": "keyword" }, - "zeek_modbus_detailed.network_direction": { "type": "keyword" }, - "zeek_modbus_detailed.address": { "type": "integer" }, - "zeek_modbus_detailed.quantity": { "type": "integer" }, - "zeek_modbus_detailed.values": { "type": "keyword" }, - "zeek_modbus_mask_write_register.unit_id": { "type": "integer" }, - "zeek_modbus_mask_write_register.func": { "type": "keyword" }, - "zeek_modbus_mask_write_register.network_direction": { "type": "keyword" }, - "zeek_modbus_mask_write_register.address": { "type": "integer" }, - "zeek_modbus_mask_write_register.and_mask": { "type": "integer" }, - "zeek_modbus_mask_write_register.or_mask": { "type": "integer" }, - "zeek_modbus_read_write_multiple_registers.unit_id": { "type": "integer" }, - "zeek_modbus_read_write_multiple_registers.func": { "type": "keyword" }, - "zeek_modbus_read_write_multiple_registers.network_direction": { "type": "keyword" }, - "zeek_modbus_read_write_multiple_registers.write_start_address": { "type": "integer" }, - "zeek_modbus_read_write_multiple_registers.write_registers": { "type": "keyword" }, - "zeek_modbus_read_write_multiple_registers.read_start_address": { "type": "integer" }, - "zeek_modbus_read_write_multiple_registers.read_quantity": { "type": "integer" }, - "zeek_modbus_read_write_multiple_registers.read_registers": { "type": "keyword" }, - "zeek_modbus_register_change.delta": { "type": "float" }, - "zeek_modbus_register_change.new_val": { "type": "integer" }, - "zeek_modbus_register_change.old_val": { "type": "integer" }, - "zeek_modbus_register_change.register": { "type": "integer" }, - "zeek_mqtt_connect.client_id": { "type": "keyword" }, - "zeek_mqtt_connect.connect_status": { "type": "keyword" }, - "zeek_mqtt_connect.proto_name": { "type": "keyword" }, - "zeek_mqtt_connect.proto_version": { 
"type": "keyword" }, - "zeek_mqtt_connect.will_payload": { "type": "keyword" }, - "zeek_mqtt_connect.will_topic": { "type": "keyword" }, - "zeek_mqtt_publish.from_client": { "type": "keyword" }, - "zeek_mqtt_publish.payload": { "type": "keyword" }, - "zeek_mqtt_publish.payload_len": { "type": "integer" }, - "zeek_mqtt_publish.qos": { "type": "keyword" }, - "zeek_mqtt_publish.retain": { "type": "keyword" }, - "zeek_mqtt_publish.status": { "type": "keyword" }, - "zeek_mqtt_publish.topic": { "type": "keyword" }, - "zeek_mqtt_subscribe.ack": { "type": "keyword" }, - "zeek_mqtt_subscribe.action": { "type": "keyword" }, - "zeek_mqtt_subscribe.granted_qos_level": { "type": "integer" }, - "zeek_mqtt_subscribe.qos_levels": { "type": "integer" }, - "zeek_mqtt_subscribe.topics": { "type": "keyword" }, - "zeek_mysql.arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_mysql.cmd": { "type": "keyword" }, - "zeek_mysql.response": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_mysql.rows": { "type": "integer" }, - "zeek_mysql.success": { "type": "keyword" }, - "zeek_noise.msg_type": { "type": "keyword" }, - "zeek_noise.sender": { "type": "keyword" }, - "zeek_noise.receiver": { "type": "keyword" }, - "zeek_noise.unenc_ephemeral": { "type": "keyword" }, - "zeek_noise.enc_static": { "type": "keyword" }, - "zeek_noise.enc_timestamp": { "type": "keyword" }, - "zeek_noise.enc_nothing": { "type": "keyword" }, - "zeek_noise.nonce": { "type": "keyword" }, - "zeek_noise.enc_cookie": { "type": "keyword" }, - "zeek_noise.mac1": { "type": "keyword" }, - "zeek_noise.mac2": { "type": "keyword" }, - "zeek_noise.enc_payload_len": { "type": "integer" }, - "zeek_noise.enc_payload": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_notice.actions": { "type": "keyword" }, - "zeek_notice.category": { "type": "keyword" }, - "zeek_notice.dropped": { "type": 
"keyword" }, - "zeek_notice.dst": { "type": "ip" }, - "zeek_notice.file_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_notice.file_mime_type": { "type": "keyword" }, - "zeek_notice.msg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_notice.n": { "type": "integer" }, - "zeek_notice.note": { "type": "keyword" }, - "zeek_notice.p": { "type": "integer" }, - "zeek_notice.peer_descr": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_notice.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_notice.remote_location_country_code": { "type": "keyword" }, - "zeek_notice.remote_location_latitude": { "type": "float" }, - "zeek_notice.remote_location_longitude": { "type": "float" }, - "zeek_notice.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_notice.src": { "type": "ip" }, - "zeek_notice.sub": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_notice.sub_category": { "type": "keyword" }, - "zeek_notice.suppress_for": { "type": "float" }, - "zeek_ntlm.domain": { "type": "keyword" }, - "zeek_ntlm.host": { "type": "keyword" }, - "zeek_ntlm.server_dns_computer": { "type": "keyword" }, - "zeek_ntlm.server_nb_computer": { "type": "keyword" }, - "zeek_ntlm.server_tree": { "type": "keyword" }, - "zeek_ntlm.status": { "type": "keyword" }, - "zeek_ntlm.success": { "type": "keyword" }, - "zeek_ntp.mode": { "type": "keyword" }, - "zeek_ntp.mode_str": { "type": "keyword" }, - "zeek_ntp.num_exts": { "type": "integer" }, - "zeek_ntp.org_time": { "type": "date" }, - "zeek_ntp.poll": { "type": "float" }, - "zeek_ntp.precision": { "type": "float" }, - "zeek_ntp.rec_time": { "type": "date" }, - "zeek_ntp.ref_id": { "type": "keyword" }, - "zeek_ntp.ref_time": { "type": 
"date" }, - "zeek_ntp.root_delay": { "type": "float" }, - "zeek_ntp.root_disp": { "type": "float" }, - "zeek_ntp.stratum": { "type": "keyword" }, - "zeek_ntp.version": { "type": "integer" }, - "zeek_ntp.xmt_time": { "type": "date" }, - "zeek_ocsp.hashAlgorithm": { "type": "keyword" }, - "zeek_ocsp.issuerNameHash": { "type": "keyword" }, - "zeek_ocsp.issuerKeyHash": { "type": "keyword" }, - "zeek_ocsp.serialNumber": { "type": "keyword" }, - "zeek_ocsp.certStatus": { "type": "keyword" }, - "zeek_ocsp.revoketime": { "type": "date" }, - "zeek_ocsp.revokereason": { "type": "keyword" }, - "zeek_ocsp.thisUpdate": { "type": "date" }, - "zeek_ocsp.nextUpdate": { "type": "date" }, - "zeek_pe.compile_ts": { "type": "date" }, - "zeek_pe.has_cert_table": { "type": "keyword" }, - "zeek_pe.has_debug_data": { "type": "keyword" }, - "zeek_pe.has_export_table": { "type": "keyword" }, - "zeek_pe.has_import_table": { "type": "keyword" }, - "zeek_pe.is_64bit": { "type": "keyword" }, - "zeek_pe.is_exe": { "type": "keyword" }, - "zeek_pe.machine": { "type": "keyword" }, - "zeek_pe.os": { "type": "keyword" }, - "zeek_pe.section_names": { "type": "keyword" }, - "zeek_pe.subsystem": { "type": "keyword" }, - "zeek_pe.uses_aslr": { "type": "keyword" }, - "zeek_pe.uses_code_integrity": { "type": "keyword" }, - "zeek_pe.uses_dep": { "type": "keyword" }, - "zeek_pe.uses_seh": { "type": "keyword" }, - "zeek_profinet.block_version": { "type": "keyword" }, - "zeek_profinet.index": { "type": "keyword" }, - "zeek_profinet.operation_type": { "type": "keyword" }, - "zeek_profinet.slot_number": { "type": "integer" }, - "zeek_profinet.subslot_number": { "type": "integer" }, - "zeek_profinet_dce_rpc.activity_uuid": { "type": "keyword" }, - "zeek_profinet_dce_rpc.interface_uuid": { "type": "keyword" }, - "zeek_profinet_dce_rpc.object_uuid": { "type": "keyword" }, - "zeek_profinet_dce_rpc.operation": { "type": "keyword" }, - "zeek_profinet_dce_rpc.packet_type": { "type": "keyword" }, - 
"zeek_profinet_dce_rpc.server_boot_time": { "type": "integer" }, - "zeek_profinet_dce_rpc.version": { "type": "integer" }, - "zeek_radius.connect_info": { "type": "keyword" }, - "zeek_radius.framed_addr": { "type": "ip" }, - "zeek_radius.mac": { "type": "keyword" }, - "zeek_radius.reply_msg": { "type": "keyword" }, - "zeek_radius.result": { "type": "keyword" }, - "zeek_radius.ttl": { "type": "float" }, - "zeek_radius.tunnel_client": { "type": "keyword" }, - "zeek_rdp.cert_count": { "type": "integer" }, - "zeek_rdp.cert_permanent": { "type": "keyword" }, - "zeek_rdp.cert_type": { "type": "keyword" }, - "zeek_rdp.client_build": { "type": "keyword" }, - "zeek_rdp.client_channels": { "type": "keyword" }, - "zeek_rdp.client_dig_product_id": { "type": "keyword" }, - "zeek_rdp.client_name": { "type": "keyword" }, - "zeek_rdp.cookie": { "type": "keyword" }, - "zeek_rdp.desktop_height": { "type": "integer" }, - "zeek_rdp.desktop_width": { "type": "integer" }, - "zeek_rdp.encryption_level": { "type": "keyword" }, - "zeek_rdp.encryption_method": { "type": "keyword" }, - "zeek_rdp.keyboard_layout": { "type": "keyword" }, - "zeek_rdp.requested_color_depth": { "type": "keyword" }, - "zeek_rdp.result": { "type": "keyword" }, - "zeek_rdp.security_protocol": { "type": "keyword" }, - "zeek_rfb.auth": { "type": "keyword" }, - "zeek_rfb.authentication_method": { "type": "keyword" }, - "zeek_rfb.client_major_version": { "type": "keyword" }, - "zeek_rfb.client_minor_version": { "type": "keyword" }, - "zeek_rfb.desktop_name": { "type": "keyword" }, - "zeek_rfb.height": { "type": "integer" }, - "zeek_rfb.server_major_version": { "type": "keyword" }, - "zeek_rfb.server_minor_version": { "type": "keyword" }, - "zeek_rfb.share_flag": { "type": "keyword" }, - "zeek_rfb.width": { "type": "integer" }, - "zeek_s7comm.data_info": { "type": "keyword" }, - "zeek_s7comm.item_count": { "type": "integer" }, - "zeek_s7comm.parameter": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { 
"type": "text" } } }, - "zeek_s7comm.parameters.class": { "type": "keyword" }, - "zeek_s7comm.parameters.code": { "type": "keyword" }, - "zeek_s7comm.parameters.group": { "type": "keyword" }, - "zeek_s7comm.parameters.mode": { "type": "keyword" }, - "zeek_s7comm.parameters.sub": { "type": "keyword" }, - "zeek_s7comm.parameters.type": { "type": "keyword" }, - "zeek_s7comm.rosctr": { "type": "keyword" }, - "zeek_signatures.engine": { "type": "keyword" }, - "zeek_signatures.event_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_signatures.hits": { "type": "nested" }, - "zeek_signatures.host_count": { "type": "integer" }, - "zeek_signatures.note": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_signatures.signature_count": { "type": "integer" }, - "zeek_signatures.signature_id": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_signatures.sub_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_sip.call_id": { "type": "keyword" }, - "zeek_sip.content_type": { "type": "keyword" }, - "zeek_sip.date": { "type": "keyword" }, - "zeek_sip.method": { "type": "keyword" }, - "zeek_sip.reply_to": { "type": "keyword" }, - "zeek_sip.request_body_len": { "type": "integer" }, - "zeek_sip.request_from": { "type": "keyword" }, - "zeek_sip.request_path": { "type": "keyword" }, - "zeek_sip.request_to": { "type": "keyword" }, - "zeek_sip.response_body_len": { "type": "integer" }, - "zeek_sip.response_from": { "type": "keyword" }, - "zeek_sip.response_path": { "type": "keyword" }, - "zeek_sip.response_to": { "type": "keyword" }, - "zeek_sip.seq": { "type": "keyword" }, - "zeek_sip.status_code": { "type": "short" }, - "zeek_sip.status_msg": { "type": "keyword" }, - "zeek_sip.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - 
"zeek_sip.trans_depth": { "type": "integer" }, - "zeek_sip.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_sip.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_sip.version": { "type": "keyword" }, - "zeek_sip.warning": { "type": "keyword" }, - "zeek_smb_cmd.argument": { "type": "keyword" }, - "zeek_smb_cmd.command": { "type": "keyword" }, - "zeek_smb_cmd.rtt": { "type": "float" }, - "zeek_smb_cmd.status": { "type": "keyword" }, - "zeek_smb_cmd.sub_command": { "type": "keyword" }, - "zeek_smb_cmd.tree": { "type": "keyword" }, - "zeek_smb_cmd.tree_service": { "type": "keyword" }, - "zeek_smb_cmd.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_smb_cmd.version": { "type": "keyword" }, - "zeek_smb_files.action": { "type": "keyword" }, - "zeek_smb_files.data_len_req": { "type": "long" }, - "zeek_smb_files.data_len_rsp": { "type": "long" }, - "zeek_smb_files.data_offset_req": { "type": "long" }, - "zeek_smb_files.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smb_files.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smb_files.prev_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smb_files.size": { "type": "long" }, - "zeek_smb_files.times_accessed": { "type": "date" }, - "zeek_smb_files.times_changed": { "type": "date" }, - "zeek_smb_files.times_created": { "type": "date" }, - "zeek_smb_files.times_modified": { "type": "date" }, - "zeek_smb_files.ts": { "type": "date" }, - "zeek_smb_mapping.native_file_system": { "type": "keyword" }, - "zeek_smb_mapping.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smb_mapping.resource_type": { "type": "keyword" }, - "zeek_smb_mapping.share_type": { "type": 
"keyword" }, - "zeek_smtp.cc": { "type": "keyword" }, - "zeek_smtp.date": { "type": "keyword" }, - "zeek_smtp.first_received": { "type": "keyword" }, - "zeek_smtp.from": { "type": "keyword" }, - "zeek_smtp.helo": { "type": "keyword" }, - "zeek_smtp.in_reply_to": { "type": "keyword" }, - "zeek_smtp.is_webmail": { "type": "keyword" }, - "zeek_smtp.last_reply": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smtp.last_reply_code": { "type": "keyword" }, - "zeek_smtp.last_reply_msg": { "type": "keyword" }, - "zeek_smtp.mailfrom": { "type": "keyword" }, - "zeek_smtp.msg_id": { "type": "keyword" }, - "zeek_smtp.path": { "type": "ip" }, - "zeek_smtp.rcptto": { "type": "keyword" }, - "zeek_smtp.reply_to": { "type": "keyword" }, - "zeek_smtp.second_received": { "type": "keyword" }, - "zeek_smtp.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_smtp.tls": { "type": "keyword" }, - "zeek_smtp.to": { "type": "keyword" }, - "zeek_smtp.trans_depth": { "type": "integer" }, - "zeek_smtp.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_smtp.x_originating_ip": { "type": "ip" }, - "zeek_snmp.community": { "type": "keyword" }, - "zeek_snmp.display_string": { "type": "keyword" }, - "zeek_snmp.duration": { "type": "float" }, - "zeek_snmp.get_bulk_requests": { "type": "integer" }, - "zeek_snmp.get_requests": { "type": "integer" }, - "zeek_snmp.get_responses": { "type": "integer" }, - "zeek_snmp.set_requests": { "type": "integer" }, - "zeek_snmp.up_since": { "type": "date" }, - "zeek_snmp.version": { "type": "keyword" }, - "zeek_socks.bound_host": { "type": "ip" }, - "zeek_socks.bound_name": { "type": "keyword" }, - "zeek_socks.bound_port": { "type": "integer" }, - "zeek_socks.request_host": { "type": "ip" }, - "zeek_socks.request_name": { "type": "keyword" }, - "zeek_socks.request_port": { "type": "integer" }, - 
"zeek_socks.server_status": { "type": "keyword" }, - "zeek_socks.version": { "type": "integer" }, - "zeek_software.name": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, - "zeek_software.software_type": { "type": "keyword" }, - "zeek_software.unparsed_version": { "type": "keyword", "ignore_above": 1024 }, - "zeek_software.version_addl": { "type": "keyword", "ignore_above": 1024 }, - "zeek_software.version_major": { "type": "integer" }, - "zeek_software.version_minor": { "type": "integer" }, - "zeek_software.version_minor2": { "type": "integer" }, - "zeek_software.version_minor3": { "type": "integer" }, - "zeek_ssh.auth_attempts": { "type": "integer" }, - "zeek_ssh.auth_success": { "type": "keyword" }, - "zeek_ssh.cipher_alg": { "type": "keyword" }, - "zeek_ssh.client": { "type": "keyword" }, - "zeek_ssh.compression_alg": { "type": "keyword" }, - "zeek_ssh.cshka": { "type": "keyword" }, - "zeek_ssh.direction": { "type": "keyword" }, - "zeek_ssh.hassh": { "type": "keyword" }, - "zeek_ssh.hasshAlgorithms": { "type": "keyword" }, - "zeek_ssh.hasshServer": { "type": "keyword" }, - "zeek_ssh.hasshServerAlgorithms": { "type": "keyword" }, - "zeek_ssh.hasshVersion": { "type": "keyword" }, - "zeek_ssh.host_key": { "type": "keyword" }, - "zeek_ssh.host_key_alg": { "type": "keyword" }, - "zeek_ssh.kex_alg": { "type": "keyword" }, - "zeek_ssh.mac_alg": { "type": "keyword" }, - "zeek_ssh.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ssh.remote_location_country_code": { "type": "keyword" }, - "zeek_ssh.remote_location_latitude": { "type": "float" }, - "zeek_ssh.remote_location_longitude": { "type": "float" }, - "zeek_ssh.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_ssh.server": { "type": "keyword" }, - "zeek_ssh.sshka": { "type": "keyword" }, - "zeek_ssh.version": { "type": "integer" }, - 
"zeek_ssl.cert_chain_fps": { "type": "keyword" }, - "zeek_ssl.cert_chain_fuids": { "type": "keyword" }, - "zeek_ssl.cipher": { "type": "keyword" }, - "zeek_ssl.client_cert_chain_fps": { "type": "keyword" }, - "zeek_ssl.client_cert_chain_fuids": { "type": "keyword" }, - "zeek_ssl.client_issuer.C": { "type": "keyword" }, - "zeek_ssl.client_issuer.CN": { "type": "keyword" }, - "zeek_ssl.client_issuer.DC": { "type": "keyword" }, - "zeek_ssl.client_issuer.emailAddress": { "type": "keyword" }, - "zeek_ssl.client_issuer.GN": { "type": "keyword" }, - "zeek_ssl.client_issuer.initials": { "type": "keyword" }, - "zeek_ssl.client_issuer.L": { "type": "keyword" }, - "zeek_ssl.client_issuer.O": { "type": "keyword" }, - "zeek_ssl.client_issuer.OU": { "type": "keyword" }, - "zeek_ssl.client_issuer.pseudonym": { "type": "keyword" }, - "zeek_ssl.client_issuer.serialNumber": { "type": "keyword" }, - "zeek_ssl.client_issuer.SN": { "type": "keyword" }, - "zeek_ssl.client_issuer.ST": { "type": "keyword" }, - "zeek_ssl.client_issuer.title": { "type": "keyword" }, - "zeek_ssl.client_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.client_subject.C": { "type": "keyword" }, - "zeek_ssl.client_subject.CN": { "type": "keyword" }, - "zeek_ssl.client_subject.emailAddress": { "type": "keyword" }, - "zeek_ssl.client_subject.GN": { "type": "keyword" }, - "zeek_ssl.client_subject.initials": { "type": "keyword" }, - "zeek_ssl.client_subject.L": { "type": "keyword" }, - "zeek_ssl.client_subject.O": { "type": "keyword" }, - "zeek_ssl.client_subject.OU": { "type": "keyword" }, - "zeek_ssl.client_subject.pseudonym": { "type": "keyword" }, - "zeek_ssl.client_subject.serialNumber": { "type": "keyword" }, - "zeek_ssl.client_subject.SN": { "type": "keyword" }, - "zeek_ssl.client_subject.ST": { "type": "keyword" }, - "zeek_ssl.client_subject.title": { "type": "keyword" }, - "zeek_ssl.client_subject_full": { "type": "keyword", "ignore_above": 
1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.curve": { "type": "keyword" }, - "zeek_ssl.established": { "type": "keyword" }, - "zeek_ssl.issuer.C": { "type": "keyword" }, - "zeek_ssl.issuer.CN": { "type": "keyword" }, - "zeek_ssl.issuer.DC": { "type": "keyword" }, - "zeek_ssl.issuer.emailAddress": { "type": "keyword" }, - "zeek_ssl.issuer.GN": { "type": "keyword" }, - "zeek_ssl.issuer.initials": { "type": "keyword" }, - "zeek_ssl.issuer.L": { "type": "keyword" }, - "zeek_ssl.issuer.O": { "type": "keyword" }, - "zeek_ssl.issuer.OU": { "type": "keyword" }, - "zeek_ssl.issuer.pseudonym": { "type": "keyword" }, - "zeek_ssl.issuer.serialNumber": { "type": "keyword" }, - "zeek_ssl.issuer.SN": { "type": "keyword" }, - "zeek_ssl.issuer.ST": { "type": "keyword" }, - "zeek_ssl.issuer.title": { "type": "keyword" }, - "zeek_ssl.issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.ja3": { "type": "keyword" }, - "zeek_ssl.ja3_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.ja3s": { "type": "keyword" }, - "zeek_ssl.ja3s_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.last_alert": { "type": "keyword" }, - "zeek_ssl.next_protocol": { "type": "keyword" }, - "zeek_ssl.resumed": { "type": "keyword" }, - "zeek_ssl.server_name": { "type": "keyword" }, - "zeek_ssl.sni_matches_cert": { "type": "keyword" }, - "zeek_ssl.ssl_history": { "type": "keyword" }, - "zeek_ssl.ssl_version": { "type": "keyword" }, - "zeek_ssl.subject.C": { "type": "keyword" }, - "zeek_ssl.subject.CN": { "type": "keyword" }, - "zeek_ssl.subject.description": { "type": "keyword" }, - "zeek_ssl.subject.emailAddress": { "type": "keyword" }, - "zeek_ssl.subject.GN": { "type": "keyword" }, - "zeek_ssl.subject.initials": { "type": "keyword" }, - "zeek_ssl.subject.L": { "type": "keyword" }, - "zeek_ssl.subject.O": { "type": "keyword" 
}, - "zeek_ssl.subject.OU": { "type": "keyword" }, - "zeek_ssl.subject.postalCode": { "type": "keyword" }, - "zeek_ssl.subject.pseudonym": { "type": "keyword" }, - "zeek_ssl.subject.serialNumber": { "type": "keyword" }, - "zeek_ssl.subject.SN": { "type": "keyword" }, - "zeek_ssl.subject.ST": { "type": "keyword" }, - "zeek_ssl.subject.street": { "type": "keyword" }, - "zeek_ssl.subject.title": { "type": "keyword" }, - "zeek_ssl.subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_ssl.validation_status": { "type": "keyword" }, - "zeek_stun.is_orig": { "type": "keyword" }, - "zeek_stun.trans_id": { "type": "keyword" }, - "zeek_stun.method": { "type": "keyword" }, - "zeek_stun.class": { "type": "keyword" }, - "zeek_stun.attr_type": { "type": "keyword" }, - "zeek_stun.attr_val": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } }, - "zeek_stun_nat.is_orig": { "type": "keyword" }, - "zeek_stun_nat.wan_addr": { "type": "ip" }, - "zeek_stun_nat.wan_port": { "type": "integer" }, - "zeek_stun_nat.lan_addr": { "type": "keyword" }, - "zeek_syslog.facility": { "type": "keyword" }, - "zeek_syslog.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_syslog.severity": { "type": "keyword" }, - "zeek_tds.command": { "type": "keyword" }, - "zeek_tds_rpc.parameter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_tds_rpc.parameters": { "type": "nested" }, - "zeek_tds_rpc.procedure_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, - "zeek_tds_sql_batch.header_type": { "type": "keyword" }, - "zeek_tds_sql_batch.query": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, - "zeek_tftp.wrq": { "type": "keyword" }, - "zeek_tftp.fname": { "type": "keyword" }, - "zeek_tftp.mode": { "type": "keyword" }, - "zeek_tftp.uid_data": { 
"type": "keyword" },
- "zeek_tftp.size": { "type": "integer" },
- "zeek_tftp.block_sent": { "type": "integer" },
- "zeek_tftp.block_acked": { "type": "integer" },
- "zeek_tftp.error_code": { "type": "integer" },
- "zeek_tftp.error_msg": { "type": "keyword" },
- "zeek_tunnel.action": { "type": "keyword" },
- "zeek_tunnel.tunnel_type": { "type": "keyword" },
- "zeek_weird.addl": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
- "zeek_weird.name": { "type": "keyword" },
- "zeek_weird.notice": { "type": "keyword" },
- "zeek_weird.peer": { "type": "keyword" },
- "zeek_wireguard.established": { "type": "keyword" },
- "zeek_wireguard.initiations": { "type": "integer" },
- "zeek_wireguard.responses": { "type": "integer" },
- "zeek_x509.basic_constraints_ca": { "type": "keyword" },
- "zeek_x509.basic_constraints_path_len": { "type": "integer" },
- "zeek_x509.certificate_curve": { "type": "keyword" },
- "zeek_x509.certificate_exponent": { "type": "keyword" },
- "zeek_x509.certificate_issuer.C": { "type": "keyword" },
- "zeek_x509.certificate_issuer.CN": { "type": "keyword" },
- "zeek_x509.certificate_issuer.DC": { "type": "keyword" },
- "zeek_x509.certificate_issuer.emailAddress": { "type": "keyword" },
- "zeek_x509.certificate_issuer.GN": { "type": "keyword" },
- "zeek_x509.certificate_issuer.initials": { "type": "keyword" },
- "zeek_x509.certificate_issuer.L": { "type": "keyword" },
- "zeek_x509.certificate_issuer.O": { "type": "keyword" },
- "zeek_x509.certificate_issuer.OU": { "type": "keyword" },
- "zeek_x509.certificate_issuer.pseudonym": { "type": "keyword" },
- "zeek_x509.certificate_issuer.serialNumber": { "type": "keyword" },
- "zeek_x509.certificate_issuer.SN": { "type": "keyword" },
- "zeek_x509.certificate_issuer.ST": { "type": "keyword" },
- "zeek_x509.certificate_issuer.title": { "type": "keyword" },
- "zeek_x509.certificate_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
- "zeek_x509.certificate_key_alg": { "type": "keyword" },
- "zeek_x509.certificate_key_length": { "type": "integer" },
- "zeek_x509.certificate_key_type": { "type": "keyword" },
- "zeek_x509.certificate_not_valid_after": { "type": "date" },
- "zeek_x509.certificate_not_valid_before": { "type": "date" },
- "zeek_x509.certificate_serial": { "type": "keyword" },
- "zeek_x509.certificate_sig_alg": { "type": "keyword" },
- "zeek_x509.certificate_subject.C": { "type": "keyword" },
- "zeek_x509.certificate_subject.CN": { "type": "keyword" },
- "zeek_x509.certificate_subject.DC": { "type": "keyword" },
- "zeek_x509.certificate_subject.description": { "type": "keyword" },
- "zeek_x509.certificate_subject.emailAddress": { "type": "keyword" },
- "zeek_x509.certificate_subject.GN": { "type": "keyword" },
- "zeek_x509.certificate_subject.initials": { "type": "keyword" },
- "zeek_x509.certificate_subject.L": { "type": "keyword" },
- "zeek_x509.certificate_subject.O": { "type": "keyword" },
- "zeek_x509.certificate_subject.OU": { "type": "keyword" },
- "zeek_x509.certificate_subject.postalCode": { "type": "keyword" },
- "zeek_x509.certificate_subject.pseudonym": { "type": "keyword" },
- "zeek_x509.certificate_subject.serialNumber": { "type": "keyword" },
- "zeek_x509.certificate_subject.SN": { "type": "keyword" },
- "zeek_x509.certificate_subject.ST": { "type": "keyword" },
- "zeek_x509.certificate_subject.street": { "type": "keyword" },
- "zeek_x509.certificate_subject.title": { "type": "keyword" },
- "zeek_x509.certificate_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
- "zeek_x509.certificate_version": { "type": "integer" },
- "zeek_x509.client_cert": { "type": "keyword" },
- "zeek_x509.host_cert": { "type": "keyword" },
- "zeek_x509.fingerprint": { "type": "keyword" },
- "zeek_x509.san_dns": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
- "zeek_x509.san_email": { "type": "keyword" },
- "zeek_x509.san_ip": { "type": "ip" },
- "zeek_x509.san_uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }
- }
- }
- }
-}
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index 5371448ad..0911eab4d 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -48,7 +48,6 @@
 "modbus_detailed": ["ot", "network"]
 "modbus_mask_write_register": ["ot", "network"]
 "modbus_read_write_multiple_registers": ["ot", "network"]
-"modbus_register_change": ["ot", "network"]
 "mqtt_connect": ["network"]
 "mqtt_publish": ["network"]
 "mqtt_subscribe": ["network"]
diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf
index 31e24f5fc..58a054315 100644
--- a/logstash/pipelines/enrichment/11_lookups.conf
+++ b/logstash/pipelines/enrichment/11_lookups.conf
@@ -1,9 +1,5 @@
 filter {
- # todo: make added fields not zeek-specific? (see ECS topic branch)
- # all the lookups are done here, but some of them are still zeek-specific which
- # IMO isn't the cleanest. could be refactored/split. - ######## MAC address OUI (manufacturer) lookup ################################################# # if OUI lookup is requested, enable it
@@ -15,23 +11,25 @@ filter { # source.mac/destination.mac are arrays at this point, as Arkime expects them to be - if ([source][mac]) and ([source][mac][0]) { + if ([source][mac]) { # attempt lookup of source.mac oui - ieee_oui { - id => "ieee_oui_srcMac" - source => "[source][mac][0]" - target => "[zeek][orig_l2_oui]" - ouifile => "/usr/share/logstash/config/oui-logstash.txt" - refresh_interval => 0 + ruby { + id => "mac_lookup_src" + path => "/usr/share/logstash/malcolm-ruby/mac_lookup.rb" + script_params => { + "source" => "[source][mac]" + "map_path" => "/etc/vendor_macs.yaml" + "target" => "[source][oui]" + } } # also look up mac in ICS vendors list ruby { id => "ics_mac_lookup_src" - path => "/usr/share/logstash/malcolm-ruby/ics_mac_lookup.rb" + path => "/usr/share/logstash/malcolm-ruby/mac_lookup.rb" script_params => { - "source" => "[source][mac][0]" + "source" => "[source][mac]" "map_path" => "/etc/ics_macs.yaml" "target" => "[@metadata][ics_guess_oui_src]" } 
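Review bot: The new guard `if ([source][mac]) {` no longer rejects an empty array, which the removed `and ([source][mac][0])` clause did (as far as I can tell, a field-exists test treats an empty array as present), and `mac_lookup.rb` is now handed the whole `[source][mac]` array where the removed `ieee_oui` filter was given `[source][mac][0]`; the destination hunk at `@@ -78,23 +82,25 @@` has the same shape. Whether `mac_lookup.rb` tolerates an empty or multi-element array is not visible in this diff, since the script itself is not part of it. Either keep the guard, `if ([source][mac]) and ([source][mac][0]) {`, or make the contract explicit above the ruby block, e.g. `# mac_lookup.rb takes the whole [source][mac] array and resolves each entry; an empty array is a no-op`. The comment that the MAC fields are arrays is still accurate, but it should now say which form the script expects.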
@@ -41,27 +39,33 @@ filter { mutate { id => "mutate_add_tag_ics_best_guess_from_oui_src" add_tag => [ "ics_best_guess" ] } } - if (![zeek_bestguess][category]) { + if (![zeek][bestguess][category]) { mutate { id => "mutate_add_fields_zeek_bestguess_category_from_ics_guess_oui_src" - add_field => { "[zeek_bestguess][category]" => "%{[@metadata][ics_guess_oui_src]}" } + add_field => { "[zeek][bestguess][category]" => "%{[@metadata][ics_guess_oui_src]}" } } } - if (![zeek][orig_l2_oui]) { + if (![source][oui]) { mutate { - id => "mutate_add_fields_orig_l2_oui_from_ics_guess_oui_src" - add_field => { "[zeek][orig_l2_oui]" => "%{[@metadata][ics_guess_oui_src]}" } + id => "mutate_add_fields_source_oui_from_ics_guess_oui_src" + add_field => { "[source][oui]" => "%{[@metadata][ics_guess_oui_src]}" } } } } - if ([zeek][orig_l2_oui]) { + if ([source][oui]) { - # merge orig_l2_oui into srcOui array (with a count of 1) + # merge source.oui into srcOui array (with a count field) mutate { id => "mutate_merge_field_srcOui" - merge => { "[srcOui]" => "[zeek][orig_l2_oui]" } } - mutate { id => "mutate_add_field_srcOuiCnt" - add_field => { "[srcOuiCnt]" => "1" } } + merge => { "[srcOui]" => "[source][oui]" } } + ruby { + id => "ruby_enrich_src_oui_cnt" + path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" + script_params => { + "source" => "[srcOui]" + "target" => "[srcOuiCnt]" + } + } # if this is a DHCP log type, copy srcOui to dhcp.oui if ([dhcp][mac]) { 
@@ -78,23 +82,25 @@ filter { } # end if [source][mac] - if ([destination][mac]) and ([destination][mac][0]) { + if ([destination][mac]) { # attempt lookup of destination.mac oui - ieee_oui { - id => "ieee_oui_dstMac" - source => "[destination][mac][0]" - target => "[zeek][resp_l2_oui]" - ouifile => "/usr/share/logstash/config/oui-logstash.txt" - refresh_interval => 0 + ruby { + id => "mac_lookup_dst" + path => "/usr/share/logstash/malcolm-ruby/mac_lookup.rb" + script_params => { + "source" => "[destination][mac]" + "map_path" => "/etc/vendor_macs.yaml" + "target" => "[destination][oui]" + } } # also look up mac in ICS vendors list ruby { id => "ics_mac_lookup_dst" - path => "/usr/share/logstash/malcolm-ruby/ics_mac_lookup.rb" + path => "/usr/share/logstash/malcolm-ruby/mac_lookup.rb" script_params => { - "source" => "[destination][mac][0]" + "source" => "[destination][mac]" "map_path" => "/etc/ics_macs.yaml" "target" => "[@metadata][ics_guess_oui_dst]" } 
@@ -104,27 +110,33 @@ filter { mutate { id => "mutate_add_tag_ics_best_guess_from_oui_dst" add_tag => [ "ics_best_guess" ] } } - if (![zeek_bestguess][category]) { + if (![zeek][bestguess][category]) { mutate { id => "mutate_add_fields_zeek_bestguess_category_from_ics_guess_oui_dst" - add_field => { "[zeek_bestguess][category]" => "%{[@metadata][ics_guess_oui_dst]}" } + add_field => { "[zeek][bestguess][category]" => "%{[@metadata][ics_guess_oui_dst]}" } } } - if (![zeek][orig_l2_oui]) { + if (![destination][oui]) { mutate { - id => "mutate_add_fields_resp_l2_oui_from_ics_guess_oui_dst" - add_field => { "[zeek][resp_l2_oui]" => "%{[@metadata][ics_guess_oui_dst]}" } + id => "mutate_add_fields_destination_oui_from_ics_guess_oui_dst" + add_field => { "[destination][oui]" => "%{[@metadata][ics_guess_oui_dst]}" } } } } - if ([zeek][resp_l2_oui]) { + if ([destination][oui]) { - # merge resp_l2_oui into dstOui array (with a count of 1) + # merge destination.oui into dstOui array (with a count of 1) mutate { id => "mutate_merge_field_dstOui" - merge => { "[dstOui]" => "[zeek][resp_l2_oui]" } } - mutate { id => "mutate_add_field_dstOuiCnt" - add_field => { "[dstOuiCnt]" => "1" } } + merge => { "[dstOui]" => "[destination][oui]" } } + ruby { + id => "ruby_enrich_dst_oui_cnt" + path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" + script_params => { + "source" => "[dstOui]" + "target" => "[dstOuiCnt]" + } + } } } # end if [destination][mac] @@ -149,7 +161,7 @@ filter { geoip { id => "geoip_srcIp_geo" source => "[source][ip]" - target => "[zeek][source_geo]" + target => "[source][geo]" } geoip { id => "geoip_srcIp_asn" 
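Review bot: The rewritten comment `# merge destination.oui into dstOui array (with a count of 1)` is stale: the hard-coded `"1"` for `dstOuiCnt` is gone and the count is now produced by `add_count_field.rb` from the merged `[dstOui]` array. The source-side hunk at `@@ -41,27 +39,33 @@` already changed its comment to `(with a count field)`, so this one should match: `# merge destination.oui into dstOui array (with a count field)`.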
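Review bot: With `target => "[source][geo]"` the geoip filter now writes its own output subfields (for example `country_code2`, which the following hunk reads) straight into the ECS `source.geo` object, alongside the `country_iso_code` that is derived from it; the destination side at `@@ -222,7 +234,7 @@` does the same with `[destination][geo]`. If the index template maps `source.geo` only as the ECS geo field set, the extra plugin subfields will be mapped dynamically, which is presumably not intended. Consider restricting the plugin output with its `fields` option to the subfields the pipeline actually uses, or add a comment above the `geoip` block stating that the non-ECS subfields are kept on purpose.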
@@ -157,9 +169,9 @@ filter { source => "[source][ip]" target => "[@metadata][orig_asn]" } - if ([zeek][source_geo] and [zeek][source_geo][country_code2]) { + if ([source][geo] and [source][geo][country_code2]) { mutate { id => "mutate_add_field_srcGEO" - add_field => { "[source][geo][country_iso_code]" => "%{[zeek][source_geo][country_code2]}" } } + add_field => { "[source][geo][country_iso_code]" => "%{[source][geo][country_code2]}" } } } if ([@metadata][orig_asn] and [@metadata][orig_asn][as_org] and [@metadata][orig_asn][asn]) { mutate { id => "mutate_add_field_srcASN" @@ -174,22 +186,22 @@ filter { mutate { id => "mutate_add_field_srcip_for_dns" add_field => { - "[zeek][source_ip_reverse_dns]" => "%{[source][ip]}" + "[source][ip_reverse_dns]" => "%{[source][ip]}" } } dns { id => "dns_source_ip_reverse_dns" - reverse => [ "[zeek][source_ip_reverse_dns]" ] + reverse => [ "[source][ip_reverse_dns]" ] action => "replace" hit_cache_size => 8000 hit_cache_ttl => 300 failed_cache_size => 8000 failed_cache_ttl => 60 } - if ([source][ip] == [zeek][source_ip_reverse_dns]) { + if ([source][ip] == [source][ip_reverse_dns]) { mutate { id => "mutate_remove_field_source_ip_reverse_dns" - remove_field => [ "[zeek][source_ip_reverse_dns]" ] + remove_field => [ "[source][ip_reverse_dns]" ] } } } @@ -222,7 +234,7 @@ filter { geoip { id => "geoip_dstIp_geo" source => "[destination][ip]" - target => "[zeek][destination_geo]" + target => "[destination][geo]" } geoip { id => "geoip_dstIp_asn" 
@@ -230,9 +242,9 @@ filter { source => "[destination][ip]" target => "[@metadata][resp_asn]" } - if ([zeek][destination_geo] and [zeek][destination_geo][country_code2]) { + if ([destination][geo] and [destination][geo][country_code2]) { mutate { id => "mutate_add_field_dstGEO" - add_field => { "[destination][geo][country_iso_code]" => "%{[zeek][destination_geo][country_code2]}" } } + add_field => { "[destination][geo][country_iso_code]" => "%{[destination][geo][country_code2]}" } } } if ([@metadata][resp_asn] and [@metadata][resp_asn][as_org] and [@metadata][resp_asn][asn]) { mutate { id => "mutate_add_field_dstASN" @@ -249,22 +261,22 @@ filter { mutate { id => "mutate_add_field_dstip_for_dns" add_field => { - "[zeek][destination_ip_reverse_dns]" => "%{[destination][ip]}" + "[destination][ip_reverse_dns]" => "%{[destination][ip]}" } } dns { id => "dns_destination_ip_reverse_dns" - reverse => [ "[zeek][destination_ip_reverse_dns]" ] + reverse => [ "[destination][ip_reverse_dns]" ] action => "replace" hit_cache_size => 8000 hit_cache_ttl => 300 failed_cache_size => 8000 failed_cache_ttl => 60 } - if ([destination][ip] == [zeek][destination_ip_reverse_dns]) { + if ([destination][ip] == [destination][ip_reverse_dns]) { mutate { id => "mutate_remove_field_destination_ip_reverse_dns" - remove_field => [ "[zeek][destination_ip_reverse_dns]" ] + remove_field => [ "[destination][ip_reverse_dns]" ] } } } @@ -313,8 +325,8 @@ filter { rescue Exception => e event.set('ruby_exception', 'ruby_dns_freq_lookup: ' + e.message) end - event.set('[zeek][freq_score_v1]', scoresv1) unless (scoresv1.length == 0) - event.set('[zeek][freq_score_v2]', scoresv2) unless (scoresv2.length == 0) + event.set('[event][freq_score_v1]', scoresv1) unless (scoresv1.length == 0) + event.set('[event][freq_score_v2]', scoresv2) unless (scoresv2.length == 0) end" } } # end if dns.ip 
@@ -402,49 +414,25 @@ filter { } # end if radius - if ([zeek_cip_identity][socket_address]) { - - # if this is a zeek_cip_identity record with socket_address, ASN/GeoIP it as well - geoip { - id => "geoip_zeek_cip_identity_socket_address" - default_database_type => "ASN" - source => "[zeek_cip_identity][socket_address]" - target => "[@metadata][zeek_cip_identity_asn]" - } - if ([@metadata][zeek_cip_identity_asn] and [@metadata][zeek_cip_identity_asn][as_org] and [@metadata][zeek_cip_identity_asn][asn]) { - # this is stupid, the %{} doesn't seem to be liked by mutate.merge - mutate { id => "mutate_add_field_zeek_cip_identity_asn" - add_field => { "[@metadata][cip_asn_str]" => "AS%{[@metadata][zeek_cip_identity_asn][asn]} %{[@metadata][zeek_cip_identity_asn][as_org]}" } } - mutate { id => "mutate_merge_zeek_cip_identity_asn" - merge => { "[zeek_cip_identity][socket_address_asn]" => "[@metadata][cip_asn_str]" } } - } - geoip { - id => "geoip_zeek_cip_identity_socket_address_geo" - source => "[zeek_cip_identity][socket_address]" - target => "[zeek_cip_identity][socket_address_geo]" - } - - } # end if zeek_cip_identity.socket_address - - if ([zeek_ssl][server_name]) { + if ([tls][client][server_name]) { mutate { add_field => { "[@metadata][ENV_FREQ_LOOKUP]" => "${FREQ_LOOKUP:false}" } } if ([@metadata][ENV_FREQ_LOOKUP] == "true") { - # if requested, look up zeek_ssl.server_name queries using freq_server.py to get entropy scores + # if requested, look up [tls][client][server_name] queries using freq_server.py to get entropy scores http { - id => "rest_zeek_ssl_server_name_freq_lookup" - url => "http://freq:10004/measure/%{[zeek_ssl][server_name]}" - target_body => "[@metadata][zeek_ssl_server_name_freq]" + id => "rest_ssl_server_name_freq_lookup" + url => "http://freq:10004/measure/%{[tls][client][server_name]}" + target_body => "[@metadata][tls_server_name_freq]" } - if ([@metadata][zeek_ssl_server_name_freq]) { + if ([@metadata][tls_server_name_freq]) { grok { - id => 
"grok_zeek_ssl_server_name_freq_parse" - match => { "[@metadata][zeek_ssl_server_name_freq]" => [ "^\(%{NUMBER:[zeek][freq_score_v1]}, %{NUMBER:[zeek][freq_score_v2]}\)$" ] } + id => "grok_tls_server_name_freq_parse" + match => { "[@metadata][tls_server_name_freq]" => [ "^\(%{NUMBER:[event][freq_score_v1]}, %{NUMBER:[event][freq_score_v2]}\)$" ] } } } } - } # end if zeek_ssl.server_name + } # end if tls.client.server_name ################################################################################################ @@ -455,7 +443,7 @@ filter { translate { id => "translate_ssl_ja3" field => "[tls][ja3][0]" - destination => "[zeek_ssl][ja3_desc]" + destination => "[tls][client][ja3_description]" dictionary_path => "/etc/ja3.yaml" } } @@ -464,7 +452,7 @@ filter { translate { id => "translate_ssl_ja3s" field => "[tls][ja3s][0]" - destination => "[zeek_ssl][ja3s_desc]" + destination => "[tls][server][ja3s_description]" dictionary_path => "/etc/ja3.yaml" } } @@ -482,7 +470,7 @@ filter { if ([log][file][path]) { # trim path portion of log.file.path - mutate { id => "mutate_gsub_field_zeek_log_file_path" + mutate { id => "mutate_gsub_field_log_file_path" gsub => [ "[log][file][path]", "^.*/", "" ] } } diff --git a/logstash/pipelines/enrichment/12_type_conv.conf b/logstash/pipelines/enrichment/12_type_conv.conf index c47c9aa4c..71d48afdb 100644 --- a/logstash/pipelines/enrichment/12_type_conv.conf +++ b/logstash/pipelines/enrichment/12_type_conv.conf @@ -6,6 +6,11 @@ filter { id => "mutate_convert_misc" convert => { "[certCnt]" => "integer" + "[client][bytes]" => "integer" + "[destination][bytes]" => "integer" + "[destination][mac-cnt]" => "integer" + "[destination][packets]" => "integer" + "[destination][port]" => "integer" "[dhcp][hostCnt]" => "integer" "[dhcp][idCnt]" => "integer" "[dhcp][macCnt]" => "integer" 
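Review bot: `url => "http://freq:10004/measure/%{[tls][client][server_name]}"` interpolates the SNI value, which comes straight from captured traffic, into the URL path with no encoding, so a name containing `/`, `?`, `#` or whitespace alters or breaks the request; if the field is an array, as the `[tls][ja3][0]` access two hunks later suggests these fields can be, sprintf renders it comma-joined and the lookup is for a string that is not a hostname. The removed `zeek_ssl.server_name` line had the same issue, but the line is being rewritten here. Encoding the value into a metadata field first (a small ruby filter using `CGI.escape` would do) and interpolating that, or at least a comment recording that the freq server is expected to cope with raw values, would settle it. The enclosing `filter { }` block starts and ends outside the hunk.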
@@ -15,18 +20,15 @@ filter { "[dns][opcodeCnt]" => "integer" "[dns][qcCnt]" => "integer" "[dns][qtCnt]" => "integer" - "[destination][bytes]" => "integer" - "[server][bytes]" => "integer" - "[destination][mac-cnt]" => "integer" "[dstOuiCnt]" => "integer" - "[destination][packets]" => "integer" - "[destination][port]" => "integer" "[email][dstCnt]" => "integer" "[email][idCnt]" => "integer" + "[email][smtpHelloCnt]" => "integer" "[email][srcCnt]" => "integer" "[email][subjectCnt]" => "integer" "[email][useragentCnt]" => "integer" - "[email][smtpHelloCnt]" => "integer" + "[event][freq_score_v1]" => "float" + "[event][freq_score_v2]" => "float" "[firstPacket]" => "integer" "[http][bodyMagicCnt]" => "integer" "[http][clientVersionCnt]" => "integer" @@ -42,6 +44,10 @@ filter { "[krb5][snameCnt]" => "integer" "[lastPacket]" => "integer" "[length]" => "integer" + "[network][bytes]" => "integer" + "[network][packets]" => "integer" + "[network][vlan][id-cnt]" => "integer" + "[network][vlan][id]" => "integer" "[protocolCnt]" => "integer" "[quic][hostCnt]" => "integer" "[quic][useragentCnt]" => "integer" @@ -50,12 +56,12 @@ filter { "[radius][framedIpCnt]" => "integer" "[radius][macCnt]" => "integer" "[segmentCnt]" => "integer" + "[server][bytes]" => "integer" "[source][bytes]" => "integer" - "[client][bytes]" => "integer" "[source][mac-cnt]" => "integer" - "[srcOuiCnt]" => "integer" "[source][packets]" => "integer" "[source][port]" => "integer" + "[srcOuiCnt]" => "integer" "[ssh][hasshCnt]" => "integer" "[ssh][hasshServerCnt]" => "integer" "[ssh][keyCnt]" => "integer" @@ -65,14 +71,8 @@ filter { "[tls][ja3Cnt]" => "integer" "[tls][ja3sCnt]" => "integer" "[tls][versionCnt]" => "integer" - "[network][bytes]" => "integer" "[totDataBytes]" => "integer" - "[network][packets]" => "integer" "[userCnt]" => "integer" - "[network][vlan][id]" => "integer" - "[network][vlan][id-cnt]" => "integer" - "[zeek][freq_score_v1]" => "float" - "[zeek][freq_score_v2]" => "float" } } 
diff --git a/logstash/pipelines/enrichment/17_segment_comparison.conf b/logstash/pipelines/enrichment/17_segment_comparison.conf index 83df0d039..c0c1c0de1 100644 --- a/logstash/pipelines/enrichment/17_segment_comparison.conf +++ b/logstash/pipelines/enrichment/17_segment_comparison.conf @@ -1,7 +1,7 @@ filter { - if ([zeek][resp_segment] and [zeek][orig_segment]) and - ([zeek][resp_segment] != [zeek][orig_segment]) { + if ([destination][segment] and [source][segment]) and + ([destination][segment] != [source][segment]) { mutate { id => "mutate_add_tag_cross_segment" add_tag => [ "cross_segment" ] diff --git a/logstash/pipelines/enrichment/18_tags_finalize.conf b/logstash/pipelines/enrichment/18_tags_finalize.conf index 1bad6459d..57878f555 100644 --- a/logstash/pipelines/enrichment/18_tags_finalize.conf +++ b/logstash/pipelines/enrichment/18_tags_finalize.conf @@ -11,26 +11,5 @@ filter { "_ouilookupfailure", "_geoip_lookup_failure" ] } - # deduplicate and count tags - ruby { - id => "ruby_zeek_tags_deduplicate" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "tags" - } - } - ruby { - id => "ruby_enrichment_tagsCnt" - path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" - script_params => { - "source" => "[tags]" - "target" => "[tagsCnt]" - } - } - mutate { - id => "mutate_convert_enrichment_tagsCnt" - convert => { "[tagsCnt]" => "integer" } - } - } # filter diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf index 1d775eb6e..a5c601149 100644 --- a/logstash/pipelines/enrichment/19_severity.conf +++ b/logstash/pipelines/enrichment/19_severity.conf 
@@ -5,10 +5,10 @@ filter { # see malcolm_severity.yaml for mappings to severity scores mutate { - id => "mutate_add_field_env_logstash_severity_scoring" - add_field => { "[@metadata][ENV_LOGSTASH_SEVERITY_SCORING]" => "${LOGSTASH_SEVERITY_SCORING:false}" } + id => "mutate_add_field_env_logstash_severity_scoring_enrich" + add_field => { "[@metadata][ENV_LOGSTASH_SEVERITY_SCORING_ENRICH]" => "${LOGSTASH_SEVERITY_SCORING:false}" } } - if ([@metadata][ENV_LOGSTASH_SEVERITY_SCORING] == "true") { + if ([@metadata][ENV_LOGSTASH_SEVERITY_SCORING_ENRICH] == "true") { # identify cross-segment traffic based on previously-populated tag if ("cross_segment" in [tags]) { 
@@ -16,30 +16,9 @@ filter { add_field => { "[event][severity_tags]" => "Cross-segment traffic" } } } - # connection states of interest (see conn_states.yaml) - # https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info - # https://docs.zeek.org/en/master/logs/conn.html - if ([zeek_conn][conn_state]) { - if ([zeek_conn][conn_state] == "S0") { - mutate { id => "mutate_add_field_severity_item_conn_s0" - add_field => { "[event][severity_tags]" => "Connection attempt, no reply" } } - } else if ([zeek_conn][conn_state] == "REJ") { - mutate { id => "mutate_add_field_severity_item_conn_rej" - add_field => { "[event][severity_tags]" => "Connection attempt rejected" } } - } else if ([zeek_conn][conn_state] == "RSTO") { - mutate { id => "mutate_add_field_severity_item_conn_rsto" - add_field => { "[event][severity_tags]" => "Connection aborted (originator)" } } - } else if ([zeek_conn][conn_state] == "RSTR") { - mutate { id => "mutate_add_field_severity_item_conn_rstr" - add_field => { "[event][severity_tags]" => "Connection aborted (responder)" } } - } - } - - # inbound/outbound/internal/external connection based on previously-populated tag - if ([zeek][logType] != "files") { - # files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate - # the direction of the connection itself + if ([event][provider] != "zeek") or ([event][dataset] != "files") { + # files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate the direction of the connection itself if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { mutate { id => "mutate_add_field_severity_item_internal" add_field => { "[event][severity_tags]" => "Internal traffic" } } 
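Review bot: The rewritten comment keeps the typo `tx_hosts and tx_hosts`; Zeek's files.log carries `tx_hosts` and `rx_hosts`, so it should read `# files.log is excluded here because tx_hosts and rx_hosts don't really indicate the direction of the connection itself`. The new condition `([event][provider] != "zeek") or ([event][dataset] != "files")` is the correct negation of the old `zeek.logType != "files"` test, but in this De Morgan form it reads as two separate exclusions, so a short comment such as `# i.e. everything except zeek files.log` above it would help the next reader. The `if` block opened here ends outside the hunk.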
@@ -81,123 +60,119 @@ filter { } # tunneled/VPN traffic - if ([zeek][logType] == "tunnel") { - mutate { id => "mutate_add_field_severity_item_tunnel" - add_field => { "[event][severity_tags]" => "Tunneled traffic" } } - } - if (("ipsec" in [zeek][service]) or - ("openvpn" in [zeek][service]) or - ("wireguard" in [zeek][service]) or - ("l2tp" in [zeek][service]) or - ("sstp" in [zeek][service])) { + if (("ipsec" in [network][protocol]) or + ("openvpn" in [network][protocol]) or + ("wireguard" in [network][protocol]) or + ("l2tp" in [network][protocol]) or + ("sstp" in [network][protocol])) { mutate { id => "mutate_add_field_severity_item_vpn" add_field => { "[event][severity_tags]" => "VPN traffic" } } } # these (high/medium) file types pulled from extractor_override.interesting.zeek # and probably ought to be modified if that file is modified - if ([zeek][filetype]) { + if ([file][mime_type]) { # "high" severity files are executables and scripts (?) - if (("application/PowerShell" in [zeek][filetype]) or - ("application/vnd.microsoft.portable-executable" in [zeek][filetype]) or - ("application/x-csh" in [zeek][filetype]) or - ("application/x-dosexec" in [zeek][filetype]) or - ("application/x-elf" in [zeek][filetype]) or - ("application/x-executable" in [zeek][filetype]) or - ("application/x-ms-application" in [zeek][filetype]) or - ("application/x-msdos-program" in [zeek][filetype]) or - ("application/x-pe-app-32bit-i386" in [zeek][filetype]) or - ("application/x-perl" in [zeek][filetype]) or - ("application/x-python" in [zeek][filetype]) or - ("application/x-sh" in [zeek][filetype]) or - ("text/vbscript" in [zeek][filetype])) { + if (("application/PowerShell" in [file][mime_type]) or + ("application/vnd.microsoft.portable-executable" in [file][mime_type]) or + ("application/x-csh" in [file][mime_type]) or + ("application/x-dosexec" in [file][mime_type]) or + ("application/x-elf" in [file][mime_type]) or + ("application/x-executable" in [file][mime_type]) or + 
("application/x-ms-application" in [file][mime_type]) or + ("application/x-msdos-program" in [file][mime_type]) or + ("application/x-pe-app-32bit-i386" in [file][mime_type]) or + ("application/x-perl" in [file][mime_type]) or + ("application/x-python" in [file][mime_type]) or + ("application/x-sh" in [file][mime_type]) or + ("text/vbscript" in [file][mime_type])) { mutate { id => "mutate_add_field_severity_file_type_high" add_field => { "[event][severity_tags]" => "File transfer (high concern)" } } # "medium" severity files are everything else in the "interesting" list - } else if (("application/binary" in [zeek][filetype]) or - ("application/ecmascript" in [zeek][filetype]) or - ("application/hta" in [zeek][filetype]) or - ("application/java-archive" in [zeek][filetype]) or - ("application/java-serialized-object" in [zeek][filetype]) or - ("application/java-vm" in [zeek][filetype]) or - ("application/javascript" in [zeek][filetype]) or - ("application/ms-vsi" in [zeek][filetype]) or - ("application/msaccess" in [zeek][filetype]) or - ("application/msaccess.addin" in [zeek][filetype]) or - ("application/msaccess.cab" in [zeek][filetype]) or - ("application/msaccess.ftemplate" in [zeek][filetype]) or - ("application/msaccess.runtime" in [zeek][filetype]) or - ("application/msaccess.webapplication" in [zeek][filetype]) or - ("application/msexcel" in [zeek][filetype]) or - ("application/mspowerpoint" in [zeek][filetype]) or - ("application/msword" in [zeek][filetype]) or - ("application/octet-stream" in [zeek][filetype]) or - ("application/pdf" in [zeek][filetype]) or - ("application/rtf" in [zeek][filetype]) or - ("application/vnd.apple.installer+xml" in [zeek][filetype]) or - ("application/vnd.ms-cab-compressed" in [zeek][filetype]) or - ("application/vnd.ms-excel" in [zeek][filetype]) or - ("application/vnd.ms-excel.addin.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.addin.macroenabled.12" in [zeek][filetype]) or - 
("application/vnd.ms-excel.sheet.binary.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.sheet.binary.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.sheet.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.sheet.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.template.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-excel.template.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-office.calx" in [zeek][filetype]) or - ("application/vnd.ms-officetheme" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.addin.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.addin.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.presentation.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.presentation.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.slide.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.slide.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.slideshow.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.slideshow.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.template.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-powerpoint.template.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-word.document.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-word.document.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.ms-word.template.macroEnabled.12" in [zeek][filetype]) or - ("application/vnd.ms-word.template.macroenabled.12" in [zeek][filetype]) or - ("application/vnd.openofficeorg.extension" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.presentationml.presentation" in [zeek][filetype]) or - 
("application/vnd.openxmlformats-officedocument.presentationml.slide" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.presentationml.slideshow" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.presentationml.template" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.spreadsheetml.template" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.wordprocessingml.document" in [zeek][filetype]) or - ("application/vnd.openxmlformats-officedocument.wordprocessingml.template" in [zeek][filetype]) or - ("application/windows-library+xml" in [zeek][filetype]) or - ("application/x-7z-compressed" in [zeek][filetype]) or - ("application/x-ace-compressed" in [zeek][filetype]) or - ("application/x-apple-diskimage" in [zeek][filetype]) or - ("application/x-bzip" in [zeek][filetype]) or - ("application/x-bzip2" in [zeek][filetype]) or - ("application/x-cfs-compressed" in [zeek][filetype]) or - ("application/x-compress" in [zeek][filetype]) or - ("application/x-compressed" in [zeek][filetype]) or - ("application/x-cpio" in [zeek][filetype]) or - ("application/x-dgc-compressed" in [zeek][filetype]) or - ("application/x-gca-compressed" in [zeek][filetype]) or - ("application/x-gtar" in [zeek][filetype]) or - ("application/x-gzip" in [zeek][filetype]) or - ("application/x-install-instructions" in [zeek][filetype]) or - ("application/x-lzh-compressed" in [zeek][filetype]) or - ("application/x-ms-installer" in [zeek][filetype]) or - ("application/x-ms-shortcut" in [zeek][filetype]) or - ("application/x-msdownload" in [zeek][filetype]) or - ("application/x-rar-compressed" in [zeek][filetype]) or - ("application/x-shockwave-flash" in [zeek][filetype]) or - ("application/x-zip-compressed" in [zeek][filetype]) or - ("application/zip" in [zeek][filetype]) or - ("text/jscript" in [zeek][filetype]) or - 
("text/rtf" in [zeek][filetype])) { + } else if (("application/binary" in [file][mime_type]) or + ("application/ecmascript" in [file][mime_type]) or + ("application/hta" in [file][mime_type]) or + ("application/java-archive" in [file][mime_type]) or + ("application/java-serialized-object" in [file][mime_type]) or + ("application/java-vm" in [file][mime_type]) or + ("application/javascript" in [file][mime_type]) or + ("application/ms-vsi" in [file][mime_type]) or + ("application/msaccess" in [file][mime_type]) or + ("application/msaccess.addin" in [file][mime_type]) or + ("application/msaccess.cab" in [file][mime_type]) or + ("application/msaccess.ftemplate" in [file][mime_type]) or + ("application/msaccess.runtime" in [file][mime_type]) or + ("application/msaccess.webapplication" in [file][mime_type]) or + ("application/msexcel" in [file][mime_type]) or + ("application/mspowerpoint" in [file][mime_type]) or + ("application/msword" in [file][mime_type]) or + ("application/octet-stream" in [file][mime_type]) or + ("application/pdf" in [file][mime_type]) or + ("application/rtf" in [file][mime_type]) or + ("application/vnd.apple.installer+xml" in [file][mime_type]) or + ("application/vnd.ms-cab-compressed" in [file][mime_type]) or + ("application/vnd.ms-excel" in [file][mime_type]) or + ("application/vnd.ms-excel.addin.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.addin.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.sheet.binary.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.sheet.binary.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.sheet.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.sheet.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.template.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-excel.template.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-office.calx" in [file][mime_type]) or 
+ ("application/vnd.ms-officetheme" in [file][mime_type]) or + ("application/vnd.ms-powerpoint" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.addin.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.addin.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.presentation.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.presentation.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.slide.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.slide.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.slideshow.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.slideshow.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.template.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-powerpoint.template.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-word.document.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-word.document.macroenabled.12" in [file][mime_type]) or + ("application/vnd.ms-word.template.macroEnabled.12" in [file][mime_type]) or + ("application/vnd.ms-word.template.macroenabled.12" in [file][mime_type]) or + ("application/vnd.openofficeorg.extension" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.presentationml.presentation" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.presentationml.slide" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.presentationml.slideshow" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.presentationml.template" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.spreadsheetml.template" in [file][mime_type]) or + 
("application/vnd.openxmlformats-officedocument.wordprocessingml.document" in [file][mime_type]) or + ("application/vnd.openxmlformats-officedocument.wordprocessingml.template" in [file][mime_type]) or + ("application/windows-library+xml" in [file][mime_type]) or + ("application/x-7z-compressed" in [file][mime_type]) or + ("application/x-ace-compressed" in [file][mime_type]) or + ("application/x-apple-diskimage" in [file][mime_type]) or + ("application/x-bzip" in [file][mime_type]) or + ("application/x-bzip2" in [file][mime_type]) or + ("application/x-cfs-compressed" in [file][mime_type]) or + ("application/x-compress" in [file][mime_type]) or + ("application/x-compressed" in [file][mime_type]) or + ("application/x-cpio" in [file][mime_type]) or + ("application/x-dgc-compressed" in [file][mime_type]) or + ("application/x-gca-compressed" in [file][mime_type]) or + ("application/x-gtar" in [file][mime_type]) or + ("application/x-gzip" in [file][mime_type]) or + ("application/x-install-instructions" in [file][mime_type]) or + ("application/x-lzh-compressed" in [file][mime_type]) or + ("application/x-ms-installer" in [file][mime_type]) or + ("application/x-ms-shortcut" in [file][mime_type]) or + ("application/x-msdownload" in [file][mime_type]) or + ("application/x-rar-compressed" in [file][mime_type]) or + ("application/x-shockwave-flash" in [file][mime_type]) or + ("application/x-zip-compressed" in [file][mime_type]) or + ("application/zip" in [file][mime_type]) or + ("text/jscript" in [file][mime_type]) or + ("text/rtf" in [file][mime_type])) { mutate { id => "mutate_add_field_severity_file_type_medium" add_field => { "[event][severity_tags]" => "File transfer (medium concern)" } } 
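Review bot: If `[file][mime_type]` is a plain string, Logstash's `in` operator is a substring test, so `"application/x-sh" in [file][mime_type]` in the high-concern branch also matches `application/x-shockwave-flash` (which is listed as medium concern but is caught by the high branch first), and `"application/x-bzip"` matches `application/x-bzip2`; if the field is an array, `in` is exact membership and this is moot, but the field's type is not visible here. The same tests were applied to `zeek.filetype` before, so this is inherited, but every one of these lines is being rewritten. Either switch the branches to equality checks (`[file][mime_type] == "application/x-sh"`) or put a comment above `if ([file][mime_type]) {` stating that the field is an array and `in` is therefore an exact match. As a style point, the comment says these lists mirror `extractor_override.interesting.zeek`; a `translate` filter driven by a dictionary file would keep the two in one place instead of two hand-maintained `or` chains.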
@@ -208,52 +183,20 @@ filter { } } - # assign severity to notice based on category - if ([zeek_notice]) { - if ([zeek_notice][category] == "ATTACK") { - mutate { id => "mutate_add_field_severity_notice_mitre_attack" - add_field => { "[event][severity_tags]" => "MITRE ATT&CK framework technique" } } - } else if ([zeek_notice][category] == "Scan") { - mutate { id => "mutate_add_field_severity_notice_scan" - add_field => { "[event][severity_tags]" => "Notice (scan)" } } - } else if (([zeek_notice][category] == "FTP") or - ([zeek_notice][category] == "HTTP") or - ([zeek_notice][category] == "HTTPATTACKS") or - ([zeek_notice][category] == "SSL")) { - mutate { id => "mutate_add_field_severity_notice_protocol" - add_field => { "[event][severity_tags]" => "Notice (protocol)" } } - } else if (([zeek_notice][category] =~ /^CVE/) or - ([zeek_notice][category] == "EternalSafety") or - ([zeek_notice][category] == "Ripple20") or - ([zeek_notice][category] == "Zerologon")) { - mutate { id => "mutate_add_field_severity_notice_vuln" - add_field => { "[event][severity_tags]" => "Notice (vulnerability)" } } - } else { - mutate { id => "mutate_add_field_severity_notice_other" - add_field => { "[event][severity_tags]" => "Notice (other)" } } - } - } - - # weird logs get one score at the moment - if ([zeek_weird]) { - mutate { id => "mutate_add_field_severity_weird_other" - add_field => { "[event][severity_tags]" => "Weird" } } - } - - # if zeek.password exists, it's assumed to be in cleartext - if ([zeek][password]) { + # if related.password exists, it's assumed to be in cleartext + if ([related][password]) { mutate { id => "mutate_add_field_severity_password_exists" add_field => { "[event][severity_tags]" => "Cleartext password" } } } # check for high-entropy domain names for non-internal connections - if ([zeek][freq_score_v1]) or ([zeek][freq_score_v2]) { + if ([event][freq_score_v1]) or ([event][freq_score_v2]) { ruby { id => "ruby_add_field_severity_domain_entropy" init => 
"$freqSeverityThreshold = ENV['FREQ_SEVERITY_THRESHOLD'] || '3.0'" code => " - freqs1 = event.get('[zeek][freq_score_v1]') - freqs2 = event.get('[zeek][freq_score_v2]') + freqs1 = event.get('[event][freq_score_v1]') + freqs2 = event.get('[event][freq_score_v2]') lowestFreqScore = [freqs1.nil? ? 100 : (freqs1.kind_of?(Array) ? freqs1.min : freqs1), freqs2.nil? ? 100 : (freqs2.kind_of?(Array) ? freqs2.min : freqs2)].min if (lowestFreqScore < Float($freqSeverityThreshold)) then @@ -311,30 +254,13 @@ filter { } } - # assign score to signatures based on engine - if ([zeek_signatures]) { - if ('Capa' in [zeek_signatures][engine]) { - mutate { id => "mutate_add_field_severity_signatures_capa" - add_field => { "[event][severity_tags]" => "Signature (capa)" } } - } else if ('ClamAV' in [zeek_signatures][engine]) { - mutate { id => "mutate_add_field_severity_signatures_clamav" - add_field => { "[event][severity_tags]" => "Signature (ClamAV)" } } - } else if ('Yara' in [zeek_signatures][engine]) { - mutate { id => "mutate_add_field_severity_signatures_yara" - add_field => { "[event][severity_tags]" => "Signature (YARA)" } } - } else { - mutate { id => "mutate_add_field_severity_signatures_other" - add_field => { "[event][severity_tags]" => "Signature" } } - } - } - # insecure/outdated protocols requires a little bit more code than logstash can do # so we'll do it in Ruby. at the moment these are mirroring what's in the # Security Overview (95479950-41f2-11ea-88fa-7151df485405) dashboard, so they # probably should be kept up-to-date with that. # # in addition to insecure/outdated protocols, append PROTOCOL_XXX to the - # severity_tags list, where XXX is the uppercased value of zeek.service, + # severity_tags list, where XXX is the uppercased value of network.protocol, # so that if the user wants to add PROTOCOL_SSH or whatever to their mapping # for a custom severity value it will just work. if it's not in their # mapping file, it'll return with a nil value and will be removed 
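Review bot: `[related][password]` is not part of the ECS `related` field set (which defines ip, user, hash and hosts), so the renamed comment `# if related.password exists, it's assumed to be in cleartext` reads as though a standard ECS field were being checked; suggest `# if related.password (a Malcolm-specific field, not in the ECS related.* set) exists, it's assumed to be in cleartext`. Because the value is a recovered cleartext credential that ends up indexed, the comment is also a good place to record that the field is kept deliberately for this severity check so that retention and access-control decisions for it are made consciously. The enclosing filter block starts and ends outside the hunk.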
@@ -342,14 +268,14 @@ filter { # # since we're loading the services here, we'll also take care of "services # running on a non-standard port" as well - if (!([zeek][logType] =~ /^known/)) { + if ([event][provider] != "zeek") or (!([event][dataset] =~ /^known/)) { ruby { id => "ruby_add_field_severity_insecure_protocols" init => " require 'yaml'; $servicePortMap = YAML.load(File.read('/etc/service_ports.yaml')) " code => " - if (service = event.get('[zeek][service]')) then + if (service = event.get('[network][protocol]')) then foundInsec = 0 foundOddPort = 0 if !service.kind_of?(Array) then @@ -357,7 +283,7 @@ filter { newsrv.push(service) service = newsrv end - version = event.get('[zeek][service_version]') + version = event.get('[network][protocol_version]') if !version.nil? and !version.kind_of?(Array) then newver = Array.new newver.push(version) @@ -449,6 +375,9 @@ filter { end" } + # TODO: ECS has some severity scoring stuff in https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html, which we could look at using, + # but I'm not sure it's always applicable since not everything here is a "vulnerability" + } # LOGSTASH_SEVERITY_SCORING env check } # filter diff --git a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf index 73011567c..84cf9821c 100644 --- a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf +++ b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf 
@@ -3,69 +3,70 @@ filter { # Map enriched fields to ECS where possible (see https://github.com/idaholab/Malcolm/issues/16) - # For now I will add fields rather than rename them. This will preserve backwards compatibility - # but the records will be somewhat bigger. I'll have to address what (if anything) to do with upgrades. - # for now don't do anything unles an env explicitly enables it - mutate { - id => "mutate_add_field_env_logstash_enriched_to_ecs" - add_field => { "[@metadata][ENV_LOGSTASH_ENRICHED_TO_ECS]" => "${LOGSTASH_TO_ECS:false}" } + # hostnames + if ([source][hostname]) { mutate { id => "mutate_add_field_ecs_client_domain_source_hostname" + add_field => { "[client][domain]" => "%{[source][hostname]}" } } } + if ([destination][hostname]) { mutate { id => "mutate_add_field_ecs_server_domain_destination_hostname" + add_field => { "[server][domain]" => "%{[destination][hostname]}" } } } + # network.direction (from tags assigned during 11_lookups.conf) + if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_internal" + add_field => { "[@metadata][network_direction]" => "internal" } } + } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_external" + add_field => { "[@metadata][network_direction]" => "external" } } + } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_outbound" + add_field => { "[@metadata][network_direction]" => "outbound" } } + } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_inbound" + add_field => { "[@metadata][network_direction]" => "inbound" } } + } + if ([@metadata][network_direction]) { + mutate { id => "mutate_add_field_ecs_network_direction" + add_field => { 
"[network][direction]" => "%{[@metadata][network_direction]}" } } } - if ([@metadata][ENV_LOGSTASH_ENRICHED_TO_ECS] == "true") { - - # πŸ—Ή Network - Fields describing the communication path over which the event happened. - https://www.elastic.co/guide/en/ecs/current/ecs-network.html - # network.direction (from tags assigned during 11_lookups.conf) - if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_internal" - add_field => { "[@metadata][network_direction]" => "internal" } } - } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_external" - add_field => { "[@metadata][network_direction]" => "external" } } - } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_outbound" - add_field => { "[@metadata][network_direction]" => "outbound" } } - } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_inbound" - add_field => { "[@metadata][network_direction]" => "inbound" } } - } - if ([@metadata][network_direction]) { - mutate { id => "mutate_add_field_ecs_network_direction" - add_field => { "[network][direction]" => "%{[@metadata][network_direction]}" } } - } + # network.name (based on info from [destination][segment] and [source][segment]) + if ([destination][segment]) { mutate { id => "mutate_add_field_ecs_network_name_resp" + merge => { "[network][name]" => "[destination][segment]" } } } + if ([source][segment]) { mutate { id => "mutate_add_field_ecs_network_name_orig" + merge => { "[network][name]" => "[source][segment]" } } } - # network.name (based on info from [zeek][resp_segment] and [zeek][orig_segment]) - if ([zeek][resp_segment]) { mutate { id => "mutate_add_field_ecs_network_name_resp" - merge => { 
"[network][name]" => "[zeek][resp_segment]" } } } - if ([zeek][orig_segment]) { mutate { id => "mutate_add_field_ecs_network_name_orig" - merge => { "[network][name]" => "[zeek][orig_segment]" } } } - # Autonomous System and Geo are handled after enrichment in 20_enriched_to_ecs.conf - # ☐ Autonomous System - Fields describing an Autonomous System (Internet routing prefix). - https://www.elastic.co/guide/en/ecs/current/ecs-as.html - # ☐ Geo - Fields describing a location. - https://www.elastic.co/guide/en/ecs/current/ecs-geo.html + # ECS - various -> related.ip (all IP-type fields get rolled up into related.ip) + if ([source][ip]) { mutate { id => "mutate_merge_field_related_ip_source_ip" + merge => { "[related][ip]" => "[source][ip]" } } } + if ([destination][ip]) { mutate { id => "mutate_merge_field_related_ip_destination_ip" + merge => { "[related][ip]" => "[destination][ip]" } } } + if ([destination][geo][ip]) { mutate { id => "mutate_merge_field_related_ip_destination_geo_ip" + merge => { "[related][ip]" => "[destination][geo][ip]" } } } + if ([source][geo][ip]) { mutate { id => "mutate_merge_field_related_ip_source_geo_ip" + merge => { "[related][ip]" => "[source][geo][ip]" } } } + if ([source][nat][ip]) { mutate { id => "mutate_merge_field_related_ip_source_nat_ip" + merge => { "[related][ip]" => "[source][nat][ip]" } } } - # ecs.version is required in all events - https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html - if (![ecs][version]) { mutate { id => "mutate_add_field_ecs_version" - add_field => { "[ecs][version]" => "1.5.0" } } } + # ecs.version is required in all events - https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html + if (![ecs][version]) { mutate { id => "mutate_add_field_ecs_version" + add_field => { "[ecs][version]" => "1.6.0" } } } - # event.ingested - if (![event][ingested]) { - ruby { - id => "ruby_event_ingested_now_zeek" - init => "require 'time'" - code => "event.set('[event][ingested]', Time.now.to_f)" - } - date { - id => 
"date_event_ingested_conv" - match => [ "[event][ingested]", "UNIX" ] - target => "[event][ingested]" - } + # event.ingested + if (![event][ingested]) { + ruby { + id => "ruby_event_ingested_now" + init => "require 'time'" + code => "event.set('[event][ingested]', Time.now.to_f)" } + date { + id => "date_event_ingested_conv" + match => [ "[event][ingested]", "UNIX" ] + target => "[event][ingested]" + } + } - # event.provider - if (![event][provider]) { mutate { id => "mutate_add_field_event_provider_enrichment" - add_field => { "[event][provider]" => "malcolm" } } } - - } # end if ENV_LOGSTASH_ENRICHED_TO_ECS + # event.provider + if (![event][provider]) { mutate { id => "mutate_add_field_event_provider_enrichment" + add_field => { "[event][provider]" => "malcolm" } } } } diff --git a/logstash/pipelines/enrichment/98_make_unique.conf b/logstash/pipelines/enrichment/98_make_unique.conf new file mode 100644 index 000000000..586adf0b4 --- /dev/null +++ b/logstash/pipelines/enrichment/98_make_unique.conf 
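Review bot: The new `client.domain`/`server.domain` blocks at the top of the hunk copy `[source][hostname]` and `[destination][hostname]` with `add_field` and a `%{…}` sprintf, while the `network.name` and `related.ip` blocks further down in the same hunk use `merge`; if hostname is ever multi-valued (the new 98_make_unique.conf suggests several enriched fields arrive as arrays), sprintf flattens it into a single string instead of keeping the array. For consistency with the rest of the hunk, `merge => { "[client][domain]" => "[source][hostname]" }` and `merge => { "[server][domain]" => "[destination][hostname]" }` would preserve the shape. Whether hostname can be an array is not visible here, so confirm against the upstream lookups before changing.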
@@ -0,0 +1,102 @@ +# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved. + +filter { + + # all IP addresses ########################################################## + if ([related][ip]) { + ruby { + id => "ruby_related_ip_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[related][ip]" + } + } + } + + # network protocol (service) version ######################################## + if ([network][protocol_version]) { + ruby { + id => "ruby_network_protocol_version_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[network][protocol_version]" + } + } + } + + # action and result ######################################################### + if ([event][action]) { + ruby { + id => "ruby_event_action_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[event][action]" + } + } + } + + if ([event][result]) { + ruby { + id => "ruby_zeek_result_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[event][result]" + } + } + } + + # event ID(s) ############################################################### + if ([event][id]) { + ruby { + id => "ruby_event_id_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[event][id]" + } + } + } + + # file mime type ############################################################ + if ([file][mime_type]) { + ruby { + id => "ruby_file_mime_type_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[file][mime_type]" + } + } + } + + # file path ################################################################# + if ([file][path]) { + ruby { + id => "ruby_zeek_filename_uniq" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "[file][path]" + } + } + } + + 
# deduplicate and count tags ################################################ + ruby { + id => "ruby_tags_deduplicate" + path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" + script_params => { + "field" => "tags" + } + } + ruby { + id => "ruby_enrichment_tagsCnt" + path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" + script_params => { + "source" => "[tags]" + "target" => "[tagsCnt]" + } + } + mutate { + id => "mutate_convert_enrichment_tagsCnt" + convert => { "[tagsCnt]" => "integer" } + } + +} diff --git a/logstash/pipelines/external/99_elastic_output.conf b/logstash/pipelines/external/99_elastic_output.conf index 40eff4f53..3f98ccfd0 100644 --- a/logstash/pipelines/external/99_elastic_output.conf +++ b/logstash/pipelines/external/99_elastic_output.conf @@ -8,6 +8,6 @@ output { password => "${ES_EXTERNAL_PASSWORD:}" manage_template => false index => "arkime_sessions3-%{+YYMMdd}" - document_id => "%{+YYMMdd}-%{zeekLogDocId}" + document_id => "%{+YYMMdd}-%{malcolmDocId}" } } diff --git a/logstash/pipelines/output/99_elastic_output.conf b/logstash/pipelines/output/99_elastic_output.conf index 4be4c0d83..bf8ff7773 100644 --- a/logstash/pipelines/output/99_elastic_output.conf +++ b/logstash/pipelines/output/99_elastic_output.conf @@ -4,6 +4,6 @@ output { hosts => "${ES_HOSTS:elasticsearch:9200}" manage_template => false index => "arkime_sessions3-%{+YYMMdd}" - document_id => "%{+YYMMdd}-%{zeekLogDocId}" + document_id => "%{+YYMMdd}-%{malcolmDocId}" } } diff --git a/logstash/pipelines/zeek/11_zeek_logs.conf b/logstash/pipelines/zeek/11_zeek_logs.conf index ef3d8da46..e72db9131 100644 --- a/logstash/pipelines/zeek/11_zeek_logs.conf +++ b/logstash/pipelines/zeek/11_zeek_logs.conf 
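Review bot: Two filter ids in the new file keep a `zeek` prefix although the fields they act on are now ECS-named: `ruby_zeek_result_uniq` operates on `[event][result]` and `ruby_zeek_filename_uniq` on `[file][path]`, while every sibling block is named after its field (`ruby_event_action_uniq`, `ruby_file_mime_type_uniq`, …). Renaming them to `id => "ruby_event_result_uniq"` and `id => "ruby_file_path_uniq"` keeps the naming scheme uniform and avoids suggesting these steps are Zeek-specific. Ids only affect monitoring output and pipeline-stat labels, so the rename is behaviour-neutral.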
@@ -225,7 +225,7 @@ filter { } ruby { id => "ruby_zip_zeek_conn" - init => "$zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'network.vlan.id', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id' ]" + init => "$zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id' ]" code => "event.set('[zeek_cols]', $zeek_conn_field_names.zip(event.get('[message]')).to_h)" } } @@ -1550,6 +1550,7 @@ filter { add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } } } + } else if ([log_source] == "ftp") { ############################################################################################################################# # ftp.log @@ -2024,7 +2025,7 @@ filter { } ruby { id => "ruby_zip_zeek_ldap" - init => "$zeek_ldap_field_names = [ 'ts', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]" + init => "$zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]" code => "event.set('[zeek_cols]', $zeek_ldap_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2043,7 +2044,7 @@ filter { id => "dissect_zeek_ldap_search" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}" } } if ("_dissectfailure" in [tags]) { @@ -2054,7 +2055,7 @@ filter { } ruby { id => "ruby_zip_zeek_ldap_search" - init => "$zeek_ldap_search_field_names = [ 'ts', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message' ]" + init => "$zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]" code => "event.set('[zeek_cols]', $zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2073,7 +2074,7 @@ filter { id => "dissect_zeek_login" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}" } } if ("_dissectfailure" in [tags]) { @@ -2084,16 +2085,11 @@ filter { } ruby { id => "ruby_zip_zeek_login" - init => "$zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'success', 'confused', 'user', 'client_user', 'password' ]" + init => "$zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]" code => "event.set('[zeek_cols]', $zeek_login_field_names.zip(event.get('[message]')).to_h)" } } - if ([zeek_cols][proto]) and ([zeek_cols][proto] != '-') and ([zeek_cols][proto] != '(empty)') and ([zeek_cols][proto] != '') { - mutate { id => "mutate_add_field_zeek_login_service" - add_field => { "[zeek_cols][service]" => "%{[zeek_cols][proto]}" } } - } - } else if ([log_source] == "modbus") { ############################################################################################################################# # modbus.log 
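Review bot: Removing the `mutate_add_field_zeek_login_service` block drops the only check that kept Zeek's `-`, `(empty)` and `''` placeholders out of `[zeek_cols][service]`; with the dissect mapping and the `ruby_zip_zeek_login` field list now naming the seventh column `service` directly, a login record whose service column is `-` will carry that literal into `service` and, via the common-field rename later in this file, into `[network][protocol]`. If a generic placeholder-pruning step runs before that rename this is harmless, but none is visible in this hunk; otherwise a guard such as `if ([zeek_cols][service] == "-") or ([zeek_cols][service] == "(empty)") { mutate { id => "mutate_remove_field_zeek_login_service_placeholder" remove_field => [ "[zeek_cols][service]" ] } }` restores the previous behaviour for this log type. The enclosing `else if` chain continues outside the hunk.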
@@ -2225,39 +2221,6 @@ filter { mutate { id => "mutate_add_tag_ics_modbus_read_write_multiple_registers_log" add_tag => [ "ics" ] } - } else if ([log_source] == "modbus_register_change") { - ############################################################################################################################# - # modbus_register_change.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/track-memmap.zeek.html#type-Modbus::MemmapInfo - - dissect { - id => "dissect_zeek_modbus_register_change" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][register]} %{[zeek_cols][old_val]} %{[zeek_cols][new_val]} %{[zeek_cols][delta]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_register_change" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_register_change" - init => "$zeek_modbus_register_change_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'register', 'old_val', 'new_val', 'delta' ]" - code => "event.set('[zeek_cols]', $zeek_modbus_register_change_field_names.zip(event.get('[message]')).to_h)" - } - } - - mutate { - id => "mutate_add_fields_zeek_modbus_register_change" - add_field => { "[zeek_cols][service]" => "modbus" } - } - - mutate { id => "mutate_add_tag_ics_modbus_register_change_log" - add_tag => [ "ics" ] } - } else if ([log_source] == "mqtt_connect") { ############################################################################################################################# # mqtt_connect.log 
@@ -3192,7 +3155,7 @@ filter { id => "dissect_zeek_software" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}" } } if ("_dissectfailure" in [tags]) { @@ -3203,7 +3166,7 @@ filter { } ruby { id => "ruby_zip_zeek_software" - init => "$zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version' ]" + init => "$zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]" code => "event.set('[zeek_cols]', $zeek_software_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -3835,53 +3798,52 @@ filter { # rename the zeek child array to match the log type mutate { id => "mutate_rename_zeek_log_type" - rename => { "[zeek_cols]" => "[zeek_%{[log_source]}]" } } + rename => { "[zeek_cols]" => "[zeek][%{[log_source]}]" } } # move "up" some fields that are considered to be "multi-log" fields (eg., they # show up in many types of logs) mutate { id => "mutate_rename_zeek_common_fields" - rename => { "[zeek_%{[log_source]}][ts]" => "[zeek][ts]" } - rename => { "[zeek_%{[log_source]}][uid]" => "[zeek][uid]" } - rename => { "[zeek_%{[log_source]}][fuid]" => "[zeek][fuid]" } - rename => { "[zeek_%{[log_source]}][orig_h]" => "[zeek][orig_h]" } - rename => { "[zeek_%{[log_source]}][orig_p]" => "[zeek][orig_p]" } - rename => { "[zeek_%{[log_source]}][orig_l2_addr]" => "[zeek][orig_l2_addr]" } - rename => { "[zeek_%{[log_source]}][resp_h]" => "[zeek][resp_h]" } - rename => { "[zeek_%{[log_source]}][resp_p]" => "[zeek][resp_p]" } - rename => { "[zeek_%{[log_source]}][resp_l2_addr]" => "[zeek][resp_l2_addr]" } - rename => { "[zeek_%{[log_source]}][proto]" => "[zeek][proto]" } - rename => { "[zeek_%{[log_source]}][service]" => "[zeek][service]" } - rename => { "[zeek_%{[log_source]}][user]" => "[zeek][user]" } - rename => { "[zeek_%{[log_source]}][password]" => "[zeek][password]" } - rename => { "[zeek_%{[log_source]}][community_id]" => "[zeek][community_id]" } + rename => { "[zeek][%{[log_source]}][ts]" => "[zeek][ts]" } + rename => { "[zeek][%{[log_source]}][uid]" => "[zeek][uid]" } + rename => { "[zeek][%{[log_source]}][fuid]" => "[zeek][fuid]" } + rename => { "[zeek][%{[log_source]}][orig_h]" => "[source][ip]" } + rename => { "[zeek][%{[log_source]}][orig_p]" => "[source][port]" } + rename => { "[zeek][%{[log_source]}][orig_l2_addr]" => "[source][mac]" } + rename => { "[zeek][%{[log_source]}][resp_h]" => "[destination][ip]" } + rename => { "[zeek][%{[log_source]}][resp_p]" => "[destination][port]" } + rename => { 
"[zeek][%{[log_source]}][resp_l2_addr]" => "[destination][mac]" } + rename => { "[zeek][%{[log_source]}][proto]" => "[network][transport]" } + rename => { "[zeek][%{[log_source]}][service]" => "[network][protocol]" } + rename => { "[zeek][%{[log_source]}][user]" => "[related][user]" } + rename => { "[zeek][%{[log_source]}][password]" => "[related][password]" } + rename => { "[zeek][%{[log_source]}][community_id]" => "[network][community_id]" } } - if ([zeek][orig_h]) { mutate { id => "mutate_add_field_zeek_srcIp" - add_field => { "[source][ip]" => "%{[zeek][orig_h]}" } } } - if ([zeek][orig_p]) { mutate { id => "mutate_add_field_zeek_srcPort" - add_field => { "[source][port]" => "%{[zeek][orig_p]}" } } } - if ([zeek][resp_h]) { mutate { id => "mutate_add_field_zeek_dstIp" - add_field => { "[destination][ip]" => "%{[zeek][resp_h]}" } } } - if ([zeek][resp_p]) { mutate { id => "mutate_add_field_zeek_dstPort" - add_field => { "[destination][port]" => "%{[zeek][resp_p]}" } } } - if ([zeek][community_id]) { mutate { id => "mutate_add_field_zeek_communityId" - add_field => { "[network][community_id]" => "%{[zeek][community_id]}" } } } - - if ([zeek][orig_l2_addr]) { - # copy orig_l2_addr into source.mac array (with a count of 1) - mutate { id => "mutate_merge_field_zeek_srcMac" - merge => { "[source][mac]" => "[zeek][orig_l2_addr]" } } - mutate { id => "mutate_add_field_zeek_srcMacCnt" - add_field => { "[source][mac-cnt]" => "1" } } + if ([source][mac]) { + mutate { id => "mutate_split_zeek_source_mac" + split => { "[source][mac]" => "," } } + ruby { + id => "ruby_zeek_conn_src_mac_cnt" + path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" + script_params => { + "source" => "[source][mac]" + "target" => "[source][mac-cnt]" + } + } } - if ([zeek][resp_l2_addr]) { - # copy resp_l2_addr into destination.mac array (with a count of 1) - mutate { id => "mutate_merge_field_zeek_dstMac" - merge => { "[destination][mac]" => "[zeek][resp_l2_addr]" } } - mutate { id => 
"mutate_add_field_zeek_dstMacCnt" - add_field => { "[destination][mac-cnt]" => "1" } } + if ([destination][mac]) { + mutate { id => "mutate_split_zeek_destination_mac" + split => { "[destination][mac]" => "," } } + ruby { + id => "ruby_zeek_conn_dst_mac_cnt" + path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" + script_params => { + "destination" => "[destination][mac]" + "target" => "[destination][mac-cnt]" + } + } } if ([zeek][uid]) { @@ -3899,27 +3861,30 @@ filter { mutate { id => "mutate_add_field_zeek_uid" add_field => { "[zeek][uid]" => "%{[@metadata][uuid]}" } } } + # ECS - zeek.uid -> event.id + mutate { id => "mutate_add_field_ecs_id_uid" + merge => { "[event][id]" => "[zeek][uid]" } } # if present, FUIDs are always a vector (comma-separated) if ([zeek][fuid]) { mutate { id => "mutate_split_zeek_fuids" split => { "[zeek][fuid]" => "," } } } if ([log_source] == "conn") { - mutate { id => "mutate_add_field_zeek_conn_zeekLogDocId" - add_field => { "[zeekLogDocId]" => "%{[zeek][uid]}" } } + mutate { id => "mutate_add_field_zeek_conn_malcolmDocId" + add_field => { "[malcolmDocId]" => "%{[zeek][uid]}" } } } else { if ([log][offset]) { - mutate { id => "mutate_add_field_zeek_not_conn_offset_zeekLogDocId" - add_field => { "[zeekLogDocId]" => "%{[zeek][uid]}-%{log_source}-%{[log][offset]}" } } + mutate { id => "mutate_add_field_zeek_not_conn_offset_malcolmDocId" + add_field => { "[malcolmDocId]" => "%{[zeek][uid]}-%{log_source}-%{[log][offset]}" } } } else { uuid { id => "uuid_zeek_random_not_conn" target => "[@metadata][uuid]" overwrite => true } - mutate { id => "mutate_add_field_zeek_not_conn_zeekLogDocId" - add_field => { "[zeekLogDocId]" => "%{[zeek][uid]}-%{log_source}:%{[@metadata][uuid]}" } } + mutate { id => "mutate_add_field_zeek_not_conn_malcolmDocId" + add_field => { "[malcolmDocId]" => "%{[zeek][uid]}-%{log_source}:%{[@metadata][uuid]}" } } } } # if/else for defining logOffset field used in document ID for elasticsearch 
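Review bot: In the `ruby_zeek_conn_dst_mac_cnt` filter near the end of the hunk, `script_params` passes the field as `"destination" => "[destination][mac]"`, whereas the parallel `ruby_zeek_conn_src_mac_cnt` block and the `add_count_field.rb` call in the new 98_make_unique.conf both pass it under the `"source"` key; unless the script accepts both names (not visible here), the destination count will read a missing parameter and `[destination][mac-cnt]` will never be set. Change it to `"source" => "[destination][mac]"`. The two ids also still say `conn` although, after the common-field rename, the `if ([source][mac])`/`if ([destination][mac])` blocks appear to run for any log type carrying L2 addresses; `ruby_zeek_src_mac_cnt`/`ruby_zeek_dst_mac_cnt` would be clearer. The enclosing filter block starts and ends outside the hunk.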
@@ -3951,19 +3916,32 @@ filter { code => "event.set('[timestamp]', (1000*event.get('[zeek][ts]').to_f).round(0)) event.set('[firstPacket]', event.get('[timestamp]'))" } - if ([zeek_conn]) and ([zeek_conn][duration]) { + + # ECS - firstPacket -> event.start + mutate { id => "mutate_add_field_ecs_event_start" + add_field => { "[event][start]" => "%{[firstPacket]}" } } + + if ([zeek][conn]) and ([zeek][conn][duration]) { # convert duration (floating-point seconds) to milliseconds ruby { id => "ruby_zeek_duration_calc" - code => "event.set('[length]', (1000*event.get('[zeek_conn][duration]').to_f).round(0)) + code => "event.set('[length]', (1000*event.get('[zeek][conn][duration]').to_f).round(0)) event.set('[lastPacket]', event.get('[timestamp]').to_i + event.get('[length]').to_i)" } + # ECS - zeek.conn.duration -> event.duration + ruby { + id => "ruby_zeek_duration_to_ecs_event_duration" + code => "event.set('[event][duration]', (1000000000 * event.get('[zeek][conn][duration]').to_f).round(0))" + } } else { mutate { id => "mutate_add_field_zeek_lastPacket" add_field => { "[lastPacket]" => "%{timestamp}" } } mutate { id => "mutate_add_field_zeek_length" add_field => { "[length]" => "0" } } } + # ECS - lastPacket -> event.end + mutate { id => "mutate_add_field_ecs_event_end" + add_field => { "[event][end]" => "%{[lastPacket]}" } } # set the ts back as something more readable mutate { id => "mutate_replace_zeek_ts" 
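Review bot: The new `ruby_zeek_duration_to_ecs_event_duration` filter re-reads and re-parses `[zeek][conn][duration]` that `ruby_zeek_duration_calc` has just converted in the block directly above it; appending `event.set('[event][duration]', (1000000000 * event.get('[zeek][conn][duration]').to_f).round(0))` to that existing `code` string gives the same result with one ruby invocation per conn record instead of two. Separately, `event.start` and `event.end` are populated via `%{[firstPacket]}`/`%{[lastPacket]}` sprintf, which yields strings although `firstPacket`/`lastPacket` are computed as integer epoch milliseconds; whether the index template maps these ECS date fields to accept epoch_millis strings is not visible here, so confirm that before relying on them in dashboards. The enclosing `if ([zeek][ts])` block starts and ends outside the hunk.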
@@ -3971,36 +3949,52 @@ filter { } # if ([zeek][ts]) # set user and transport- and application-level protocols if specified - if ([zeek][user]) { - mutate { id => "mutate_split_zeek_user" - split => { "[zeek][user]" => "," } } + if ([related][user]) { + mutate { id => "mutate_split_related_user" + split => { "[related][user]" => "," } } mutate { id => "mutate_merge_zeek_user" - merge => { "[user]" => "[zeek][user]" } } + merge => { "[user]" => "[related][user]" } } + # TODO: ECS user, see https://www.elastic.co/guide/en/ecs/current/ecs-user.html#_field_reuse_24 + # user field could (should?) be stored elsewhere, perhaps? + # note that if so, the arkime "user" field may conflict with ECS here } - if ([zeek][proto]) { + if ([network][transport]) { translate { id => "translate_zeek_proto" - field => "[zeek][proto]" + field => "[network][transport]" destination => "[ipProtocol]" dictionary_path => "/etc/ip_protocol_numbers.yaml" } mutate { id => "mutate_split_zeek_proto" - split => { "[zeek][proto]" => "," } } + split => { "[network][transport]" => "," } } mutate { id => "mutate_merge_zeek_proto" - merge => { "[protocol]" => "[zeek][proto]" } } + merge => { "[protocol]" => "[network][transport]" } } + + if ([ipProtocol]) { + # ECS - ipProtocol -> network.iana_number + mutate { id => "mutate_add_field_ecs_network_iana_number" + add_field => { "[network][iana_number]" => "%{[ipProtocol]}" } } + } } - if ([zeek][service]) { + if ([network][protocol]) { mutate { id => "mutate_split_zeek_service" - split => { "[zeek][service]" => "," } } + split => { "[network][protocol]" => "," } } ruby { - id => "ruby_zeek_service_uniq" + id => "ruby_zeek_network_protocol_uniq" path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" script_params => { - "field" => "[zeek][service]" + "field" => "[network][protocol]" } } mutate { id => "mutate_merge_zeek_service" - merge => { "[protocol]" => "[zeek][service]" } } + merge => { "[protocol]" => "[network][protocol]" } } + + # ECS - 
network.protocol -> network.application + # TODO: what's the difference? https://www.elastic.co/guide/en/ecs/current/ecs-network.html + if ([network][protocol]) { + mutate { id => "mutate_add_field_ecs_network_application" + add_field => { "[network][application]" => "%{[network][protocol]}" } } + } } if ([log_source] == "conn") { @@ -4009,22 +4003,24 @@ filter { translate { id => "translate_zeek_conn_state" - field => "[zeek_conn][conn_state]" - destination => "[zeek_conn][conn_state_description]" + field => "[zeek][conn][conn_state]" + destination => "[zeek][conn][conn_state_description]" dictionary_path => "/etc/conn_states.yaml" } mutate { id => "mutate_split_zeek_conn_tunnel_parents" - split => { "[zeek_conn][tunnel_parents]" => "," } } + split => { "[zeek][conn][tunnel_parents]" => "," } } - if ([zeek_conn][vlan] or [zeek_conn][inner_vlan]) { - if ([zeek_conn][vlan]) { + if ([zeek][conn][vlan] or [zeek][conn][inner_vlan]) { + # ECS - zeek.conn.vlan -> network.vlan.id + if ([zeek][conn][vlan]) { mutate { id => "mutate_merge_zeek_conn_vlan" - merge => { "[network][vlan][id]" => "[zeek_conn][vlan]" } } + merge => { "[network][vlan][id]" => "[zeek][conn][vlan]" } } } - if ([zeek_conn][inner_vlan]) { + if ([zeek][conn][inner_vlan]) { + # ECS - zeek.conn.inner_vlan -> network.inner.vlan.id mutate { id => "mutate_merge_zeek_conn_inner_vlan" - merge => { "[network][vlan][id]" => "[zeek_conn][inner_vlan]" } } + merge => { "[network][inner][vlan][id]" => "[zeek][conn][inner_vlan]" } } } ruby { id => "ruby_zeek_conn_vlanCnt" 
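Review bot: The TODO above `mutate_add_field_ecs_network_application` can be answered rather than left open: in ECS, `network.protocol` is the application-layer protocol name (`http`, `dns`, `ssh`), while `network.application` is reserved for a specific application or service identified from the connection (a named web service behind a TLS session, for instance), so copying `network.protocol` into `network.application` fills the latter with values it is not meant to hold. Either drop that mutate or replace the TODO with `# network.application is for an identified application/service name, not the L7 protocol; left unset here`. The inner `if ([network][protocol])` guard around the copy is also redundant, because the enclosing block already tested the same field.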
@@ -4044,11 +4040,11 @@ filter { event.set('[network][packets]', event.get('[source][packets]').to_i + event.get('[destination][packets]').to_i)" } - if ([zeek_conn][history]) { + if ([zeek][conn][history]) { ruby { id => "ruby_zeek_conn_history" # see https://www.zeek.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info - code => "historyStr = event.get('[zeek_conn][history]').upcase + code => "historyStr = event.get('[zeek][conn][history]').upcase sCnt = historyStr.count('S') hCnt = historyStr.count('H') aCnt = historyStr.count('A') @@ -4063,19 +4059,19 @@ filter { } # tag ICS services from conn.log - if (("bacnet" in [zeek][service]) or - ("bsap" in [zeek][service]) or - ("cip" in [zeek][service]) or - ("cotp" in [zeek][service]) or - ("dnp3" in [zeek][service]) or - ("ecat" in [zeek][service]) or - ("enip" in [zeek][service]) or - ("ethercat" in [zeek][service]) or - ("iso_cotp" in [zeek][service]) or - ("modbus" in [zeek][service]) or - ("profinet" in [zeek][service]) or - ("profinet_dce_rpc" in [zeek][service]) or - ("s7comm" in [zeek][service])) { + if (("bacnet" in [network][protocol]) or + ("bsap" in [network][protocol]) or + ("cip" in [network][protocol]) or + ("cotp" in [network][protocol]) or + ("dnp3" in [network][protocol]) or + ("ecat" in [network][protocol]) or + ("enip" in [network][protocol]) or + ("ethercat" in [network][protocol]) or + ("iso_cotp" in [network][protocol]) or + ("modbus" in [network][protocol]) or + ("profinet" in [network][protocol]) or + ("profinet_dce_rpc" in [network][protocol]) or + ("s7comm" in [network][protocol])) { mutate { id => "mutate_add_tag_ics_conn_log" add_tag => [ "ics" ] } } 
@@ -4085,68 +4081,106 @@ filter { # bacnet_discovery.log specific logic # bacnet_discovery.range ccan be split into a min/max (All, 12345-12350, etc.) - if ([zeek_bacnet_discovery][range]) { - if ([zeek_bacnet_discovery][range] == "All") { + if ([zeek][bacnet_discovery][range]) { + if ([zeek][bacnet_discovery][range] == "All") { mutate { id => "mutate_add_field_zeek_bacnet_discovery_range_low" - add_field => { "[zeek_bacnet_discovery][range_low]" => "0" } } + add_field => { "[zeek][bacnet_discovery][range_low]" => "0" } } mutate { id => "mutate_add_field_zeek_bacnet_discovery_range_high" - add_field => { "[zeek_bacnet_discovery][range_high]" => "4194300" } } - } else if ([zeek_bacnet_discovery][range] =~ "^\d+-\d+$") { + add_field => { "[zeek][bacnet_discovery][range_high]" => "4194300" } } + } else if ([zeek][bacnet_discovery][range] =~ "^\d+-\d+$") { ruby { id => "ruby_bacnet_discovery_range_split" code => " - if (bacnetRange = event.get('[zeek_bacnet_discovery][range]').split('-')) and (bacnetRange.length == 2) then - event.set('[zeek_bacnet_discovery][range_low]', bacnetRange[0]) - event.set('[zeek_bacnet_discovery][range_high]', bacnetRange[1]) + if (bacnetRange = event.get('[zeek][bacnet_discovery][range]').split('-')) and (bacnetRange.length == 2) then + event.set('[zeek][bacnet_discovery][range_low]', bacnetRange[0]) + event.set('[zeek][bacnet_discovery][range_high]', bacnetRange[1]) end" } } } + } else if ([log_source] == "cip_identity") { + ############################################################################################################################# + # cip_identity.log specific logic + + if ([zeek][cip_identity][socket_address]) { + + # if this is a zeek_cip_identity record with socket_address, ASN/GeoIP it as well + geoip { + id => "geoip_zeek_cip_identity_socket_address" + default_database_type => "ASN" + source => "[zeek][cip_identity][socket_address]" + target => "[@metadata][zeek_cip_identity_asn]" + } + if 
([@metadata][zeek_cip_identity_asn] and [@metadata][zeek_cip_identity_asn][as_org] and [@metadata][zeek_cip_identity_asn][asn]) { + # this is stupid, the %{} doesn't seem to be liked by mutate.merge + mutate { id => "mutate_add_field_zeek_cip_identity_asn" + add_field => { "[@metadata][cip_asn_str]" => "AS%{[@metadata][zeek_cip_identity_asn][asn]} %{[@metadata][zeek_cip_identity_asn][as_org]}" } } + mutate { id => "mutate_merge_zeek_cip_identity_asn" + merge => { "[zeek][cip_identity][socket_address_asn]" => "[@metadata][cip_asn_str]" } } + } + geoip { + id => "geoip_zeek_cip_identity_socket_address_geo" + source => "[zeek][cip_identity][socket_address]" + target => "[zeek][cip_identity][socket_address_geo]" + } + + } + } else if ([log_source] == "dhcp") { ############################################################################################################################# # dhcp.log specific logic - if ([zeek][orig_l2_addr]) { + if ([source][mac]) { mutate { id => "mutate_add_fields_zeek_dhcp_mac" - add_field => { "[zeek_dhcp][mac]" => "%{[zeek][orig_l2_addr]}" } + add_field => { "[zeek][dhcp][mac]" => "%{[source][mac]}" } } mutate { id => "mutate_merge_zeek_dhcp_mac" - merge => { "[dhcp][mac]" => "[zeek][orig_l2_addr]" } } + merge => { "[dhcp][mac]" => "[source][mac]" } } mutate { id => "mutate_add_field_dhcp_macCnt" add_field => { "[dhcp][macCnt]" => "1" } } } - if ([zeek_dhcp][msg_types]) { + if ([zeek][dhcp][msg_types]) { mutate { id => "mutate_split_zeek_dhcp_msg_types" - split => { "[zeek_dhcp][msg_types]" => "," } } + split => { "[zeek][dhcp][msg_types]" => "," } } ruby { id => "ruby_zeek_dhcp_msg_types" path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" script_params => { - "field" => "[zeek_dhcp][msg_types]" + "field" => "[zeek][dhcp][msg_types]" } } mutate { id => "mutate_merge_zeek_dhcp_type" - merge => { "[dhcp][type]" => "[zeek_dhcp][msg_types]" } } + merge => { "[dhcp][type]" => "[zeek][dhcp][msg_types]" } } } - if 
([zeek_dhcp][trans_id]) { + if ([zeek][dhcp][trans_id]) { mutate { id => "mutate_merge_zeek_dhcp_id" - merge => { "[dhcp][id]" => "[zeek_dhcp][trans_id]" } } + merge => { "[dhcp][id]" => "[zeek][dhcp][trans_id]" } } mutate { id => "mutate_add_field_dhcp_idCnt" add_field => { "[dhcp][idCnt]" => "1" } } } - if ([zeek_dhcp][host_name]) { + if ([zeek][dhcp][host_name]) { mutate { id => "mutate_merge_zeek_dhcp_host_name" - merge => { "[dhcp][host]" => "[zeek_dhcp][host_name]" } } + merge => { "[dhcp][host]" => "[zeek][dhcp][host_name]" } } + + # ECS - zeek.dhcp.host_name -> client.domain + mutate { id => "mutate_add_field_ecs_client_domain_dhcp_host_name" + add_field => { "[client][domain]" => "%{[zeek][dhcp][host_name]}" } } } - if ([zeek_dhcp][assigned_ip]) { + if ([zeek][dhcp][domain]) { + # ECS - zeek.dhcp.domain -> client.domain + mutate { id => "mutate_add_field_ecs_client_domain_dhcp_domain" + add_field => { "[client][domain]" => "%{[zeek][dhcp][domain]}" } } + } + + if ([zeek][dhcp][assigned_ip]) { mutate { id => "mutate_merge_zeek_dhcp_host" - merge => { "[dhcp][host]" => "[zeek_dhcp][assigned_ip]" } } + merge => { "[dhcp][host]" => "[zeek][dhcp][assigned_ip]" } } } if ([dhcp][host]) { 
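Review bot: In the dhcp branch, `[client][domain]` is written with `add_field` from both `zeek.dhcp.host_name` and `zeek.dhcp.domain`; when a lease carries both, Logstash appends the second value to the existing field, so `client.domain` becomes a two-element array even though ECS defines it as a single keyword, and a bare DHCP host name (a machine name) is not a domain in the first place. Prefer `zeek.dhcp.domain` and fall back to the host name only when it is absent, i.e. `if ([zeek][dhcp][domain]) { ... } else if ([zeek][dhcp][host_name]) { ... }` around the two existing mutate blocks, or keep the host name under a host-oriented field instead. The `else if` chain on `[log_source]` that encloses these blocks starts outside the hunk.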
@@ -4170,13 +4204,13 @@ filter { id => "ruby_parse_dnp3_iin" init => "$zeek_dnp3_iin_flags = [ 'Function Code not Implemented', 'Requested Objects Unknown', 'Parameters Invalid or Out of Range', 'Event Buffer Overflow', 'Operation Already Executing', 'Configuration Corrupt', 'Reserved', 'Reserved', 'Broadcast Msg Rx', 'Class 1 Data Available', 'Class 2 Data Available', 'Class 3 Data Available', 'Time Sync Required', 'Digital Outputs in Local', 'Device Trouble', 'Device Restart' ]" code => " - iinNum = event.get('[zeek_dnp3][iin]').to_i + iinNum = event.get('[zeek][dnp3][iin]').to_i if (iinNum > 0) then iinFlags = Array.new $zeek_dnp3_iin_flags.each_with_index do |val, idx| iinFlags.push(val) if (iinNum[idx] == 1) end - event.set('[zeek_dnp3][iin_flags]', iinFlags) + event.set('[zeek][dnp3][iin_flags]', iinFlags) end" } 
@@ -4184,25 +4218,34 @@ filter { ############################################################################################################################# # dns.log specific logic + mutate { id => "mutate_split_zeek_dns_TTLs" + split => { "[zeek][dns][TTLs]" => "," } } + # this must be done because [dns][ip] only handles IPv4 or IPv6 addresses # but [answers] can contain hostnames as well - if ([zeek_dns][answers]) { + if ([zeek][dns][answers]) { ruby { id => "ruby_zeek_dns_answers_ip_extract" # todo: adjust this regex so it at least sort of catches IPv6 as well - code => "event.set('[@metadata][answers_ip]', event.get('[zeek_dns][answers]').scan(/\d+\.\d+\.\d+\.\d+/).join(','))" + code => "event.set('[@metadata][answers_ip]', event.get('[zeek][dns][answers]').scan(/\d+\.\d+\.\d+\.\d+/).join(','))" } mutate { id => "mutate_split_zeek_dns_answers" - split => { "[zeek_dns][answers]" => "," } } + split => { "[zeek][dns][answers]" => "," } } mutate { id => "mutate_split_zeek_dns_answers_ip" split => { "[@metadata][answers_ip]" => "," } } + # ECS - zeek.dns -> dns.answers + ruby { + id => "ruby_zeek_dns_answers_to_ecs" + code => ' + event.set("[dns][answers]", [Array(event.get("[zeek][dns][answers]")), Array(event.get("[zeek][dns][TTLs]"))].transpose.map{ |d| Hash[[:data, :ttl].zip(d)] }) + '} + mutate { id => "mutate_add_field_ecs_dns_type_answer" + add_field => { "[dns][type]" => "answer" } } } - mutate { id => "mutate_split_zeek_dns_TTLs" - split => { "[zeek_dns][TTLs]" => "," } } - if ([zeek_dns][query]) { + if ([zeek][dns][query]) { mutate { id => "mutate_merge_zeek_query" - merge => { "[dns][host]" => "[zeek_dns][query]" } } + merge => { "[dns][host]" => "[zeek][dns][query]" } } # seriously I do not get how merge works mutate { id => "mutate_add_field_zeek_opcode" add_field => { "[@metadata][opcode]" => "QUERY" } } 
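Review bot: `ruby_zeek_dns_answers_to_ecs` builds `dns.answers` with `Array#transpose`, which raises `IndexError` whenever `[zeek][dns][answers]` and `[zeek][dns][TTLs]` differ in length (for example when the TTLs column is absent for a record and `Array(nil)` yields `[]`), so the ruby filter tags the event `_rubyexception` and `dns.answers` is lost. `Array#zip` pads the shorter side with nil instead: `event.set("[dns][answers]", Array(event.get("[zeek][dns][answers]")).zip(Array(event.get("[zeek][dns][TTLs]"))).map { |d, t| { :data => d, :ttl => t } })`. The enclosing `if ([log_source] == "dns")` branch starts and ends outside the hunk.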
@@ -4225,75 +4268,142 @@ filter { "target" => "[dns][ipCnt]" } } + # ECS dns.ip -> dns.resolved_ip + mutate { id => "mutate_merge_ecs_dhs_resolved_ip" + merge => { "[dns][resolved_ip]" => "[dns][ip]" } } } - if ([zeek_dns][qclass_name]) { + if ([zeek][dns][qclass_name]) { mutate { id => "mutate_merge_zeek_dns_qc" - merge => { "[dns][qc]" => "[zeek_dns][qclass_name]" } } + merge => { "[dns][qc]" => "[zeek][dns][qclass_name]" } } mutate { id => "mutate_add_field_dns_qcCnt" add_field => { "[dns][qcCnt]" => "1" } } } - if ([zeek_dns][qtype_name]) { + if ([zeek][dns][qtype_name]) { mutate { id => "mutate_merge_zeek_dns_qt" - merge => { "[dns][qt]" => "[zeek_dns][qtype_name]" } } + merge => { "[dns][qt]" => "[zeek][dns][qtype_name]" } } mutate { id => "mutate_add_field_dns_qtCnt" add_field => { "[dns][qtCnt]" => "1" } } } + # dns.op_code + if ([dns][opcode]) { mutate { id => "mutate_add_field_ecs_dns_opcode" + add_field => { "[dns][op_code]" => "%{[dns][opcode]}" } } } + + # dns.question.class + if ([zeek][dns][qclass_name]) { mutate { id => "mutate_add_field_ecs_dns_qclass" + add_field => { "[dns][question][class]" => "%{[zeek][dns][qclass_name]}" } } } + + # dns.question.type + if ([zeek][dns][qtype_name]) { mutate { id => "mutate_add_field_ecs_dns_qtype" + add_field => { "[dns][question][type]" => "%{[zeek][dns][qtype_name]}" } } } + + # dns.question.name and dns.type:query + if ([zeek][dns][query]) { + mutate { id => "mutate_add_field_ecs_dns_query" + add_field => { "[dns][question][name]" => "%{[zeek][dns][query]}" } } + if (![dns][type]) { mutate { id => "mutate_add_field_ecs_dns_type_query" + add_field => { "[dns][type]" => "query" } } } + } + + if ([dns][type]) { + # dns.header_flags + if ([zeek][AA] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_aa" + add_field => { "[dns][header_flags]" => "AA" } } } + if ([zeek][TC] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_tc" + add_field => { "[dns][header_flags]" => "TC" } } } + if 
([zeek][RD] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_rd" + add_field => { "[dns][header_flags]" => "RD" } } } + if ([zeek][RA] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_ra" + add_field => { "[dns][header_flags]" => "RA" } } } + } + + # dns.response_code + if ([zeek][dns][rcode_name]) { mutate { id => "mutate_add_field_ecs_dns_response_code" + add_field => { "[dns][response_code]" => "%{[zeek][dns][rcode_name]}" } } } + + # dns.id + if ([zeek][dns][trans_id]) { mutate { id => "mutate_add_field_ecs_dns_id" + add_field => { "[dns][id]" => "%{[zeek][dns][trans_id]}" } } } + + # TODO: domain stuff (dns.question.registered_domain, dns.question.subdomain, dns.question.top_level_domain) + # perhaps use something like https://github.com/plutonbacon/logstash-filter-publicsuffix + } else if ([log_source] == "files") { ############################################################################################################################# # files.log specific logic - if ([zeek_files][total_bytes]) { + if ([zeek][files][total_bytes]) { ruby { id => "ruby_zeek_files_totBytes" - code => "event.set('[network][bytes]', event.get('[zeek_files][total_bytes]').to_i)" + code => "event.set('[network][bytes]', event.get('[zeek][files][total_bytes]').to_i)" } } - if ([zeek_files][seen_bytes]) { + if ([zeek][files][seen_bytes]) { ruby { id => "ruby_zeek_files_totDataBytes" - code => "event.set('[totDataBytes]', event.get('[zeek_files][seen_bytes]').to_i)" + code => "event.set('[totDataBytes]', event.get('[zeek][files][seen_bytes]').to_i)" } } - if ([zeek_files][parent_fuid]) { mutate { id => "mutate_split_zeek_files_parent_fuid" - split => { "[zeek_files][parent_fuid]" => "," } } } + if ([zeek][files][parent_fuid]) { mutate { id => "mutate_split_zeek_files_parent_fuid" + split => { "[zeek][files][parent_fuid]" => "," } } } - if ([zeek_files][analyzers]) { mutate { id => "mutate_split_zeek_files_analyzers" - split => { "[zeek_files][analyzers]" 
=> "," } } } + if ([zeek][files][analyzers]) { mutate { id => "mutate_split_zeek_files_analyzers" + split => { "[zeek][files][analyzers]" => "," } } } - if ([zeek_files][source]) { + if ([zeek][files][source]) { # do some normalization on files source mutate { id => "mutate_gsub_field_zeek_files_source_spicy_suffix" - gsub => [ "[zeek_files][source]", "_(TCP|UDP|DATA)$", "" ] } + gsub => [ "[zeek][files][source]", "_(TCP|UDP|DATA)$", "" ] } mutate { id => "mutate_gsub_field_zeek_files_source_spicy_prefix" - gsub => [ "[zeek_files][source]", "^SPICY_", "" ] } + gsub => [ "[zeek][files][source]", "^SPICY_", "" ] } - if ([zeek_files][source] =~ /^XOR decrypted from /) { + if ([zeek][files][source] =~ /^XOR decrypted from /) { # PE_XOR plugin writes source as "XOR decrypted from FM7Tr545kxt3ofR7x2-"..., let's # standardize that to just "XOR decrypted" and put the source fuid in parent_fuid grok { id => "grok_zeek_files_source_xor" - match => { "[zeek_files][source]" => [ "decrypted%{SPACE}from%{SPACE}%{WORD:[@metadata][source_xor_fuid]}" ] } + match => { "[zeek][files][source]" => [ "decrypted%{SPACE}from%{SPACE}%{WORD:[@metadata][source_xor_fuid]}" ] } } if ([@metadata][source_xor_fuid]) { mutate { id => "mutate_merge_zeek_files_source_xor_parent_fuid" - merge => { "[zeek_files][parent_fuid]" => "[@metadata][source_xor_fuid]" } } } + merge => { "[zeek][files][parent_fuid]" => "[@metadata][source_xor_fuid]" } } } mutate { id => "mutate_replace_zeek_files_source_xor" - replace => { "[zeek_files][source]" => "XOR decrypted" } } + replace => { "[zeek][files][source]" => "XOR decrypted" } } + + } else if ([zeek][files][source] == "SSL") { + # SSL->TLS to match up with what the service field has for cross-referencing + mutate { id => "mutate_replace_zeek_files_source_ssl_to_tls" + replace => { "[zeek][files][source]" => "TLS" } } } } + # ECS - "file" -> file.type + mutate { id => "mutate_add_field_ecs_file_type" + add_field => { "[file][type]" => "file" } } + + # ECS -> 
zeek_files.total_bytes -> file.size + if ([zeek][files][total_bytes]) { mutate { id => "mutate_add_field_ecs_files_size" + add_field => { "[file][size]" => "%{[zeek][files][total_bytes]}" } } } + + # ECS -> zeek_files.(md5|sha1|sha256) -> file.hash.(md5|sha1|sha256) + if ([zeek][files][md5]) { mutate { id => "mutate_add_field_ecs_files_hash_md5" + add_field => { "[file][hash][md5]" => "%{[zeek][files][md5]}" } } } + if ([zeek][files][sha1]) { mutate { id => "mutate_add_field_ecs_files_hash_sha1" + add_field => { "[file][hash][sha1]" => "%{[zeek][files][sha1]}" } } } + if ([zeek][files][sha256]) { mutate { id => "mutate_add_field_ecs_files_hash_sha256" + add_field => { "[file][hash][sha256]" => "%{[zeek][files][sha256]}" } } } + } else if ([log_source] == "ftp") { ############################################################################################################################# # ftp.log specific logic - if ([zeek_ftp][file_size]) { + if ([zeek][ftp][file_size]) { ruby { id => "ruby_zeek_ftp_totDataBytes" - code => "event.set('[totDataBytes]', event.get('[zeek_ftp][file_size]').to_i)" + code => "event.set('[totDataBytes]', event.get('[zeek][ftp][file_size]').to_i)" } } 
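Review bot: The `dns.header_flags` conditions test `[zeek][AA]`, `[zeek][TC]`, `[zeek][RD]` and `[zeek][RA]`, while every other dns column in this hunk lives under `[zeek][dns][...]`; unless those four columns are relocated to the top `[zeek]` level somewhere earlier in the pipeline, these conditions never match and `dns.header_flags` is never populated. The fix is to address them as `if ([zeek][dns][AA] == "T")` (and likewise for TC, RD and RA). The filter id `mutate_merge_ecs_dhs_resolved_ip` also carries a `dhs`/`dns` transposition worth correcting while the ids are being renamed.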
@@ -4301,24 +4411,24 @@ filter { ############################################################################################################################# # gquic.log specific logic - if ([zeek_gquic][user_agent]) { + if ([zeek][gquic][user_agent]) { mutate { id => "mutate_merge_zeek_quic_useragent" - merge => { "[quic][useragent]" => "[zeek_gquic][user_agent]" } } + merge => { "[quic][useragent]" => "[zeek][gquic][user_agent]" } } mutate { id => "mutate_add_field_zeek_quic_useragentCnt" add_field => { "[quic][useragentCnt]" => "1" } } } - if ([zeek_gquic][server_name]) { + if ([zeek][gquic][server_name]) { mutate { id => "mutate_merge_zeek_quic_host" - merge => { "[quic][host]" => "[zeek_gquic][server_name]" } } + merge => { "[quic][host]" => "[zeek][gquic][server_name]" } } mutate { id => "mutate_add_field_zeek_quic_hostCnt" add_field => { "[quic][hostCnt]" => "1" } } } - if ([zeek_gquic][version]) { + if ([zeek][gquic][version]) { ruby { id => "ruby_zeek_set_quic_version" - code => "event.set('[quic][version]', 'Q' + event.get('[zeek_gquic][version]').rjust(3, '0'))" + code => "event.set('[quic][version]', 'Q' + event.get('[zeek][gquic][version]').rjust(3, '0'))" } mutate { id => "mutate_add_field_zeek_quic_versionCnt" add_field => { "[quic][versionCnt]" => "1" } } 
@@ -4330,62 +4440,68 @@ filter { # http.log specific logic mutate { id => "mutate_split_zeek_http_orig_fuids" - split => { "[zeek_http][orig_fuids]" => "," } } + split => { "[zeek][http][orig_fuids]" => "," } } mutate { id => "mutate_split_zeek_http_orig_filenames" - split => { "[zeek_http][orig_filenames]" => "," } } + split => { "[zeek][http][orig_filenames]" => "," } } mutate { id => "mutate_split_zeek_http_orig_mime_types" - split => { "[zeek_http][orig_mime_types]" => "," } } + split => { "[zeek][http][orig_mime_types]" => "," } } mutate { id => "mutate_split_zeek_http_resp_fuids" - split => { "[zeek_http][resp_fuids]" => "," } } + split => { "[zeek][http][resp_fuids]" => "," } } mutate { id => "mutate_split_zeek_http_resp_filenames" - split => { "[zeek_http][resp_filenames]" => "," } } + split => { "[zeek][http][resp_filenames]" => "," } } mutate { id => "mutate_split_zeek_http_resp_mime_types" - split => { "[zeek_http][resp_mime_types]" => "," } } + split => { "[zeek][http][resp_mime_types]" => "," } } mutate { id => "mutate_split_zeek_http_tags" - split => { "[zeek_http][tags]" => "," } } + split => { "[zeek][http][tags]" => "," } } mutate { id => "mutate_split_zeek_http_proxied" - split => { "[zeek_http][proxied]" => "," } } + split => { "[zeek][http][proxied]" => "," } } - if ([zeek_http][host]) { + if ([zeek][http][host]) { mutate { id => "mutate_merge_zeek_http_host" - merge => { "[http][host]" => "[zeek_http][host]" } } + merge => { "[http][host]" => "[zeek][http][host]" } } mutate { id => "mutate_add_field_http_hostCnt" add_field => { "[http][hostCnt]" => "1" } } } - if ([zeek_http][uri]) { - if ([zeek_http][host]) { + if ([zeek][http][uri]) { + if ([zeek][http][host]) { mutate { id => "mutate_add_field_metadata_http_host_and_uri" - add_field => { "[@metadata][http_uri]" => "%{[zeek_http][host]}%{[zeek_http][uri]}" } } + add_field => { "[@metadata][http_uri]" => "%{[zeek][http][host]}%{[zeek][http][uri]}" } } mutate { id => 
"mutate_merge_zeek_http_host_and_uri" merge => { "[http][uri]" => "[@metadata][http_uri]" } } } else { mutate { id => "mutate_merge_zeek_http_uri" - merge => { "[http][uri]" => "[zeek_http][uri]" } } + merge => { "[http][uri]" => "[zeek][http][uri]" } } } - } else if ([zeek_http][referrer]) { + } else if ([zeek][http][referrer]) { mutate { id => "mutate_merge_zeek_http_referrer" - merge => { "[http][uri]" => "[zeek_http][referrer]" } } + merge => { "[http][uri]" => "[zeek][http][referrer]" } } } if ([http][uri]) { mutate { id => "mutate_add_field_http_uriCnt" add_field => { "[http][uriCnt]" => "1" } } } - if ([zeek_http][user_agent]) { + if ([zeek][http][user_agent]) { mutate { id => "mutate_merge_zeek_http_user_agent" - merge => { "[http][useragent]" => "[zeek_http][user_agent]" } } + merge => { "[http][useragent]" => "[zeek][http][user_agent]" } } mutate { id => "mutate_add_field_http_useragentCnt" add_field => { "[http][useragentCnt]" => "1" } } } - if ([zeek_http][orig_mime_types]) { + if ([zeek][http][orig_mime_types]) { mutate { id => "mutate_merge_zeek_http_orig_mime_types" - merge => { "[http][bodyMagic]" => "[zeek_http][orig_mime_types]" } } + merge => { "[http][bodyMagic]" => "[zeek][http][orig_mime_types]" } } + # ECS - zeek.http.orig_mime_types -> http.request.mime_type + mutate { id => "mutate_merge_ecs_http_request_mime_type" + merge => { "[http][request][mime_type]" => "[zeek][http][orig_mime_types]" } } } - if ([zeek_http][resp_mime_types]) { + if ([zeek][http][resp_mime_types]) { mutate { id => "mutate_merge_zeek_http_resp_mime_types" - merge => { "[http][bodyMagic]" => "[zeek_http][resp_mime_types]" } } + merge => { "[http][bodyMagic]" => "[zeek][http][resp_mime_types]" } } + # ECS - zeek.http.resp_mime_types -> http.response.mime_type + mutate { id => "mutate_merge_ecs_http_response_mime_type" + merge => { "[http][response][mime_type]" => "[zeek][http][resp_mime_types]" } } } if ([http][bodyMagic]) { 
@@ -4406,46 +4522,97 @@ filter { } } - if ([zeek_http][version]) { + if ([zeek][http][version]) { mutate { id => "mutate_merge_zeek_http_clientVersion" - merge => { "[http][clientVersion]" => "[zeek_http][version]" } } + merge => { "[http][clientVersion]" => "[zeek][http][version]" } } mutate { id => "mutate_add_field_http_clientVersion" add_field => { "[http][clientVersionCnt]" => "1" } } } - if ([zeek_http][status_code]) { + if ([zeek][http][status_code]) { mutate { id => "mutate_merge_zeek_http_statuscode" - merge => { "[http][statuscode]" => "[zeek_http][status_code]" } } + merge => { "[http][statuscode]" => "[zeek][http][status_code]" } } mutate { id => "mutate_add_field_http_statuscodeCnt" add_field => { "[http][statuscodeCnt]" => "1" } } } - if ([zeek_http][method]) { + if ([zeek][http][method]) { mutate { id => "mutate_merge_zeek_http_method" - merge => { "[http][method]" => "[zeek_http][method]" } } + merge => { "[http][method]" => "[zeek][http][method]" } } mutate { id => "mutate_add_field_http_methodCnt" add_field => { "[http][methodCnt]" => "1" } } } - if ([zeek_http][post_username]) { + if ([zeek][http][post_username]) { mutate { id => "mutate_merge_zeek_http_post_username_1" - merge => { "[zeek][user]" => "[zeek_http][post_username]" } } + merge => { "[related][user]" => "[zeek][http][post_username]" } } mutate { id => "mutate_merge_zeek_http_post_username_2" - merge => { "[user]" => "[zeek_http][post_username]" } } + merge => { "[user]" => "[zeek][http][post_username]" } } } - if (![zeek][password]) and ([zeek_http][post_password_plain]) { + if (![related][password]) and ([zeek][http][post_password_plain]) { mutate { id => "mutate_add_field_zeek_http_post_password_plain" - add_field => { "[zeek][password]" => "%{[zeek_http][post_password_plain]}" } } + add_field => { "[related][password]" => "%{[zeek][http][post_password_plain]}" } } } - if ([zeek_http][response_body_len]) { mutate { id => "mutate_add_field_zeek_http_server_bytes" - add_field => { 
"[server][bytes]" => "%{[zeek_http][response_body_len]}" } } } - if ([zeek_http][request_body_len]) { mutate { id => "mutate_add_field_zeek_http_client_bytes" - add_field => { "[client][bytes]" => "%{[zeek_http][request_body_len]}" } } } + if ([zeek][http][response_body_len]) { mutate { id => "mutate_add_field_zeek_http_server_bytes" + add_field => { "[server][bytes]" => "%{[zeek][http][response_body_len]}" } } } + if ([zeek][http][request_body_len]) { mutate { id => "mutate_add_field_zeek_http_client_bytes" + add_field => { "[client][bytes]" => "%{[zeek][http][request_body_len]}" } } } ruby { id => "ruby_zeek_http_totDataBytes" - code => "event.set('[totDataBytes]', event.get('[zeek_http][response_body_len]').to_i + event.get('[zeek_http][request_body_len]').to_i)" + code => "event.set('[totDataBytes]', event.get('[zeek][http][response_body_len]').to_i + event.get('[zeek][http][request_body_len]').to_i)" + } + + # ECS - zeek.http.request_body_len -> http.request.body.bytes + if ([zeek][http][request_body_len]) { mutate { id => "mutate_add_field_ecs_http_request_body_bytes" + add_field => { "[http][request][body][bytes]" => "%{[zeek][http][request_body_len]}" } } } + # ECS - zeek.http.method -> http.request.method + if ([zeek][http][method]) { mutate { id => "mutate_add_field_ecs_http_request_method" + add_field => { "[http][request][method]" => "%{[zeek][http][method]}" } } } + # ECS - zeek.http.referrer -> http.request.referrer + if ([zeek][http][referrer]) { mutate { id => "mutate_add_field_ecs_http_request_referrer" + add_field => { "[http][request][referrer]" => "%{[zeek][http][referrer]}" } } } + # ECS - zeek.http.response_body_len -> http.response.body.bytes + if ([zeek][http][response_body_len]) { mutate { id => "mutate_add_field_ecs_http_response_body_bytes" + add_field => { "[http][response][body][bytes]" => "%{[zeek][http][response_body_len]}" } } } + # ECS - zeek.http.status_code -> http.response.status_code + if ([zeek][http][status_code]) { mutate { 
id => "mutate_add_field_ecs_http_response_status_code" + add_field => { "[http][response][status_code]" => "%{[zeek][http][status_code]}" } } } + # ECS - zeek.http.version -> http.version + if ([zeek][http][version]) { mutate { id => "mutate_add_field_ecs_http_version" + add_field => { "[http][version]" => "%{[zeek][http][version]}" } } } + + # ECS - zeek.http.host and zeek_http.uri -> url.* (https://www.elastic.co/guide/en/ecs/current/ecs-url.html) + if ([zeek][http][uri]) or ([zeek][http][host]) { + ruby { + id => "ruby_ecs_uri_parse_from_zeek_http" + init => "require 'uri'" + code => " + scheme = 'http' + user = event.get('[related][user]') + password = event.get('[related][password]') + host = event.get('[zeek][http][host]') + port = event.get('[destination][port]') + uri = event.get('[zeek][http][uri]') + ext = (uri.nil? || !(uri.include? '/')) ? nil : File.extname(uri).partition('.').last.split(/[\?#]/)[0] + fragment = uri.nil? ? nil : uri.partition('#').last + query = uri.nil? ? nil : uri.partition('?').last + event.set('[url][scheme]', scheme) + event.set('[url][original]', scheme + '://' + (host.nil? ? '' : host) + (uri.nil? ? '' : uri)) + event.set('[url][full]', scheme + '://' + (user.nil? ? '' : Array(user).first) + (password.nil? ? '' : ':' + password) + ((user.nil? && password.nil?) ? '' : '@') + (host.nil? ? '' : host) + (port.nil? ? '' : ':' + port) + (uri.nil? ? '' : uri)) + event.set('[url][domain]', host) unless host.nil? + event.set('[url][extension]', ext) unless ext.nil? || ext.empty? + event.set('[url][fragment]', fragment) unless fragment.nil? || fragment.empty? + event.set('[url][password]', password) unless password.nil? + event.set('[url][path]', uri) unless uri.nil? + event.set('[url][port]', port) unless port.nil? + event.set('[url][query]', query) unless query.nil? || query.empty? + event.set('[url][user]', Array(user).first) unless user.nil? 
+ " + # TODO: ECS url domain stuff (url.registered_domain, url.top_level_domain) + # perhaps use something like https://github.com/plutonbacon/logstash-filter-publicsuffix + } } } else if ([log_source] == "ipsec") { 
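Review bot: `ruby_ecs_uri_parse_from_zeek_http` copies the captured plaintext POST password (`[related][password]`, filled from `zeek.http.post_password_plain`) into both `url.full` and `url.password`, so a credential previously held in one field is now duplicated into fields that are routinely displayed in dashboards and free-text searched; dropping the `(password.nil? ? '' : ':' + password)` term from `url.full` keeps the URL useful while confining the credential to `url.password`, where field-level access control can be applied. The same block does `':' + port` with `port` taken from `[destination][port]`; if that field has already been converted to an integer earlier in the pipeline, Ruby raises `TypeError` and the event is tagged `_rubyexception`, so `':' + port.to_s` is safer. `url.path` is also set to the whole `uri` including its query string even though `url.query` is extracted separately; `uri.partition('?').first` gives the path alone. The enclosing `if ([log_source] == "http")` branch starts outside the hunk.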
@@ -4453,44 +4620,44 @@ filter { # ipsec.log specific logic mutate { id => "mutate_split_zeek_ipsec_vendor_ids" - split => { "[zeek_ipsec][vendor_ids]" => "," } } + split => { "[zeek][ipsec][vendor_ids]" => "," } } mutate { id => "mutate_split_zeek_ipsec_notify_messages" - split => { "[zeek_ipsec][notify_messages]" => "," } } + split => { "[zeek][ipsec][notify_messages]" => "," } } mutate { id => "mutate_split_zeek_ipsec_transforms" - split => { "[zeek_ipsec][transforms]" => "," } } + split => { "[zeek][ipsec][transforms]" => "," } } mutate { id => "mutate_split_zeek_ipsec_ke_dh_groups" - split => { "[zeek_ipsec][ke_dh_groups]" => "," } } + split => { "[zeek][ipsec][ke_dh_groups]" => "," } } mutate { id => "mutate_split_zeek_ipsec_proposals" - split => { "[zeek_ipsec][proposals]" => "," } } + split => { "[zeek][ipsec][proposals]" => "," } } mutate { id => "mutate_split_zeek_ipsec_certificates" - split => { "[zeek_ipsec][certificates]" => "," } } + split => { "[zeek][ipsec][certificates]" => "," } } mutate { id => "mutate_split_zeek_ipsec_transform_attributes" - split => { "[zeek_ipsec][transform_attributes]" => "," } } + split => { "[zeek][ipsec][transform_attributes]" => "," } } ruby { id => "ruby_zeek_field_ipsec_flags" code => ' flags = Array.new - if (event.get("[zeek_ipsec][flag_e]") == "T") then + if (event.get("[zeek][ipsec][flag_e]") == "T") then flags << "E" end - if (event.get("[zeek_ipsec][flag_c]") == "T") then + if (event.get("[zeek][ipsec][flag_c]") == "T") then flags << "C" end - if (event.get("[zeek_ipsec][flag_a]") == "T") then + if (event.get("[zeek][ipsec][flag_a]") == "T") then flags << "A" end - if (event.get("[zeek_ipsec][flag_i]") == "T") then + if (event.get("[zeek][ipsec][flag_i]") == "T") then flags << "I" end - if (event.get("[zeek_ipsec][flag_v]") == "T") then + if (event.get("[zeek][ipsec][flag_v]") == "T") then flags << "V" end - if (event.get("[zeek_ipsec][flag_r]") == "T") then + if (event.get("[zeek][ipsec][flag_r]") == "T") then 
flags << "R" end if !flags.empty? then - event.set("[zeek_ipsec][flags]", flags) + event.set("[zeek][ipsec][flags]", flags) end' } @@ -4498,21 +4665,21 @@ filter { ############################################################################################################################# # irc.log specific logic - if ([zeek_irc][nick]) { + if ([zeek][irc][nick]) { mutate { id => "mutate_merge_zeek_irc_nick" - merge => { "[irc][nick]" => "[zeek_irc][nick]" } } + merge => { "[irc][nick]" => "[zeek][irc][nick]" } } mutate { id => "mutate_add_field_irc_nickCnt" add_field => { "[irc][nickCnt]" => "1" } } # store "nick" alongside "user" mutate { id => "mutate_merge_irc_nick_user_1" - merge => { "[zeek][user]" => "[zeek_irc][nick]" } } + merge => { "[related][user]" => "[zeek][irc][nick]" } } mutate { id => "mutate_merge_irc_nick_user_2" - merge => { "[user]" => "[zeek_irc][nick]" } } + merge => { "[user]" => "[zeek][irc][nick]" } } } - if ([zeek_irc][command]) and ([zeek_irc][value]) and (([zeek_irc][command] == "JOIN") or ([zeek_irc][command] == "PART")) { + if ([zeek][irc][command]) and ([zeek][irc][value]) and (([zeek][irc][command] == "JOIN") or ([zeek][irc][command] == "PART")) { mutate { id => "mutate_merge_zeek_irc_channel" - merge => { "[irc][channel]" => "[zeek_irc][value]" } } + merge => { "[irc][channel]" => "[zeek][irc][value]" } } mutate { id => "mutate_add_field_irc_channelCnt" add_field => { "[irc][channelCnt]" => "1" } } } 
@@ -4521,84 +4688,84 @@ filter { ############################################################################################################################# # intel.log specific logic - if ([zeek_intel][sources]) { mutate { id => "mutate_split_zeek_intel_sources" - split => { "[zeek_intel][sources]" => "," } } } + if ([zeek][intel][sources]) { mutate { id => "mutate_split_zeek_intel_sources" + split => { "[zeek][intel][sources]" => "," } } } } else if ([log_source] == "kerberos") { ############################################################################################################################# # kerberos.log specific logic - if ([zeek_kerberos][cname]) { + if ([zeek][kerberos][cname]) { mutate { id => "mutate_merge_zeek_kerberos_cname" - merge => { "[krb5][cname]" => "[zeek_kerberos][cname]" } } + merge => { "[krb5][cname]" => "[zeek][kerberos][cname]" } } mutate { id => "mutate_add_field_kerberos_cnameCnt" add_field => { "[krb5][cnameCnt]" => "1" } } } - if ([zeek_kerberos][sname]) { + if ([zeek][kerberos][sname]) { mutate { id => "mutate_merge_zeek_kerberos_sname" - merge => { "[krb5][sname]" => "[zeek_kerberos][sname]" } } + merge => { "[krb5][sname]" => "[zeek][kerberos][sname]" } } mutate { id => "mutate_add_field_kerberos_snameCnt" add_field => { "[krb5][snameCnt]" => "1" } } } - if ([zeek_kerberos][client_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_client_cert_fuid" - split => { "[zeek_kerberos][client_cert_fuid]" => "," } } } + if ([zeek][kerberos][client_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_client_cert_fuid" + split => { "[zeek][kerberos][client_cert_fuid]" => "," } } } - if ([zeek_kerberos][server_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_server_cert_fuid" - split => { "[zeek_kerberos][server_cert_fuid]" => "," } } } + if ([zeek][kerberos][server_cert_fuid]) { mutate { id => "mutate_split_zeek_kerberos_server_cert_fuid" + split => { "[zeek][kerberos][server_cert_fuid]" => "," } } } } else if 
([log_source] == "ldap") { ############################################################################################################################# # ldap.log specific logic mutate { id => "mutate_split_zeek_ldap_fields" - split => { "[zeek_ldap][operation]" => "," - "[zeek_ldap][result_code]" => "," - "[zeek_ldap][result_message]" => "," - "[zeek_ldap][object]" => "," - "[zeek_ldap][argument]" => "," } } + split => { "[zeek][ldap][operation]" => "," + "[zeek][ldap][result_code]" => "," + "[zeek][ldap][result_message]" => "," + "[zeek][ldap][object]" => "," + "[zeek][ldap][argument]" => "," } } - if ([zeek_ldap][object]) or ([zeek_ldap][argument]) { + if ([zeek][ldap][object]) or ([zeek][ldap][argument]) { ruby { id => "ruby_zeek_ldap_object_and_arguments_adjustment" code => " - if (objects = event.get('[zeek_ldap][object]')) and (objects.length > 0) then + if (objects = event.get('[zeek][ldap][object]')) and (objects.length > 0) then objectsAdj = Array.new objects.each do |val| objectsAdj.push(val.gsub('\\x2c', ',')) end - event.set('[zeek_ldap][object]', objectsAdj) + event.set('[zeek][ldap][object]', objectsAdj) end - if (arguments = event.get('[zeek_ldap][argument]')) and (arguments.length > 0) then + if (arguments = event.get('[zeek][ldap][argument]')) and (arguments.length > 0) then argsAdj = Array.new arguments.each do |val| argsAdj.push(val.gsub('\\x2c', ',')) end - event.set('[zeek_ldap][argument]', argsAdj) + event.set('[zeek][ldap][argument]', argsAdj) end" } } # map simple bind "object" and "argument" to username and password # and map to Arkime types - if ("bind simple" in [zeek_ldap][operation]) { - if ([zeek_ldap][object]) { + if ("bind simple" in [zeek][ldap][operation]) { + if ([zeek][ldap][object]) { mutate { id => "mutate_merge_zeek_ldap_bind_object_user" - merge => { "[zeek][user]" => "[zeek_ldap][object]" } } + merge => { "[related][user]" => "[zeek][ldap][object]" } } mutate { id => "mutate_merge_ldap_bind_name" - merge => { 
"[ldap][bindname]" => "[zeek_ldap][object]" } } + merge => { "[ldap][bindname]" => "[zeek][ldap][object]" } } mutate { id => "mutate_add_field_ldap_bindnameCnt" add_field => { "[ldap][bindnameCnt]" => "1" } } } - if ([zeek_ldap][argument]) { + if ([zeek][ldap][argument]) { mutate { id => "mutate_merge_zeek_ldap_bind_argument_password" - merge => { "[zeek][password]" => "[zeek_ldap][argument]" } } + merge => { "[related][password]" => "[zeek][ldap][argument]" } } } mutate { id => "mutate_add_field_ldap_authtype_simple" add_field => { "[@metadata][ldapAuthType]" => "simple" } } - } else if ("bind SASL" in [zeek_ldap][operation]) { + } else if ("bind SASL" in [zeek][ldap][operation]) { mutate { id => "mutate_add_field_ldap_authtype_sasl" add_field => { "[@metadata][ldapAuthType]" => "sasl" } } } @@ -4614,22 +4781,23 @@ filter { # ldap_search.log specific logic mutate { id => "mutate_split_zeek_ldap_search_fields" - split => { "[zeek_ldap_search][scope]" => "," - "[zeek_ldap_search][deref]" => "," - "[zeek_ldap_search][base_object]" => "," - "[zeek_ldap_search][result_code]" => "," - "[zeek_ldap_search][result_message]" => "," } } - - if ([zeek_ldap_search][base_object]) { + split => { "[zeek][ldap_search][scope]" => "," + "[zeek][ldap_search][deref]" => "," + "[zeek][ldap_search][attributes]" => "," + "[zeek][ldap_search][base_object]" => "," + "[zeek][ldap_search][result_code]" => "," + "[zeek][ldap_search][result_message]" => "," } } + + if ([zeek][ldap_search][base_object]) { ruby { id => "ruby_zeek_ldap_search_base_object_adjustment" code => " - if (objects = event.get('[zeek_ldap_search][base_object]')) and (objects.length > 0) then + if (objects = event.get('[zeek][ldap_search][base_object]')) and (objects.length > 0) then objectsAdj = Array.new objects.each do |val| objectsAdj.push(val.gsub('\\x2c', ',')) end - event.set('[zeek_ldap_search][base_object]', objectsAdj) + event.set('[zeek][ldap_search][base_object]', objectsAdj) end" } } 
@@ -4638,23 +4806,23 @@ filter { ############################################################################################################################# # modbus_detailed.log specific logic - if ([zeek_modbus_detailed][values]) { + if ([zeek][modbus_detailed][values]) { mutate { id => "mutate_split_zeek_modbus_detailed_values" - split => { "[zeek_modbus_detailed][values]" => "," } } + split => { "[zeek][modbus_detailed][values]" => "," } } } } else if ([log_source] == "modbus_read_write_multiple_registers") { ############################################################################################################################# # modbus_read_write_multiple_registers.log specific logic - if ([zeek_modbus_read_write_multiple_registers][read_registers]) { + if ([zeek][modbus_read_write_multiple_registers][read_registers]) { mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_registers" - split => { "[zeek_modbus_read_write_multiple_registers][read_registers]" => "," } } + split => { "[zeek][modbus_read_write_multiple_registers][read_registers]" => "," } } } - if ([zeek_modbus_read_write_multiple_registers][write_registers]) { + if ([zeek][modbus_read_write_multiple_registers][write_registers]) { mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_write_registers" - split => { "[zeek_modbus_read_write_multiple_registers][write_registers]" => "," } } + split => { "[zeek][modbus_read_write_multiple_registers][write_registers]" => "," } } } } else if ([log_source] == "mqtt_publish") { 
@@ -4664,12 +4832,12 @@ filter { # MQTT payload *may* be JSON, or it may not json { skip_on_invalid_json => true - source => "[zeek_mqtt_publish][payload]" - target => "[zeek_mqtt_publish][payload_dict]" + source => "[zeek][mqtt_publish][payload]" + target => "[zeek][mqtt_publish][payload_dict]" } - if ([zeek_mqtt_publish][payload_len]) { mutate { id => "mutate_add_field_zeek_mqtt_publish_client_len" - add_field => { "[client][bytes]" => "%{[zeek_mqtt_publish][payload_len]}" } } } + if ([zeek][mqtt_publish][payload_len]) { mutate { id => "mutate_add_field_zeek_mqtt_publish_client_len" + add_field => { "[client][bytes]" => "%{[zeek][mqtt_publish][payload_len]}" } } } } else if ([log_source] == "mqtt_subscribe") { @@ -4677,16 +4845,16 @@ filter { # mqtt_subscribe.log specific logic mutate { id => "mutate_split_zeek_mqtt_subscribe_fields" - split => { "[zeek_mqtt_subscribe][topics]" => "," - "[zeek_mqtt_subscribe][qos_levels]" => "," } } + split => { "[zeek][mqtt_subscribe][topics]" => "," + "[zeek][mqtt_subscribe][qos_levels]" => "," } } } else if ([log_source] == "mysql") { ############################################################################################################################# # mysql.log specific logic - if ([zeek_mysql][rows] == 0) { + if ([zeek][mysql][rows] == 0) { mutate { id => "mutate_remove_field_zeek_mysql_zero_rows" - remove_field => [ "[zeek_mysql][rows]" ] } + remove_field => [ "[zeek][mysql][rows]" ] } } } else if ([log_source] == "notice") { 
@@ -4694,44 +4862,40 @@ filter { # notice.log specific logic mutate { id => "mutate_split_zeek_notice_actions" - split => { "[zeek_notice][actions]" => "," } } + split => { "[zeek][notice][actions]" => "," } } # split "Category::Subcategory" into two different fields ruby { id => "ruby_zeek_notice_category_extract" code => " - if (noticeNote = event.get('[zeek_notice][note]')) and (noticeParts = noticeNote.split('::')) then + if (noticeNote = event.get('[zeek][notice][note]')) and (noticeParts = noticeNote.split('::')) then if (noticeParts.length >= 2) then - event.set('[zeek_notice][category]', noticeParts[0]) - event.set('[zeek_notice][sub_category]', noticeParts[1]) + event.set('[zeek][notice][category]', noticeParts[0]) + event.set('[zeek][notice][sub_category]', noticeParts[1]) elsif (noticeParts.length == 1) then - event.set('[zeek_notice][category]', noticeParts[0]) + event.set('[zeek][notice][category]', noticeParts[0]) end end" } - if ([zeek_notice][category] == "ATTACK") and ([zeek_notice][msg] =~ /(from|against|to)\s+host/) { + if ([zeek][notice][category] == "ATTACK") and ([zeek][notice][msg] =~ /(from|against|to)\s+host/) { # ATTACK::Discovery - Detected activity from host 192.168.199.133, total attempts 5 within timeframe 5.0 mins # but no IP addresses set :( if (![source][ip]) { grok { id => "grok_zeek_notice_attack_src_hosts" - match => { "[zeek_notice][msg]" => [ "from%{SPACE}host%{SPACE}%{DATA:[source][ip]}%{SPACE}($|[^\d:\.\w-]+)" ] } + match => { "[zeek][notice][msg]" => [ "from%{SPACE}host%{SPACE}%{DATA:[source][ip]}%{SPACE}($|[^\d:\.\w-]+)" ] } } - if ([source][ip]) { mutate { id => "mutate_add_field_zeek_orig_h_attack" - add_field => { "[zeek][orig_h]" => "%{[source][ip]}" } } } } if (![destination][ip]) { grok { id => "grok_zeek_notice_attack_dst_hosts" - match => { "[zeek_notice][msg]" => [ "(against|to)%{SPACE}host%{SPACE}%{DATA:[destination][ip]}%{SPACE}($|[^\d:\.\w-]+)" ] } + match => { "[zeek][notice][msg]" => [ 
"(against|to)%{SPACE}host%{SPACE}%{DATA:[destination][ip]}%{SPACE}($|[^\d:\.\w-]+)" ] } } - if ([destination][ip]) { mutate { id => "mutate_add_field_zeek_resp_h_attack" - add_field => { "[zeek][resp_h]" => "%{[destination][ip]}" } } } } } - if ([zeek_notice][note] == "Corelight::XOR_Encrypted_PE_File_Seen") and ([zeek_notice][sub] =~ /Decrypted File ID/) { + if ([zeek][notice][note] == "Corelight::XOR_Encrypted_PE_File_Seen") and ([zeek][notice][sub] =~ /Decrypted File ID/) { # zeek_notice.note Corelight::XOR_Encrypted_PE_File_Seen # # zeek.fuid F7QoY740DvrZF2lrsa 
@@ -4740,22 +4904,159 @@ filter { # = zeek.fuid F7QoY740DvrZF2lrsa, FqNQ8i3LbG2ZY5EO3k grok { id => "grok_zeek_notice_xor_fuid" - match => { "[zeek_notice][sub]" => [ "Decrypted%{SPACE}File%{SPACE}ID:%{SPACE}%{WORD:[@metadata][decrypted_xor_fuid]}" ] } + match => { "[zeek][notice][sub]" => [ "Decrypted%{SPACE}File%{SPACE}ID:%{SPACE}%{WORD:[@metadata][decrypted_xor_fuid]}" ] } } if ([@metadata][decrypted_xor_fuid]) { mutate { id => "mutate_merge_zeek_notice_decrypted_xor_fuid" merge => { "[zeek][fuid]" => "[@metadata][decrypted_xor_fuid]" } } } } + # ECS - "Notices" -> rule.ruleset + mutate { id => "mutate_add_field_ecs_rule_ruleset_notice_zeek" + add_field => { "[rule][ruleset]" => "Zeek Notices" } } + + # ECS - zeek.notice.category -> rule.category + if ([zeek][notice][category]) { mutate { id => "mutate_add_field_ecs_rule_category_notice_category" + add_field => { "[rule][category]" => "%{[zeek][notice][category]}" } } } + # ECS - zeek.notice.sub_category -> rule.name + if ([zeek][notice][sub_category]) { mutate { id => "mutate_add_field_ecs_rule_category_notice_sub_category" + add_field => { "[rule][name]" => "%{[zeek][notice][sub_category]}" } } } + + # ECS - zeek.notice.category -> rule.author (mapped) + translate { + id => "translate_zeek_notice_author" + field => "[zeek][notice][category]" + destination => "[@metadata][zeek_noticed_mapped_author]" + dictionary_path => "/etc/notice_authors.yaml" + fallback => "Zeek" + } + if ([@metadata][zeek_noticed_mapped_author]) { + mutate { id => "mutate_merge_zeek_noticed_mapped_author" + merge => { "[rule][author]" => "[@metadata][zeek_noticed_mapped_author]" } } + } + + # ECS - zeek.notice.category -> rule.reference (mapped) + translate { + id => "translate_zeek_notice_reference" + field => "[zeek][notice][category]" + destination => "[@metadata][zeek_noticed_mapped_reference]" + dictionary_path => "/etc/notice_reference.yaml" + fallback => "https://docs.zeek.org/en/current/zeek-noticeindex.html" + } + if 
([@metadata][zeek_noticed_mapped_reference]) { + mutate { id => "mutate_merge_zeek_noticed_mapped_reference" + merge => { "[rule][reference]" => "[@metadata][zeek_noticed_mapped_reference]" } } + } + + # ECS - zeek.notice.category -> rule.license (mapped) + translate { + id => "translate_zeek_notice_license" + field => "[zeek][notice][category]" + destination => "[@metadata][zeek_noticed_mapped_license]" + dictionary_path => "/etc/notice_license.yaml" + fallback => "https://raw.githubusercontent.com/zeek/zeek/master/COPYING" + } + if ([@metadata][zeek_noticed_mapped_license]) { + mutate { id => "mutate_merge_zeek_noticed_mapped_license" + merge => { "[rule][license]" => "[@metadata][zeek_noticed_mapped_license]" } } + } + + # ECS - zeek.notice.category -> threat.* (https://www.elastic.co/guide/en/ecs/current/ecs-threat.html) + if ([zeek][notice][category] == "ATTACK") { + + # populate threat information for MITRE ATT&CK notices from mitre-attack/bzar plugin + mutate { id => "mutate_add_field_ecs_threat_framework_mitre_attack" + add_field => { "[threat][framework]" => "MITRE ATT&CK" } } + + if ([zeek][notice][sub_category]) { + mutate { id => "mutate_add_field_ecs_threat_tactic_name_mitre" + add_field => { "[threat][tactic][name]" => "%{[zeek][notice][sub_category]}" } } + mutate { id => "mutate_gsub_ecs_threat_tactic_name_notice_sub" + gsub => [ "[threat][tactic][name]", "_,", " " ] } + translate { + id => "translate_zeek_mitre_attack_tactic_name_to_id" + field => "[zeek][notice][sub_category]" + destination => "[threat][tactic][id]" + dictionary_path => "/etc/mitre_attack_tactic_ids.yaml" + } + translate { + id => "translate_zeek_mitre_attack_tactic_name_to_reference" + field => "[zeek][notice][sub_category]" + destination => "[threat][tactic][reference]" + dictionary_path => "/etc/mitre_attack_tactic_reference.yaml" + fallback => "https://attack.mitre.org/tactics/enterprise/" + } + } + + if ([zeek][notice][sub]) and ([zeek][notice][sub] =~ /^T/) { + # eg., T1077 
Windows Admin Shares + T1105 Remote File Copy + ruby { + id => "ruby_ecs_threat_technique_from_attack" + code => " + idArray = Array.new + nameArray = Array.new + event.get('[zeek][notice][sub]').split('+').each do |technique| + id, name = technique.strip.match(/(^T.*?)\s+(.+$)/).captures + idArray.push(id) unless id.nil? + nameArray.push(name) unless name.nil? + end + event.set('[threat][technique][id]', idArray) + event.set('[threat][technique][name]', nameArray) + event.set('[threat][technique][reference]', idArray.clone.map(&:clone).map{|x| x.prepend('https://attack.mitre.org/techniques/')}) + " + } + } + + } else if ([zeek][notice][category] == "EternalSafety") { + # populate threat information for EternalSafety from 0xl3x1/zeek-EternalSafety plugin + mutate { id => "mutate_add_field_ecs_threat_framework_eternal_safety" + add_field => { "[threat][framework]" => "EternalSafety" } } + if ([zeek][notice][sub_category]) { mutate { id => "mutate_add_field_ecs_threat_technique_name_eternal" + add_field => { "[threat][technique][name]" => "%{[zeek][notice][sub_category]}" } } } + if ([rule][reference]) { mutate { id => "mutate_add_field_ecs_threat_technique_reference_eternal" + add_field => { "[threat][technique][reference]" => "%{[rule][reference]}" } } } + } + + if (([zeek][notice][category] =~ /^CVE/) or + ([zeek][notice][category] == "EternalSafety") or + ([zeek][notice][category] == "Ripple20") or + ([zeek][notice][category] == "Zerologon")) { + # ECS - zeek.notice.category -> vulnerability.* (https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html) + mutate { id => "mutate_merge_ecs_vulnerability_category_notice_category" + merge => { "[vulnerability][category]" => "[zeek][notice][category]" } } + mutate { id => "mutate_merge_ecs_vulnerability_description_notice_subcategory" + merge => { "[vulnerability][description]" => "[zeek][notice][sub_category]" } } + if ([rule][reference]) { mutate { id => 
"mutate_merge_zeek_noticed_mapped_vulnerability_reference" + merge => { "[vulnerability][reference]" => "[rule][reference]" } } } + if ([rule][author]) { mutate { id => "mutate_merge_zeek_noticed_mapped_vulnerability_vendor" + merge => { "[vulnerability][scanner][vendor]" => "[rule][author]" } } } + } + + } else if ([log_source] == "ntlm") { + ############################################################################################################################# + # ntlm.log specific logic + + # ECS - zeek.ntlm.host -> client.domain + if ([zeek][ntlm][host]) { + mutate { id => "mutate_add_field_ecs_client_domain_ntlm_host_name" + add_field => { "[client][domain]" => "%{[zeek][ntlm][host]}" } } + } + + # ECS - zeek.ntlm.domain -> client.domain + if ([zeek][ntlm][domain]) { + mutate { id => "mutate_add_field_ecs_client_domain_ntlm_domain" + add_field => { "[client][domain]" => "%{[zeek][ntlm][domain]}" } } + } + } else if ([log_source] == "ntp") { ############################################################################################################################# # ntp.log specific logic # map mode to string for readability - if ([zeek_ntp][mode]) { + if ([zeek][ntp][mode]) { translate { id => "translate_zeek_ntp_mode_str" - field => "[zeek_ntp][mode]" - destination => "[zeek_ntp][mode_str]" + field => "[zeek][ntp][mode]" + destination => "[zeek][ntp][mode_str]" dictionary_path => "/etc/ntp_modes.yaml" } } 
@@ -4765,37 +5066,37 @@ filter { # pe.log specific logic mutate { id => "mutate_split_zeek_pe_section_names" - split => { "[zeek_pe][section_names]" => "," } } + split => { "[zeek][pe][section_names]" => "," } } } else if ([log_source] == "radius") { ############################################################################################################################# # radius.log specific logic - if ([zeek][user]) { mutate { id => "mutate_merge_zeek_radius_user" - merge => { "[radius][user]" => "[zeek][user]" } } } + if ([related][user]) { mutate { id => "mutate_merge_zeek_radius_user" + merge => { "[radius][user]" => "[related][user]" } } } - if ([zeek_radius][framed_addr]) { + if ([zeek][radius][framed_addr]) { mutate { id => "mutate_merge_zeek_radius_framed_addr" - merge => { "[radius][framedIp]" => "[zeek_radius][framed_addr]" } } + merge => { "[radius][framedIp]" => "[zeek][radius][framed_addr]" } } mutate { id => "mutate_add_field_radius_framedIpCnt" add_field => { "[radius][framedIpCnt]" => "1" } } } - if ([zeek_radius][tunnel_client]) { + if ([zeek][radius][tunnel_client]) { mutate { id => "mutate_merge_zeek_radius_tunnel_client" - merge => { "[radius][endpointIp]" => "[zeek_radius][tunnel_client]" } } + merge => { "[radius][endpointIp]" => "[zeek][radius][tunnel_client]" } } mutate { id => "mutate_add_field_radius_endpointIpCnt" add_field => { "[radius][endpointIpCnt]" => "1" } } } - if ([zeek_radius][mac]) { + if ([zeek][radius][mac]) { mutate { id => "mutate_merge_zeek_radius_mac" - merge => { "[radius][mac]" => "[zeek_radius][mac]" } } + merge => { "[radius][mac]" => "[zeek][radius][mac]" } } mutate { id => "mutate_add_field_radius_macCnt" add_field => { "[radius][macCnt]" => "1" } } - if (![zeek][orig_l2_addr]) { + if (![source][mac]) { mutate { id => "mutate_merge_zeek_radius_zeek_mac" - merge => { "[zeek][orig_l2_addr]" => "[zeek_radius][mac]" } } + merge => { "[source][mac]" => "[zeek][radius][mac]" } } } } 
@@ -4804,33 +5105,33 @@ filter { # rdp.log specific logic mutate { id => "mutate_split_zeek_rdp_client_channels" - split => { "[zeek_rdp][client_channels]" => "," } } + split => { "[zeek][rdp][client_channels]" => "," } } } else if ([log_source] == "s7comm") { ############################################################################################################################# # s7comm.log specific logic - if ([zeek_s7comm][parameter]) { + if ([zeek][s7comm][parameter]) { ruby { id => "ruby_zeek_s7comm_parse_parameter" code => " - parameterHash = event.get('[zeek_s7comm][parameter]').split(',').each_with_object({}) do |a, hash| + parameterHash = event.get('[zeek][s7comm][parameter]').split(',').each_with_object({}) do |a, hash| key,value = a.split(/\s*=\s*/) hash[key] = value end - event.set('[zeek_s7comm][parameters]', parameterHash)" + event.set('[zeek][s7comm][parameters]', parameterHash)" } mutate { id => "mutate_split_field_s7comm_parameter" - split => { "[zeek_s7comm][parameter]" => "," } } + split => { "[zeek][s7comm][parameter]" => "," } } } - if ([zeek_s7comm][data_info] == "Null") { + if ([zeek][s7comm][data_info] == "Null") { mutate { id => "mutate_remove_field_s7comm_data_info_null" - remove_field => [ "[zeek_s7comm][data_info]" ] } - } else if ([zeek_s7comm][data_info]) { + remove_field => [ "[zeek][s7comm][data_info]" ] } + } else if ([zeek][s7comm][data_info]) { mutate { id => "mutate_split_field_s7comm_data_info" - split => { "[zeek_s7comm][data_info]" => "," } } + split => { "[zeek][s7comm][data_info]" => "," } } } } else if ([log_source] == "signatures") { 
@@ -4841,21 +5142,21 @@ filter { # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it # sub_message contains fuid(s) comma-separated - if ([zeek_signatures][sub_message]) { + if ([zeek][signatures][sub_message]) { mutate { id => "mutate_split_zeek_signatures_sub_message" - split => { "[zeek_signatures][sub_message]" => "," } } + split => { "[zeek][signatures][sub_message]" => "," } } mutate { id => "mutate_rename_zeek_signatures_sub_message" - rename => { "[zeek_signatures][sub_message]" => "[zeek][fuid]" } } + rename => { "[zeek][signatures][sub_message]" => "[zeek][fuid]" } } } - if ([zeek_signatures][event_message]) { + if ([zeek][signatures][event_message]) { # sub_message contains "Signature [Engine]" list semi-colon separated ruby { id => "ruby_zeek_signatures_event_message_parse" code => " matchesHash = Hash.new idArray = Array.new - event.get('[zeek_signatures][event_message]').split(';').each { |hit| + event.get('[zeek][signatures][event_message]').split(';').each { |hit| nameAndEngines = hit.split(/(.+?)\s*<(.+)>/) nameAndEngines[2].split(',').each { |engine| unless matchesHash.key?(engine) 
@@ -4865,23 +5166,33 @@ filter { idArray.push(nameAndEngines[1]) } } - event.set('[zeek_signatures][signature_id]', idArray.uniq) - event.set('[zeek_signatures][engine]', matchesHash.keys) - event.set('[zeek_signatures][hits]', matchesHash)" + event.set('[zeek][signatures][signature_id]', idArray.uniq) + event.set('[zeek][signatures][engine]', matchesHash.keys) + event.set('[zeek][signatures][hits]', matchesHash)" } mutate { id => "mutate_remove_field_zeek_signatures_event_message" - remove_field => [ "[zeek_signatures][event_message]" ] + remove_field => [ "[zeek][signatures][event_message]" ] } } } else { - if ([zeek_signatures][signature_id] =~ /^dpd_/) { + if ([zeek][signatures][signature_id] =~ /^dpd_/) { # I don't care about DPD matching signatures drop { id => "drop_zeek_ignored_signatures_dpd" } } } + # ECS - zeek.signatures.engine -> rule.author + if ([zeek][signatures][engine]) { mutate { id => "mutate_merge_field_ecs_rule_author_signatures_engine" + merge => { "[rule][author]" => "[zeek][signatures][engine]" } } } + # ECS - zeek.signatures.signature_id -> rule.name + if ([zeek][signatures][signature_id]) { mutate { id => "mutate_add_field_ecs_rule_id_signature_name" + merge => { "[rule][name]" => "[zeek][signatures][signature_id]" } } } + # ECS - zeek.signatures.event_message -> rule.description + if ([zeek][signatures][event_message]) { mutate { id => "mutate_add_field_ecs_rule_id_signature_event_message" + merge => { "[rule][description]" => "[zeek][signatures][event_message]" } } } + } else if ([log_source] == "sip") { ############################################################################################################################# # sip.log specific logic 
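Review bot: The new `rule.description` mapping at the end of the hunk tests `[zeek][signatures][event_message]`, but the branch above parses that field and then removes it (`mutate_remove_field_zeek_signatures_event_message`), so for events that went through the parser `rule.description` is never populated and only the unparsed `else` path keeps it; if the description is wanted for both, do the merge before the `remove_field`, or merge from the parsed `[zeek][signatures][hits]` instead. The outer condition that selects between the parse branch and the `else` starts outside this hunk, so which events reach each side is inferred. Separately, `mutate_add_field_ecs_rule_id_signature_name` and `mutate_add_field_ecs_rule_id_signature_event_message` use `merge`, not `add_field`, and neither targets `rule.id`; ids such as `mutate_merge_ecs_rule_name_signature_id` and `mutate_merge_ecs_rule_description_signature_event_message` would match the neighbouring `mutate_merge_field_ecs_rule_author_signatures_engine`.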
@@ -4890,22 +5201,22 @@ filter { id => "ruby_zeek_field_zeek_sip_version" code => ' versions = Array.new - paths = [event.get("[zeek_sip][request_path]"), event.get("[zeek_sip][response_path]")].compact.join(",") + paths = [event.get("[zeek][sip][request_path]"), event.get("[zeek][sip][response_path]")].compact.join(",") paths.scan(/\bSIP:?\/([\d\.]+)/i) { |match| versions << match[0] } - event.set("[zeek_sip][version]", versions.uniq)' + event.set("[zeek][sip][version]", versions.uniq)' } mutate { id => "mutate_split_zeek_sip_request_path" - split => { "[zeek_sip][request_path]" => "," } } + split => { "[zeek][sip][request_path]" => "," } } mutate { id => "mutate_split_zeek_sip_response_path" - split => { "[zeek_sip][response_path]" => "," } } + split => { "[zeek][sip][response_path]" => "," } } - if ([zeek_sip][request_body_len]) { mutate { id => "mutate_add_field_zeek_sip_client_bytes" - add_field => { "[client][bytes]" => "%{[zeek_sip][request_body_len]}" } } } + if ([zeek][sip][request_body_len]) { mutate { id => "mutate_add_field_zeek_sip_client_bytes" + add_field => { "[client][bytes]" => "%{[zeek][sip][request_body_len]}" } } } - if ([zeek_sip][response_body_len]) { mutate { id => "mutate_add_field_zeek_sip_server_bytes" - add_field => { "[server][bytes]" => "%{[zeek_sip][response_body_len]}" } } } + if ([zeek][sip][response_body_len]) { mutate { id => "mutate_add_field_zeek_sip_server_bytes" + add_field => { "[server][bytes]" => "%{[zeek][sip][response_body_len]}" } } } } else if ([log_source] == "smb_cmd") or ([log_source] == "smb_files") { ############################################################################################################################# 
@@ -4913,14 +5224,14 @@ filter { # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files, which is why I've combined # the logic here to avoid duplication - if ([zeek_smb_cmd]) { + if ([zeek][smb_cmd]) { - if ([zeek_smb_cmd][referenced_file]) { + if ([zeek][smb_cmd][referenced_file]) { # move "up" referenced_file to its own smb_files top-level entity mutate { id => "mutate_rename_zeek_zeek_smb_cmd_referenced_file" - rename => { "[zeek_smb_cmd][referenced_file]" => "[zeek_smb_files]" } + rename => { "[zeek][smb_cmd][referenced_file]" => "[zeek][smb_files]" } } # remove unset (-) or "(empty)" referenced_file (now zeek_smb_files) subfield values 
@@ -4928,34 +5239,34 @@ filter { id => "ruby_zeek_remove_empty_smb_cmd_referenced_file_values" path => "/usr/share/logstash/malcolm-ruby/compact_event_hash.rb" script_params => { - "field" => "[zeek_smb_files]" + "field" => "[zeek][smb_files]" } } # collect referenced file FUID(s) at parent level (here rather than in 12_zeek_normalize.conf because # this would have already been done as a root-level fuid array in the main "rename" above if we # had not had to move it up a level just now) - if ([zeek_smb_files][fuid]) { + if ([zeek][smb_files][fuid]) { mutate { id => "mutate_merge_zeek_smb_files_fuid" - merge => { "[zeek][fuid]" => "[zeek_smb_files][fuid]" } } + merge => { "[zeek][fuid]" => "[zeek][smb_files][fuid]" } } mutate { id => "mutate_remove_zeek_smb_files_fuid" - remove_field => [ "[zeek_smb_files][fuid]" ] } + remove_field => [ "[zeek][smb_files][fuid]" ] } } - if ([zeek_smb_files][action]) { mutate { id => "mutate_gsub_zeek_smb_cmd_referenced_file_action" - gsub => [ "[zeek_smb_files][action]", "^SMB::", "" ] } } + if ([zeek][smb_files][action]) { mutate { id => "mutate_gsub_zeek_smb_cmd_referenced_file_action" + gsub => [ "[zeek][smb_files][action]", "^SMB::", "" ] } } - } # if ([zeek_smb_cmd][referenced_file]) + } # if ([zeek][smb_cmd][referenced_file]) - } # if ([zeek_smb_cmd]) + } # if ([zeek][smb_cmd]) # this should now apply to either lines from smb_files.log or smb_cmd.referenced_file - if ([zeek_smb_files]) { + if ([zeek][smb_files]) { - if ([zeek_smb_files][name]) { mutate { id => "mutate_merge_zeek_smb_files_name_to_filename" - merge => { "[smb][filename]" => "[zeek_smb_files][name]" } } } - if ([zeek_smb_files][prev_name]) { mutate { id => "mutate_merge_zeek_smb_files_prev_name_to_filename" - merge => { "[smb][filename]" => "[zeek_smb_files][prev_name]" } } } + if ([zeek][smb_files][name]) { mutate { id => "mutate_merge_zeek_smb_files_name_to_filename" + merge => { "[smb][filename]" => "[zeek][smb_files][name]" } } } + if 
([zeek][smb_files][prev_name]) { mutate { id => "mutate_merge_zeek_smb_files_prev_name_to_filename" + merge => { "[smb][filename]" => "[zeek][smb_files][prev_name]" } } } if ([smb][filename]) { ruby { id => "ruby_zeek_smb_files_filename_uniq" @@ -4974,10 +5285,10 @@ filter { } } - if ([zeek_smb_files][path]) { + if ([zeek][smb_files][path]) { grok { id => "grok_zeek_smb_files_path" - match => { "[zeek_smb_files][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } + match => { "[zeek][smb_files][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } } if ([@metadata][smb_host]) { mutate { id => "mutate_merge_zeek_smb_files_host" @@ -4999,22 +5310,22 @@ filter { } } - } # if ([zeek_smb_files]) + } # if ([zeek][smb_files]) } else if ([log_source] == "smb_mapping") { ############################################################################################################################# # smb_mapping.log specific logic - if ([zeek_smb_mapping][path]) { + if ([zeek][smb_mapping][path]) { # todo: figure out how to replace \\ -> \ mutate { id => "mutate_merge_zeek_smb_mapping_share" - merge => { "[smb][share]" => "[zeek_smb_mapping][path]" } } + merge => { "[smb][share]" => "[zeek][smb_mapping][path]" } } } - if ([zeek_smb_mapping][path]) { + if ([zeek][smb_mapping][path]) { grok { id => "grok_zeek_smb_mapping_path" - match => { "[zeek_smb_mapping][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } + match => { "[zeek][smb_mapping][path]" => [ "^%{SPACE}[\\\/]+%{DATA:[@metadata][smb_host]}[\\\/]+%{DATA:[@metadata][smb_share]}(?:[\\\/]+%{GREEDYDATA:[@metadata][smb_path]})?$" ] } } if ([@metadata][smb_host]) { mutate { id => "mutate_merge_zeek_smb_mapping_host" 
@@ -5044,27 +5355,27 @@ filter { # smtp.log specific logic mutate { id => "mutate_split_zeek_smtp_rcptto" - split => { "[zeek_smtp][rcptto]" => "," } } + split => { "[zeek][smtp][rcptto]" => "," } } mutate { id => "mutate_split_zeek_smtp_to" - split => { "[zeek_smtp][to]" => "," } } + split => { "[zeek][smtp][to]" => "," } } mutate { id => "mutate_split_zeek_smtp_cc" - split => { "[zeek_smtp][cc]" => "," } } + split => { "[zeek][smtp][cc]" => "," } } mutate { id => "mutate_split_zeek_smtp_path" - split => { "[zeek_smtp][path]" => "," } } + split => { "[zeek][smtp][path]" => "," } } - if ([zeek_smtp][user_agent]) { + if ([zeek][smtp][user_agent]) { mutate { id => "mutate_merge_zeek_smtp_user_agent" - merge => { "[email][useragent]" => "[zeek_smtp][user_agent]" } } + merge => { "[email][useragent]" => "[zeek][smtp][user_agent]" } } mutate { id => "mutate_add_field_email_useragentCnt" add_field => { "[email][useragentCnt]" => "1" } } } - if ([zeek_smtp][from]) { mutate { id => "mutate_merge_zeek_smtp_from" - merge => { "[email][src]" => "[zeek_smtp][from]" } } } - if ([zeek_smtp][mailfrom]) { mutate { id => "mutate_merge_zeek_smtp_mailfrom" - merge => { "[email][src]" => "[zeek_smtp][mailfrom]" } } } - if ([zeek_smtp][reply_to]) { mutate { id => "mutate_merge_zeek_smtp_reply_to" - merge => { "[email][src]" => "[zeek_smtp][reply_to]" } } } + if ([zeek][smtp][from]) { mutate { id => "mutate_merge_zeek_smtp_from" + merge => { "[email][src]" => "[zeek][smtp][from]" } } } + if ([zeek][smtp][mailfrom]) { mutate { id => "mutate_merge_zeek_smtp_mailfrom" + merge => { "[email][src]" => "[zeek][smtp][mailfrom]" } } } + if ([zeek][smtp][reply_to]) { mutate { id => "mutate_merge_zeek_smtp_reply_to" + merge => { "[email][src]" => "[zeek][smtp][reply_to]" } } } if ([email][src]) { ruby { id => "ruby_zeek_email_src_uniq" 
@@ -5083,15 +5394,15 @@ filter { } } - if ([zeek_smtp][to]) { mutate { id => "mutate_merge_zeek_smtp_dst_from_to" - merge => { "[email][dst]" => "[zeek_smtp][to]" } } } - if ([zeek_smtp][cc]) { mutate { id => "mutate_merge_zeek_smtp_dst_from_cc" - merge => { "[email][dst]" => "[zeek_smtp][cc]" } } } - if ([zeek_smtp][rcptto]) { mutate { id => "mutate_merge_zeek_dst_from_rcptto" - merge => { "[email][dst]" => "[zeek_smtp][rcptto]" } } } - if ([zeek_smtp][helo]) { + if ([zeek][smtp][to]) { mutate { id => "mutate_merge_zeek_smtp_dst_from_to" + merge => { "[email][dst]" => "[zeek][smtp][to]" } } } + if ([zeek][smtp][cc]) { mutate { id => "mutate_merge_zeek_smtp_dst_from_cc" + merge => { "[email][dst]" => "[zeek][smtp][cc]" } } } + if ([zeek][smtp][rcptto]) { mutate { id => "mutate_merge_zeek_dst_from_rcptto" + merge => { "[email][dst]" => "[zeek][smtp][rcptto]" } } } + if ([zeek][smtp][helo]) { mutate { id => "mutate_merge_zeek_smtp_helo" - merge => { "[email][smtpHello]" => "[zeek_smtp][helo]" } } + merge => { "[email][smtpHello]" => "[zeek][smtp][helo]" } } mutate { id => "mutate_merge_add_field_zeek_smtp_helo_cnt" add_field => { "[email][smtpHelloCnt]" => "1" } } } 
@@ -5113,26 +5424,26 @@ filter { } } - if ([zeek_smtp][subject]) { + if ([zeek][smtp][subject]) { mutate { id => "mutate_merge_zeek_smtp_subject" - merge => { "[email][subject]" => "[zeek_smtp][subject]" } } + merge => { "[email][subject]" => "[zeek][smtp][subject]" } } mutate { id => "mutate_add_field_email_subjectCnt" add_field => { "[email][subjectCnt]" => "1" } } } - if ([zeek_smtp][msg_id]) { + if ([zeek][smtp][msg_id]) { mutate { id => "mutate_gsub_zeek_smtp_msg_id" - gsub => [ "[zeek_smtp][msg_id]", "(^<|>$)", "" ] } + gsub => [ "[zeek][smtp][msg_id]", "(^<|>$)", "" ] } mutate { id => "mutate_merge_zeek_smtp_msg_id" - merge => { "[email][id]" => "[zeek_smtp][msg_id]" } } + merge => { "[email][id]" => "[zeek][smtp][msg_id]" } } } - if ([zeek_smtp][in_reply_to]) { + if ([zeek][smtp][in_reply_to]) { mutate { id => "mutate_gsub_zeek_smtp_in_reply_to" - gsub => [ "[zeek_smtp][in_reply_to]", "(^<|>$)", "" ] } + gsub => [ "[zeek][smtp][in_reply_to]", "(^<|>$)", "" ] } mutate { id => "mutate_merge_zeek_smtp_in_reply_to" - merge => { "[email][id]" => "[zeek_smtp][in_reply_to]" } } + merge => { "[email][id]" => "[zeek][smtp][in_reply_to]" } } } - if ([zeek_smtp][id]) { + if ([email][id]) { ruby { id => "ruby_zeek_smtp_idCnt" path => "/usr/share/logstash/malcolm-ruby/add_count_field.rb" 
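Review bot: The switch from `if ([zeek_smtp][id])` to `if ([email][id])` around `ruby_zeek_smtp_idCnt` is a behavior change, not a field rename like the rest of the hunk, and nothing in the hunk says why; a one-line comment would keep it from being "corrected" back later: `# [email][id] was merged above from msg_id / in_reply_to; count its entries here`. The `if` block it guards continues past the end of the hunk, so the count call itself is not visible.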
@@ -5143,34 +5454,42 @@ filter { } } - if ([zeek_smtp][last_reply]) { + if ([zeek][smtp][last_reply]) { # will be mapped to a "result" later in normalization grok { id => "grok_zeek_zeek_smtp_last_reply" - match => { "[zeek_smtp][last_reply]" => [ "^%{SPACE}%{NUMBER:[zeek_smtp][last_reply_code]}" ] } + match => { "[zeek][smtp][last_reply]" => [ "^%{SPACE}%{NUMBER:[zeek][smtp][last_reply_code]}" ] } } } + } else if ([log_source] == "software") { + ############################################################################################################################# + # software.log specific logic + # ECS - zeek.software.url -> url.original/url.full + if ([zeek][software][url]) { mutate { id => "mutate_add_field_ecs_software_url" + add_field => { "[url][original]" => "%{[zeek][software][url]}" + "[url][full]" => "%{[zeek][software][url]}" } } } + } else if ([log_source] == "ssh") { ############################################################################################################################# # ssh.log specific logic - if ([zeek_ssh][server]) { mutate { id => "mutate_merge_zeek_ssh_server_version" - merge => { "[ssh][version]" => "[zeek_ssh][server]" } } } + if ([zeek][ssh][server]) { mutate { id => "mutate_merge_zeek_ssh_server_version" + merge => { "[ssh][version]" => "[zeek][ssh][server]" } } } - if ([zeek_ssh][client]) { mutate { id => "mutate_merge_zeek_client_version" - merge => { "[ssh][version]" => "[zeek_ssh][client]" } } } + if ([zeek][ssh][client]) { mutate { id => "mutate_merge_zeek_client_version" + merge => { "[ssh][version]" => "[zeek][ssh][client]" } } } - if (![ssh][version]) and ([zeek_ssh][version]) { mutate { id => "mutate_merge_zeek_ssh_version" - merge => { "[ssh][version]" => "[zeek_ssh][version]" } } } + if (![ssh][version]) and ([zeek][ssh][version]) { mutate { id => "mutate_merge_zeek_ssh_version" + merge => { "[ssh][version]" => "[zeek][ssh][version]" } } } if ([ssh][version]) { mutate { id => 
"mutate_add_field_ssh_versionCnt" add_field => { "[ssh][versionCnt]" => "1" } } } - if ([zeek_ssh][host_key] and [zeek_ssh][host_key_alg]) { + if ([zeek][ssh][host_key] and [zeek][ssh][host_key_alg]) { # this is stupid, the %{} doesn't seem to be liked by mutate.merge mutate { id => "mutate_add_field_zeek_ssh_host_key" - add_field => { "[@metadata][ssh_key_str]" => "%{[zeek_ssh][host_key_alg]} %{[zeek_ssh][host_key]}" } } + add_field => { "[@metadata][ssh_key_str]" => "%{[zeek][ssh][host_key_alg]} %{[zeek][ssh][host_key]}" } } mutate { id => "mutate_merge_zeek_ssh_key" merge => { "[ssh][key]" => "[@metadata][ssh_key_str]" } } mutate { id => "mutate_add_field_ssh_keyCnt" 
@@ -5179,31 +5498,31 @@ filter { # HASSH stuff (see https://github.com/salesforce/hassh/tree/master/bro) - if ([zeek_ssh][hassh]) { + if ([zeek][ssh][hassh]) { mutate { id => "mutate_merge_zeek_ssh_hassh" - merge => { "[ssh][hassh]" => "[zeek_ssh][hassh]" } } + merge => { "[ssh][hassh]" => "[zeek][ssh][hassh]" } } mutate { id => "mutate_add_field_zeek_ssh_hasshCnt" add_field => { "[ssh][hasshCnt]" => "1" } } } - if ([zeek_ssh][hasshServer]) { + if ([zeek][ssh][hasshServer]) { mutate { id => "mutate_merge_zeek_ssh_hasshServer" - merge => { "[ssh][hasshServer]" => "[zeek_ssh][hasshServer]" } } + merge => { "[ssh][hasshServer]" => "[zeek][ssh][hasshServer]" } } mutate { id => "mutate_add_field_zeek_ssh_hasshServerCnt" add_field => { "[ssh][hasshServerCnt]" => "1" } } } - if ([zeek_ssh][hasshAlgorithms]) { mutate { id => "mutate_split_zeek_ssh_hasshAlgorithms" - split => { "[zeek_ssh][hasshAlgorithms]" => "," } } } + if ([zeek][ssh][hasshAlgorithms]) { mutate { id => "mutate_split_zeek_ssh_hasshAlgorithms" + split => { "[zeek][ssh][hasshAlgorithms]" => "," } } } - if ([zeek_ssh][hasshServerAlgorithms]) { mutate { id => "mutate_split_zeek_ssh_hasshServerAlgorithms" - split => { "[zeek_ssh][hasshServerAlgorithms]" => "," } } } + if ([zeek][ssh][hasshServerAlgorithms]) { mutate { id => "mutate_split_zeek_ssh_hasshServerAlgorithms" + split => { "[zeek][ssh][hasshServerAlgorithms]" => "," } } } - if ([zeek_ssh][cshka]) { mutate { id => "mutate_split_zeek_ssh_cshka" - split => { "[zeek_ssh][cshka]" => "," } } } + if ([zeek][ssh][cshka]) { mutate { id => "mutate_split_zeek_ssh_cshka" + split => { "[zeek][ssh][cshka]" => "," } } } - if ([zeek_ssh][sshka]) { mutate { id => "mutate_split_zeek_ssh_sshka" - split => { "[zeek_ssh][sshka]" => "," } } } + if ([zeek][ssh][sshka]) { mutate { id => "mutate_split_zeek_ssh_sshka" + split => { "[zeek][ssh][sshka]" => "," } } } } else if ([log_source] == "ssl") { 
@@ -5216,157 +5535,255 @@ filter { # 3. split fields by comma into destination hashes # 4. urldecode any commas we might have had - if ([zeek_ssl][subject]) { + if ([zeek][ssl][subject]) { mutate { id => "mutate_gsub_zeek_ssl_subject" - gsub => [ "[zeek_ssl][subject]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][ssl][subject]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_ssl_subject" - rename => { "[zeek_ssl][subject]" => "[zeek_ssl][subject_full]" } } + rename => { "[zeek][ssl][subject]" => "[zeek][ssl][subject_full]" } } kv { id => "mutate_kv_zeek_ssl_subject" field_split => "," - source => "[zeek_ssl][subject_full]" - target => "[zeek_ssl][subject]" + source => "[zeek][ssl][subject_full]" + target => "[zeek][ssl][subject]" } urldecode { id => "mutate_urldecode_zeek_ssl_subject" - field => "[zeek_ssl][subject]" + field => "[zeek][ssl][subject]" } urldecode { id => "mutate_urldecode_zeek_ssl_subject_full" - field => "[zeek_ssl][subject_full]" + field => "[zeek][ssl][subject_full]" } } - if ([zeek_ssl][client_subject]) { + if ([zeek][ssl][client_subject]) { mutate { id => "mutate_gsub_zeek_ssl_client_subject" - gsub => [ "[zeek_ssl][client_subject]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][ssl][client_subject]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_ssl_client_subject" - rename => { "[zeek_ssl][client_subject]" => "[zeek_ssl][client_subject_full]" } } + rename => { "[zeek][ssl][client_subject]" => "[zeek][ssl][client_subject_full]" } } kv { id => "mutate_kv_zeek_ssl_client_subject" field_split => "," - source => "[zeek_ssl][client_subject_full]" - target => "[zeek_ssl][client_subject]" + source => "[zeek][ssl][client_subject_full]" + target => "[zeek][ssl][client_subject]" } urldecode { id => "mutate_urldecode_zeek_ssl_client_subject" - field => "[zeek_ssl][client_subject]" + field => "[zeek][ssl][client_subject]" } urldecode { id => "mutate_urldecode_zeek_ssl_client_subject_full" - field => "[zeek_ssl][client_subject_full]" + field => 
"[zeek][ssl][client_subject_full]" } } - if ([zeek_ssl][issuer]) { + if ([zeek][ssl][issuer]) { mutate { id => "mutate_gsub_zeek_ssl_issuer" - gsub => [ "[zeek_ssl][issuer]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][ssl][issuer]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_ssl_issuer" - rename => { "[zeek_ssl][issuer]" => "[zeek_ssl][issuer_full]" } } + rename => { "[zeek][ssl][issuer]" => "[zeek][ssl][issuer_full]" } } kv { id => "mutate_kv_zeek_ssl_issuer" field_split => "," - source => "[zeek_ssl][issuer_full]" - target => "[zeek_ssl][issuer]" + source => "[zeek][ssl][issuer_full]" + target => "[zeek][ssl][issuer]" } urldecode { id => "mutate_urldecode_zeek_ssl_issuer" - field => "[zeek_ssl][issuer]" + field => "[zeek][ssl][issuer]" } urldecode { id => "mutate_urldecode_zeek_ssl_issuer_full" - field => "[zeek_ssl][issuer_full]" + field => "[zeek][ssl][issuer_full]" } } - if ([zeek_ssl][client_issuer]) { + if ([zeek][ssl][client_issuer]) { mutate { id => "mutate_gsub_zeek_ssl_client_issuer" - gsub => [ "[zeek_ssl][client_issuer]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][ssl][client_issuer]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_ssl_client_issuer" - rename => { "[zeek_ssl][client_issuer]" => "[zeek_ssl][client_issuer_full]" } } + rename => { "[zeek][ssl][client_issuer]" => "[zeek][ssl][client_issuer_full]" } } kv { id => "mutate_kv_zeek_ssl_client_issuer" field_split => "," - source => "[zeek_ssl][client_issuer_full]" - target => "[zeek_ssl][client_issuer]" + source => "[zeek][ssl][client_issuer_full]" + target => "[zeek][ssl][client_issuer]" } urldecode { id => "mutate_urldecode_zeek_ssl_client_issuer" - field => "[zeek_ssl][client_issuer]" + field => "[zeek][ssl][client_issuer]" } urldecode { id => "mutate_urldecode_zeek_ssl_client_issuer_full" - field => "[zeek_ssl][client_issuer_full]" + field => "[zeek][ssl][client_issuer_full]" } } - if ([zeek_ssl][ssl_version]) { - mutate { id => "mutate_merge_zeek_ssl_version" - merge => { 
"[tls][version]" => "[zeek_ssl][ssl_version]" } } - mutate { id => "mutate_add_field_ssl_versionCnt" - add_field => { "[tls][versionCnt]" => "1" } } - } - - if ([zeek_ssl][cipher]) { + if ([zeek][ssl][cipher]) { + # ECS - zeek.ssl.cipher -> tls.cipher mutate { id => "mutate_merge_zeek_ssl_cipher" - merge => { "[tls][cipher]" => "[zeek_ssl][cipher]" } } + merge => { "[tls][cipher]" => "[zeek][ssl][cipher]" } } mutate { id => "mutate_add_field_ssl_cipherCnt" add_field => { "[tls][cipherCnt]" => "1" } } } - if ([zeek_ssl][ja3]) { + if ([zeek][ssl][ja3]) { mutate { id => "mutate_merge_zeek_ssl_ja3" - merge => { "[tls][ja3]" => "[zeek_ssl][ja3]" } } + merge => { "[tls][ja3]" => "[zeek][ssl][ja3]" } } mutate { id => "mutate_add_field_zeek_ssl_ja3Cnt" add_field => { "[tls][ja3Cnt]" => "1" } } } - if ([zeek_ssl][ja3s]) { + if ([zeek][ssl][ja3s]) { mutate { id => "mutate_merge_zeek_ssl_ja3s" - merge => { "[tls][ja3s]" => "[zeek_ssl][ja3s]" } } + merge => { "[tls][ja3s]" => "[zeek][ssl][ja3s]" } } mutate { id => "mutate_add_field_zeek_ssl_ja3sCnt" add_field => { "[tls][ja3sCnt]" => "1" } } } - if ([zeek_ssl][cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_cert_chain_fuids" - split => { "[zeek_ssl][cert_chain_fuids]" => "," } } } + if ([zeek][ssl][cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_cert_chain_fuids" + split => { "[zeek][ssl][cert_chain_fuids]" => "," } } } - if ([zeek_ssl][client_cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_client_cert_chain_fuids" - split => { "[zeek_ssl][client_cert_chain_fuids]" => "," } } } + if ([zeek][ssl][client_cert_chain_fuids]) { mutate { id => "mutate_split_zeek_ssl_client_cert_chain_fuids" + split => { "[zeek][ssl][client_cert_chain_fuids]" => "," } } } - if ([zeek_ssl][cert_chain_fps]) { + if ([zeek][ssl][cert_chain_fps]) { mutate { id => "mutate_split_zeek_ssl_cert_chain_fps" - split => { "[zeek_ssl][cert_chain_fps]" => "," } } + split => { "[zeek][ssl][cert_chain_fps]" => "," } } # store 
certificate chain fingerprints in zeek_x509.fingerprint as well for cross-reference with x509.log mutate { id => "mutate_merge_zeek_ssl_cert_chain_fps" - merge => { "[zeek_x509][fingerprint]" => "[zeek_ssl][cert_chain_fps]" } } + merge => { "[zeek][x509][fingerprint]" => "[zeek][ssl][cert_chain_fps]" } } + # TODO: zeek.ssl.*cert_chain_fps to: + # https://www.elastic.co/guide/en/ecs/current/ecs-tls.html#field-tls-client-hash-md5 (or sha1, sha256, etc.) + # https://www.elastic.co/guide/en/ecs/current/ecs-tls.html#field-tls-server-hash-md5 (or sha1, sha256, etc.) } - if ([zeek_ssl][client_cert_chain_fps]) { + if ([zeek][ssl][client_cert_chain_fps]) { mutate { id => "mutate_split_zeek_ssl_client_cert_chain_fps" - split => { "[zeek_ssl][client_cert_chain_fps]" => "," } } + split => { "[zeek][ssl][client_cert_chain_fps]" => "," } } # store certificate chain fingerprints in zeek_x509.fingerprint as well for cross-reference with x509.log mutate { id => "mutate_merge_zeek_ssl_client_cert_chain_fps" - merge => { "[zeek_x509][fingerprint]" => "[zeek_ssl][client_cert_chain_fps]" } } + merge => { "[zeek][x509][fingerprint]" => "[zeek][ssl][client_cert_chain_fps]" } } + } + + # ECS - zeek.ssl.ssl_version -> tls.version and tls.version_protocol + if ([zeek][ssl][ssl_version]) { + # turn TLSv10, TLSv13, TSLv12, etc. to 'tls' and '1.2', etc. + ruby { + id => "ruby_ecs_ssl_version_parse" + code => " + verMatch = event.get('[zeek][ssl][ssl_version]').tr('.', '').match(/(.+)\s*[v-]\s*([\d\.]+)/i) + verParts = verMatch.nil? ? nil : verMatch.captures + unless verParts.nil? 
+ event.set('[tls][version_protocol]', verParts[0].downcase) + event.set('[tls][version]', verParts[1].split(//).join('.')) + end + " + } + mutate { id => "mutate_add_field_ssl_versionCnt" + add_field => { "[tls][versionCnt]" => "1" } } + } + + # ECS - zeek.ssl.established -> tls.established + if ([zeek][ssl][established]) { mutate { id => "mutate_add_field_ecs_zeek_tls_established" + add_field => { "[tls][established]" => "%{[zeek][ssl][established]}" } } } + + # ECS - zeek.ssl.resumed -> tls.resumed + if ([zeek][ssl][resumed]) { mutate { id => "mutate_add_field_ecs_zeek_tls_resumed" + add_field => { "[tls][resumed]" => "%{[zeek][ssl][resumed]}" } } } + + # ECS - zeek.ssl.next_protocol -> tls.next_protocol + if ([zeek][ssl][next_protocol]) { + mutate { id => "mutate_add_field_ecs_zeek_tls_next_protocol" + add_field => { "[tls][next_protocol]" => "%{[zeek][ssl][next_protocol]}" } } + mutate { id => "mutate_lowercase_field_ecs_zeek_tls_next_protocol" + lowercase => [ "[tls][next_protocol]" ] } + } + + # ECS - zeek.ssl.curve -> tls.curve + if ([zeek][ssl][curve]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_curve" + add_field => { "[tls][curve]" => "%{[zeek][ssl][curve]}" } } } + + # ECS - zeek.ssl.ja3 -> tls.client.ja3 + if ([zeek][ssl][ja3]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_ja3" + add_field => { "[tls][client][ja3]" => "%{[zeek][ssl][ja3]}" } } } + + # ECS - zeek.ssl.client_issuer_full -> tls.client.issuer + if ([zeek][ssl][client_issuer_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_issuer_full" + add_field => { "[tls][client][issuer]" => "%{[zeek][ssl][client_issuer_full]}" } } } + + # ECS - zeek.ssl.client_subject_full -> tls.client.subject + if ([zeek][ssl][client_subject_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_subject_full" + add_field => { "[tls][client][subject]" => "%{[zeek][ssl][client_subject_full]}" } } } + + # ECS - zeek.ssl.server_name -> tls.client.server_name and server.domain + if 
([zeek][ssl][server_name]) { + mutate { id => "mutate_add_field_ecs_zeek_tls_client_server_name" + add_field => { "[tls][client][server_name]" => "%{[zeek][ssl][server_name]}" } } + mutate { id => "mutate_add_field_ecs_zeek_tls_client_server_name_destination_domain" + add_field => { "[server][domain]" => "%{[zeek][ssl][server_name]}" } } } + # ECS - zeek.ssl.issuer_full -> tls.server.issuer + if ([zeek][ssl][issuer_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_issuer_full" + add_field => { "[tls][server][issuer]" => "%{[zeek][ssl][issuer_full]}" } } } + + # ECS - zeek.ssl.ja3s -> tls.server.ja3s + if ([zeek][ssl][ja3s]) { mutate { id => "mutate_add_field_ecs_zeek_tls_server_ja3s" + add_field => { "[tls][server][ja3s]" => "%{[zeek][ssl][ja3s]}" } } } + + # ECS - zeek.ssl.subject_full -> tls.server.subject + if ([zeek][ssl][subject_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_subject_full" + add_field => { "[tls][server][subject]" => "%{[zeek][ssl][subject_full]}" } } } + + } else if ([log_source] == "stun_nat") { + ############################################################################################################################# + # stun_nat.log specific logic + + # ECS - zeek.stun_nat.wan_addr -> source.nat.ip + if ([zeek][stun_nat][wan_addr]) { mutate { id => "mutate_add_field_ecs_zeek_stun_nat_wan_addr" + add_field => { "[source][nat][ip]" => "%{[zeek][stun_nat][wan_addr]}" } } } + + # ECS - zeek.stun_nat.wan_port -> source.nat.port + if ([zeek][stun_nat][wan_port]) { mutate { id => "mutate_add_field_ecs_zeek_stun_nat_wan_port" + add_field => { "[source][nat][port]" => "%{[zeek][stun_nat][wan_port]}" } } } + } else if ([log_source] == "tds_rpc") { ############################################################################################################################# # tds_rpc.log specific logic - if ([zeek_tds_rpc][parameter]) { + if ([zeek][tds_rpc][parameter]) { ruby { id => "ruby_zeek_tds_rpc_parse_parameter" code => " - 
parameterHash = event.get('[zeek_tds_rpc][parameter]').split(',').each_with_object({}) do |a, hash| + parameterHash = event.get('[zeek][tds_rpc][parameter]').split(',').each_with_object({}) do |a, hash| key,value = a.split(/\s*=\s*/) hash[key.delete_prefix('@')] = value end - event.set('[zeek_tds_rpc][parameters]', parameterHash)" + event.set('[zeek][tds_rpc][parameters]', parameterHash)" } mutate { id => "mutate_split_field_tds_rpc_parameter" - split => { "[zeek_tds_rpc][parameter]" => "," } } + split => { "[zeek][tds_rpc][parameter]" => "," } } + } + + } else if ([log_source] == "weird") { + ############################################################################################################################# + # weird.log specific logic + + if ([zeek][weird][name]) { + # ECS - "Zeek" -> rule.author + mutate { id => "mutate_add_field_ecs_rule_author_zeek_weird" + add_field => { "[rule][author]" => "Zeek" } } + # ECS - "Zeek Weird Logs" -> rule.ruleset + mutate { id => "mutate_add_field_ecs_rule_ruleset_zeek_weird" + add_field => { "[rule][ruleset]" => "Zeek Weird Logs" } } + # ECS - zeek weird URL -> rule.reference + mutate { id => "mutate_add_field_ecs_rule_reference_zeek_weird" + add_field => { "[rule][reference]" => "https://docs.zeek.org/en/current/scripts/base/frameworks/notice/weird.zeek.html" } } + # ECS - zeek.weird.name -> rule.name + mutate { id => "mutate_add_field_ecs_rule_name_weird_name" + add_field => { "[rule][name]" => "%{[zeek][weird][name]}" } } } } else if ([log_source] == "x509") { 
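Review bot: In the new `ruby_ecs_ssl_version_parse` block, `mutate_add_field_ssl_versionCnt` still writes `[tls][versionCnt]` = "1" whenever `[zeek][ssl][ssl_version]` is present, but `[tls][version]` is now only set when the regex matches, so an unparsable value (which the removed `mutate_merge_zeek_ssl_version` used to copy verbatim) yields a count with no version field. Guarding the count on the parsed result keeps the pair consistent: `if ([tls][version]) { mutate { id => "mutate_add_field_ssl_versionCnt" add_field => { "[tls][versionCnt]" => "1" } } }`. The Ruby code also calls `.tr` directly on the raw field, so a non-string value would raise inside the filter and presumably leave the event tagged `_rubyexception` rather than simply skipping the parse; `event.get('[zeek][ssl][ssl_version]').to_s.tr(...)` makes that tolerant. Since `[tls][version]` changes from Zeek's raw form (e.g. `TLSv12`) to `1.2` with the protocol moved to `[tls][version_protocol]`, a comment noting the format change would help anyone whose saved searches may key on the old value. The enclosing filter block starts and ends outside the hunk.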
@@ -5379,70 +5796,70 @@ filter { # 3. split fields by comma into destination hashes # 4. urldecode any commas we might have had - if ([zeek_x509][certificate_subject]) { + if ([zeek][x509][certificate_subject]) { mutate { id => "mutate_gsub_zeek_x509_certificate_subject" - gsub => [ "[zeek_x509][certificate_subject]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][x509][certificate_subject]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_x509_certificate_subject" - rename => { "[zeek_x509][certificate_subject]" => "[zeek_x509][certificate_subject_full]" } } + rename => { "[zeek][x509][certificate_subject]" => "[zeek][x509][certificate_subject_full]" } } kv { id => "mutate_kv_zeek_x509_certificate_subject" field_split => "," - source => "[zeek_x509][certificate_subject_full]" - target => "[zeek_x509][certificate_subject]" + source => "[zeek][x509][certificate_subject_full]" + target => "[zeek][x509][certificate_subject]" } urldecode { id => "mutate_urldecode_zeek_x509_certificate_subject" - field => "[zeek_x509][certificate_subject]" + field => "[zeek][x509][certificate_subject]" } urldecode { id => "mutate_urldecode_zeek_x509_certificate_subject_full" - field => "[zeek_x509][certificate_subject_full]" + field => "[zeek][x509][certificate_subject_full]" } - if ([zeek_x509][certificate_subject][CN]) { + if ([zeek][x509][certificate_subject][CN]) { mutate { id => "mutate_merge_zeek_x509_certificate_subject_CN" - merge => { "[@metadata][cert][subjectCN]" => "[zeek_x509][certificate_subject][CN]" } } + merge => { "[@metadata][cert][subjectCN]" => "[zeek][x509][certificate_subject][CN]" } } } - if ([zeek_x509][certificate_subject][O]) { + if ([zeek][x509][certificate_subject][O]) { mutate { id => "mutate_add_zeek_x509_certificate_subject_O" - add_field => { "[@metadata][cert][subjectON]" => "%{[zeek_x509][certificate_subject][O]}" } } + add_field => { "[@metadata][cert][subjectON]" => "%{[zeek][x509][certificate_subject][O]}" } } } } - if 
([zeek_x509][certificate_issuer]) { + if ([zeek][x509][certificate_issuer]) { mutate { id => "mutate_gsub_zeek_x509_certificate_issuer" - gsub => [ "[zeek_x509][certificate_issuer]", "\\\\,", "%2C" ] } + gsub => [ "[zeek][x509][certificate_issuer]", "\\\\,", "%2C" ] } mutate { id => "mutate_rename_zeek_x509_certificate_issuer" - rename => { "[zeek_x509][certificate_issuer]" => "[zeek_x509][certificate_issuer_full]" } } + rename => { "[zeek][x509][certificate_issuer]" => "[zeek][x509][certificate_issuer_full]" } } kv { id => "mutate_kv_zeek_x509_certificate_issuer" field_split => "," - source => "[zeek_x509][certificate_issuer_full]" - target => "[zeek_x509][certificate_issuer]" + source => "[zeek][x509][certificate_issuer_full]" + target => "[zeek][x509][certificate_issuer]" } urldecode { id => "mutate_urldecode_zeek_x509_certificate_issuer" - field => "[zeek_x509][certificate_issuer]" + field => "[zeek][x509][certificate_issuer]" } urldecode { id => "mutate_urldecode_zeek_x509_certificate_issuer_full" - field => "[zeek_x509][certificate_issuer_full]" + field => "[zeek][x509][certificate_issuer_full]" } - if ([zeek_x509][certificate_issuer][CN]) { + if ([zeek][x509][certificate_issuer][CN]) { mutate { id => "mutate_merge_zeek_x509_certificate_issuer_CN" - merge => { "[@metadata][cert][issuerCN]" => "[zeek_x509][certificate_issuer][CN]" } } + merge => { "[@metadata][cert][issuerCN]" => "[zeek][x509][certificate_issuer][CN]" } } } - if ([zeek_x509][certificate_issuer][O]) { + if ([zeek][x509][certificate_issuer][O]) { mutate { id => "mutate_add_zeek_x509_certificate_issuer_O" - add_field => { "[@metadata][cert][issuerON]" => "%{[zeek_x509][certificate_issuer][O]}" } } + add_field => { "[@metadata][cert][issuerON]" => "%{[zeek][x509][certificate_issuer][O]}" } } } } - if ([zeek_x509][certificate_not_valid_before]) and ([zeek_x509][certificate_not_valid_after]) { + if ([zeek][x509][certificate_not_valid_before]) and ([zeek][x509][certificate_not_valid_after]) { ruby { 
id => "ruby_zeek_x509_valid_range" - code => "event.set('[@metadata][cert][notBefore]', (1000*event.get('[zeek_x509][certificate_not_valid_before]').to_f).round(0)) - event.set('[@metadata][cert][notAfter]', (1000*event.get('[zeek_x509][certificate_not_valid_after]').to_f).round(0)) - event.set('[@metadata][cert][validDays]', ((event.get('[zeek_x509][certificate_not_valid_after]').to_f - event.get('[zeek_x509][certificate_not_valid_before]').to_f)/(24.0*60.0*60.0)).round(0))" + code => "event.set('[@metadata][cert][notBefore]', (1000*event.get('[zeek][x509][certificate_not_valid_before]').to_f).round(0)) + event.set('[@metadata][cert][notAfter]', (1000*event.get('[zeek][x509][certificate_not_valid_after]').to_f).round(0)) + event.set('[@metadata][cert][validDays]', ((event.get('[zeek][x509][certificate_not_valid_after]').to_f - event.get('[zeek][x509][certificate_not_valid_before]').to_f)/(24.0*60.0*60.0)).round(0))" } mutate { id => "mutate_convert_zeek_x509_time_range" @@ -5454,14 +5871,14 @@ filter { } } - if ([zeek_x509][certificate_serial]) { + if ([zeek][x509][certificate_serial]) { # todo: serial not showing up right... # ruby { # id => "ruby_zeek_x509_serial" # code => "event.set('[@metadata][cert][serial]', event.get('[certificate_serial]').unpack('C*').map {|e| e.to_s 16}.join(':'))" # } mutate { id => "mutate_add_field_zeek_x509_serial" - add_field => { "[@metadata][cert][serial]" => "%{[zeek_x509][certificate_serial]}" } } + add_field => { "[@metadata][cert][serial]" => "%{[zeek][x509][certificate_serial]}" } } } if ([@metadata][cert]) { 
@@ -5474,26 +5891,86 @@ filter { } } - if ([zeek_x509][san_ip]) { mutate { id => "mutate_split_zeek_x509_san_ip" - split => { "[zeek_x509][san_ip]" => "," } } } + if ([zeek][x509][san_ip]) { mutate { id => "mutate_split_zeek_x509_san_ip" + split => { "[zeek][x509][san_ip]" => "," } } } + + if ([zeek][x509][fingerprint]) { mutate { id => "mutate_split_zeek_x509_fingerprint" + split => { "[zeek][x509][fingerprint]" => "," } } } - if ([zeek_x509][fingerprint]) { mutate { id => "mutate_split_zeek_x509_fingerprint" - split => { "[zeek_x509][fingerprint]" => "," } } } + # TODO: ECS TLS/X509 nestings? + # - https://www.elastic.co/guide/en/ecs/current/ecs-tls.html#ecs-tls-nestings + # - https://www.elastic.co/guide/en/ecs/current/ecs-x509.html#_field_reuse_27 } # end if/else if/else for specific log type logic ####################################################################################################### - # rename log_source (eg., conn, ssh, etc.) to zeek.logType + # ECS - "zeek" -> event.provider + if (![event][provider]) { mutate { id => "mutate_add_field_event_provider_zeek" + add_field => { "[event][provider]" => "zeek" } } } + + # rename log_source (eg., conn, ssh, etc.) to event.dataset mutate { id => "mutate_rename_zeek_logType" - rename => { "[log_source]" => "[zeek][logType]" } } + rename => { "[log_source]" => "[event][dataset]" } } # kind of a unique case, smb_cmd can also be smb_files - if ([zeek][logType] == "smb_cmd") and ([zeek_smb_files]) { - # seriously I do not get how merge works, why can't I just merge the string literal? - mutate { id => "mutate_add_field_zeek_tmp_logtype" - add_field => { "[@metadata][tmpLogType]" => "smb_files" } } - mutate { id => "mutate_merge_zeek_smb_cmd_and_smb_files_logType" - merge => { "[zeek][logType]" => "[@metadata][tmpLogType]" } } + if ([zeek][smb_files]) { + + if ([event][dataset] == "smb_cmd") { + # seriously I do not get how merge works, why can't I just merge the string literal? 
+ mutate { id => "mutate_add_field_zeek_tmp_logtype" + add_field => { "[@metadata][tmpLogType]" => "smb_files" } } + mutate { id => "mutate_merge_zeek_smb_cmd_and_smb_files_logType" + merge => { "[event][dataset]" => "[@metadata][tmpLogType]" } } + } + + # ECS - zeek.smb_files.times_created -> file.created + # ECS - zeek.smb_files.times_accessed -> file.accessed + # ECS - zeek.smb_files.times_changed -> file.ctime + # ECS - zeek.smb_files.times_modified -> file.mtime + # ECS - zeek.smb_files.size -> file.size + # ECS - zeek.smb_files.name -> file.name + if ([zeek][smb_files][times_created]) { mutate { id => "mutate_add_field_ecs_smb_created" + add_field => { "[file][created]" => "%{[zeek][smb_files][times_created]}" } } } + + if ([zeek][smb_files][times_accessed]) { mutate { id => "mutate_add_field_ecs_smb_accessed" + add_field => { "[file][accessed]" => "%{[zeek][smb_files][times_accessed]}" } } } + + if ([zeek][smb_files][times_changed]) { mutate { id => "mutate_add_field_ecs_smb_changed" + add_field => { "[file][ctime]" => "%{[zeek][smb_files][times_changed]}" } } } + + if ([zeek][smb_files][times_modified]) { mutate { id => "mutate_add_field_ecs_smb_modified" + add_field => { "[file][mtime]" => "%{[zeek][smb_files][times_modified]}" } } } + + if ([zeek][smb_files][size]) { mutate { id => "mutate_add_field_ecs_smb_size" + add_field => { "[file][size]" => "%{[zeek][smb_files][size]}" } } } + if (![file][name]) and ([zeek][smb_files][name]) { + mutate { id => "mutate_add_field_ecs_file_smb_files_name" + add_field => { "[file][name]" => "%{[zeek][smb_files][name]}" } } + } + } # end if ([zeek][smb_files]) + # ECS - zeek.smb_files.path and zeek_smb_mapping.path -> file.directory + if ([@metadata][smb_path]) { + if (![file][type]) { mutate { id => "mutate_add_field_ecs_file_type_smb_path" + add_field => { "[file][type]" => "file" } } } + mutate { id => "mutate_add_field_ecs_file_directory_from_smb" + add_field => { "[file][directory]" => "%{[@metadata][smb_path]}" } 
} + } + + # ECS - event.kind based on event.dataset (https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-kind.html) + if ([zeek][notice]) or ([zeek][signatures]) or ([zeek][weird]) { + mutate { id => "mutate_add_field_ecs_event_kind_alert" + add_field => { "[event][kind]" => "alert" } } + } else { + mutate { id => "mutate_add_field_ecs_event_kind_event" + add_field => { "[event][kind]" => "event" } } + } + + # ECS - event.category based on event.dataset (https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html) + translate { + id => "translate_zeek_ecs_event_category" + field => "[event][dataset]" + destination => "[event][category]" + dictionary_path => "/etc/zeek_log_ecs_categories.yaml" } # get counts for some arrays that each log type may contribute to individually diff --git a/logstash/pipelines/zeek/12_zeek_normalize.conf b/logstash/pipelines/zeek/12_zeek_normalize.conf index ab1673012..273ffbd21 100644 --- a/logstash/pipelines/zeek/12_zeek_normalize.conf +++ b/logstash/pipelines/zeek/12_zeek_normalize.conf 
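Review bot: `mutate_merge_zeek_smb_cmd_and_smb_files_logType` turns `[event][dataset]` into a two-element array for smb_cmd entries that also carry smb_files data, and `translate_zeek_ecs_event_category` at the end of this hunk then reads that same field; unless the installed translate plugin is told to walk arrays (`iterate_on => "[event][dataset]"`, available in newer plugin versions), those events will most likely get no `event.category`, and ECS defines `event.dataset` as a single keyword in any case. The `add_field` sprintf copies into `file.size`, `file.created`, `file.accessed`, `file.ctime` and `file.mtime` also write string values, so either the index template must coerce them (long/date) or a later `mutate { convert => ... }`/`date` step is needed — the template is not visible here, so please confirm. At minimum a comment on the translate block such as `# NOTE: event.dataset may be an array (smb_cmd + smb_files); translate needs iterate_on for that case` would make the coupling explicit.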
@@ -1,318 +1,305 @@ filter { # Protocol/service version ########################################################################################## - # collect protocol version under the parent zeek.service_version array + # collect protocol version under the parent network.protocol_version array - if ([zeek_gquic][version]) { mutate { id => "mutate_merge_normalize_zeek_gquic_version" - merge => { "[zeek][service_version]" => "[zeek_gquic][version]" } } } + if ([zeek][gquic][version]) { mutate { id => "mutate_merge_normalize_zeek_gquic_version" + merge => { "[network][protocol_version]" => "[zeek][gquic][version]" } } } - if ([zeek_http][version]) { mutate { id => "mutate_merge_normalize_zeek_http_version" - merge => { "[zeek][service_version]" => "[zeek_http][version]" } } } + if ([zeek][http][version]) { mutate { id => "mutate_merge_normalize_zeek_http_version" + merge => { "[network][protocol_version]" => "[zeek][http][version]" } } } - if ([zeek_ipsec]) { + if ([zeek][ipsec]) { ruby { - id => "ruby_zeek_field_zeek_service_version_ipsec" + id => "ruby_zeek_field_network_protocol_version_ipsec" code => " versions = Array.new - versions << [event.get('[zeek_ipsec][maj_ver]'), - event.get('[zeek_ipsec][min_ver]')].compact.join('.') - event.set('[zeek][service_version]', versions)" + versions << [event.get('[zeek][ipsec][maj_ver]'), + event.get('[zeek][ipsec][min_ver]')].compact.join('.') + event.set('[network][protocol_version]', versions)" } } - if ([zeek_ldap][version]) { mutate { id => "mutate_merge_normalize_zeek_ldap_version" - merge => { "[zeek][service_version]" => "[zeek_ldap][version]" } } } + if ([zeek][ldap][version]) { mutate { id => "mutate_merge_normalize_zeek_ldap_version" + merge => { "[network][protocol_version]" => "[zeek][ldap][version]" } } } - if ([zeek_ntp][version]) { mutate { id => "mutate_merge_normalize_zeek_ntp_version" - merge => { "[zeek][service_version]" => "[zeek_ntp][version]" } } } + if ([zeek][ntp][version]) { mutate { id => 
"mutate_merge_normalize_zeek_ntp_version" + merge => { "[network][protocol_version]" => "[zeek][ntp][version]" } } } - if ([zeek_profinet][block_version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_block_version" - merge => { "[zeek][service_version]" => "[zeek_profinet][block_version]" } } } + if ([zeek][profinet][block_version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_block_version" + merge => { "[network][protocol_version]" => "[zeek][profinet][block_version]" } } } - if ([zeek_profinet_dce_rpc][version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_version" - merge => { "[zeek][service_version]" => "[zeek_profinet_dce_rpc][version]" } } } + if ([zeek][profinet_dce_rpc][version]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_version" + merge => { "[network][protocol_version]" => "[zeek][profinet_dce_rpc][version]" } } } - if ([zeek_rfb]) { + if ([zeek][rfb]) { ruby { - id => "ruby_zeek_field_zeek_service_version_rfb" + id => "ruby_zeek_field_network_protocol_version_rfb" code => ' versions = Array.new - clientMajorVersion = event.get("[zeek_rfb][client_major_version]").sub!(/^0*/, "") - clientMinorVersion = event.get("[zeek_rfb][client_minor_version]").sub!(/^0*/, "") - serverMajorVersion = event.get("[zeek_rfb][server_major_version]").sub!(/^0*/, "") - serverMinorVersion = event.get("[zeek_rfb][server_minor_version]").sub!(/^0*/, "") + clientMajorVersion = event.get("[zeek][rfb][client_major_version]").sub!(/^0*/, "") + clientMinorVersion = event.get("[zeek][rfb][client_minor_version]").sub!(/^0*/, "") + serverMajorVersion = event.get("[zeek][rfb][server_major_version]").sub!(/^0*/, "") + serverMinorVersion = event.get("[zeek][rfb][server_minor_version]").sub!(/^0*/, "") if clientMajorVersion then versions << [clientMajorVersion, clientMinorVersion].join(".") end if serverMajorVersion then versions << [serverMajorVersion, serverMinorVersion].join(".") end - event.set("[zeek][service_version]", 
versions.uniq)' + event.set("[network][protocol_version]", versions.uniq)' } } - if ([zeek_rdp][client_build]) { mutate { id => "mutate_merge_normalize_zeek_rdp_client_build" - merge => { "[zeek][service_version]" => "[zeek_rdp][client_build]" } } } + if ([zeek][rdp][client_build]) { mutate { id => "mutate_merge_normalize_zeek_rdp_client_build" + merge => { "[network][protocol_version]" => "[zeek][rdp][client_build]" } } } - if ([zeek_smtp][version]) { mutate { id => "mutate_merge_normalize_zeek_smtp_version" - merge => { "[zeek][service_version]" => "[zeek_smtp][version]" } } } + if ([zeek][smb_cmd][version]) { mutate { id => "mutate_merge_normalize_zeek_smb_cmd_version" + merge => { "[network][protocol_version]" => "[zeek][smb_cmd][version]" } } } - if ([zeek_smb_cmd][version]) { mutate { id => "mutate_merge_normalize_zeek_smb_cmd_version" - merge => { "[zeek][service_version]" => "[zeek_smb_cmd][version]" } } } + if ([zeek][snmp][version]) { mutate { id => "mutate_merge_normalize_zeek_snmp_version" + merge => { "[network][protocol_version]" => "[zeek][snmp][version]" } } } - if ([zeek_snmp][version]) { mutate { id => "mutate_merge_normalize_zeek_snmp_version" - merge => { "[zeek][service_version]" => "[zeek_snmp][version]" } } } + if ([zeek][socks][version]) { mutate { id => "mutate_merge_normalize_zeek_socks_version" + merge => { "[network][protocol_version]" => "[zeek][socks][version]" } } } - if ([zeek_socks][version]) { mutate { id => "mutate_merge_normalize_zeek_socks_version" - merge => { "[zeek][service_version]" => "[zeek_socks][version]" } } } + if ([zeek][ssh][version]) { mutate { id => "mutate_merge_normalize_zeek_ssh_version" + merge => { "[network][protocol_version]" => "[zeek][ssh][version]" } } } - if ([zeek_ssh][version]) { mutate { id => "mutate_merge_normalize_zeek_ssh_version" - merge => { "[zeek][service_version]" => "[zeek_ssh][version]" } } } - - if ([zeek_ssl][ssl_version]) { mutate { id => "mutate_merge_normalize_zeek_ssl_ssl_version" - 
merge => { "[zeek][service_version]" => "[zeek_ssl][ssl_version]" } } } - - if ([zeek][service_version]) { - ruby { - id => "ruby_zeek_service_version_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[zeek][service_version]" - } - } - } + if ([zeek][ssl][ssl_version]) { mutate { id => "mutate_merge_normalize_zeek_ssl_ssl_version" + merge => { "[network][protocol_version]" => "[zeek][ssl][ssl_version]" } } } # Action ############################################################################################################ - # collect all actions/operations/commands under the parent [zeek][action] array + # collect all actions/operations/commands under the parent [event][action] array - if ([zeek_bacnet][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" - merge => { "[zeek][action]" => "[zeek_bacnet][pdu_service]" } } } + if ([zeek][bacnet][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_pdu_service" + merge => { "[event][action]" => "[zeek][bacnet][pdu_service]" } } } - if ([zeek_bacnet_discovery][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_discovery_pdu_service" - merge => { "[zeek][action]" => "[zeek_bacnet_discovery][pdu_service]" } } } + if ([zeek][bacnet_discovery][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_discovery_pdu_service" + merge => { "[event][action]" => "[zeek][bacnet_discovery][pdu_service]" } } } - if ([zeek_bacnet_property][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_property_pdu_service" - merge => { "[zeek][action]" => "[zeek_bacnet_property][pdu_service]" } } } + if ([zeek][bacnet_property][pdu_service]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_property_pdu_service" + merge => { "[event][action]" => "[zeek][bacnet_property][pdu_service]" } } } - if ([zeek_bsap_ip_rdb]) { + if ([zeek][bsap_ip_rdb]) { ruby { # action = 
zeek_bsap_ip_rdb.app_func_code:zeek_bsap_ip_rdb.func_code id => "ruby_zeek_bsap_ip_rdb_generate_action" code => " - actions = Array.new unless (actions = event.get('[zeek][action]')) - actions.append([event.get('[zeek_bsap_ip_rdb][app_func_code]'), - event.get('[zeek_bsap_ip_rdb][func_code]')].compact.join(':')) - event.set('[zeek][action]', actions)" + actions = Array.new unless (actions = event.get('[event][action]')) + actions.append([event.get('[zeek][bsap_ip_rdb][app_func_code]'), + event.get('[zeek][bsap_ip_rdb][func_code]')].compact.join(':')) + event.set('[event][action]', actions)" } } - if ([zeek_bsap_serial_header][sfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_header_sfun" - merge => { "[zeek][action]" => "[zeek_bsap_serial_header][sfun]" } } } + if ([zeek][bsap_serial_header][sfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_header_sfun" + merge => { "[event][action]" => "[zeek][bsap_serial_header][sfun]" } } } - if ([zeek_bsap_serial_header][dfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_header_dfun" - merge => { "[zeek][action]" => "[zeek_bsap_serial_header][dfun]" } } } + if ([zeek][bsap_serial_header][dfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_header_dfun" + merge => { "[event][action]" => "[zeek][bsap_serial_header][dfun]" } } } - if ([zeek_bsap_serial_rdb][func_code]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_func_code" - merge => { "[zeek][action]" => "[zeek_bsap_serial_rdb][func_code]" } } } + if ([zeek][bsap_serial_rdb][func_code]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_func_code" + merge => { "[event][action]" => "[zeek][bsap_serial_rdb][func_code]" } } } - if ([zeek_bsap_serial_rdb_ext][sfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_ext_sfun" - merge => { "[zeek][action]" => "[zeek_bsap_serial_rdb_ext][sfun]" } } } + if ([zeek][bsap_serial_rdb_ext][sfun]) { mutate { id => 
"mutate_merge_normalize_zeek_bsap_serial_rdb_ext_sfun" + merge => { "[event][action]" => "[zeek][bsap_serial_rdb_ext][sfun]" } } } - if ([zeek_bsap_serial_rdb_ext][dfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_ext_dfun" - merge => { "[zeek][action]" => "[zeek_bsap_serial_rdb_ext][dfun]" } } } + if ([zeek][bsap_serial_rdb_ext][dfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_ext_dfun" + merge => { "[event][action]" => "[zeek][bsap_serial_rdb_ext][dfun]" } } } - if ([zeek_bsap_serial_rdb_ext][extfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_ext_extfun" - merge => { "[zeek][action]" => "[zeek_bsap_serial_rdb_ext][extfun]" } } } + if ([zeek][bsap_serial_rdb_ext][extfun]) { mutate { id => "mutate_merge_normalize_zeek_bsap_serial_rdb_ext_extfun" + merge => { "[event][action]" => "[zeek][bsap_serial_rdb_ext][extfun]" } } } - if ([zeek_cip][cip_service]) { mutate { id => "mutate_merge_normalize_zeek_cip_cip_service" - merge => { "[zeek][action]" => "[zeek_cip][cip_service]" } } } + if ([zeek][cip][cip_service]) { mutate { id => "mutate_merge_normalize_zeek_cip_cip_service" + merge => { "[event][action]" => "[zeek][cip][cip_service]" } } } - if ([zeek_dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_dce_rpc_operation" - merge => { "[zeek][action]" => "[zeek_dce_rpc][operation]" } } } + if ([zeek][dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_dce_rpc_operation" + merge => { "[event][action]" => "[zeek][dce_rpc][operation]" } } } - if ([zeek_dhcp][msg_types]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_msg_types" - merge => { "[zeek][action]" => "[zeek_dhcp][msg_types]" } } } + if ([zeek][dhcp][msg_types]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_msg_types" + merge => { "[event][action]" => "[zeek][dhcp][msg_types]" } } } - if ([zeek_dnp3][fc_request]) { mutate { id => "mutate_merge_normalize_zeek_dnp3_fc_request" - merge => { "[zeek][action]" => 
"[zeek_dnp3][fc_request]" } } } + if ([zeek][dnp3][fc_request]) { mutate { id => "mutate_merge_normalize_zeek_dnp3_fc_request" + merge => { "[event][action]" => "[zeek][dnp3][fc_request]" } } } - if ([zeek_dnp3_control]) { + if ([zeek][dnp3_control]) { ruby { # action = function_code:operation_type:trip_control_code id => "ruby_zeek_dnp3_control_generate_action" code => " - actions = Array.new unless (actions = event.get('[zeek][action]')) - actions.append([event.get('[zeek_dnp3_control][function_code]'), - event.get('[zeek_dnp3_control][operation_type]'), - event.get('[zeek_dnp3_control][trip_control_code]')].compact.join(':')) - event.set('[zeek][action]', actions)" + actions = Array.new unless (actions = event.get('[event][action]')) + actions.append([event.get('[zeek][dnp3_control][function_code]'), + event.get('[zeek][dnp3_control][operation_type]'), + event.get('[zeek][dnp3_control][trip_control_code]')].compact.join(':')) + event.set('[event][action]', actions)" } } - if ([zeek_dnp3_read_objects][function_code]) { mutate { id => "mutate_merge_normalize_zeek_dnp3_read_objects" - merge => { "[zeek][action]" => "[zeek_dnp3_read_objects][function_code]" } } } + if ([zeek][dnp3_objects][function_code]) { mutate { id => "mutate_merge_normalize_zeek_dnp3_objects" + merge => { "[event][action]" => "[zeek][dnp3_objects][function_code]" } } } - if ([zeek_dns]) { + if ([zeek][dns]) { # action: query class and type - if ([zeek_dns][qclass_name]) and ([zeek_dns][qtype_name]) { + if ([zeek][dns][qclass_name]) and ([zeek][dns][qtype_name]) { mutate { id => "mutate_add_field_metadata_dns_class_and_type" - add_field => { "[@metadata][dns_action]" => "%{[zeek_dns][qclass_name]} %{[zeek_dns][qtype_name]}" } } - } else if ([zeek_dns][qclass_name]) { + add_field => { "[@metadata][dns_action]" => "%{[zeek][dns][qclass_name]} %{[zeek][dns][qtype_name]}" } } + } else if ([zeek][dns][qclass_name]) { mutate { id => "mutate_add_field_metadata_dns_class" - add_field => { 
"[@metadata][dns_action]" => "%{[zeek_dns][qclass_name]}" } } - } else if ([zeek_dns][qtype_name]) { + add_field => { "[@metadata][dns_action]" => "%{[zeek][dns][qclass_name]}" } } + } else if ([zeek][dns][qtype_name]) { mutate { id => "mutate_add_field_metadata_dns_type" - add_field => { "[@metadata][dns_action]" => "%{[zeek_dns][qtype_name]}" } } + add_field => { "[@metadata][dns_action]" => "%{[zeek][dns][qtype_name]}" } } } else { mutate { id => "mutate_add_field_metadata_dns_query" add_field => { "[@metadata][dns_action]" => "Query" } } } mutate { id => "mutate_merge_zeek_dns_action" - merge => { "[zeek][action]" => "[@metadata][dns_action]" } } + merge => { "[event][action]" => "[@metadata][dns_action]" } } } # TODO: convert zeek_ecat_foe_info.opcode and zeek_ecat_soe_info.opcode to operations # zeek EtherCAT commands/operations - if ([zeek_ecat_aoe_info][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_aoe_info_command" - merge => { "[zeek][action]" => "[zeek_ecat_aoe_info][command]" } } } - if ([zeek_ecat_foe_info][opcode]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_opcode" - merge => { "[zeek][action]" => "[zeek_ecat_foe_info][opcode]" } } } - if ([zeek_ecat_log_address][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_log_address" - merge => { "[zeek][action]" => "[zeek_ecat_log_address][command]" } } } - if ([zeek_ecat_registers][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_registers_command" - merge => { "[zeek][action]" => "[zeek_ecat_registers][command]" } } } - if ([zeek_ecat_soe_info][opcode]) { mutate { id => "mutate_merge_normalize_zeek_ecat_soe_info_opcode" - merge => { "[zeek][action]" => "[zeek_ecat_soe_info][opcode]" } } } - if ([zeek_ecat_arp_info][arp_type]) { mutate { id => "mutate_merge_normalize_zeek_ecat_arp_info_arp_type" - merge => { "[zeek][action]" => "[zeek_ecat_arp_info][arp_type]" } } } - - if ([zeek_enip][enip_command]) { mutate { id => 
"mutate_merge_normalize_zeek_enip_enip_command" - merge => { "[zeek][action]" => "[zeek_enip][enip_command]" } } } - - if ([zeek_ftp][command]) { mutate { id => "mutate_merge_normalize_zeek_ftp_command" - merge => { "[zeek][action]" => "[zeek_ftp][command]" } } } - - if ([zeek_http]) { - if ([zeek_http][method]) { + if ([zeek][ecat_aoe_info][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_aoe_info_command" + merge => { "[event][action]" => "[zeek][ecat_aoe_info][command]" } } } + if ([zeek][ecat_foe_info][opcode]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_opcode" + merge => { "[event][action]" => "[zeek][ecat_foe_info][opcode]" } } } + if ([zeek][ecat_log_address][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_log_address" + merge => { "[event][action]" => "[zeek][ecat_log_address][command]" } } } + if ([zeek][ecat_registers][command]) { mutate { id => "mutate_merge_normalize_zeek_ecat_registers_command" + merge => { "[event][action]" => "[zeek][ecat_registers][command]" } } } + if ([zeek][ecat_soe_info][opcode]) { mutate { id => "mutate_merge_normalize_zeek_ecat_soe_info_opcode" + merge => { "[event][action]" => "[zeek][ecat_soe_info][opcode]" } } } + if ([zeek][ecat_arp_info][arp_type]) { mutate { id => "mutate_merge_normalize_zeek_ecat_arp_info_arp_type" + merge => { "[event][action]" => "[zeek][ecat_arp_info][arp_type]" } } } + + if ([zeek][enip][enip_command]) { mutate { id => "mutate_merge_normalize_zeek_enip_enip_command" + merge => { "[event][action]" => "[zeek][enip][enip_command]" } } } + + if ([zeek][ftp][command]) { mutate { id => "mutate_merge_normalize_zeek_ftp_command" + merge => { "[event][action]" => "[zeek][ftp][command]" } } } + + if ([zeek][http]) { + if ([zeek][http][method]) { mutate { id => "mutate_merge_normalize_zeek_http_method" - merge => { "[zeek][action]" => "[zeek_http][method]" } } + merge => { "[event][action]" => "[zeek][http][method]" } } } else { mutate { id => 
"mutate_add_field_zeek_http_request_action" add_field => { "[@metadata][http_request_action]" => "Request" } } mutate { id => "mutate_merge_field_zeek_http_request_action" - merge => { "[zeek][action]" => "[@metadata][http_request_action]" } } + merge => { "[event][action]" => "[@metadata][http_request_action]" } } } } - if ([zeek_irc][command]) { mutate { id => "mutate_merge_normalize_zeek_irc_command" - merge => { "[zeek][action]" => "[zeek_irc][command]" } } } + if ([zeek][irc][command]) { mutate { id => "mutate_merge_normalize_zeek_irc_command" + merge => { "[event][action]" => "[zeek][irc][command]" } } } - if ([zeek_iso_cotp][pdu_type]) { mutate { id => "mutate_merge_normalize_zeek_iso_cotp_pdu_type" - merge => { "[zeek][action]" => "[zeek_iso_cotp][pdu_type]" } } } + if ([zeek][iso_cotp][pdu_type]) { mutate { id => "mutate_merge_normalize_zeek_iso_cotp_pdu_type" + merge => { "[event][action]" => "[zeek][iso_cotp][pdu_type]" } } } - if ([zeek_kerberos][request_type]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_request_type" - merge => { "[zeek][action]" => "[zeek_kerberos][request_type]" } } } + if ([zeek][kerberos][request_type]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_request_type" + merge => { "[event][action]" => "[zeek][kerberos][request_type]" } } } - if ([zeek_ldap][operation]) { mutate { id => "mutate_merge_normalize_zeek_ldap_operation" - merge => { "[zeek][action]" => "[zeek_ldap][operation]" } } } + if ([zeek][ldap][operation]) { mutate { id => "mutate_merge_normalize_zeek_ldap_operation" + merge => { "[event][action]" => "[zeek][ldap][operation]" } } } - if ([zeek_ldap_search]) { - if ([zeek_ldap_search][scope]) { + if ([zeek][ldap_search]) { + if ([zeek][ldap_search][scope]) { mutate { id => "mutate_add_field_zeek_ldap_search_scope_action" - add_field => { "[@metadata][zeek_ldap_search_action]" => "search %{[zeek_ldap_search][scope]}" } } + add_field => { "[@metadata][zeek_ldap_search_action]" => "search 
%{[zeek][ldap_search][scope]}" } } } else { mutate { id => "mutate_add_field_zeek_ldap_search_action" add_field => { "[@metadata][zeek_ldap_search_action]" => "search" } } } mutate { id => "mutate_merge_field_zeek_ldap_search_action" - merge => { "[zeek][action]" => "[@metadata][zeek_ldap_search_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_ldap_search_action]" } } } - if ([zeek_modbus][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_func" - merge => { "[zeek][action]" => "[zeek_modbus][func]" } } } + if ([zeek][modbus][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_func" + merge => { "[event][action]" => "[zeek][modbus][func]" } } } - if ([zeek_modbus_mask_write_register][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_mask_write_register_func" - merge => { "[zeek][action]" => "[zeek_modbus_mask_write_register][func]" } } } + if ([zeek][modbus_mask_write_register][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_mask_write_register_func" + merge => { "[event][action]" => "[zeek][modbus_mask_write_register][func]" } } } - if ([zeek_modbus_read_write_multiple_registers][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_read_write_multiple_registers" - merge => { "[zeek][action]" => "[zeek_modbus_read_write_multiple_registers][func]" } } } + if ([zeek][modbus_read_write_multiple_registers][func]) { mutate { id => "mutate_merge_normalize_zeek_modbus_read_write_multiple_registers" + merge => { "[event][action]" => "[zeek][modbus_read_write_multiple_registers][func]" } } } - if ([zeek_mqtt_connect][connect_status]) { + if ([zeek][mqtt_connect][connect_status]) { # this log entry implicitly means "connect" mutate { id => "mutate_add_field_zeek_mqtt_connect_action" add_field => { "[@metadata][zeek_mqtt_connect_action]" => "Connect" } } mutate { id => "mutate_merge_zeek_mqtt_connect_action" - merge => { "[zeek][action]" => "[@metadata][zeek_mqtt_connect_action]" } } + merge => { "[event][action]" 
=> "[@metadata][zeek_mqtt_connect_action]" } } } - if ([zeek_mqtt_publish]) { - if ([zeek_mqtt_publish][payload_dict][messageType]) { + if ([zeek][mqtt_publish]) { + if ([zeek][mqtt_publish][payload_dict][messageType]) { # not sure if this is a standard or just the PCAPs I found :/ mutate { id => "mutate_merge_normalize_zeek_mqtt_publish_payload_dict_messageType" - merge => { "[zeek][action]" => "[zeek_mqtt_publish][payload_dict][messageType]" } } + merge => { "[event][action]" => "[zeek][mqtt_publish][payload_dict][messageType]" } } } else { mutate { id => "mutate_add_field_zeek_mqtt_publish_action" add_field => { "[@metadata][zeek_mqtt_publish_action]" => "Publish" } } mutate { id => "mutate_merge_zeek_mqtt_publish_action" - merge => { "[zeek][action]" => "[@metadata][zeek_mqtt_publish_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_mqtt_publish_action]" } } } } - if ([zeek_mqtt_subscribe][action]) { mutate { id => "mutate_merge_normalize_zeek_mqtt_subscribe_action" - merge => { "[zeek][action]" => "[zeek_mqtt_subscribe][action]" } } } + if ([zeek][mqtt_subscribe][action]) { mutate { id => "mutate_merge_normalize_zeek_mqtt_subscribe_action" + merge => { "[event][action]" => "[zeek][mqtt_subscribe][action]" } } } - if ([zeek_mysql][cmd]) { mutate { id => "mutate_merge_normalize_zeek_mysql_cmd" - merge => { "[zeek][action]" => "[zeek_mysql][cmd]" } } } + if ([zeek][mysql][cmd]) { mutate { id => "mutate_merge_normalize_zeek_mysql_cmd" + merge => { "[event][action]" => "[zeek][mysql][cmd]" } } } - if ([zeek_ntlm][success]) { + if ([zeek][ntlm][success]) { # this log entry implicitly means a login attempt mutate { id => "mutate_add_field_zeek_ntlm_action" add_field => { "[@metadata][zeek_ntlm_action]" => "Authenticate" } } mutate { id => "mutate_merge_zeek_ntlm_action" - merge => { "[zeek][action]" => "[@metadata][zeek_ntlm_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_ntlm_action]" } } } - if ([zeek_ntp][mode_str]) { mutate { id => 
"mutate_merge_normalize_zeek_ntp_mode_str" - merge => { "[zeek][action]" => "[zeek_ntp][mode_str]" } } } + if ([zeek][ntp][mode_str]) { mutate { id => "mutate_merge_normalize_zeek_ntp_mode_str" + merge => { "[event][action]" => "[zeek][ntp][mode_str]" } } } - if ([zeek_profinet][operation_type]) { mutate { id => "mutate_merge_normalize_zeek_profinet_operation_type" - merge => { "[zeek][action]" => "[zeek_profinet][operation_type]" } } } + if ([zeek][profinet][operation_type]) { mutate { id => "mutate_merge_normalize_zeek_profinet_operation_type" + merge => { "[event][action]" => "[zeek][profinet][operation_type]" } } } - if ([zeek_profinet_dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_operation" - merge => { "[zeek][action]" => "[zeek_profinet_dce_rpc][operation]" } } } + if ([zeek][profinet_dce_rpc][operation]) { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_operation" + merge => { "[event][action]" => "[zeek][profinet_dce_rpc][operation]" } } } - if ([zeek_rfb][auth]) and ([zeek_rfb][authentication_method]) { + if ([zeek][rfb][auth]) and ([zeek][rfb][authentication_method]) { # if authentication was attempted, assign an "authenticate" action mutate { id => "mutate_add_field_zeek_rfb_auth_action" add_field => { "[@metadata][zeek_rfb_auth_action]" => "Authenticate" } } mutate { id => "mutate_merge_zeek_rfb_auth_action" - merge => { "[zeek][action]" => "[@metadata][zeek_rfb_auth_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_rfb_auth_action]" } } } - if ([zeek_s7comm]) { + if ([zeek][s7comm]) { ruby { # action = rosctr:mode:type:sub id => "ruby_zeek_s7comm_generate_action" code => " - actions = Array.new unless (actions = event.get('[zeek][action]')) - actions.append([event.get('[zeek_s7comm][rosctr]'), - event.get('[zeek_s7comm][parameters][mode]'), - event.get('[zeek_s7comm][parameters][type]'), - event.get('[zeek_s7comm][parameters][sub]')].compact.join(':')) - event.set('[zeek][action]', 
actions)" + actions = Array.new unless (actions = event.get('[event][action]')) + actions.append([event.get('[zeek][s7comm][rosctr]'), + event.get('[zeek][s7comm][parameters][mode]'), + event.get('[zeek][s7comm][parameters][type]'), + event.get('[zeek][s7comm][parameters][sub]')].compact.join(':')) + event.set('[event][action]', actions)" } } - if ([zeek_sip][method]) { mutate { id => "mutate_merge_normalize_zeek_sip_method" - merge => { "[zeek][action]" => "[zeek_sip][method]" } } } + if ([zeek][sip][method]) { mutate { id => "mutate_merge_normalize_zeek_sip_method" + merge => { "[event][action]" => "[zeek][sip][method]" } } } - if ([zeek_smtp]) { + if ([zeek][smtp]) { # action depends on varios smtp headers' presence - if ([zeek_smtp][last_reply]) { - if ([zeek_smtp][msg_id]) { + if ([zeek][smtp][last_reply]) { + if ([zeek][smtp][msg_id]) { mutate { id => "mutate_add_field_zeek_smtp_action_deliver" add_field => { "[@metadata][zeek_smtp_action]" => "Deliver message" } } - } else if ([zeek_smtp][mailfrom]) { + } else if ([zeek][smtp][mailfrom]) { mutate { id => "mutate_add_field_zeek_smtp_action_queue" add_field => { "[@metadata][zeek_smtp_action]" => "Queue message" } } } else { @@ -325,13 +312,13 @@ filter { } if ([@metadata][zeek_smtp_action]) { mutate { id => "mutate_merge_zeek_smtp_action" - merge => { "[zeek][action]" => "[@metadata][zeek_smtp_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_smtp_action]" } } } } - if ([zeek_socks]) { + if ([zeek][socks]) { # socks action is "Authenticate" or "Connect" based on user/password or not - if ([zeek_socks][user]) or ([zeek_socks][password]) { + if ([zeek][socks][user]) or ([zeek][socks][password]) { mutate { id => "mutate_add_field_zeek_socks_action_authenticate" add_field => { "[@metadata][zeek_socks_action]" => "Authenticate" } } } else { 
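Review bot: In `ruby_zeek_field_network_protocol_version_rfb` the four `event.get(...).sub!(/^0*/, "")` calls assume every rfb version field is present, but the enclosing guard only tests `[zeek][rfb]`; if any of the four fields is absent, `nil.sub!` raises, the event is tagged `_rubyexception` and `network.protocol_version` is never set. Going through `to_s` and skipping empty results avoids the exception without changing the output for well-formed values. Separately, the old `ruby_zeek_service_version_uniq` pass (make_unique_array.rb) was removed in this hunk without an equivalent for `[network][protocol_version]`, so duplicates merged from several protocol fields can now survive unless a later stage dedups — worth confirming or restoring.
```ruby
versions = Array.new
clientMajorVersion = event.get("[zeek][rfb][client_major_version]").to_s.sub(/^0*/, "")
clientMinorVersion = event.get("[zeek][rfb][client_minor_version]").to_s.sub(/^0*/, "")
serverMajorVersion = event.get("[zeek][rfb][server_major_version]").to_s.sub(/^0*/, "")
serverMinorVersion = event.get("[zeek][rfb][server_minor_version]").to_s.sub(/^0*/, "")
versions << [clientMajorVersion, clientMinorVersion].join(".") unless clientMajorVersion.empty?
versions << [serverMajorVersion, serverMinorVersion].join(".") unless serverMajorVersion.empty?
event.set("[network][protocol_version]", versions.uniq)
```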
@@ -340,60 +327,57 @@ filter { } if ([@metadata][zeek_socks_action]) { mutate { id => "mutate_merge_zeek_socks_action" - merge => { "[zeek][action]" => "[@metadata][zeek_socks_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_socks_action]" } } } } - if ([zeek_smb_cmd]) { + if ([zeek][smb_cmd]) { ruby { # action = command:sub_command id => "ruby_zeek_smb_cmd_generate_action" code => " - cmd = event.get('[zeek_smb_cmd][command]') - subCmd = event.get('[zeek_smb_cmd][sub_command]') - actions = Array.new unless (actions = event.get('[zeek][action]')) + cmd = event.get('[zeek][smb_cmd][command]') + subCmd = event.get('[zeek][smb_cmd][sub_command]') + actions = Array.new unless (actions = event.get('[event][action]')) actions.append((cmd =~ /^\s*transaction\d*\s*$/i) ? subCmd : [cmd, subCmd].compact.join(':')) - event.set('[zeek][action]', actions)" + event.set('[event][action]', actions)" } } - if ([zeek_smb_files][action]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_action" - merge => { "[zeek][action]" => "[zeek_smb_files][action]" } } } + if ([zeek][smb_files][action]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_action" + merge => { "[event][action]" => "[zeek][smb_files][action]" } } } - if ([zeek_smtp][method]) { mutate { id => "mutate_merge_normalize_zeek_smtp_method" - merge => { "[zeek][action]" => "[zeek_smtp][method]" } } } - - if ([zeek_snmp]) { + if ([zeek][snmp]) { # action based on > 0 values for variou get/set PDUs - if ([zeek_snmp][get_bulk_requests]) and ([zeek_snmp][get_bulk_requests] != "0") { + if ([zeek][snmp][get_bulk_requests]) and ([zeek][snmp][get_bulk_requests] != "0") { mutate { id => "mutate_add_field_zeek_snmp_get_bulk_requests_action" add_field => { "[@metadata][snmp_get_bulk_requests_action]" => "GetBulkRequest" } } mutate { id => "mutate_merge_zeek_snmp_action_get_bulk_requests" - merge => { "[zeek][action]" => "[@metadata][snmp_get_bulk_requests_action]" } } + merge => { "[event][action]" => 
"[@metadata][snmp_get_bulk_requests_action]" } } } - if ([zeek_snmp][get_requests]) and ([zeek_snmp][get_requests] != "0") { + if ([zeek][snmp][get_requests]) and ([zeek][snmp][get_requests] != "0") { mutate { id => "mutate_add_field_zeek_snmp_get_requests_action" add_field => { "[@metadata][snmp_get_requests_action]" => "GetRequest" } } mutate { id => "mutate_merge_zeek_snmp_action_get_requests" - merge => { "[zeek][action]" => "[@metadata][snmp_get_requests_action]" } } + merge => { "[event][action]" => "[@metadata][snmp_get_requests_action]" } } } - if ([zeek_snmp][get_responses]) and ([zeek_snmp][get_responses] != "0") { + if ([zeek][snmp][get_responses]) and ([zeek][snmp][get_responses] != "0") { mutate { id => "mutate_add_field_zeek_snmp_get_responses_action" add_field => { "[@metadata][snmp_get_responses_action]" => "GetResponse" } } mutate { id => "mutate_merge_zeek_snmp_action_get_responses" - merge => { "[zeek][action]" => "[@metadata][snmp_get_responses_action]" } } + merge => { "[event][action]" => "[@metadata][snmp_get_responses_action]" } } } - if ([zeek_snmp][set_requests]) and ([zeek_snmp][set_requests] != "0") { + if ([zeek][snmp][set_requests]) and ([zeek][snmp][set_requests] != "0") { mutate { id => "mutate_add_field_zeek_snmp_set_requests_action" add_field => { "[@metadata][snmp_set_requests_action]" => "SetRequest" } } mutate { id => "mutate_merge_zeek_snmp_action_set_requests" - merge => { "[zeek][action]" => "[@metadata][snmp_set_requests_action]" } } + merge => { "[event][action]" => "[@metadata][snmp_set_requests_action]" } } } } - if ([zeek_ssh]) { + if ([zeek][ssh]) { # ssh action is "Authenticate" or "Connect" based on auth_attempts - if ([zeek_ssh][auth_attempts]) { + if ([zeek][ssh][auth_attempts]) { mutate { id => "mutate_add_field_zeek_ssh_action_authenticate" add_field => { "[@metadata][zeek_ssh_action]" => "Authenticate" } } } else { 
@@ -402,16 +386,16 @@ filter { } if ([@metadata][zeek_ssh_action]) { mutate { id => "mutate_merge_zeek_ssh_action" - merge => { "[zeek][action]" => "[@metadata][zeek_ssh_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_ssh_action]" } } } } - if ([zeek_ssl]) { + if ([zeek][ssl]) { # SSL action will be either "connect", "validate", "resume" - if ([zeek_ssl][resumed] == "T") { + if ([zeek][ssl][resumed] == "T") { mutate { id => "mutate_add_field_zeek_ssl_resume" add_field => { "[@metadata][zeek_ssl_action]" => "Resume" } } - } else if ([zeek_ssl][established] != "T") and ([zeek_ssl][validation_status]) and ([zeek_ssl][validation_status] != "ok") { + } else if ([zeek][ssl][established] != "T") and ([zeek][ssl][validation_status]) and ([zeek][ssl][validation_status] != "ok") { mutate { id => "mutate_add_field_zeek_ssl_validate" add_field => { "[@metadata][zeek_ssl_action]" => "Validate Certificate" } } } else { 
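Review bot: In the smb_cmd ruby block, `actions = Array.new unless (actions = event.get('[event][action]'))` only covers a missing field; if `[event][action]` already holds a scalar string rather than an array, `actions.append` raises and the event is tagged with a Ruby exception, and moving the accumulator from the filter-private `[zeek][action]` to the shared `[event][action]` makes a scalar writer elsewhere in the pipeline more likely. `actions = Array(event.get('[event][action]'))` handles nil, string and array alike; the s7comm ruby block in the preceding hunk has the same pattern. Separately, the `[zeek_smtp][method]` action merge is deleted outright in this otherwise mechanical rename; if that field is never produced by the parser, a sentence in the commit message would keep the deletion from reading as accidental. The enclosing `filter { }` block starts and ends outside the hunk.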
@@ -419,29 +403,29 @@ filter { add_field => { "[@metadata][zeek_ssl_action]" => "Connect" } } } mutate { id => "mutate_merge_zeek_ssl_action" - merge => { "[zeek][action]" => "[@metadata][zeek_ssl_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_ssl_action]" } } } - if ([zeek_stun][method]) { mutate { id => "mutate_merge_normalize_zeek_stun_method" - merge => { "[zeek][action]" => "[zeek_stun][method]" } } } + if ([zeek][stun][method]) { mutate { id => "mutate_merge_normalize_zeek_stun_method" + merge => { "[event][action]" => "[zeek][stun][method]" } } } - if ([zeek_tds][command]) { mutate { id => "mutate_merge_normalize_zeek_tds_command" - merge => { "[zeek][action]" => "[zeek_tds][command]" } } } + if ([zeek][tds][command]) { mutate { id => "mutate_merge_normalize_zeek_tds_command" + merge => { "[event][action]" => "[zeek][tds][command]" } } } - if ([zeek_tds_rpc][procedure_name]) { + if ([zeek][tds_rpc][procedure_name]) { mutate { id => "mutate_add_field_zeek_tds_rpc_procedure_name_tmp" - add_field => { "[@metadata][zeek_tds_rpc_procedure_name_tmp]" => "%{[zeek_tds_rpc][procedure_name]}" } } + add_field => { "[@metadata][zeek_tds_rpc_procedure_name_tmp]" => "%{[zeek][tds_rpc][procedure_name]}" } } # remove everything after the first $ mutate { id => "mutate_gsub_field_zeek_tds_rpc_procedure_name_tmp" gsub => [ "[@metadata][zeek_tds_rpc_procedure_name_tmp]", "\$.*", "" ] } mutate { id => "mutate_merge_normalize_zeek_tds_rpc_procedure_name" - merge => { "[zeek][action]" => "[@metadata][zeek_tds_rpc_procedure_name_tmp]" } } + merge => { "[event][action]" => "[@metadata][zeek_tds_rpc_procedure_name_tmp]" } } } - if ([zeek_tftp][wrq]) { - if ([zeek_tftp][wrq] == "T") { + if ([zeek][tftp][wrq]) { + if ([zeek][tftp][wrq] == "T") { mutate { id => "mutate_add_field_zeek_tftp_wrq" add_field => { "[@metadata][zeek_tftp_action]" => "Write" } } } else { 
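Review bot: The comment `# SSL action will be either "connect", "validate", "resume"` in the `[zeek][ssl]` block does not match the strings the branches actually emit (`Resume`, `Validate Certificate`, `Connect`), so anyone building a dashboard or rule from the comment will search for values that never appear. While the surrounding lines are being rewritten it would be worth updating it to `# SSL action is "Resume", "Validate Certificate" or "Connect"`. The block's final `else` branch continues in the next hunk.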
@@ -449,202 +433,202 @@ filter { add_field => { "[@metadata][zeek_tftp_action]" => "Read" } } } mutate { id => "mutate_merge_zeek_tftp_action" - merge => { "[zeek][action]" => "[@metadata][zeek_tftp_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_tftp_action]" } } } - if ([zeek_tunnel][action]) { mutate { id => "mutate_merge_normalize_zeek_tunnel_action" - merge => { "[zeek][action]" => "[zeek_tunnel][action]" } } } + if ([zeek][tunnel][action]) { mutate { id => "mutate_merge_normalize_zeek_tunnel_action" + merge => { "[event][action]" => "[zeek][tunnel][action]" } } } # Result ############################################################################################################ - # collect all result/status/response/errors under the parent [zeek][result] array + # collect all result/status/response/errors under the parent [event][result] array - if ([zeek_bacnet]) { - if ([zeek_bacnet][result_code]) { + if ([zeek][bacnet]) { + if ([zeek][bacnet][result_code]) { mutate { id => "mutate_merge_normalize_zeek_bacnet_result_code" - merge => { "[zeek][result]" => "[zeek_bacnet][result_code]" } } - } else if ([zeek_bacnet][pdu_service]) { + merge => { "[event][result]" => "[zeek][bacnet][result_code]" } } + } else if ([zeek][bacnet][pdu_service]) { mutate { id => "mutate_add_field_zeek_bacnet_success" add_field => { "[@metadata][zeek_bacnet_result]" => "Success" } } mutate { id => "mutate_merge_field_zeek_bacnet_success" - merge => { "[zeek][result]" => "[@metadata][zeek_bacnet_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_bacnet_result]" } } } } - if ([zeek_cip][cip_status]) { mutate { id => "mutate_merge_normalize_zeek_cip_status_result" - merge => { "[zeek][result]" => "[zeek_cip][cip_status]" } } } + if ([zeek][cip][cip_status]) { mutate { id => "mutate_merge_normalize_zeek_cip_status_result" + merge => { "[event][result]" => "[zeek][cip][cip_status]" } } } - if ([zeek_dhcp]) { + if ([zeek][dhcp]) { # dhcp server_message and 
client_message populate result, as do ACK and NAK message types - if ([zeek_dhcp][server_message]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_server_message" - merge => { "[zeek][result]" => "[zeek_dhcp][server_message]" } } } - if ([zeek_dhcp][client_message]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_client_message" - merge => { "[zeek][result]" => "[zeek_dhcp][client_message]" } } } - if ("ACK" in [zeek_dhcp][msg_types]) { + if ([zeek][dhcp][server_message]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_server_message" + merge => { "[event][result]" => "[zeek][dhcp][server_message]" } } } + if ([zeek][dhcp][client_message]) { mutate { id => "mutate_merge_normalize_zeek_dhcp_client_message" + merge => { "[event][result]" => "[zeek][dhcp][client_message]" } } } + if ("ACK" in [zeek][dhcp][msg_types]) { mutate { id => "mutate_add_field_zeek_dhcp_ack_result" add_field => { "[@metadata][zeek_dhcp_result]" => "Success" } } - } else if ("NAK" in [zeek_dhcp][msg_types]) { + } else if ("NAK" in [zeek][dhcp][msg_types]) { mutate { id => "mutate_add_field_zeek_dhcp_nak_result" add_field => { "[@metadata][zeek_dhcp_result]" => "Failure" } } } if ([@metadata][zeek_dhcp_result]) { mutate { id => "mutate_merge_zeek_dhcp_result" - merge => { "[zeek][result]" => "[@metadata][zeek_dhcp_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_dhcp_result]" } } } } # dnp3: fc_reply and iin_flags - if ([zeek_dnp3][fc_reply]) { mutate { id => "mutate_merge_zeek_dnp3_fc_reply" - merge => { "[zeek][result]" => "[zeek_dnp3][fc_reply]" } } } - if ([zeek_dnp3][iin_flags]) { mutate { id => "mutate_merge_zeek_dnp3_iin_flags" - merge => { "[zeek][result]" => "[zeek_dnp3][iin_flags]" } } } + if ([zeek][dnp3][fc_reply]) { mutate { id => "mutate_merge_zeek_dnp3_fc_reply" + merge => { "[event][result]" => "[zeek][dnp3][fc_reply]" } } } + if ([zeek][dnp3][iin_flags]) { mutate { id => "mutate_merge_zeek_dnp3_iin_flags" + merge => { "[event][result]" => 
"[zeek][dnp3][iin_flags]" } } } # dnp3_control.status_code - if ([zeek_dnp3_control][status_code]) { mutate { id => "mutate_merge_zeek_dnp3_control_status_code" - merge => { "[zeek][result]" => "[zeek_dnp3_control][status_code]" } } } + if ([zeek][dnp3_control][status_code]) { mutate { id => "mutate_merge_zeek_dnp3_control_status_code" + merge => { "[event][result]" => "[zeek][dnp3_control][status_code]" } } } - if ([zeek_dns]) { + if ([zeek][dns]) { # DNS result is populated by rcode_name (with NOERROR being translated to Success), and rejected - if ([zeek_dns][rcode_name]) { - if ([zeek_dns][rcode_name] == 'NOERROR') { + if ([zeek][dns][rcode_name]) { + if ([zeek][dns][rcode_name] == 'NOERROR') { mutate { id => "mutate_add_field_zeek_dns_noerror" add_field => { "[@metadata][zeek_dns_result]" => "Success" } } mutate { id => "mutate_merge_field_zeek_dns_noerror" - merge => { "[zeek][result]" => "[@metadata][zeek_dns_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_dns_result]" } } } else { mutate { id => "mutate_merge_normalize_zeek_dns_rcode_name" - merge => { "[zeek][result]" => "[zeek_dns][rcode_name]" } } + merge => { "[event][result]" => "[zeek][dns][rcode_name]" } } } } - if ([zeek_dns][rejected] == 'T') { + if ([zeek][dns][rejected] == 'T') { mutate { id => "mutate_add_field_zeek_dns_rejected" add_field => { "[@metadata][zeek_dns_rejected_result]" => "Rejected" } } mutate { id => "mutate_merge_field_zeek_dns_rejected" - merge => { "[zeek][result]" => "[@metadata][zeek_dns_rejected_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_dns_rejected_result]" } } } } # TODO: convert zeek_ecat_foe_info.error_code and zeek_ecat_soe_info.error to strings? 
# zeek_ecat_foe_info.error_code and zeek_ecat_soe_info.error - if ([zeek_ecat_foe_info][error_code]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_error_code" - merge => { "[zeek][result]" => "[zeek_ecat_foe_info][error_code]" } } } - if ([zeek_ecat_soe_info][error]) { mutate { id => "mutate_merge_normalize_zeek_ecat_soe_info_error" - merge => { "[zeek][result]" => "[zeek_ecat_soe_info][error]" } } } + if ([zeek][ecat_foe_info][error_code]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_error_code" + merge => { "[event][result]" => "[zeek][ecat_foe_info][error_code]" } } } + if ([zeek][ecat_soe_info][error]) { mutate { id => "mutate_merge_normalize_zeek_ecat_soe_info_error" + merge => { "[event][result]" => "[zeek][ecat_soe_info][error]" } } } # zeek_enip.enip_status - if ([zeek_enip][enip_status]) { mutate { id => "mutate_merge_normalize_zeek_enip_enip_status" - merge => { "[zeek][result]" => "[zeek_enip][enip_status]" } } } + if ([zeek][enip][enip_status]) { mutate { id => "mutate_merge_normalize_zeek_enip_enip_status" + merge => { "[event][result]" => "[zeek][enip][enip_status]" } } } - if ([zeek_ftp][reply_code]) { + if ([zeek][ftp][reply_code]) { # normalized version of reply code (reply_msg is too unpredictable) translate { id => "translate_zeek_ftp_reply_code" - field => "[zeek_ftp][reply_code]" + field => "[zeek][ftp][reply_code]" destination => "[@metadata][zeek_ftp_mapped_result]" dictionary_path => "/etc/ftp_result_codes.yaml" } if ([@metadata][zeek_ftp_mapped_result]) { mutate { id => "mutate_merge_zeek_ftp_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_ftp_mapped_result]" } } - } else if ([zeek_ftp][reply_msg]) { + merge => { "[event][result]" => "[@metadata][zeek_ftp_mapped_result]" } } + } else if ([zeek][ftp][reply_msg]) { mutate { id => "mutate_merge_zeek_ftp_reply_msg_result" - merge => { "[zeek][result]" => "[zeek_ftp][reply_msg]" } } + merge => { "[event][result]" => "[zeek][ftp][reply_msg]" } } } 
else { mutate { id => "mutate_merge_zeek_ftp_reply_code_result" - merge => { "[zeek][result]" => "[zeek_ftp][reply_code]" } } + merge => { "[event][result]" => "[zeek][ftp][reply_code]" } } } } - if ([zeek_http][status_code]) { + if ([zeek][http][status_code]) { # normalized version of http reply code (status_msg is too unpredictable) translate { id => "translate_zeek_http_reply_code" - field => "[zeek_http][status_code]" + field => "[zeek][http][status_code]" destination => "[@metadata][zeek_http_mapped_result]" dictionary_path => "/etc/http_result_codes.yaml" } if ([@metadata][zeek_http_mapped_result]) { mutate { id => "mutate_merge_zeek_http_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_http_mapped_result]" } } - } else if ([zeek_http][status_msg]) { + merge => { "[event][result]" => "[@metadata][zeek_http_mapped_result]" } } + } else if ([zeek][http][status_msg]) { mutate { id => "mutate_merge_zeek_http_status_msg_result" - merge => { "[zeek][result]" => "[zeek_http][status_msg]" } } + merge => { "[event][result]" => "[zeek][http][status_msg]" } } } else { mutate { id => "mutate_merge_zeek_http_status_code_result" - merge => { "[zeek][result]" => "[zeek_http][status_code]" } } + merge => { "[event][result]" => "[zeek][http][status_code]" } } } } - if ([zeek_kerberos]) { + if ([zeek][kerberos]) { # result populated from success and error_msg - if ([zeek_kerberos][success] == 'T') { + if ([zeek][kerberos][success] == 'T') { mutate { id => "mutate_add_field_zeek_zeek_kerberos_success" add_field => { "[@metadata][zeek_kerberos_result]" => "Success" } } - } else if ([zeek_kerberos][error_msg]) { + } else if ([zeek][kerberos][error_msg]) { mutate { id => "mutate_add_field_zeek_zeek_kerberos_error_msg" - add_field => { "[@metadata][zeek_kerberos_result]" => "%{[zeek_kerberos][error_msg]}" } } + add_field => { "[@metadata][zeek_kerberos_result]" => "%{[zeek][kerberos][error_msg]}" } } } else { mutate { id => 
"mutate_add_field_zeek_zeek_kerberos_failure" add_field => { "[@metadata][zeek_kerberos_result]" => "Failure" } } } mutate { id => "mutate_merge_zeek_kerberos_result" - merge => { "[zeek][result]" => "[@metadata][zeek_kerberos_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_kerberos_result]" } } } # (zeek_ldap|zeek_ldap_search).(result_code) - if ([zeek_ldap][result_code]) { mutate { id => "mutate_merge_normalize_zeek_ldap_result_code" - merge => { "[zeek][result]" => "[zeek_ldap][result_code]" } } } - if ([zeek_ldap_search][result_code]) { mutate { id => "mutate_merge_normalize_zeek_ldap_search_result_code" - merge => { "[zeek][result]" => "[zeek_ldap_search][result_code]" } } } + if ([zeek][ldap][result_code]) { mutate { id => "mutate_merge_normalize_zeek_ldap_result_code" + merge => { "[event][result]" => "[zeek][ldap][result_code]" } } } + if ([zeek][ldap_search][result_code]) { mutate { id => "mutate_merge_normalize_zeek_ldap_search_result_code" + merge => { "[event][result]" => "[zeek][ldap_search][result_code]" } } } - if ([zeek_modbus]) { + if ([zeek][modbus]) { # result comes from exception, but if exception is missing and we have a func, then assume success - if ([zeek_modbus][exception]) { + if ([zeek][modbus][exception]) { mutate { id => "mutate_merge_normalize_zeek_modbus_exception" - merge => { "[zeek][result]" => "[zeek_modbus][exception]" } } - } else if ([zeek_modbus][func]) { + merge => { "[event][result]" => "[zeek][modbus][exception]" } } + } else if ([zeek][modbus][func]) { mutate { id => "mutate_add_field_zeek_modbus_success" add_field => { "[@metadata][zeek_modbus_result]" => "Success" } } mutate { id => "mutate_merge_field_zeek_modbus_success" - merge => { "[zeek][result]" => "[@metadata][zeek_modbus_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_modbus_result]" } } } } # result for zeek_mqtt_connect: connect_status.'Connection Accepted' -> 'Success', else connect_status - if 
([zeek_mqtt_connect][connect_status] == 'Connection Accepted') { + if ([zeek][mqtt_connect][connect_status] == 'Connection Accepted') { mutate { id => "mutate_add_field_zeek_mqtt_connect_success" add_field => { "[@metadata][zeek_mqtt_connect_success]" => "Success" } } mutate { id => "mutate_merge_field_zeek_mqtt_connect_success" - merge => { "[zeek][result]" => "[@metadata][zeek_mqtt_connect_success]" } } - } else if ([zeek_mqtt_connect][connect_status]) { + merge => { "[event][result]" => "[@metadata][zeek_mqtt_connect_success]" } } + } else if ([zeek][mqtt_connect][connect_status]) { mutate { id => "mutate_merge_zeek_mqtt_connect_connect_status" - merge => { "[zeek][result]" => "[zeek_mqtt_connect][connect_status]" } } + merge => { "[event][result]" => "[zeek][mqtt_connect][connect_status]" } } } # result for zeek_mqtt_publish: status.'ok' -> 'Success', else status - if ([zeek_mqtt_publish][status] == 'ok') { + if ([zeek][mqtt_publish][status] == 'ok') { mutate { id => "mutate_add_field_zeek_mqtt_publish_success" add_field => { "[@metadata][zeek_mqtt_publish_success]" => "Success" } } mutate { id => "mutate_merge_field_zeek_mqtt_publish_success" - merge => { "[zeek][result]" => "[@metadata][zeek_mqtt_publish_success]" } } - } else if ([zeek_mqtt_publish][status]) { + merge => { "[event][result]" => "[@metadata][zeek_mqtt_publish_success]" } } + } else if ([zeek][mqtt_publish][status]) { mutate { id => "mutate_merge_zeek_mqtt_publish_publish_status" - merge => { "[zeek][result]" => "[zeek_mqtt_publish][status]" } } + merge => { "[event][result]" => "[zeek][mqtt_publish][status]" } } } # zeek_mqtt_subscribe.ack.'T' -> 'Acknowledged' - if ([zeek_mqtt_subscribe][ack] == 'T') { + if ([zeek][mqtt_subscribe][ack] == 'T') { mutate { id => "mutate_add_field_zeek_mqtt_subscribe_ack" add_field => { "[@metadata][zeek_mqtt_subscribe_acknowledged]" => "Acknowledged" } } mutate { id => "mutate_merge_field_zeek_mqtt_subscribe_ack" - merge => { "[zeek][result]" => 
"[@metadata][zeek_mqtt_subscribe_acknowledged]" } } + merge => { "[event][result]" => "[@metadata][zeek_mqtt_subscribe_acknowledged]" } } } - if ([zeek_mysql]) { + if ([zeek][mysql]) { # mysql result comes from success and response - if ([zeek_mysql][success] == "T") { + if ([zeek][mysql][success] == "T") { mutate { id => "mutate_add_field_zeek_mysql_success" add_field => { "[@metadata][zeek_mysql_result]" => "Success" } } - } else if ([zeek_mysql][response] =~ /^Access denied/) { + } else if ([zeek][mysql][response] =~ /^Access denied/) { mutate { id => "mutate_add_field_zeek_mysql_access" add_field => { "[@metadata][zeek_mysql_result]" => "Access denied" } } } else { @@ -652,12 +636,12 @@ filter { add_field => { "[@metadata][zeek_mysql_result]" => "Failure" } } } mutate { id => "mutate_merge_zeek_mysql_result" - merge => { "[zeek][result]" => "[@metadata][zeek_mysql_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_mysql_result]" } } } - if ([zeek_ntlm]) { + if ([zeek][ntlm]) { # ntlm result comes from .success - if ([zeek_ntlm][success] == "T") { + if ([zeek][ntlm][success] == "T") { mutate { id => "mutate_add_field_zeek_ntlm_success" add_field => { "[@metadata][zeek_ntlm_result]" => "Success" } } } else { 
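Review bot: Several comments in this hunk still name the old top-level fields after the rename, e.g. `# TODO: convert zeek_ecat_foe_info.error_code and zeek_ecat_soe_info.error to strings?`, `# zeek_enip.enip_status`, `# (zeek_ldap|zeek_ldap_search).(result_code)`, `# result for zeek_mqtt_connect: ...`, `# result for zeek_mqtt_publish: ...` and `# zeek_mqtt_subscribe.ack.'T' -> 'Acknowledged'`. Since the fields these describe are now `[zeek][ecat_foe_info][error_code]`, `[zeek][enip][enip_status]` and so on, the comments should be updated in the same style, for example `# zeek.enip.enip_status`. The `# zeek_smb_cmd.status (...)` comment in the hunk at old line 665 has the same problem. The enclosing `filter { }` block starts and ends outside the hunk.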
@@ -665,109 +649,109 @@ filter { add_field => { "[@metadata][zeek_ntlm_result]" => "Failure" } } } mutate { id => "mutate_merge_zeek_ntlm_result" - merge => { "[zeek][result]" => "[@metadata][zeek_ntlm_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_ntlm_result]" } } } - if ([zeek_radius][result]) { - if ([zeek_radius][result] =~ /^(?i)succ/) { + if ([zeek][radius][result]) { + if ([zeek][radius][result] =~ /^(?i)succ/) { mutate { id => "mutate_add_field_zeek_radius_success" add_field => { "[@metadata][zeek_radius_result]" => "Success" } } - } else if ([zeek_radius][result] =~ /^(?i)fail/) { + } else if ([zeek][radius][result] =~ /^(?i)fail/) { mutate { id => "mutate_add_field_zeek_radius_failure" add_field => { "[@metadata][zeek_radius_result]" => "Failure" } } } else { mutate { id => "mutate_add_field_zeek_radius_result_fallback" - add_field => { "[@metadata][zeek_radius_result]" => "%{[zeek_radius][result]}" } } + add_field => { "[@metadata][zeek_radius_result]" => "%{[zeek][radius][result]}" } } } mutate { id => "mutate_merge_zeek_radius_result" - merge => { "[zeek][result]" => "[@metadata][zeek_radius_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_radius_result]" } } # if authentication was attempted, also assign an "authenticate" action mutate { id => "mutate_add_field_zeek_radius_auth_action" add_field => { "[@metadata][zeek_radius_auth_action]" => "Authenticate" } } mutate { id => "mutate_merge_zeek_radius_auth_action" - merge => { "[zeek][action]" => "[@metadata][zeek_radius_auth_action]" } } + merge => { "[event][action]" => "[@metadata][zeek_radius_auth_action]" } } } - if ([zeek_rdp][result]) { mutate { id => "mutate_merge_normalize_zeek_rdp_result" - merge => { "[zeek][result]" => "[zeek_rdp][result]" } } } + if ([zeek][rdp][result]) { mutate { id => "mutate_merge_normalize_zeek_rdp_result" + merge => { "[event][result]" => "[zeek][rdp][result]" } } } - if ([zeek_s7comm][parameters][code]) { + if 
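Review bot: The NTLM result derivation labels every record whose `[zeek][ntlm][success]` is not `"T"` as `Failure`, including records where the field is absent; the hunk's trailing `} else {` feeds the `Failure` add_field that sits in the next hunk. If `success` can be missing, as it is optional in Zeek's ntlm.log when no authentication outcome was observed, an incomplete exchange would be reported as a failed logon to anything alerting on `event.result`. Changing the trailing branch to `} else if ([zeek][ntlm][success]) {` leaves the result unset when the outcome is unknown; the MySQL block whose `Failure` fallback opens this hunk has the same unconditional else. The enclosing `filter { }` block begins and ends outside the hunk.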
([zeek][s7comm][parameters][code]) { # reference: https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-s7comm.c translate { id => "translate_zeek_s7comm_parameters_code" - field => "[zeek_s7comm][parameters][code]" + field => "[zeek][s7comm][parameters][code]" destination => "[@metadata][zeek_s7comm_mapped_result]" dictionary_path => "/etc/s7comm_result_codes.yaml" - fallback => "%{[zeek_s7comm][parameters][code]}" + fallback => "%{[zeek][s7comm][parameters][code]}" } if ([@metadata][zeek_s7comm_mapped_result]) { mutate { id => "mutate_merge_zeek_s7comm_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_s7comm_mapped_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_s7comm_mapped_result]" } } } } - if ([zeek_sip][status_code]) { + if ([zeek][sip][status_code]) { # normalized version of sip reply code (status_msg may be unpredictable) translate { id => "translate_zeek_sip_reply_code" - field => "[zeek_sip][status_code]" + field => "[zeek][sip][status_code]" destination => "[@metadata][zeek_sip_mapped_result]" dictionary_path => "/etc/sip_result_codes.yaml" } if ([@metadata][zeek_sip_mapped_result]) { mutate { id => "mutate_merge_zeek_sip_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_sip_mapped_result]" } } - } else if ([zeek_sip][status_msg]) { + merge => { "[event][result]" => "[@metadata][zeek_sip_mapped_result]" } } + } else if ([zeek][sip][status_msg]) { mutate { id => "mutate_merge_zeek_sip_status_msg_result" - merge => { "[zeek][result]" => "[zeek_sip][status_msg]" } } + merge => { "[event][result]" => "[zeek][sip][status_msg]" } } } else { mutate { id => "mutate_merge_zeek_sip_status_code_result" - merge => { "[zeek][result]" => "[zeek_sip][status_code]" } } + merge => { "[event][result]" => "[zeek][sip][status_code]" } } } } - if ([zeek_smb_cmd][status]) { + if ([zeek][smb_cmd][status]) { # zeek_smb_cmd.status (SUCCESS, NO_SUCH_FILE, ACCESS_DENIED, OBJECT_NAME_COLLISION, etc.) 
translate { id => "translate_zeek_smb_cmd_status" - field => "[zeek_smb_cmd][status]" + field => "[zeek][smb_cmd][status]" destination => "[@metadata][zeek_smb_cmd_mapped_result]" dictionary => { "SUCCESS" => "Success" # TODO... normalize other codes? or maybe just case-normalize and remove underscores/dashes? # e.g., "ACCESS_DENIED".split(/[_-]/).collect(&:capitalize).join(' ') } - fallback => "%{[zeek_smb_cmd][status]}" + fallback => "%{[zeek][smb_cmd][status]}" } if ([@metadata][zeek_smb_cmd_mapped_result]) { mutate { id => "mutate_merge_zeek_smb_cmd_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_smb_cmd_mapped_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_smb_cmd_mapped_result]" } } } } - if ([zeek_smtp]) { - if ([zeek_smtp][last_reply_code]) { + if ([zeek][smtp]) { + if ([zeek][smtp][last_reply_code]) { # normalized version of smtp reply code (last_reply may be unpredictable) translate { id => "translate_zeek_smtp_last_reply_code" - field => "[zeek_smtp][last_reply_code]" + field => "[zeek][smtp][last_reply_code]" destination => "[@metadata][zeek_smtp_mapped_result]" dictionary_path => "/etc/smtp_result_codes.yaml" } } if ([@metadata][zeek_smtp_mapped_result]) { mutate { id => "mutate_merge_zeek_smtp_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_smtp_mapped_result]" } } - } else if ([zeek_smtp][last_reply]) { + merge => { "[event][result]" => "[@metadata][zeek_smtp_mapped_result]" } } + } else if ([zeek][smtp][last_reply]) { mutate { id => "mutate_merge_zeek_smtp_last_reply_result" - merge => { "[zeek][result]" => "[zeek_smtp][last_reply]" } } + merge => { "[event][result]" => "[zeek][smtp][last_reply]" } } } } - if ([zeek_socks][server_status]) { + if ([zeek][socks][server_status]) { translate { id => "translate_zeek_socks_server_status" - field => "[zeek_socks][server_status]" + field => "[zeek][socks][server_status]" destination => "[@metadata][zeek_socks_mapped_result]" dictionary => { "succeeded" 
=> "Success" @@ -776,17 +760,17 @@ filter { } if ([@metadata][zeek_socks_mapped_result]) { mutate { id => "mutate_merge_zeek_socks_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_socks_mapped_result]" } } - } else if ([zeek_socks][server_status]) { + merge => { "[event][result]" => "[@metadata][zeek_socks_mapped_result]" } } + } else if ([zeek][socks][server_status]) { mutate { id => "mutate_merge_zeek_socks_server_status_result" - merge => { "[zeek][result]" => "[zeek_socks][server_status]" } } + merge => { "[event][result]" => "[zeek][socks][server_status]" } } } } - if ([zeek_ssh][auth_success]) { + if ([zeek][ssh][auth_success]) { translate { id => "translate_zeek_ssh_auth_success" - field => "[zeek_ssh][auth_success]" + field => "[zeek][ssh][auth_success]" destination => "[@metadata][zeek_ssh_mapped_result]" dictionary => { "T" => "Success" 
@@ -795,130 +779,136 @@ filter { } if ([@metadata][zeek_ssh_mapped_result]) { mutate { id => "mutate_merge_zeek_ssh_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_ssh_mapped_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_ssh_mapped_result]" } } } } - if ([zeek_ssl]) { - if ([zeek_ssl][established] == "T") { + if ([zeek][ssl]) { + if ([zeek][ssl][established] == "T") { mutate { id => "mutate_add_field_zeek_ssl_result_success" add_field => { "[@metadata][zeek_ssl_mapped_success_result]" => "Success" } } - } else if (![zeek_ssl][last_alert]) { + } else if (![zeek][ssl][last_alert]) { mutate { id => "mutate_add_field_zeek_ssl_result_failure" add_field => { "[@metadata][zeek_ssl_mapped_success_result]" => "Failure" } } } if ([@metadata][zeek_ssl_mapped_success_result]) { mutate { id => "mutate_merge_zeek_ssl_mapped_success_result" - merge => { "[zeek][result]" => "[@metadata][zeek_ssl_mapped_success_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_ssl_mapped_success_result]" } } } - if ([zeek_ssl][last_alert]) { + if ([zeek][ssl][last_alert]) { mutate { id => "mutate_merge_field_zeek_ssl_result_last_alert" - merge => { "[zeek][result]" => "[zeek_ssl][last_alert]" } } + merge => { "[event][result]" => "[zeek][ssl][last_alert]" } } } - if ([zeek_ssl][validation_status]) and ([zeek_ssl][validation_status] != 'ok') { + if ([zeek][ssl][validation_status]) and ([zeek][ssl][validation_status] != 'ok') { mutate { id => "mutate_merge_field_zeek_ssl_result_validation_status" - merge => { "[zeek][result]" => "[zeek_ssl][validation_status]" } } + merge => { "[event][result]" => "[zeek][ssl][validation_status]" } } } } - if ([zeek_stun][class]) { - if ([zeek_stun][class] == "RESPONSE_SUCCESS") { + if ([zeek][stun][class]) { + if ([zeek][stun][class] == "RESPONSE_SUCCESS") { mutate { id => "mutate_add_field_zeek_stun_success" add_field => { "[@metadata][zeek_stun_result]" => "Success" } } - } else if ([zeek_stun][class] == 
"RESPONSE_ERROR") { - if ([zeek_stun][attr_type] == "ERROR_CODE") and ([zeek_stun][attr_val]) { + } else if ([zeek][stun][class] == "RESPONSE_ERROR") { + if ([zeek][stun][attr_type] == "ERROR_CODE") and ([zeek][stun][attr_val]) { mutate { id => "mutate_add_field_zeek_stun_error_attr_val" - add_field => { "[@metadata][zeek_stun_result]" => "%{[zeek_stun][attr_val]}" } } + add_field => { "[@metadata][zeek_stun_result]" => "%{[zeek][stun][attr_val]}" } } } else { mutate { id => "mutate_add_field_zeek_stun_error" add_field => { "[@metadata][zeek_stun_result]" => "Error" } } } - } else if ([zeek_stun][class] != "REQUEST") { + } else if ([zeek][stun][class] != "REQUEST") { mutate { id => "mutate_add_field_zeek_stun_result_other" - add_field => { "[@metadata][zeek_stun_result]" => "%{[zeek_stun][class]}" } } + add_field => { "[@metadata][zeek_stun_result]" => "%{[zeek][stun][class]}" } } } if ([@metadata][zeek_stun_result]) { mutate { id => "mutate_merge_zeek_stun_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_stun_result]" } } + merge => { "[event][result]" => "[@metadata][zeek_stun_result]" } } } } - if ([zeek_tftp]) { + if ([zeek][tftp]) { - if (![zeek_tftp][error_code]) and (![zeek_tftp][error_msg]) { + if (![zeek][tftp][error_code]) and (![zeek][tftp][error_msg]) { # no error, set as "success" mutate { id => "mutate_add_field_zeek_tftp_result_success" add_field => { "[@metadata][zeek_tftp_result_success]" => "Success" } } mutate { id => "mutate_merge_zeek_tftp_result_success" - merge => { "[zeek][result]" => "[@metadata][zeek_tftp_result_success]" } } + merge => { "[event][result]" => "[@metadata][zeek_tftp_result_success]" } } } else { # normalized version of reply code translate { id => "translate_zeek_tftp_error_code" - field => "[zeek_tftp][error_code]" + field => "[zeek][tftp][error_code]" destination => "[@metadata][zeek_tftp_mapped_result]" dictionary_path => "/etc/tftp_result_codes.yaml" } if ([@metadata][zeek_tftp_mapped_result]) { mutate 
{ id => "mutate_merge_zeek_tftp_mapped_result" - merge => { "[zeek][result]" => "[@metadata][zeek_tftp_mapped_result]" } } - } else if ([zeek_tftp][error_msg]) { + merge => { "[event][result]" => "[@metadata][zeek_tftp_mapped_result]" } } + } else if ([zeek][tftp][error_msg]) { mutate { id => "mutate_merge_zeek_tftp_error_msg_result" - merge => { "[zeek][result]" => "[zeek_tftp][error_msg]" } } + merge => { "[event][result]" => "[zeek][tftp][error_msg]" } } } else { mutate { id => "mutate_merge_zeek_tftp_error_code_result" - merge => { "[zeek][result]" => "[zeek_tftp][error_code]" } } + merge => { "[event][result]" => "[zeek][tftp][error_code]" } } } } } ##################################################################################################################### # remove any duplicates from action and result - if ([zeek][action]) { - ruby { - id => "ruby_zeek_action_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[zeek][action]" - } - } - } - if ([zeek][result]) { - ruby { - id => "ruby_zeek_result_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[zeek][result]" - } - } + if ([event][result]) { + # ECS - event.result -> event.outcome + # TODO: this gets very granular and varies wildly per protocol, not sure I can translate these 100% from event.action and event.result + # event.type - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html + # event.outcome - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html + # Eeesh, this is a swag... + # if ([event][result]) { + # ruby { + # id => "ruby_ecs_event_outcome_zeek_result" + # code => " + # event.get('[event][result]').each { |zeekResult| + # zeekResult.downcase! 
+ # if zeekResult =~ /(abo?rt|bad|busy|close|conflict|crit|declin|denied|deny|disabl|discon|down|err|exceed|exhaust|expir|fail|forbid|illeg|imposs|inappr|incorr|insuff|interrupt|misdirected|nak|no[ _-]*such|overload|problem|refus|reject|terminat|timeout|violat|wrong|(im|dis|mis|un|un|not)[ _-]*(avail|allow|assign|auth|deciph|process|permit|found|support|exist|enough|implem|known|ok|okay|reach|respond|consist|access|satis|succes|valid|want)|too[ _-]*(large|long|small|short|early|late|many|few))/ + # event.set('[event][outcome]', 'failure') + # break + # elsif zeekResult =~ /(ok|okay|success|ack|complet|correct|good|ready|finish|valid)/ + # event.set('[event][outcome]', 'success') + # break + # end + # } + # " + # } + # } } # FUIDs ############################################################################################################# # collect all other FUIDs under parent [zeek][fuid] array (some were already done at the root level in # the "rename" in 11_zeek_logs.conf) - if ([zeek_files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid" - merge => { "[zeek][fuid]" => "[zeek_files][parent_fuid]" } } } + if ([zeek][files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid" + merge => { "[zeek][fuid]" => "[zeek][files][parent_fuid]" } } } - if ([zeek_http][orig_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_fuids" - merge => { "[zeek][fuid]" => "[zeek_http][orig_fuids]" } } } + if ([zeek][http][orig_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_fuids" + merge => { "[zeek][fuid]" => "[zeek][http][orig_fuids]" } } } - if ([zeek_http][resp_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_fuids" - merge => { "[zeek][fuid]" => "[zeek_http][resp_fuids]" } } } + if ([zeek][http][resp_fuids]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_fuids" + merge => { "[zeek][fuid]" => "[zeek][http][resp_fuids]" } } } - if ([zeek_kerberos][client_cert_fuid]) { mutate 
{ id => "mutate_merge_normalize_zeek_kerberos_client_cert_fuid" - merge => { "[zeek][fuid]" => "[zeek_kerberos][client_cert_fuid]" } } } + if ([zeek][kerberos][client_cert_fuid]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_client_cert_fuid" + merge => { "[zeek][fuid]" => "[zeek][kerberos][client_cert_fuid]" } } } - if ([zeek_kerberos][server_cert_fuid]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_server_cert_fuid" - merge => { "[zeek][fuid]" => "[zeek_kerberos][server_cert_fuid]" } } } + if ([zeek][kerberos][server_cert_fuid]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_server_cert_fuid" + merge => { "[zeek][fuid]" => "[zeek][kerberos][server_cert_fuid]" } } } - if ([zeek_ssl][cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_cert_chain_fuids" - merge => { "[zeek][fuid]" => "[zeek_ssl][cert_chain_fuids]" } } } + if ([zeek][ssl][cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_cert_chain_fuids" + merge => { "[zeek][fuid]" => "[zeek][ssl][cert_chain_fuids]" } } } - if ([zeek_ssl][client_cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_client_cert_chain_fuids" - merge => { "[zeek][fuid]" => "[zeek_ssl][client_cert_chain_fuids]" } } } + if ([zeek][ssl][client_cert_chain_fuids]) { mutate { id => "mutate_merge_normalize_zeek_ssl_client_cert_chain_fuids" + merge => { "[zeek][fuid]" => "[zeek][ssl][client_cert_chain_fuids]" } } } if ([zeek][fuid]) { ruby { 
@@ -928,98 +918,174 @@ filter { "field" => "[zeek][fuid]" } } + # ECS - zeek.fuid -> event.id + mutate { id => "mutate_add_field_ecs_id_fuid" + merge => { "[event][id]" => "[zeek][fuid]" } } } # File/MIME types ################################################################################################### - # collect all file/MIME types under the parent [zeek][filetype] array - - if ([zeek_files][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_files_mime_type" - merge => { "[zeek][filetype]" => "[zeek_files][mime_type]" } } } + # ECS -> various -> file.mime_type + # collect all file/MIME types under the parent [file][mime_type] array - if ([zeek_ftp][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_ftp_mime_type" - merge => { "[zeek][filetype]" => "[zeek_ftp][mime_type]" } } } + if ([zeek][files][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_files_mime_type" + merge => { "[file][mime_type]" => "[zeek][files][mime_type]" } } } - if ([zeek_http][orig_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_mime_types" - merge => { "[zeek][filetype]" => "[zeek_http][orig_mime_types]" } } } + if ([zeek][ftp][mime_type]) { mutate { id => "mutate_merge_normalize_zeek_ftp_mime_type" + merge => { "[file][mime_type]" => "[zeek][ftp][mime_type]" } } } - if ([zeek_http][resp_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_mime_types" - merge => { "[zeek][filetype]" => "[zeek_http][resp_mime_types]" } } } + if ([zeek][http][orig_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_mime_types" + merge => { "[file][mime_type]" => "[zeek][http][orig_mime_types]" } } } - if ([zeek_irc][dcc_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_mime_type" - merge => { "[zeek][filetype]" => "[zeek_irc][dcc_mime_type]" } } } + if ([zeek][http][resp_mime_types]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_mime_types" + merge => { "[file][mime_type]" => 
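Review bot: The `ruby_zeek_result_uniq` and `ruby_zeek_action_uniq` de-duplication passes are removed, but `[event][result]` is still assembled by several independent `merge` calls per protocol in this hunk (ssl merges `Success`/`Failure`, `[zeek][ssl][last_alert]` and `[zeek][ssl][validation_status]`; tftp merges the translated code or the raw `error_msg`/`error_code`), so an event can now carry repeated values that `make_unique_array.rb` used to collapse, unless a later stage de-duplicates. What replaces those passes is `if ([event][result]) { ... }` whose body is entirely commented out, leaving an empty conditional and a large block of dead code in the pipeline. I would either keep the dedup for the new field, `if ([event][result]) { ruby { id => "ruby_event_result_uniq" path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" script_params => { "field" => "[event][result]" } } }`, or drop the empty block and track the event.outcome mapping as a TODO comment only. The enclosing `filter {` block starts before this hunk.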
"[zeek][http][resp_mime_types]" } } } - if ([zeek_intel][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_intel_file_mime_type" - merge => { "[zeek][filetype]" => "[zeek_intel][file_mime_type]" } } } + if ([zeek][irc][dcc_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_mime_type" + merge => { "[file][mime_type]" => "[zeek][irc][dcc_mime_type]" } } } - if ([zeek_notice][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_notice_file_mime_type" - merge => { "[zeek][filetype]" => "[zeek_notice][file_mime_type]" } } } + if ([zeek][intel][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_intel_file_mime_type" + merge => { "[file][mime_type]" => "[zeek][intel][file_mime_type]" } } } - if ([zeek_sip][content_type]) { mutate { id => "mutate_merge_normalize_zeek_sip_content_type" - merge => { "[zeek][filetype]" => "[zeek_sip][content_type]" } } } + if ([zeek][notice][file_mime_type]) { mutate { id => "mutate_merge_normalize_zeek_notice_file_mime_type" + merge => { "[file][mime_type]" => "[zeek][notice][file_mime_type]" } } } - if ([zeek][filetype]) { - ruby { - id => "ruby_zeek_filetype_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[zeek][filetype]" - } - } - } + if ([zeek][sip][content_type]) { mutate { id => "mutate_merge_normalize_zeek_sip_content_type" + merge => { "[file][mime_type]" => "[zeek][sip][content_type]" } } } # Filenames ######################################################################################################### - # collect all filenames under the parent [zeek][filename] array + # collect all filenames under the parent [file][path] array - if ([zeek_ecat_foe_info][filename]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_filename" - merge => { "[zeek][filename]" => "[zeek_ecat_foe_info][filename]" } } } + if ([zeek][ecat_foe_info][filename]) { mutate { id => "mutate_merge_normalize_zeek_ecat_foe_info_filename" + merge 
=> { "[file][path]" => "[zeek][ecat_foe_info][filename]" } } } - if ([zeek_files][filename]) { mutate { id => "mutate_merge_normalize_zeek_files_filename" - merge => { "[zeek][filename]" => "[zeek_files][filename]" } } } + if ([zeek][files][filename]) { mutate { id => "mutate_merge_normalize_zeek_files_filename" + merge => { "[file][path]" => "[zeek][files][filename]" } } } - if ([zeek_files][extracted]) { mutate { id => "mutate_merge_normalize_zeek_files_extracted" - merge => { "[zeek][filename]" => "[zeek_files][extracted]" } } } + if ([zeek][files][extracted]) { mutate { id => "mutate_merge_normalize_zeek_files_extracted" + merge => { "[file][path]" => "[zeek][files][extracted]" } } } - if ([zeek_http][orig_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_filenames" - merge => { "[zeek][filename]" => "[zeek_http][orig_filenames]" } } } + if ([zeek][http][orig_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_orig_filenames" + merge => { "[file][path]" => "[zeek][http][orig_filenames]" } } } - if ([zeek_http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" - merge => { "[zeek][filename]" => "[zeek_http][resp_filenames]" } } } + if ([zeek][http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" + merge => { "[file][path]" => "[zeek][http][resp_filenames]" } } } - if ([zeek_irc][dcc_file_name]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_file_name" - merge => { "[zeek][filename]" => "[zeek_irc][dcc_file_name]" } } } + if ([zeek][irc][dcc_file_name]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_file_name" + merge => { "[file][path]" => "[zeek][irc][dcc_file_name]" } } } - if ([zeek_smb_files][name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_name" - merge => { "[zeek][filename]" => "[zeek_smb_files][name]" } } } + if ([zeek][smb_files][name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_name" + merge => { "[file][path]" => 
"[zeek][smb_files][name]" } } } - if ([zeek_smb_files][prev_name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_prev_name" - merge => { "[zeek][filename]" => "[zeek_smb_files][prev_name]" } } } + if ([zeek][smb_files][prev_name]) { mutate { id => "mutate_merge_normalize_zeek_smb_files_prev_name" + merge => { "[file][path]" => "[zeek][smb_files][prev_name]" } } } - if ([zeek_tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" - merge => { "[zeek][filename]" => "[zeek_tftp][fname]" } } } + if ([zeek][tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" + merge => { "[file][path]" => "[zeek][tftp][fname]" } } } - if ([zeek][filename]) { - ruby { - id => "ruby_zeek_filename_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[zeek][filename]" + # ECS - file.path from file.directory and file.name, if present and not already populated + if ([file][directory]) and (![file][path]) { + if ([file][name]) { + mutate { id => "mutate_add_field_ecs_path_from_dir_and_name" + add_field => { "[file][path]" => "%{[file][directory]}/%{[file][name]}" } } + } else { + mutate { id => "mutate_add_field_ecs_path_from_dir_only" + add_field => { "[file][path]" => "%{[file][directory]}" } } + } + } + if ([file][name]) { + if (![file][type]) { mutate { id => "mutate_add_field_ecs_file_type_name" + add_field => { "[file][type]" => "file" } } } + # file.extension + grok { + id => "grok_zeek_files_fileext_ecs" + match => { "[file][name]" => [ "%{GREEDYDATA}\.%{DATA:[file][extension]}" ] } + } + } + + if ([file][path]) { + if (![file][directory]) and (![file][path]) { + # ECS - file.path -> file.file and file.name, if present and not already populated + grok { + id => "grok_zeek_files_filename_ecs" + match => { "[file][path]" => [ "%{GREEDYDATA:[file][directory]}[\\\/]%{DATA:[file][name]}" ] } } } } - # User agents 
####################################################################################################### - # collect all user agents under the parent [zeek][user_agent] array - if ([zeek_gquic][user_agent]) { mutate { id => "mutate_add_field_metadata_useragent_gquic" - add_field => { "[@metadata][generic_user_agent]" => "%{[zeek_gquic][user_agent]}" } } } - if ([zeek_http][user_agent]) { mutate { id => "mutate_add_field_metadata_useragent_http" - add_field => { "[@metadata][generic_user_agent]" => "%{[zeek_http][user_agent]}" } } } - if ([zeek_sip][user_agent]) { mutate { id => "mutate_add_field_metadata_useragent_sip" - add_field => { "[@metadata][generic_user_agent]" => "%{[zeek_sip][user_agent]}" } } } - if ([zeek_smtp][user_agent]) { mutate { id => "mutate_add_field_metadata_useragent_smtp" - add_field => { "[@metadata][generic_user_agent]" => "%{[zeek_smtp][user_agent]}" } } } - if ([@metadata][generic_user_agent]) { - mutate { id => "mutate_add_field_zeek_user_agent" - add_field => { "[zeek][user_agent]" => "%{[@metadata][generic_user_agent]}" } } + # if we have a network protocol as a "source" field for zeek files.log, also store in protocols + if ([zeek][files][source]) and + (![network][protocol]) and + ([zeek][files][source] !~ /^( "mutate_merge_zeek_files_source_network_protocol" + merge => { "[network][protocol]" => "[zeek][files][source]" } } + mutate { id => "mutate_lowercase_zeek_files_source_network_protocol" + lowercase => [ "[network][protocol]" ] } + mutate { id => "mutate_merge_zeek_files_source_application" + merge => { "[network][application]" => "[network][protocol]" } } + mutate { id => "mutate_merge_zeek_files_source_protocol" + merge => { "[protocol]" => "[network][protocol]" } } } + # User agents ####################################################################################################### + # ECS -> various -> user_agent.original (https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html) + # - TODO: potentially more 
parsing could be done for user agent strings (.name, .device.name, .version) + if ([zeek][gquic][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_gquic" + merge => { "[user_agent][original]" => "[zeek][gquic][user_agent]" } } } + if ([zeek][http][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_http" + merge => { "[user_agent][original]" => "[zeek][http][user_agent]" } } } + if ([zeek][sip][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_sip" + merge => { "[user_agent][original]" => "[zeek][sip][user_agent]" } } } + if ([zeek][smtp][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_smtp" + merge => { "[user_agent][original]" => "[zeek][smtp][user_agent]" } } } + + # Hashes ############################################################################################################ + # ECS - various -> related.hash (accumulate all hash/fingerprint fields into related.hash) + if ([zeek][files][md5]) { mutate { id => "mutate_merge_field_related_hash_files_md5" + merge => { "[related][hash]" => "[zeek][files][md5]" } } } + if ([zeek][files][sha1]) { mutate { id => "mutate_merge_field_related_hash_files_sha1" + merge => { "[related][hash]" => "[zeek][files][sha1]" } } } + if ([zeek][files][sha256]) { mutate { id => "mutate_merge_field_related_hash_files_sha256" + merge => { "[related][hash]" => "[zeek][files][sha256]" } } } + if ([zeek][ssh][hassh]) { mutate { id => "mutate_merge_field_related_hash_ssh_hassh" + merge => { "[related][hash]" => "[zeek][ssh][hassh]" } } } + if ([zeek][ssh][hasshServer]) { mutate { id => "mutate_merge_field_related_hash_ssh_hasshServer" + merge => { "[related][hash]" => "[zeek][ssh][hasshServer]" } } } + if ([zeek][ssl][ja3]) { mutate { id => "mutate_merge_field_related_hash_ssl_ja3" + merge => { "[related][hash]" => "[zeek][ssl][ja3]" } } } + if ([zeek][ssl][ja3s]) { mutate { id => "mutate_merge_field_related_hash_zeek_ssl_ja3s" + merge => { "[related][hash]" => "[zeek][ssl][ja3s]" } } } + if 
([zeek][x509][fingerprint]) { mutate { id => "mutate_merge_field_related_hash_zeek_x509_fingerprint" + merge => { "[related][hash]" => "[zeek][x509][fingerprint]" } } } + + # IP addresses ###################################################################################################### + # ECS - various -> related.ip (all IP-type fields get rolled up into related.ip) + if ([zeek][dhcp][assigned_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_dhcp_assigned_ip" + merge => { "[related][ip]" => "[zeek][dhcp][assigned_ip]" } } } + if ([zeek][dhcp][requested_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_dhcp_requested_ip" + merge => { "[related][ip]" => "[zeek][dhcp][requested_ip]" } } } + if ([zeek][files][rx_hosts]) { mutate { id => "mutate_merge_field_related_ip_zeek_files_rx_hosts" + merge => { "[related][ip]" => "[zeek][files][rx_hosts]" } } } + if ([zeek][files][tx_hosts]) { mutate { id => "mutate_merge_field_related_ip_zeek_files_tx_hosts" + merge => { "[related][ip]" => "[zeek][files][tx_hosts]" } } } + if ([zeek][ftp][data_channel_orig_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_ftp_data_channel_orig_h" + merge => { "[related][ip]" => "[zeek][ftp][data_channel_orig_h]" } } } + if ([zeek][ftp][data_channel_resp_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_ftp_data_channel_resp_h" + merge => { "[related][ip]" => "[zeek][ftp][data_channel_resp_h]" } } } + if ([zeek][notice][dst]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_dst" + merge => { "[related][ip]" => "[zeek][notice][dst]" } } } + if ([zeek][notice][src]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_src" + merge => { "[related][ip]" => "[zeek][notice][src]" } } } + if ([zeek][radius][framed_addr]) { mutate { id => "mutate_merge_field_related_ip_zeek_radius_framed_addr" + merge => { "[related][ip]" => "[zeek][radius][framed_addr]" } } } + if ([zeek][smtp][path]) { mutate { id => "mutate_merge_field_related_ip_zeek_smtp_path" + 
merge => { "[related][ip]" => "[zeek][smtp][path]" } } } + if ([zeek][smtp][x_originating_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_smtp_x_originating_ip" + merge => { "[related][ip]" => "[zeek][smtp][x_originating_ip]" } } } + if ([zeek][socks][bound_host]) { mutate { id => "mutate_merge_field_related_ip_zeek_socks_bound_host" + merge => { "[related][ip]" => "[zeek][socks][bound_host]" } } } + if ([zeek][socks][request_host]) { mutate { id => "mutate_merge_field_related_ip_zeek_socks_request_host" + merge => { "[related][ip]" => "[zeek][socks][request_host]" } } } + if ([zeek][stun_nat][wan_addr]) { mutate { id => "mutate_merge_field_related_ip_zeek_stun_nat_wan_addr" + merge => { "[related][ip]" => "[zeek][stun_nat][wan_addr]" } } } + if ([zeek][stun_nat][lan_addr]) { mutate { id => "mutate_merge_field_related_ip_zeek_stun_nat_lan_addr" + merge => { "[related][ip]" => "[zeek][stun_nat][lan_addr]" } } } } \ No newline at end of file diff --git a/logstash/pipelines/zeek/13_zeek_convert.conf b/logstash/pipelines/zeek/13_zeek_convert.conf index d8f20f29f..d2386ce23 100644 --- a/logstash/pipelines/zeek/13_zeek_convert.conf +++ b/logstash/pipelines/zeek/13_zeek_convert.conf 
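Review bot: The `grok_zeek_files_filename_ecs` filter is unreachable: it sits inside `if ([file][path])` but is guarded by `if (![file][directory]) and (![file][path])`, which can never be true there, so `[file][directory]` and `[file][name]` are never derived from `[file][path]`; the guard presumably meant `if (![file][directory]) and (![file][name]) {`, and the comment above it should read `# ECS - file.path -> file.directory and file.name, if present and not already populated`. The `grok_zeek_files_fileext_ecs` filter has no `tag_on_failure => []`, so every `[file][name]` without a dot will tag the event `_grokparsefailure` unless that tag is stripped elsewhere. Dropping the `make_unique_array.rb` passes for the former `[zeek][filetype]` and `[zeek][filename]` arrays means `[file][mime_type]` and `[file][path]` can now hold duplicates when several protocol fields carry the same value (for example `[zeek][http][orig_mime_types]` and `[zeek][http][resp_mime_types]`). ECS defines `event.id` as a single keyword, so `mutate_add_field_ecs_id_fuid` merging the `[zeek][fuid]` array yields a multi-valued `event.id` on events with more than one fuid; a comment stating that this is intentional, or a switch to a single representative value, would help the next maintainer.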
@@ -3,335 +3,331 @@ filter { # set data types for fields that belong to various zeek logs # todo - # "[zeek_ecat_dev_info][fmmucnt]" => "integer" - # "[zeek_ecat_dev_info][smcount]" => "integer" + # "[zeek][ecat_dev_info][fmmucnt]" => "integer" + # "[zeek][ecat_dev_info][smcount]" => "integer" mutate { id => "mutate_convert_zeek_bulk" convert => { - "[zeek_bacnet][invoke_id]" => "integer" - "[zeek_bacnet_discovery][instance_number]" => "integer" - "[zeek_bacnet_discovery][range_low]" => "integer" - "[zeek_bacnet_discovery][range_high]" => "integer" - "[zeek_bacnet_property][instance_number]" => "integer" - "[zeek_bacnet_property][array_index]" => "integer" - "[zeek_bsap_ip_header][type_name]" => "integer" - "[zeek_bsap_ip_rdb][data_len]" => "integer" - "[zeek_bsap_ip_rdb][header_size]" => "integer" - "[zeek_bsap_ip_rdb][mes_seq]" => "integer" - "[zeek_bsap_ip_rdb][node_status]" => "integer" - "[zeek_bsap_ip_rdb][res_seq]" => "integer" - "[zeek_bsap_ip_rdb][sequence]" => "integer" - "[zeek_bsap_serial_header][ctl]" => "integer" - "[zeek_bsap_serial_header][dadd]" => "integer" - "[zeek_bsap_serial_header][nsb]" => "integer" - "[zeek_bsap_serial_header][sadd]" => "integer" - "[zeek_bsap_serial_header][seq]" => "integer" - "[zeek_bsap_serial_rdb_ext][nsb]" => "integer" - "[zeek_bsap_serial_rdb_ext][seq]" => "integer" - "[zeek_cip][cip_sequence_count]" => "integer" - "[zeek_cip_identity][device_type_id]" => "integer" - "[zeek_cip_identity][encapsulation_version]" => "integer" - "[zeek_cip_identity][product_code]" => "integer" - "[zeek_cip_identity][socket_port]" => "integer" - "[zeek_cip_identity][vendor_id]" => "integer" - "[zeek_cip_io][data_length]" => "integer" - "[zeek_cip_io][sequence_number]" => "integer" - "[zeek_conn][duration]" => "float" - "[zeek_dce_rpc][rtt]" => "float" - "[zeek_dhcp][duration]" => "float" - "[zeek_dnp3_control][index_number]" => "integer" - "[zeek_dnp3_control][execute_count]" => "integer" - "[zeek_dnp3_control][on_time]" => "integer" - 
"[zeek_dnp3_control][off_time]" => "integer" - "[zeek_dnp3_objects][object_count]" => "integer" - "[zeek_dnp3_objects][range_high]" => "integer" - "[zeek_dnp3_objects][range_low]" => "integer" - "[zeek_dns][rtt]" => "float" - "[zeek_ecat_log_address][length]" => "integer" - "[zeek_enip][length]" => "integer" - "[zeek_ipsec][maj_ver]" => "integer" - "[zeek_ipsec][min_ver]" => "integer" - "[zeek_ipsec][exchange_type]" => "integer" - "[zeek_ipsec][ke_dh_groups]" => "integer" - "[zeek_ipsec][proposals]" => "integer" - "[zeek_ipsec][length]" => "integer" - "[zeek_ldap][version]" => "integer" - "[zeek_ldap_search][result_count]" => "integer" - "[zeek_modbus_detailed][unit_id]" => "integer" - "[zeek_modbus_detailed][address]" => "integer" - "[zeek_modbus_detailed][quantity]" => "integer" - "[zeek_modbus_mask_write_register][unit_id]" => "integer" - "[zeek_modbus_mask_write_register][address]" => "integer" - "[zeek_modbus_mask_write_register][and_mask]" => "integer" - "[zeek_modbus_mask_write_register][or_mask]" => "integer" - "[zeek_modbus_read_write_multiple_registers][unit_id]" => "integer" - "[zeek_modbus_read_write_multiple_registers][write_start_address]" => "integer" - "[zeek_modbus_read_write_multiple_registers][read_start_address]" => "integer" - "[zeek_modbus_read_write_multiple_registers][read_quantity]" => "integer" - "[zeek_modbus_register][delta]" => "float" - "[zeek_modbus_register][new_val]" => "integer" - "[zeek_modbus_register][old_val]" => "integer" - "[zeek_modbus_register][register]" => "integer" - "[zeek_mqtt_publish][payload_len]" => "integer" - "[zeek_mqtt_subscribe][granted_qos_level]" => "integer" - "[zeek_mqtt_subscribe][qos_levels]" => "integer" - "[zeek_ntp][num_exts]" => "integer" - "[zeek_ntp][poll]" => "float" - "[zeek_ntp][precision]" => "float" - "[zeek_ntp][root_delay]" => "float" - "[zeek_ntp][root_disp]" => "float" - "[zeek_ntp][version]" => "integer" - "[zeek_s7comm][item_count]" => "integer" - "[zeek_signatures][host_count]" => 
"integer" - "[zeek_signatures][signature_count]" => "integer" - "[zeek_smb_cmd][rtt]" => "float" - "[zeek_smb_files][data_len_req]" => "integer" - "[zeek_smb_files][data_len_rsp]" => "integer" - "[zeek_smb_files][data_offset_req]" => "integer" - "[zeek_stun_nat][wan_port]" => "integer" - "[zeek_tftp][size]" => "integer" - "[zeek_tftp][block_sent]" => "integer" - "[zeek_tftp][block_acked]" => "integer" - "[zeek_tftp][error_code]" => "integer" - "[zeek_wireguard][sender_index]" => "integer" - "[zeek_wireguard][receiver_index]" => "integer" + "[zeek][bacnet][invoke_id]" => "integer" + "[zeek][bacnet_discovery][instance_number]" => "integer" + "[zeek][bacnet_discovery][range_low]" => "integer" + "[zeek][bacnet_discovery][range_high]" => "integer" + "[zeek][bacnet_property][instance_number]" => "integer" + "[zeek][bacnet_property][array_index]" => "integer" + "[zeek][bsap_ip_header][type_name]" => "integer" + "[zeek][bsap_ip_rdb][data_len]" => "integer" + "[zeek][bsap_ip_rdb][header_size]" => "integer" + "[zeek][bsap_ip_rdb][mes_seq]" => "integer" + "[zeek][bsap_ip_rdb][node_status]" => "integer" + "[zeek][bsap_ip_rdb][res_seq]" => "integer" + "[zeek][bsap_ip_rdb][sequence]" => "integer" + "[zeek][bsap_serial_header][ctl]" => "integer" + "[zeek][bsap_serial_header][dadd]" => "integer" + "[zeek][bsap_serial_header][nsb]" => "integer" + "[zeek][bsap_serial_header][sadd]" => "integer" + "[zeek][bsap_serial_header][seq]" => "integer" + "[zeek][bsap_serial_rdb_ext][nsb]" => "integer" + "[zeek][bsap_serial_rdb_ext][seq]" => "integer" + "[zeek][cip][cip_sequence_count]" => "integer" + "[zeek][cip_identity][device_type_id]" => "integer" + "[zeek][cip_identity][encapsulation_version]" => "integer" + "[zeek][cip_identity][product_code]" => "integer" + "[zeek][cip_identity][socket_port]" => "integer" + "[zeek][cip_identity][vendor_id]" => "integer" + "[zeek][cip_io][data_length]" => "integer" + "[zeek][cip_io][sequence_number]" => "integer" + "[zeek][conn][duration]" => "float" + 
"[zeek][dce_rpc][rtt]" => "float" + "[zeek][dhcp][duration]" => "float" + "[zeek][dnp3_control][index_number]" => "integer" + "[zeek][dnp3_control][execute_count]" => "integer" + "[zeek][dnp3_control][on_time]" => "integer" + "[zeek][dnp3_control][off_time]" => "integer" + "[zeek][dnp3_objects][object_count]" => "integer" + "[zeek][dnp3_objects][range_high]" => "integer" + "[zeek][dnp3_objects][range_low]" => "integer" + "[zeek][dns][rtt]" => "float" + "[zeek][ecat_log_address][length]" => "integer" + "[zeek][enip][length]" => "integer" + "[zeek][ipsec][maj_ver]" => "integer" + "[zeek][ipsec][min_ver]" => "integer" + "[zeek][ipsec][exchange_type]" => "integer" + "[zeek][ipsec][ke_dh_groups]" => "integer" + "[zeek][ipsec][proposals]" => "integer" + "[zeek][ipsec][length]" => "integer" + "[zeek][ldap][version]" => "integer" + "[zeek][ldap_search][result_count]" => "integer" + "[zeek][modbus_detailed][unit_id]" => "integer" + "[zeek][modbus_detailed][address]" => "integer" + "[zeek][modbus_detailed][quantity]" => "integer" + "[zeek][modbus_mask_write_register][unit_id]" => "integer" + "[zeek][modbus_mask_write_register][address]" => "integer" + "[zeek][modbus_mask_write_register][and_mask]" => "integer" + "[zeek][modbus_mask_write_register][or_mask]" => "integer" + "[zeek][modbus_read_write_multiple_registers][unit_id]" => "integer" + "[zeek][modbus_read_write_multiple_registers][write_start_address]" => "integer" + "[zeek][modbus_read_write_multiple_registers][read_start_address]" => "integer" + "[zeek][modbus_read_write_multiple_registers][read_quantity]" => "integer" + "[zeek][mqtt_publish][payload_len]" => "integer" + "[zeek][mqtt_subscribe][granted_qos_level]" => "integer" + "[zeek][mqtt_subscribe][qos_levels]" => "integer" + "[zeek][ntp][num_exts]" => "integer" + "[zeek][ntp][poll]" => "float" + "[zeek][ntp][precision]" => "float" + "[zeek][ntp][root_delay]" => "float" + "[zeek][ntp][root_disp]" => "float" + "[zeek][ntp][version]" => "integer" + 
"[zeek][s7comm][item_count]" => "integer" + "[zeek][signatures][host_count]" => "integer" + "[zeek][signatures][signature_count]" => "integer" + "[zeek][smb_cmd][rtt]" => "float" + "[zeek][smb_files][data_len_req]" => "integer" + "[zeek][smb_files][data_len_rsp]" => "integer" + "[zeek][smb_files][data_offset_req]" => "integer" + "[zeek][stun_nat][wan_port]" => "integer" + "[zeek][tftp][size]" => "integer" + "[zeek][tftp][block_sent]" => "integer" + "[zeek][tftp][block_acked]" => "integer" + "[zeek][tftp][error_code]" => "integer" + "[zeek][wireguard][sender_index]" => "integer" + "[zeek][wireguard][receiver_index]" => "integer" } } # convert all zeek "time" types (minus zeek.ts, which was done earlier) # https://docs.zeek.org/en/current/script-reference/types.html#type-time - if ([zeek_kerberos][from]) { - if ([zeek_kerberos][from] == "0.000000") { + if ([zeek][kerberos][from]) { + if ([zeek][kerberos][from] == "0.000000") { mutate { id => "mutate_remove_field_zeek_kerberos_from_zero" - remove_field => [ "[zeek_kerberos][from]" ] } + remove_field => [ "[zeek][kerberos][from]" ] } } else { date { id => "date_zeek_kerberos_from" - match => [ "[zeek_kerberos][from]", "UNIX" ] - target => "[zeek_kerberos][from]" + match => [ "[zeek][kerberos][from]", "UNIX" ] + target => "[zeek][kerberos][from]" } } } - if ([zeek_kerberos][till]) { - if ([zeek_kerberos][till] == "0.000000") { + if ([zeek][kerberos][till]) { + if ([zeek][kerberos][till] == "0.000000") { mutate { id => "mutate_remove_field_zeek_kerberos_till_zero" - remove_field => [ "[zeek_kerberos][till]" ] } + remove_field => [ "[zeek][kerberos][till]" ] } } else { date { id => "date_zeek_kerberos_till" - match => [ "[zeek_kerberos][till]", "UNIX" ] - target => "[zeek_kerberos][till]" + match => [ "[zeek][kerberos][till]", "UNIX" ] + target => "[zeek][kerberos][till]" } } } - if ([zeek_ntp][org_time]) { - if ([zeek_ntp][org_time] == "0.000000") { + if ([zeek][ntp][org_time]) { + if ([zeek][ntp][org_time] == 
"0.000000") { mutate { id => "mutate_remove_field_zeek_ntp_org_time_zero" - remove_field => [ "[zeek_ntp][org_time]" ] } + remove_field => [ "[zeek][ntp][org_time]" ] } } else { date { id => "date_zeek_ntp_org_time" - match => [ "[zeek_ntp][org_time]", "UNIX" ] - target => "[zeek_ntp][org_time]" + match => [ "[zeek][ntp][org_time]", "UNIX" ] + target => "[zeek][ntp][org_time]" } } } - if ([zeek_ntp][rec_time]) { - if ([zeek_ntp][rec_time] == "0.000000") { + if ([zeek][ntp][rec_time]) { + if ([zeek][ntp][rec_time] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ntp_rec_time_zero" - remove_field => [ "[zeek_ntp][rec_time]" ] } + remove_field => [ "[zeek][ntp][rec_time]" ] } } else { date { id => "date_zeek_ntp_rec_time" - match => [ "[zeek_ntp][rec_time]", "UNIX" ] - target => "[zeek_ntp][rec_time]" + match => [ "[zeek][ntp][rec_time]", "UNIX" ] + target => "[zeek][ntp][rec_time]" } } } - if ([zeek_ntp][ref_time]) { - if ([zeek_ntp][ref_time] == "0.000000") { + if ([zeek][ntp][ref_time]) { + if ([zeek][ntp][ref_time] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ntp_ref_time_zero" - remove_field => [ "[zeek_ntp][ref_time]" ] } + remove_field => [ "[zeek][ntp][ref_time]" ] } } else { date { id => "date_zeek_ntp_ref_time" - match => [ "[zeek_ntp][ref_time]", "UNIX" ] - target => "[zeek_ntp][ref_time]" + match => [ "[zeek][ntp][ref_time]", "UNIX" ] + target => "[zeek][ntp][ref_time]" } } } - if ([zeek_ntp][xmt_time]) { - if ([zeek_ntp][xmt_time] == "0.000000") { + if ([zeek][ntp][xmt_time]) { + if ([zeek][ntp][xmt_time] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ntp_xmt_time_zero" - remove_field => [ "[zeek_ntp][xmt_time]" ] } + remove_field => [ "[zeek][ntp][xmt_time]" ] } } else { date { id => "date_zeek_ntp_xmt_time" - match => [ "[zeek_ntp][xmt_time]", "UNIX" ] - target => "[zeek_ntp][xmt_time]" + match => [ "[zeek][ntp][xmt_time]", "UNIX" ] + target => "[zeek][ntp][xmt_time]" } } } - if ([zeek_ocsp][revoketime]) { - if 
([zeek_ocsp][revoketime] == "0.000000") { + if ([zeek][ocsp][revoketime]) { + if ([zeek][ocsp][revoketime] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ocsp_revoketime_zero" - remove_field => [ "[zeek_ocsp][revoketime]" ] } + remove_field => [ "[zeek][ocsp][revoketime]" ] } } else { date { id => "date_zeek_ocsp_revoketime" - match => [ "[zeek_ocsp][revoketime]", "UNIX" ] - target => "[zeek_ocsp][revoketime]" + match => [ "[zeek][ocsp][revoketime]", "UNIX" ] + target => "[zeek][ocsp][revoketime]" } } } - if ([zeek_ocsp][thisUpdate]) { - if ([zeek_ocsp][thisUpdate] == "0.000000") { + if ([zeek][ocsp][thisUpdate]) { + if ([zeek][ocsp][thisUpdate] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ocsp_thisUpdate_zero" - remove_field => [ "[zeek_ocsp][thisUpdate]" ] } + remove_field => [ "[zeek][ocsp][thisUpdate]" ] } } else { date { id => "date_zeek_ocsp_thisUpdate" - match => [ "[zeek_ocsp][thisUpdate]", "UNIX" ] - target => "[zeek_ocsp][thisUpdate]" + match => [ "[zeek][ocsp][thisUpdate]", "UNIX" ] + target => "[zeek][ocsp][thisUpdate]" } } } - if ([zeek_ocsp][nextUpdate]) { - if ([zeek_ocsp][nextUpdate] == "0.000000") { + if ([zeek][ocsp][nextUpdate]) { + if ([zeek][ocsp][nextUpdate] == "0.000000") { mutate { id => "mutate_remove_field_zeek_ocsp_nextUpdate_zero" - remove_field => [ "[zeek_ocsp][nextUpdate]" ] } + remove_field => [ "[zeek][ocsp][nextUpdate]" ] } } else { date { id => "date_zeek_ocsp_nextUpdate" - match => [ "[zeek_ocsp][nextUpdate]", "UNIX" ] - target => "[zeek_ocsp][nextUpdate]" + match => [ "[zeek][ocsp][nextUpdate]", "UNIX" ] + target => "[zeek][ocsp][nextUpdate]" } } } - if ([zeek_pe][compile_ts]) { - if ([zeek_pe][compile_ts] == "0.000000") { + if ([zeek][pe][compile_ts]) { + if ([zeek][pe][compile_ts] == "0.000000") { mutate { id => "mutate_remove_field_zeek_pe_compile_ts_zero" - remove_field => [ "[zeek_pe][compile_ts]" ] } + remove_field => [ "[zeek][pe][compile_ts]" ] } } else { date { id => "date_zeek_pe_compile_ts" - 
match => [ "[zeek_pe][compile_ts]", "UNIX" ] - target => "[zeek_pe][compile_ts]" + match => [ "[zeek][pe][compile_ts]", "UNIX" ] + target => "[zeek][pe][compile_ts]" } } } - if ([zeek_smb_files][times_accessed]) { - if ([zeek_smb_files][times_accessed] == "0.000000") { + if ([zeek][smb_files][times_accessed]) { + if ([zeek][smb_files][times_accessed] == "0.000000") { mutate { id => "mutate_remove_field_zeek_smb_files_times_accessed_zero" - remove_field => [ "[zeek_smb_files][times_accessed]" ] } + remove_field => [ "[zeek][smb_files][times_accessed]" ] } } else { date { id => "date_zeek_smb_files_times_accessed" - match => [ "[zeek_smb_files][times_accessed]", "UNIX" ] - target => "[zeek_smb_files][times_accessed]" + match => [ "[zeek][smb_files][times_accessed]", "UNIX" ] + target => "[zeek][smb_files][times_accessed]" } } } - if ([zeek_smb_files][times_changed]) { - if ([zeek_smb_files][times_changed] == "0.000000") { + if ([zeek][smb_files][times_changed]) { + if ([zeek][smb_files][times_changed] == "0.000000") { mutate { id => "mutate_remove_field_zeek_smb_files_times_changed_zero" - remove_field => [ "[zeek_smb_files][times_changed]" ] } + remove_field => [ "[zeek][smb_files][times_changed]" ] } } else { date { id => "date_zeek_smb_files_times_changed" - match => [ "[zeek_smb_files][times_changed]", "UNIX" ] - target => "[zeek_smb_files][times_changed]" + match => [ "[zeek][smb_files][times_changed]", "UNIX" ] + target => "[zeek][smb_files][times_changed]" } } } - if ([zeek_smb_files][times_created]) { - if ([zeek_smb_files][times_created] == "0.000000") { + if ([zeek][smb_files][times_created]) { + if ([zeek][smb_files][times_created] == "0.000000") { mutate { id => "mutate_remove_field_zeek_smb_files_times_created_zero" - remove_field => [ "[zeek_smb_files][times_created]" ] } + remove_field => [ "[zeek][smb_files][times_created]" ] } } else { date { id => "date_zeek_smb_files_times_created" - match => [ "[zeek_smb_files][times_created]", "UNIX" ] - target 
=> "[zeek_smb_files][times_created]" + match => [ "[zeek][smb_files][times_created]", "UNIX" ] + target => "[zeek][smb_files][times_created]" } } } - if ([zeek_smb_files][times_modified]) { - if ([zeek_smb_files][times_modified] == "0.000000") { + if ([zeek][smb_files][times_modified]) { + if ([zeek][smb_files][times_modified] == "0.000000") { mutate { id => "mutate_remove_field_zeek_smb_files_times_modified_zero" - remove_field => [ "[zeek_smb_files][times_modified]" ] } + remove_field => [ "[zeek][smb_files][times_modified]" ] } } else { date { id => "date_zeek_smb_files_times_modified" - match => [ "[zeek_smb_files][times_modified]", "UNIX" ] - target => "[zeek_smb_files][times_modified]" + match => [ "[zeek][smb_files][times_modified]", "UNIX" ] + target => "[zeek][smb_files][times_modified]" } } } - if ([zeek_smb_files][ts]) { - if ([zeek_smb_files][ts] == "0.000000") { + if ([zeek][smb_files][ts]) { + if ([zeek][smb_files][ts] == "0.000000") { mutate { id => "mutate_remove_field_zeek_smb_files_ts_zero" - remove_field => [ "[zeek_smb_files][ts]" ] } + remove_field => [ "[zeek][smb_files][ts]" ] } } else { date { id => "date_zeek_smb_files_ts" - match => [ "[zeek_smb_files][ts]", "UNIX" ] - target => "[zeek_smb_files][ts]" + match => [ "[zeek][smb_files][ts]", "UNIX" ] + target => "[zeek][smb_files][ts]" } } } - if ([zeek_snmp][up_since]) { - if ([zeek_snmp][up_since] == "0.000000") { + if ([zeek][snmp][up_since]) { + if ([zeek][snmp][up_since] == "0.000000") { mutate { id => "mutate_remove_field_zeek_snmp_up_since_zero" - remove_field => [ "[zeek_snmp][up_since]" ] } + remove_field => [ "[zeek][snmp][up_since]" ] } } else { date { id => "date_zeek_snmp_up_since" - match => [ "[zeek_snmp][up_since]", "UNIX" ] - target => "[zeek_snmp][up_since]" + match => [ "[zeek][snmp][up_since]", "UNIX" ] + target => "[zeek][snmp][up_since]" } } } - if ([zeek_x509][certificate_not_valid_after]) { - if ([zeek_x509][certificate_not_valid_after] == "0.000000") { + if 
([zeek][x509][certificate_not_valid_after]) { + if ([zeek][x509][certificate_not_valid_after] == "0.000000") { mutate { id => "mutate_remove_field_zeek_x509_certificate_not_valid_after_zero" - remove_field => [ "[zeek_x509][certificate_not_valid_after]" ] } + remove_field => [ "[zeek][x509][certificate_not_valid_after]" ] } } else { date { id => "date_zeek_x509_certificate_not_valid_after" - match => [ "[zeek_x509][certificate_not_valid_after]", "UNIX" ] - target => "[zeek_x509][certificate_not_valid_after]" + match => [ "[zeek][x509][certificate_not_valid_after]", "UNIX" ] + target => "[zeek][x509][certificate_not_valid_after]" } } } - if ([zeek_x509][certificate_not_valid_before]) { - if ([zeek_x509][certificate_not_valid_before] == "0.000000") { + if ([zeek][x509][certificate_not_valid_before]) { + if ([zeek][x509][certificate_not_valid_before] == "0.000000") { mutate { id => "mutate_remove_field_zeek_x509_certificate_not_valid_before_zero" - remove_field => [ "[zeek_x509][certificate_not_valid_before]" ] } + remove_field => [ "[zeek][x509][certificate_not_valid_before]" ] } } else { date { id => "date_zeek_x509_certificate_not_valid_before" - match => [ "[zeek_x509][certificate_not_valid_before]", "UNIX" ] - target => "[zeek_x509][certificate_not_valid_before]" + match => [ "[zeek][x509][certificate_not_valid_before]", "UNIX" ] + target => "[zeek][x509][certificate_not_valid_before]" } } } diff --git a/logstash/pipelines/zeek/19_severity.conf b/logstash/pipelines/zeek/19_severity.conf new file mode 100644 index 000000000..4ba822848 --- /dev/null +++ b/logstash/pipelines/zeek/19_severity.conf 
@@ -0,0 +1,91 @@
+# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
+
+filter {
+
+ # see malcolm_severity.yaml for mappings to severity scores
+
+ mutate {
+ id => "mutate_add_field_env_logstash_severity_scoring_zeek"
+ add_field => { "[@metadata][ENV_LOGSTASH_SEVERITY_SCORING_ZEEK]" => "${LOGSTASH_SEVERITY_SCORING:false}" }
+ }
+ if ([@metadata][ENV_LOGSTASH_SEVERITY_SCORING_ZEEK] == "true") {
+
+ # connection states of interest (see conn_states.yaml)
+ # https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
+ # https://docs.zeek.org/en/master/logs/conn.html
+ if ([zeek][conn][conn_state]) {
+ if ([zeek][conn][conn_state] == "S0") {
+ mutate { id => "mutate_add_field_severity_item_conn_s0"
+ add_field => { "[event][severity_tags]" => "Connection attempt, no reply" } }
+ } else if ([zeek][conn][conn_state] == "REJ") {
+ mutate { id => "mutate_add_field_severity_item_conn_rej"
+ add_field => { "[event][severity_tags]" => "Connection attempt rejected" } }
+ } else if ([zeek][conn][conn_state] == "RSTO") {
+ mutate { id => "mutate_add_field_severity_item_conn_rsto"
+ add_field => { "[event][severity_tags]" => "Connection aborted (originator)" } }
+ } else if ([zeek][conn][conn_state] == "RSTR") {
+ mutate { id => "mutate_add_field_severity_item_conn_rstr"
+ add_field => { "[event][severity_tags]" => "Connection aborted (responder)" } }
+ }
+ }
+
+ # tunneled/VPN traffic
+ if ([event][dataset] == "tunnel") {
+ mutate { id => "mutate_add_field_severity_item_tunnel"
+ add_field => { "[event][severity_tags]" => "Tunneled traffic" } }
+ }
+
+ # assign severity to notice based on category
+ if ([zeek][notice]) {
+ if ([zeek][notice][category] == "ATTACK") {
+ mutate { id => "mutate_add_field_severity_notice_mitre_attack"
+ add_field => { "[event][severity_tags]" => "MITRE ATT&CK framework technique" } }
+ } else if ([zeek][notice][category] == "Scan") {
+ mutate { id => "mutate_add_field_severity_notice_scan"
+ add_field => { "[event][severity_tags]" => "Notice (scan)" } }
+ } else if (([zeek][notice][category] == "FTP") or
+ ([zeek][notice][category] == "HTTP") or
+ ([zeek][notice][category] == "HTTPATTACKS") or
+ ([zeek][notice][category] == "SSL")) {
+ mutate { id => "mutate_add_field_severity_notice_protocol"
+ add_field => { "[event][severity_tags]" => "Notice (protocol)" } }
+ } else if (([zeek][notice][category] =~ /^CVE/) or
+ ([zeek][notice][category] == "EternalSafety") or
+ ([zeek][notice][category] == "Ripple20") or
+ ([zeek][notice][category] == "Zerologon")) {
+ mutate { id => "mutate_add_field_severity_notice_vuln"
+ add_field => { "[event][severity_tags]" => "Notice (vulnerability)" } }
+ } else {
+ mutate { id => "mutate_add_field_severity_notice_other"
+ add_field => { "[event][severity_tags]" => "Notice (other)" } }
+ }
+ }
+
+ # weird logs get one score at the moment
+ if ([zeek][weird]) {
+ mutate { id => "mutate_add_field_severity_weird_other"
+ add_field => { "[event][severity_tags]" => "Weird" } }
+ }
+
+ # assign score to signatures based on engine
+ if ([zeek][signatures]) {
+ if ('Capa' in [zeek][signatures][engine]) {
+ mutate { id => "mutate_add_field_severity_signatures_capa"
+ add_field => { "[event][severity_tags]" => "Signature (capa)" } }
+ } else if ('ClamAV' in [zeek][signatures][engine]) {
+ mutate { id => "mutate_add_field_severity_signatures_clamav"
+ add_field => { "[event][severity_tags]" => "Signature (ClamAV)" } }
+ } else if ('Yara' in [zeek][signatures][engine]) {
+ mutate { id => "mutate_add_field_severity_signatures_yara"
+ add_field => { "[event][severity_tags]" => "Signature (YARA)" } }
+ } else {
+ mutate { id => "mutate_add_field_severity_signatures_other"
+ add_field => { "[event][severity_tags]" => "Signature" } }
+ }
+ }
+
+ # ruby_calculate_final_severity_score will be performed in the enrichment stage of severity calculation
+
+ } # LOGSTASH_SEVERITY_SCORING env check
+
+} # filter
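Review bot: In the `[zeek][notice]` block the category chain tests `[zeek][notice][category]` with `==` and `=~` without first checking that the sub-field exists, and the `[zeek][signatures]` block does the same with `'Capa' in [zeek][signatures][engine]`; a notice without a category or a signature record without an engine is presumably meant to land in the `Notice (other)` / `Signature` fallback, but how Logstash conditionals evaluate `=~` and `in` against an absent field has not been consistent across releases, so an explicit guard makes the outcome version-independent. Wrapping the category tests in `if ([zeek][notice][category]) {` and the engine tests in `if ([zeek][signatures][engine]) {`, with the fallback `mutate` in the corresponding `else`, is enough. The vulnerability branch hard-codes `/^CVE/`, `EternalSafety`, `Ripple20` and `Zerologon`, so notices from any vulnerability-detection package enabled later would be scored as `Notice (other)` with no warning; a comment next to that branch such as `# extend this list whenever a new vulnerability-detection Zeek package is enabled` would flag the coupling. The env toggle is compared against the literal `"true"`, so `LOGSTASH_SEVERITY_SCORING=True` or `TRUE` leaves scoring off; if that is intended, the comment above `mutate_add_field_env_logstash_severity_scoring_zeek` should say the value is case-sensitive.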
diff --git a/logstash/pipelines/zeek/20_zeek_to_ecs.conf b/logstash/pipelines/zeek/20_zeek_to_ecs.conf deleted file mode 100644 index d9909bab0..000000000 --- a/logstash/pipelines/zeek/20_zeek_to_ecs.conf +++ /dev/null 
@@ -1,691 +0,0 @@ -filter { - - # Map zeek fields to ECS where possible (see https://github.com/idaholab/Malcolm/issues/16) - # For now I will add fields rather than rename them. This will preserve backwards compatibility - # but the records will be somewhat bigger. I'll have to address what (if anything) to do with upgrades. - - # - # Some fields (particularly AS and GEO fields) don't exist at this point in the pipeline, as they - # are added during enrichment. In that case, I will make a note of it here and handle it in - # ./pipelines/enrichment/20_enriched_to_ecs.conf: - # - # Autonomous System and Geo are handled after enrichment in 20_enriched_to_ecs.conf - # πŸ—Ή Autonomous System - Fields describing an Autonomous System (Internet routing prefix). - https://www.elastic.co/guide/en/ecs/current/ecs-as.html - # πŸ—Ή Geo - Fields describing a location. - https://www.elastic.co/guide/en/ecs/current/ecs-geo.html - # - # Risk/severity/priority/whatever will be done *after* enrichment based on normalized fields - # - event.severity, event.risk_score and event.risk_score_norm - # - # TODO: certain other fields that I'm already normalizing for arkime could maybe be moved out of - # here into enriched_to_ecs in the enrichment pipeline, but that kind of depends on what things - # look like when we add more data sources in the future, or if arkime tackles ECS, etc. - # - - # for now don't do anything unles an env explicitly enables it - mutate { - id => "mutate_add_field_env_logstash_zeek_to_ecs" - add_field => { "[@metadata][ENV_LOGSTASH_ZEEK_TO_ECS]" => "${LOGSTASH_TO_ECS:false}" } - } - if ([@metadata][ENV_LOGSTASH_ZEEK_TO_ECS] == "true") { - - # I will mark these ☐ off with a πŸ—Ή or πŸ—· as I address them or decide they don't need adressing - - # πŸ—Ή Network - Fields describing the communication path over which the event happened. 
- https://www.elastic.co/guide/en/ecs/current/ecs-network.html - - # network.direction handled during enrichment pipeline - # network.name handled during enrichment pipeline - # network.type handled during enrichment pipeline - # TODO: some of these done here should probably be done after enrichment, too - - # network.application and network.protocol (TODO: what's the difference as far as my logs go) - if ([zeek][service]) { - mutate { id => "mutate_add_field_ecs_network_application" - add_field => { "[network][application]" => "%{[zeek][service]}" } } - mutate { id => "mutate_add_field_ecs_network_protocol" - add_field => { "[network][protocol]" => "%{[zeek][service]}" } } - } - - # network.iana_number - if ([ipProtocol]) { mutate { id => "mutate_add_field_ecs_network_iana_number" - add_field => { "[network][iana_number]" => "%{[ipProtocol]}" } } } - - # network.transport - if ([zeek][proto]) { mutate { id => "mutate_add_field_ecs_network_transport" - add_field => { "[network][transport]" => "%{[zeek][proto]}" } } } - - # ☐ Destination - Fields about the destination side of a network connection, used with source. - https://www.elastic.co/guide/en/ecs/current/ecs-destination.html - # ☐ Source - Fields about the source side of a network connection, used with destination. - https://www.elastic.co/guide/en/ecs/current/ecs-source.html - # - These should be handled in the original parsing (in 11_zeek_logs.conf), are there other fields? - - # πŸ—Ή Client - Fields about the client side of a network connection, used with server. - https://www.elastic.co/guide/en/ecs/current/ecs-client.html - # as Arkime uses source/destination for network stuff (vs. 
client/server) we're doing that as well for zeek logs - - # client.domain - if ([zeek][orig_hostname]) { mutate { id => "mutate_add_field_ecs_client_domain_orig_hostname" - add_field => { "[client][domain]" => "%{[zeek][orig_hostname]}" } } } - else if ([zeek_dhcp][host_name]) { mutate { id => "mutate_add_field_ecs_client_domain_dhcp_host_name" - add_field => { "[client][domain]" => "%{[zeek_dhcp][host_name]}" } } } - else if ([zeek_dhcp][domain]) { mutate { id => "mutate_add_field_ecs_client_domain_dhcp_domain" - add_field => { "[client][domain]" => "%{[zeek_dhcp][domain]}" } } } - else if ([zeek_ntlm][host]) { mutate { id => "mutate_add_field_ecs_client_domain_ntlm_host_name" - add_field => { "[client][domain]" => "%{[zeek_ntlm][host]}" } } } - else if ([zeek_ntlm][domain]) { mutate { id => "mutate_add_field_ecs_client_domain_ntlm_domain" - add_field => { "[client][domain]" => "%{[zeek_ntlm][domain]}" } } } - - # πŸ—Ή Server - Fields about the server side of a network connection, used with client. - https://www.elastic.co/guide/en/ecs/current/ecs-server.html - # as Arkime uses source/destination for network stuff (vs. client/server) we're doing that as well for zeek logs - - # server.domain - if ([zeek][resp_hostname]) { mutate { id => "mutate_add_field_ecs_server_domain_resp_hostname" - add_field => { "[server][domain]" => "%{[zeek][resp_hostname]}" } } } - - # ☐ Event - Fields breaking down the event details. 
- https://www.elastic.co/guide/en/ecs/current/ecs-event.html - - # event.action from zeek.action - if ([zeek][action]) { mutate { id => "mutate_add_field_ecs_event_action" - add_field => { "[event][action]" => "%{[zeek][action]}" } } } - - # event.dataset from zeek.logtype - mutate { id => "mutate_add_field_ecs_event_dataset" - add_field => { "[event][dataset]" => "zeek.%{[zeek][logType]}" } } - - # event.duration - if ([zeek_conn][duration]) { - # convert duration (floating-point seconds) to nanoseconds - ruby { - id => "ruby_zeek_duration_to_ecs_event_duration" - code => "event.set('[event][duration]', (1000000000 * event.get('[zeek_conn][duration]').to_f).round(0))" - } - } - - # for event.start/event.end, we'll the arkime firstPacket/lastPacket field as we already did the math - if ([firstPacket]) { mutate { id => "mutate_add_field_ecs_event_start" - add_field => { "[event][start]" => "%{[firstPacket]}" } } } - if ([lastPacket]) { mutate { id => "mutate_add_field_ecs_event_end" - add_field => { "[event][end]" => "%{[lastPacket]}" } } } - - # UIDs and FUIDs constitude unique IDs - if ([zeek][uid]) { mutate { id => "mutate_add_field_ecs_id_uid" - merge => { "[event][id]" => "[zeek][uid]" } } } - if ([zeek][fuid]) { mutate { id => "mutate_add_field_ecs_id_fuid" - merge => { "[event][id]" => "[zeek][fuid]" } } } - - # event.provider - if (![event][provider]) { mutate { id => "mutate_add_field_event_provider_zeek" - add_field => { "[event][provider]" => "zeek" } } } - - # event.kind - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-kind.html - if ([zeek_notice]) or ([zeek_signatures]) or ([zeek_weird]) { - mutate { id => "mutate_add_field_ecs_event_kind_alert" - add_field => { "[event][kind]" => "alert" } } - } else { - mutate { id => "mutate_add_field_ecs_event_kind_event" - add_field => { "[event][kind]" => "event" } } - } - - # event.category - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html - translate { - 
id => "translate_zeek_ecs_event_category" - field => "[zeek][logType]" - destination => "[event][category]" - dictionary_path => "/etc/zeek_log_ecs_categories.yaml" - } - - # TODO: this gets very granular and varies wildly per protocol, not sure I can translate these 100% from zeek.action and zeek.result - # event.type - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html - # event.outcome - https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html - # Eeesh, this is a swag... - # if ([zeek][result]) { - # ruby { - # id => "ruby_ecs_event_outcome_zeek_result" - # code => " - # event.get('[zeek][result]').each { |zeekResult| - # zeekResult.downcase! - # if zeekResult =~ /(abo?rt|bad|busy|close|conflict|crit|declin|denied|deny|disabl|discon|down|err|exceed|exhaust|expir|fail|forbid|illeg|imposs|inappr|incorr|insuff|interrupt|misdirected|nak|no[ _-]*such|overload|problem|refus|reject|terminat|timeout|violat|wrong|(im|dis|mis|un|un|not)[ _-]*(avail|allow|assign|auth|deciph|process|permit|found|support|exist|enough|implem|known|ok|okay|reach|respond|consist|access|satis|succes|valid|want)|too[ _-]*(large|long|small|short|early|late|many|few))/ - # event.set('[event][outcome]', 'failure') - # break - # elsif zeekResult =~ /(ok|okay|success|ack|complet|correct|good|ready|finish|valid)/ - # event.set('[event][outcome]', 'success') - # break - # end - # } - # " - # } - # } - - # ☐ DNS - Fields describing DNS queries and answers. 
- https://www.elastic.co/guide/en/ecs/current/ecs-dns.html - if ([zeek_dns]) { - - # dns.resolved_ip - if ([dns][ip]) { mutate { id => "mutate_merge_ecs_dhs_resolved_ip" - merge => { "[dns][resolved_ip]" => "[dns][ip]" } } } - - # dns.answers and dns.type:answer - if ([zeek_dns][answers]) { - ruby { - id => "ruby_zeek_dns_answers_to_ecs" - code => ' - event.set("[dns][answers]", [Array(event.get("[zeek_dns][answers]")), Array(event.get("[zeek_dns][TTLs]"))].transpose.map{ |d| Hash[[:data, :ttl].zip(d)] }) - '} - mutate { id => "mutate_add_field_ecs_dns_type_answer" - add_field => { "[dns][type]" => "answer" } } - } - - # dns.op_code - if ([dns][opcode]) { mutate { id => "mutate_add_field_ecs_dns_opcode" - add_field => { "[dns][op_code]" => "%{[dns][opcode]}" } } } - - # dns.question.class - if ([zeek_dns][qclass_name]) { mutate { id => "mutate_add_field_ecs_dns_qclass" - add_field => { "[dns][question][class]" => "%{[zeek_dns][qclass_name]}" } } } - - # dns.question.type - if ([zeek_dns][qtype_name]) { mutate { id => "mutate_add_field_ecs_dns_qtype" - add_field => { "[dns][question][type]" => "%{[zeek_dns][qtype_name]}" } } } - - # dns.question.name and dns.type:query - if ([zeek_dns][query]) { - mutate { id => "mutate_add_field_ecs_dns_query" - add_field => { "[dns][question][name]" => "%{[zeek_dns][query]}" } } - if (![dns][type]) { mutate { id => "mutate_add_field_ecs_dns_type_query" - add_field => { "[dns][type]" => "query" } } } - } - - if ([dns][type]) { - # dns.header_flags - if ([zeek][AA] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_aa" - add_field => { "[dns][header_flags]" => "AA" } } } - if ([zeek][TC] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_tc" - add_field => { "[dns][header_flags]" => "TC" } } } - if ([zeek][RD] == "T") { mutate { id => "mutate_add_field_ecs_dns_header_flag_rd" - add_field => { "[dns][header_flags]" => "RD" } } } - if ([zeek][RA] == "T") { mutate { id => 
"mutate_add_field_ecs_dns_header_flag_ra" - add_field => { "[dns][header_flags]" => "RA" } } } - } - - # dns.response_code - if ([zeek_dns][rcode_name]) { mutate { id => "mutate_add_field_ecs_dns_response_code" - add_field => { "[dns][response_code]" => "%{[zeek_dns][rcode_name]}" } } } - - # dns.id - if ([zeek_dns][trans_id]) { mutate { id => "mutate_add_field_ecs_dns_id" - add_field => { "[dns][id]" => "%{[zeek_dns][trans_id]}" } } } - - # TODO: domain stuff (dns.question.registered_domain, dns.question.subdomain, dns.question.top_level_domain) - # perhaps use something like https://github.com/plutonbacon/logstash-filter-publicsuffix - } - - # πŸ—Ή File - Fields describing files. - https://www.elastic.co/guide/en/ecs/current/ecs-file.html - - if ([zeek_files]) { - - # file.type - mutate { id => "mutate_add_field_ecs_file_type" - add_field => { "[file][type]" => "file" } } - - # file.directory, file.name, file.path - if ([zeek_files][filename]) { - mutate { id => "mutate_add_field_ecs_file_path" - add_field => { "[file][path]" => "%{[zeek_files][filename]}" } } - grok { - id => "grok_zeek_files_filename_ecs" - match => { "[zeek_files][filename]" => [ "%{GREEDYDATA:[file][directory]}[\\\/]%{DATA:[file][name]}" ] } - } - } - - # file.mime_type - if ([zeek_files][mime_type]) { mutate { id => "mutate_add_field_ecs_files_mime_type" - add_field => { "[file][mime_type]" => "%{[zeek_files][mime_type]}" } } } - - # file.size - if ([zeek_files][total_bytes]) { mutate { id => "mutate_add_field_ecs_files_size" - add_field => { "[file][size]" => "%{[zeek_files][total_bytes]}" } } } - - # πŸ—Ή Hash - Hashes, usually file hashes. 
- https://www.elastic.co/guide/en/ecs/current/ecs-hash.html - # file.hash.md5,sha1,sha256 - if ([zeek_files][md5]) { mutate { id => "mutate_add_field_ecs_files_hash_md5" - add_field => { "[file][hash][md5]" => "%{[zeek_files][md5]}" } } } - if ([zeek_files][sha1]) { mutate { id => "mutate_add_field_ecs_files_hash_sha1" - add_field => { "[file][hash][sha1]" => "%{[zeek_files][sha1]}" } } } - if ([zeek_files][sha256]) { mutate { id => "mutate_add_field_ecs_files_hash_sha256" - add_field => { "[file][hash][sha256]" => "%{[zeek_files][sha256]}" } } } - } - - if ([zeek_smb_files]) { - - # from smb_files, file.created,accessed,ctime,mtime,size - if ([zeek_smb_files][times_created]) { mutate { id => "mutate_add_field_ecs_smb_created" - add_field => { "[file][created]" => "%{[zeek_smb_files][times_created]}" } } } - - if ([zeek_smb_files][times_accessed]) { mutate { id => "mutate_add_field_ecs_smb_accessed" - add_field => { "[file][accessed]" => "%{[zeek_smb_files][times_accessed]}" } } } - - if ([zeek_smb_files][times_changed]) { mutate { id => "mutate_add_field_ecs_smb_changed" - add_field => { "[file][ctime]" => "%{[zeek_smb_files][times_changed]}" } } } - - if ([zeek_smb_files][times_modified]) { mutate { id => "mutate_add_field_ecs_smb_modified" - add_field => { "[file][mtime]" => "%{[zeek_smb_files][times_modified]}" } } } - - if ([zeek_smb_files][size]) { mutate { id => "mutate_add_field_ecs_smb_size" - add_field => { "[file][size]" => "%{[zeek_smb_files][size]}" } } } - - # file.name from smb_files.name - if (![file][name]) and ([zeek_smb_files][name]) { - mutate { id => "mutate_add_field_ecs_file_smb_files_name" - add_field => { "[file][name]" => "%{[zeek_smb_files][name]}" } } - } - } - - # file.directory from zeek_smb_files.smb_path - if ([@metadata][smb_path]) { - if (![file][type]) { mutate { id => "mutate_add_field_ecs_file_type_smb_path" - add_field => { "[file][type]" => "file" } } } - - mutate { id => "mutate_add_field_ecs_file_directory_from_smb" - 
add_field => { "[file][directory]" => "%{[@metadata][smb_path]}" } } - } - - # file.path from file.directory and file.name, if present and not already populated - if ([file][directory]) and (![file][path]) { - if ([file][name]) { - mutate { id => "mutate_add_field_ecs_path_from_dir_and_name" - add_field => { "[file][path]" => "%{[file][directory]}/%{[file][name]}" } } - } else { - mutate { id => "mutate_add_field_ecs_path_from_dir_only" - add_field => { "[file][path]" => "%{[file][directory]}" } } - } - } - - if ([file][name]) { - if (![file][type]) { mutate { id => "mutate_add_field_ecs_file_type_name" - add_field => { "[file][type]" => "file" } } } - - # file.extension - grok { - id => "grok_zeek_files_fileext_ecs" - match => { "[file][name]" => [ "%{GREEDYDATA}\.%{DATA:[file][extension]}" ] } - } - } - - # πŸ—Ή HTTP - Fields describing an HTTP request. - https://www.elastic.co/guide/en/ecs/current/ecs-http.html - if ([zeek_http]) { - - if ([zeek_http][request_body_len]) { mutate { id => "mutate_add_field_ecs_http_request_body_bytes" - add_field => { "[http][request][body][bytes]" => "%{[zeek_http][request_body_len]}" } } } - - if ([zeek_http][method]) { mutate { id => "mutate_add_field_ecs_http_request_method" - add_field => { "[http][request][method]" => "%{[zeek_http][method]}" } } } - - if ([zeek_http][referrer]) { mutate { id => "mutate_add_field_ecs_http_request_referrer" - add_field => { "[http][request][referrer]" => "%{[zeek_http][referrer]}" } } } - - if ([zeek_http][response_body_len]) { mutate { id => "mutate_add_field_ecs_http_response_body_bytes" - add_field => { "[http][response][body][bytes]" => "%{[zeek_http][response_body_len]}" } } } - - if ([zeek_http][status_code]) { mutate { id => "mutate_add_field_ecs_http_response_status_cocde" - add_field => { "[http][response][status_cocde]" => "%{[zeek_http][status_code]}" } } } - - if ([zeek_http][version]) { mutate { id => "mutate_add_field_ecs_http_version" - add_field => { "[http][version]" => 
"%{[zeek_http][version]}" } } } - - # ☐ URL - Fields that let you store URLs in various forms. - https://www.elastic.co/guide/en/ecs/current/ecs-url.html - # todo: handle URIs from other protocols (SIP, FTP, ...) - if ([zeek_http][uri]) or ([zeek_http][host]) { - ruby { - id => "ruby_ecs_uri_parse_from_zeek_http" - init => "require 'uri'" - code => " - scheme = 'http' - user = event.get('[zeek][user]') - password = event.get('[zeek][password]') - host = event.get('[zeek_http][host]') - port = event.get('[zeek][resp_p]') - uri = event.get('[zeek_http][uri]') - ext = (uri.nil? || !(uri.include? '/')) ? nil : File.extname(uri).partition('.').last.split(/[\?#]/)[0] - fragment = uri.nil? ? nil : uri.partition('#').last - query = uri.nil? ? nil : uri.partition('?').last - event.set('[url][scheme]', scheme) - event.set('[url][original]', scheme + '://' + (host.nil? ? '' : host) + (uri.nil? ? '' : uri)) - event.set('[url][full]', scheme + '://' + (user.nil? ? '' : Array(user).first) + (password.nil? ? '' : ':' + password) + ((user.nil? && password.nil?) ? '' : '@') + (host.nil? ? '' : host) + (port.nil? ? '' : ':' + port) + (uri.nil? ? '' : uri)) - event.set('[url][domain]', host) unless host.nil? - event.set('[url][extension]', ext) unless ext.nil? || ext.empty? - event.set('[url][fragment]', fragment) unless fragment.nil? || fragment.empty? - event.set('[url][password]', password) unless password.nil? - event.set('[url][path]', uri) unless uri.nil? - event.set('[url][port]', port) unless port.nil? - event.set('[url][query]', query) unless query.nil? || query.empty? - event.set('[url][user]', Array(user).first) unless user.nil? - " - # TODO: domain stuff (url.registered_domain, url.top_level_domain) - # perhaps use something like https://github.com/plutonbacon/logstash-filter-publicsuffix - } - } - } - - # πŸ—Ή Related - Fields meant to facilitate pivoting around a piece of data. 
- https://www.elastic.co/guide/en/ecs/current/ecs-related.html - - # related.user (zeek.user is already the array we want) - if ([zeek][user]) { mutate { id => "mutate_merge_field_related_zeek_user" - merge => { "[related][user]" => "[zeek][user]" } } } - - # related.hash (accumulate all hash/fingerprint fields into related.hash) - if ([zeek_files][md5]) { mutate { id => "mutate_merge_field_related_hash_files_md5" - merge => { "[related][hash]" => "[zeek_files][md5]" } } } - if ([zeek_files][sha1]) { mutate { id => "mutate_merge_field_related_hash_files_sha1" - merge => { "[related][hash]" => "[zeek_files][sha1]" } } } - if ([zeek_files][sha256]) { mutate { id => "mutate_merge_field_related_hash_files_sha256" - merge => { "[related][hash]" => "[zeek_files][sha256]" } } } - if ([zeek_ssh][hassh]) { mutate { id => "mutate_merge_field_related_hash_ssh_hassh" - merge => { "[related][hash]" => "[zeek_ssh][hassh]" } } } - if ([zeek_ssh][hasshServer]) { mutate { id => "mutate_merge_field_related_hash_ssh_hasshServer" - merge => { "[related][hash]" => "[zeek_ssh][hasshServer]" } } } - if ([zeek_ssl][ja3]) { mutate { id => "mutate_merge_field_related_hash_ssl_ja3" - merge => { "[related][hash]" => "[zeek_ssl][ja3]" } } } - if ([zeek_ssl][ja3s]) { mutate { id => "mutate_merge_field_related_hash_zeek_ssl_ja3s" - merge => { "[related][hash]" => "[zeek_ssl][ja3s]" } } } - - # related.ip (all IP-type fields get rolled up into related.ip) - if ([zeek][destination_geo][ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_destination_geo_ip" - merge => { "[related][ip]" => "[zeek][destination_geo][ip]" } } } - if ([zeek][orig_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_orig_h" - merge => { "[related][ip]" => "[zeek][orig_h]" } } } - if ([zeek][resp_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_resp_h" - merge => { "[related][ip]" => "[zeek][resp_h]" } } } - if ([zeek][source_geo][ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_source_geo_ip" - 
merge => { "[related][ip]" => "[zeek][source_geo][ip]" } } } - if ([zeek_dhcp][assigned_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_dhcp_assigned_ip" - merge => { "[related][ip]" => "[zeek_dhcp][assigned_ip]" } } } - if ([zeek_dhcp][requested_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_dhcp_requested_ip" - merge => { "[related][ip]" => "[zeek_dhcp][requested_ip]" } } } - if ([zeek_enip_list_identity][device_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_enip_list_identity_device_ip" - merge => { "[related][ip]" => "[zeek_enip_list_identity][device_ip]" } } } - if ([zeek_files][rx_hosts]) { mutate { id => "mutate_merge_field_related_ip_zeek_files_rx_hosts" - merge => { "[related][ip]" => "[zeek_files][rx_hosts]" } } } - if ([zeek_files][tx_hosts]) { mutate { id => "mutate_merge_field_related_ip_zeek_files_tx_hosts" - merge => { "[related][ip]" => "[zeek_files][tx_hosts]" } } } - if ([zeek_ftp][data_channel_orig_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_ftp_data_channel_orig_h" - merge => { "[related][ip]" => "[zeek_ftp][data_channel_orig_h]" } } } - if ([zeek_ftp][data_channel_resp_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_ftp_data_channel_resp_h" - merge => { "[related][ip]" => "[zeek_ftp][data_channel_resp_h]" } } } - if ([zeek_notice][dst]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_dst" - merge => { "[related][ip]" => "[zeek_notice][dst]" } } } - if ([zeek_notice][src]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_src" - merge => { "[related][ip]" => "[zeek_notice][src]" } } } - if ([zeek_radius][framed_addr]) { mutate { id => "mutate_merge_field_related_ip_zeek_radius_framed_addr" - merge => { "[related][ip]" => "[zeek_radius][framed_addr]" } } } - if ([zeek_smtp][path]) { mutate { id => "mutate_merge_field_related_ip_zeek_smtp_path" - merge => { "[related][ip]" => "[zeek_smtp][path]" } } } - if ([zeek_smtp][x_originating_ip]) { mutate { id => 
"mutate_merge_field_related_ip_zeek_smtp_x_originating_ip" - merge => { "[related][ip]" => "[zeek_smtp][x_originating_ip]" } } } - if ([zeek_socks][bound_host]) { mutate { id => "mutate_merge_field_related_ip_zeek_socks_bound_host" - merge => { "[related][ip]" => "[zeek_socks][bound_host]" } } } - if ([zeek_socks][request_host]) { mutate { id => "mutate_merge_field_related_ip_zeek_socks_request_host" - merge => { "[related][ip]" => "[zeek_socks][request_host]" } } } - if ([zeek_x509][san_ip]) { mutate { id => "mutate_merge_field_related_ip_zeek_x509_san_ip" - merge => { "[related][ip]" => "[zeek_x509][san_ip]" } } } - if ([related][ip]) { - ruby { - id => "ruby_related_ip_uniq" - path => "/usr/share/logstash/malcolm-ruby/make_unique_array.rb" - script_params => { - "field" => "[related][ip]" - } - } - } - - # πŸ—Ή Rule - Fields to capture details about rules used to generate alerts or other notable events. - https://www.elastic.co/guide/en/ecs/current/ecs-rule.html - # - signatures - # - engine - >rule.author - # - signature_id -> rule.name - # - event_msg -> rule.description - # - notice - # - category -> rule.category, rule.author (mapped), rule.reference (mapped), rule.license (mapped) - # - sub_category -> rule.name - # - weird - # - name -> rule.name - - if ([zeek_signatures]) { - if ([zeek_signatures][engine]) { mutate { id => "mutate_merge_field_ecs_rule_author_signatures_engine" - merge => { "[rule][author]" => "[zeek_signatures][engine]" } } } - - if ([zeek_signatures][signature_id]) { mutate { id => "mutate_add_field_ecs_rule_id_signature_name" - merge => { "[rule][name]" => "[zeek_signatures][signature_id]" } } } - - if ([zeek_signatures][event_msg]) { mutate { id => "mutate_add_field_ecs_rule_id_signature_event_msg" merge => { "[rule][description]" => "[zeek_signatures][event_msg]" } } } - } - - if ([zeek_notice]) { - - mutate { id => "mutate_add_field_ecs_rule_ruleset_notice_zeek" - add_field => { "[rule][ruleset]" => "Zeek Notices" } } - - if 
([zeek_notice][category]) { mutate { id => "mutate_add_field_ecs_rule_category_notice_category" - add_field => { "[rule][category]" => "%{[zeek_notice][category]}" } } } - - if ([zeek_notice][sub_category]) { mutate { id => "mutate_add_field_ecs_rule_category_notice_sub_category" - add_field => { "[rule][name]" => "%{[zeek_notice][sub_category]}" } } } - - translate { - id => "translate_zeek_notice_author" - field => "[zeek_notice][category]" - destination => "[@metadata][zeek_noticed_mapped_author]" - dictionary_path => "/etc/notice_authors.yaml" - fallback => "Zeek" - } - if ([@metadata][zeek_noticed_mapped_author]) { - mutate { id => "mutate_merge_zeek_noticed_mapped_author" - merge => { "[rule][author]" => "[@metadata][zeek_noticed_mapped_author]" } } - } - - translate { - id => "translate_zeek_notice_reference" - field => "[zeek_notice][category]" - destination => "[@metadata][zeek_noticed_mapped_reference]" - dictionary_path => "/etc/notice_reference.yaml" - fallback => "https://docs.zeek.org/en/current/zeek-noticeindex.html" - } - if ([@metadata][zeek_noticed_mapped_reference]) { - mutate { id => "mutate_merge_zeek_noticed_mapped_reference" - merge => { "[rule][reference]" => "[@metadata][zeek_noticed_mapped_reference]" } } - } - - translate { - id => "translate_zeek_notice_license" - field => "[zeek_notice][category]" - destination => "[@metadata][zeek_noticed_mapped_license]" - dictionary_path => "/etc/notice_license.yaml" - fallback => "https://raw.githubusercontent.com/zeek/zeek/master/COPYING" - } - if ([@metadata][zeek_noticed_mapped_license]) { - mutate { id => "mutate_merge_zeek_noticed_mapped_license" - merge => { "[rule][license]" => "[@metadata][zeek_noticed_mapped_license]" } } - } - - } - - if ([zeek_weird][name]) { - mutate { id => "mutate_add_field_ecs_rule_author_zeek_weird" - add_field => { "[rule][author]" => "Zeek" } } - mutate { id => "mutate_add_field_ecs_rule_ruleset_zeek_weird" - add_field => { "[rule][ruleset]" => "Zeek Weird Logs" } 
} - mutate { id => "mutate_add_field_ecs_rule_reference_zeek_weird" - add_field => { "[rule][reference]" => "https://docs.zeek.org/en/current/scripts/base/frameworks/notice/weird.zeek.html" } } - mutate { id => "mutate_add_field_ecs_rule_name_weird_name" - add_field => { "[rule][name]" => "%{[zeek_weird][name]}" } } - } - - # πŸ—Ή Threat - Fields to classify events and alerts according to a threat taxonomy. - https://www.elastic.co/guide/en/ecs/current/ecs-threat.html - if ([zeek_notice]) { - - if ([zeek_notice][category] == "ATTACK") { - - # populate threat information for MITRE ATT&CK notices from mitre-attack/bzar plugin - mutate { id => "mutate_add_field_ecs_threat_framework_mitre_attack" - add_field => { "[threat][framework]" => "MITRE ATT&CK" } } - - if ([zeek_notice][sub_category]) { - mutate { id => "mutate_add_field_ecs_threat_tactic_name_mitre" - add_field => { "[threat][tactic][name]" => "%{[zeek_notice][sub_category]}" } } - mutate { id => "mutate_gsub_ecs_threat_tactic_name_notice_sub" - gsub => [ "[threat][tactic][name]", "_,", " " ] } - translate { - id => "translate_zeek_mitre_attack_tactic_name_to_id" - field => "[zeek_notice][sub_category]" - destination => "[threat][tactic][id]" - dictionary_path => "/etc/mitre_attack_tactic_ids.yaml" - } - translate { - id => "translate_zeek_mitre_attack_tactic_name_to_reference" - field => "[zeek_notice][sub_category]" - destination => "[threat][tactic][reference]" - dictionary_path => "/etc/mitre_attack_tactic_reference.yaml" - fallback => "https://attack.mitre.org/tactics/enterprise/" - } - } - - if ([zeek_notice][sub]) and ([zeek_notice][sub] =~ /^T/) { - # eg., T1077 Windows Admin Shares + T1105 Remote File Copy - ruby { - id => "ruby_ecs_threat_technique_from_attack" - code => " - idArray = Array.new - nameArray = Array.new - event.get('[zeek_notice][sub]').split('+').each do |technique| - id, name = technique.strip.match(/(^T.*?)\s+(.+$)/).captures - idArray.push(id) unless id.nil? 
- nameArray.push(name) unless name.nil? - end - event.set('[threat][technique][id]', idArray) - event.set('[threat][technique][name]', nameArray) - event.set('[threat][technique][reference]', idArray.clone.map(&:clone).map{|x| x.prepend('https://attack.mitre.org/techniques/')}) - " - } - } - - } else if ([zeek_notice][category] == "EternalSafety") { - # populate threat information for EternalSafety from 0xl3x1/zeek-EternalSafety plugin - mutate { id => "mutate_add_field_ecs_threat_framework_eternal_safety" - add_field => { "[threat][framework]" => "EternalSafety" } } - if ([zeek_notice][sub_category]) { mutate { id => "mutate_add_field_ecs_threat_technique_name_eternal" - add_field => { "[threat][technique][name]" => "%{[zeek_notice][sub_category]}" } } } - if ([rule][reference]) { mutate { id => "mutate_add_field_ecs_threat_technique_reference_eternal" - add_field => { "[threat][technique][reference]" => "%{[rule][reference]}" } } } - } - - } - - # πŸ—Ή TLS - Fields describing a TLS connection. - https://www.elastic.co/guide/en/ecs/current/ecs-tls.html - if ([zeek_ssl]) { - - if ([zeek_ssl][ssl_version]) { - # turn TLSv10, TLSv13, TSLv12, etc. to 'tls' and '1.2', etc. - # TODO: tls.cipher already exists as a Arkime field, will this conflict/duplicate that? - # EDIT: it won't duplicate it, but it will replace it. I guess that's okay for now. - ruby { - id => "ruby_ecs_ssl_version_parse" - code => " - verMatch = event.get('[zeek_ssl][ssl_version]').tr('.', '').match(/(.+)\s*[v-]\s*([\d\.]+)/i) - verParts = verMatch.nil? ? nil : verMatch.captures - unless verParts.nil? 
- event.set('[tls][version_protocol]', verParts[0].downcase) - event.set('[tls][version]', verParts[1].split(//).join('.')) - end - " - } - } - - if ([zeek_ssl][established]) { mutate { id => "mutate_add_field_ecs_zeek_tls_established" - add_field => { "[tls][established]" => "%{[zeek_ssl][established]}" } } } - - if ([zeek_ssl][resumed]) { mutate { id => "mutate_add_field_ecs_zeek_tls_resumed" - add_field => { "[tls][resumed]" => "%{[zeek_ssl][resumed]}" } } } - - if ([zeek_ssl][next_protocol]) { - mutate { id => "mutate_add_field_ecs_zeek_tls_next_protocol" - add_field => { "[tls][next_protocol]" => "%{[zeek_ssl][next_protocol]}" } } - mutate { id => "mutate_lowercase_field_ecs_zeek_tls_next_protocol" - lowercase => [ "[tls][next_protocol]" ] } - } - - # TODO: tls.cipher already exists as a Arkime field, will this conflict/duplicate that? - # EDIT: apparently it does duplicate the value, so I'm commenting this out for now... - #if ([zeek_ssl][cipher]) { mutate { id => "mutate_add_field_ecs_zeek_tls_cipher" - # add_field => { "[tls][cipher]" => "%{[zeek_ssl][cipher]}" } } } - - if ([zeek_ssl][curve]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_curve" - add_field => { "[tls][curve]" => "%{[zeek_ssl][curve]}" } } } - - if ([zeek_ssl][ja3]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_ja3" - add_field => { "[tls][client][ja3]" => "%{[zeek_ssl][ja3]}" } } } - - if ([zeek_ssl][client_issuer_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_issuer_full" - add_field => { "[tls][client][issuer]" => "%{[zeek_ssl][client_issuer_full]}" } } } - - if ([zeek_ssl][client_subject_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_client_subject_full" - add_field => { "[tls][client][subject]" => "%{[zeek_ssl][client_subject_full]}" } } } - - if ([zeek_ssl][server_name]) { - mutate { id => "mutate_add_field_ecs_zeek_tls_client_server_name" - add_field => { "[tls][client][server_name]" => "%{[zeek_ssl][server_name]}" } } - mutate { id => 
"mutate_add_field_ecs_zeek_tls_client_server_name_destination_domain" - add_field => { "[destination][domain]" => "%{[zeek_ssl][server_name]}" } } - } - - if ([zeek_ssl][issuer_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_issuer_full" - add_field => { "[tls][server][issuer]" => "%{[zeek_ssl][issuer_full]}" } } } - - if ([zeek_ssl][ja3s]) { mutate { id => "mutate_add_field_ecs_zeek_tls_server_ja3s" - add_field => { "[tls][server][ja3s]" => "%{[zeek_ssl][ja3s]}" } } } - - if ([zeek_ssl][subject_full]) { mutate { id => "mutate_add_field_ecs_zeek_tls_subject_full" - add_field => { "[tls][server][subject]" => "%{[zeek_ssl][subject_full]}" } } } - } - - # ☐ User agent - Fields to describe a browser user_agent string. - https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html - # - TODO: potentially more parsing could be done for user agent strings (.name, .device.name, .version) - if ([zeek][user_agent]) { mutate { id => "mutate_merge_field_zeek_original_user_agent" - merge => { "[user_agent][original]" => "[zeek][user_agent]" } } } - - # ☐ Agent - Fields about the monitoring agent. - https://www.elastic.co/guide/en/ecs/current/ecs-agent.html - # - agent will be set for logs coming from a sensor (hedgehog) - # - double-check agent set for local Malcolm filebeat Zeek logs to ensure it's set correctly, too - # ☐ Observer - Fields describing an entity observing the event from outside the host. - https://www.elastic.co/guide/en/ecs/current/ecs-observer.html - # - anything useful we could get here from either Malcolm or Hedgehog? - - # ☐ Error - Fields about errors of any kind. - https://www.elastic.co/guide/en/ecs/current/ecs-error.html - # - There could be a lot of cases where there are errors, do we lump them all in here? we'd need to idenfity - # instances of error, error_msg, reply, status code, etc... - # ☐ User - Fields to describe the user relevant to the event. 
- https://www.elastic.co/guide/en/ecs/current/ecs-user.html - # - a *lot* of the details ECS wants for the user (client, destination, email, domain, etc.) aren't provided by Zeek - # also, it appears that there is an issue with type mismatch between Arkime's "user" field and ECS "user.name", etc. - # ☐ Vulnerability - Fields to describe the vulnerability relevant to an event. - https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html - # - There are some CVE zeek plugins, they may be mappable to this (?) - # ☐ VLAN - Fields to describe observed VLAN information. - https://www.elastic.co/guide/en/ecs/current/ecs-vlan.html - # - conflicts with Arkime's VLAN field: - # Can't merge a non object mapping [vlan] with an object mapping [vlan]", "caused_by"=>{"type"=>"illegal_argument_exception", - # "reason"=>"Can't merge a non object mapping [vlan] with an object mapping [vlan] - - # πŸ—· Base - All fields defined directly at the top level - https://www.elastic.co/guide/en/ecs/current/ecs-base.html - # πŸ—· Cloud - Fields about the cloud resource. - https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html - # πŸ—· Code Signature - These fields contain information about binary code signatures. - https://www.elastic.co/guide/en/ecs/current/ecs-code_signature.html - # πŸ—· Container - Fields describing the container that generated this event. - https://www.elastic.co/guide/en/ecs/current/ecs-container.html - # πŸ—· DLL - These fields contain information about code libraries dynamically loaded into processes. - https://www.elastic.co/guide/en/ecs/current/ecs-dll.html - # πŸ—· ECS - Meta-information specific to ECS. - https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html - # πŸ—· Group - User's group relevant to the event. - https://www.elastic.co/guide/en/ecs/current/ecs-group.html - # πŸ—· Host - Fields describing the relevant computing instance. 
- https://www.elastic.co/guide/en/ecs/current/ecs-host.html - # πŸ—· Interface - Fields to describe observer interface information. - https://www.elastic.co/guide/en/ecs/current/ecs-interface.html - # πŸ—· Log - Details about the event's logging mechanism. - https://www.elastic.co/guide/en/ecs/current/ecs-log.html - # πŸ—· Operating System - OS fields contain information about the operating system. - https://www.elastic.co/guide/en/ecs/current/ecs-os.html - # πŸ—· Organization - Fields describing the organization or company the event is associated with. - https://www.elastic.co/guide/en/ecs/current/ecs-organization.html - # πŸ—· Package - These fields contain information about an installed software package. - https://www.elastic.co/guide/en/ecs/current/ecs-package.html - # - I almost mapped "software" to this but it doesn't really line up (installed packages vs. software network traffic observed) - # πŸ—· PE Header - These fields contain Windows Portable Executable (PE) metadata. - https://www.elastic.co/guide/en/ecs/current/ecs-pe.html - # - You would think zeek_pe would line up here, but this is just header stuff specific to windows executables and there's not much that lines up - # πŸ—· Process - These fields contain information about a process. - https://www.elastic.co/guide/en/ecs/current/ecs-process.html - # πŸ—· Registry - Fields related to Windows Registry operations. - https://www.elastic.co/guide/en/ecs/current/ecs-registry.html - # πŸ—· Service - Fields describing the service for or from which the data was collected. - https://www.elastic.co/guide/en/ecs/current/ecs-service.html - # πŸ—· Tracing - Fields related to distributed tracing. - https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html - - } # end if ENV_LOGSTASH_ZEEK_TO_ECS - -} diff --git a/logstash/ruby/ics_mac_lookup.rb b/logstash/ruby/mac_lookup.rb similarity index 60% rename from logstash/ruby/ics_mac_lookup.rb rename to logstash/ruby/mac_lookup.rb index 8e15d4bfd..2e74258a7 100644 
--- a/logstash/ruby/ics_mac_lookup.rb +++ b/logstash/ruby/mac_lookup.rb @@ -6,28 +6,50 @@ def register(params) @source = params["source"] @target = params["target"] if File.exist?(params["map_path"]) - @macmap = Hash.new + @macarray = Array.new YAML.load(File.read(params["map_path"])).each do |mac| - _low = mac_string_to_integer(mac['low']) - _high = mac_string_to_integer(mac['high']) - @macmap[(_low.._high)] = mac['name'] + @macarray.push([mac_string_to_integer(mac['low']), mac_string_to_integer(mac['high']), mac['name']]) end + # Array.bsearch only works on a sorted array + @macarray.sort_by! { |k| [k[0], k[1]]} else - @macmap = nil + @macarray = nil end + @macregex = Regexp.new(/\A([0-9a-fA-F]{2}[-:.]){5}([0-9a-fA-F]{2})\z/) end def filter(event) _mac = event.get("#{@source}") - if _mac.nil? or @macmap.nil? + if _mac.nil? or @macarray.nil? return [event] end - if /\A([0-9a-fA-F]{2}[-:.]){5}([0-9a-fA-F]{2})\z/.match?(_mac) - _macint = mac_string_to_integer(_mac) - _name = @macmap.find{|key, value| key === _macint}&.[](1) - event.set("#{@target}", _name) unless _name.nil? + _names = Array.new + + case _mac + when String + if @macregex.match?(_mac) + _macint = mac_string_to_integer(_mac) + _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)} + _names.push(_vendor[2]) unless _vendor.nil? + end + when Array + _mac.each do |_addr| + if @macregex.match?(_addr) + _macint = mac_string_to_integer(_addr) + _vendor = @macarray.bsearch{ |_vendormac| (_macint < _vendormac[0]) ? -1 : ((_macint > _vendormac[1]) ? 1 : 0)} + _names.push(_vendor[2]) unless _vendor.nil? + end + end end + + _names = _names.uniq + if _names.length > 1 + event.set("#{@target}", _names) + elsif _names.length > 0 + event.set("#{@target}", _names.first) + end + [event] end diff --git a/logstash/scripts/ip-to-segment-logstash.py b/logstash/scripts/ip-to-segment-logstash.py index c72f7b5ec..1478a70e5 100755 
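Review bot: The `when String` and `when Array` branches of the new `case _mac` in filter repeat the regex check, `mac_string_to_integer` call and `bsearch` lookup line for line; normalising the input first with `Array(_mac).each do |_addr|` keeps a single copy of the lookup and still handles a scalar value. The find-any `bsearch` also presumes the `[low, high]` ranges loaded in register never overlap or nest, since the `sort_by! { |k| [k[0], k[1]]}` ordering only satisfies bsearch's precondition for disjoint ranges; if the vendor file can hold a block inside a larger block, the lookup may land on either entry, so that assumption belongs next to the existing `# Array.bsearch only works on a sorted array` comment or in a check at load time. Finally, `@macregex.match?(_addr)` raises for a non-String element of the array, which the old single-value code never had to consider; a `next unless _addr.is_a?(String)` guard in the loop keeps one malformed event from aborting the filter.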
--- a/logstash/scripts/ip-to-segment-logstash.py +++ b/logstash/scripts/ip-to-segment-logstash.py @@ -1,10 +1,8 @@ -#!/usr/bin/env python2 +#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved. -from __future__ import print_function - import sys import os import re @@ -33,19 +31,6 @@ def eprint(*args, **kwargs): print(*args, file=sys.stderr, **kwargs) -################################################################################################### -# recursively convert unicode strings to utf-8 strings -def byteify(input): - if isinstance(input, dict): - return {byteify(key): byteify(value) - for key, value in input.iteritems()} - elif isinstance(input, list): - return [byteify(element) for element in input] - elif isinstance(input, unicode): - return input.encode('utf-8') - else: - return input - ################################################################################################### # main def main(): @@ -81,7 +66,7 @@ def main(): try: tmpMixedEntries = json.load(open(inFile, 'r')) if isinstance(tmpMixedEntries, list): - mixedEntries.extend(byteify(tmpMixedEntries)); + mixedEntries.extend(tmpMixedEntries); except: pass @@ -123,7 +108,7 @@ def main(): networkList = [] for ip in ''.join(values[0].split()).split(','): try: - networkList.append(str(ipaddress.ip_network(unicode(ip))).lower() if ('/' in ip) else str(ipaddress.ip_address(unicode(ip))).lower()) + networkList.append(str(ipaddress.ip_network(ip)).lower() if ('/' in ip) else str(ipaddress.ip_address(ip)).lower()) except ValueError: eprint('"{}" is not a valid IP address, ignoring'.format(ip)) segmentName = values[1] 
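Review bot: The rewritten line `mixedEntries.extend(tmpMixedEntries);` carries a trailing semicolon over from the Python 2 version; it should read `mixedEntries.extend(tmpMixedEntries)`. The enclosing main() starts and ends outside this hunk.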
@@ -156,7 +141,7 @@ def main(): for addr in ''.join(values[0].split()).split(','): try: # see if it's an IP address - addressList.append(str(ipaddress.ip_address(unicode(addr))).lower()) + addressList.append(str(ipaddress.ip_address(addr)).lower()) except ValueError: # see if it's a MAC address if re.match(macAddrRegex, addr): @@ -194,7 +179,7 @@ def main(): if (entry[JSON_MAP_KEY_TYPE] == JSON_MAP_TYPE_SEGMENT): # potentially interpret address as a CIDR-formatted subnet try: - networkList.append(str(ipaddress.ip_network(unicode(addr))).lower() if ('/' in addr) else str(ipaddress.ip_address(unicode(addr))).lower()) + networkList.append(str(ipaddress.ip_network(addr)).lower() if ('/' in addr) else str(ipaddress.ip_address(addr)).lower()) except ValueError: eprint('"{}" is not a valid IP address, ignoring'.format(addr)) @@ -202,7 +187,7 @@ def main(): # should be an IP or MAC address try: # see if it's an IP address - addressList.append(str(ipaddress.ip_address(unicode(addr))).lower()) + addressList.append(str(ipaddress.ip_address(addr)).lower()) except ValueError: # see if it's a MAC address if re.match(macAddrRegex, addr): @@ -219,7 +204,7 @@ def main(): # go through the lists of segments/hosts, which will now be organized by required tag first, then # segment/host name, then the list of addresses - for tag, nameMaps in tagListMap.iteritems(): + for tag, nameMaps in tagListMap.items(): print("", file=outFile) # if a tag name is specified, print the IF statement verifying the tag's presence 
@@ -228,55 +213,52 @@ def main(): try: # for the host names(s) to be checked, create two filters, one for source IP|MAC and one for dest IP|MAC - for hostName, addrList in nameMaps[HOST_LIST_IDX].iteritems(): + for hostName, addrList in nameMaps[HOST_LIST_IDX].items(): # ip addresses mapped to hostname ipList = list(set([a for a in addrList if not a.startswith('_')])) if (len(ipList) >= 1): - for source in ['orig', 'resp']: + for source in ['source', 'destination']: filterId += 1 - fieldName = "{}_h".format(source) - newFieldName = "{}_hostname".format(source) + newFieldName = "".join([f"[{x}]" for x in [source, "hostname"]]) print("", file=outFile) - print(' if ([zeek][{}]) and ({}) {{ '.format(fieldName, ' or '.join(['([zeek][{}] == "{}")'.format(fieldName, ip) for ip in ipList])), file=outFile) + print(' if ([{}][ip]) and ({}) {{ '.format(source, ' or '.join(['([{}][ip] == "{}")'.format(source, ip) for ip in ipList])), file=outFile) print(' mutate {{ id => "mutate_add_autogen_{}_ip_hostname_{}"'.format(source, filterId), file=outFile) - print(' add_field => {{ "[zeek][{}]" => "{}" }}'.format(newFieldName, hostName), file=outFile) + print(' add_field => {{ "{}" => "{}" }}'.format(newFieldName, hostName), file=outFile) print(" }", file=outFile) print(" }", file=outFile) - addedFields.add("[zeek][{}]".format(newFieldName)) + addedFields.add(newFieldName) # mac addresses mapped to hostname macList = list(set([a for a in addrList if a.startswith('_')])) if (len(macList) >= 1): - for source in ['orig', 'resp']: + for source in ['source', 'destination']: filterId += 1 - fieldName = "{}_l2_addr".format(source) - newFieldName = "{}_hostname".format(source) + newFieldName = "".join([f"[{x}]" for x in [source, "hostname"]]) print("", file=outFile) - print(' if ([zeek][{}]) and ({}) {{ '.format(fieldName, ' or '.join(['([zeek][{}] == "{}")'.format(fieldName, mac[1:]) for mac in macList])), file=outFile) + print(' if ([{}][mac]) and ({}) {{ '.format(source, ' or 
'.join(['([{}][mac] == "{}")'.format(source, mac[1:]) for mac in macList])), file=outFile) print(' mutate {{ id => "mutate_add_autogen_{}_mac_hostname_{}"'.format(source, filterId), file=outFile) - print(' add_field => {{ "[zeek][{}]" => "{}" }}'.format(newFieldName, hostName), file=outFile) + print(' add_field => {{ "{}" => "{}" }}'.format(newFieldName, hostName), file=outFile) print(" }", file=outFile) print(" }", file=outFile) - addedFields.add("[zeek][{}]".format(newFieldName)) + addedFields.add(newFieldName) # for the segment(s) to be checked, create two cidr filters, one for source IP and one for dest IP - for segmentName, ipList in nameMaps[SEGMENT_LIST_IDX].iteritems(): + for segmentName, ipList in nameMaps[SEGMENT_LIST_IDX].items(): ipList = list(set(ipList)) - for source in ['orig', 'resp']: + for source in ['source', 'destination']: filterId += 1 # ip addresses/ranges mapped to network segment names - fieldName = "{}_h".format(source) - newFieldName = "{}_segment".format(source) + newFieldName = "".join([f"[{x}]" for x in [source, "segment"]]) print("", file=outFile) - print(" if ([zeek][{}]) {{ cidr {{".format(fieldName), file=outFile) + print(" if ([{}][ip]) {{ cidr {{".format(source), file=outFile) print(' id => "cidr_autogen_{}_segment_{}"'.format(source, filterId), file=outFile) - print(' address => [ "%{{[zeek][{}]}}" ]'.format(fieldName), file=outFile) + print(' address => [ "%{{[{}][ip]}}" ]'.format(source), file=outFile) print(' network => [ {} ]'.format(', '.join('"{}"'.format(ip) for ip in ipList)), file=outFile) print(' add_tag => [ "{}" ]'.format(segmentName), file=outFile) - print(' add_field => {{ "[zeek][{}]" => "{}" }}'.format(newFieldName, segmentName), file=outFile) + print(' add_field => {{ "{}" => "{}" }}'.format(newFieldName, segmentName), file=outFile) print(" } }", file=outFile) - addedFields.add("[zeek][{}]".format(newFieldName)) + addedFields.add("{}".format(newFieldName)) finally: # if a tag name is specified, close the IF 
statement verifying the tag's presence @@ -289,8 +271,8 @@ def main(): if addedFields: print("", file=outFile) print(' # deduplicate any added fields', file=outFile) - for field in list(itertools.product(['orig', 'resp'], ['hostname', 'segment'])): - newFieldName = "[zeek][{}_{}]".format(field[0], field[1]) + for field in list(itertools.product(['source', 'destination'], ['hostname', 'segment'])): + newFieldName = newFieldName = "".join([f"[{x}]" for x in [field[0], "field[1]"]]) if newFieldName in addedFields: print("", file=outFile) print(' if ({}) {{ '.format(newFieldName), file=outFile) diff --git a/logstash/scripts/ja3_build_list.py b/logstash/scripts/ja3_build_list.py index 76c7e5fb3..5c451ee9b 100755 --- a/logstash/scripts/ja3_build_list.py +++ b/logstash/scripts/ja3_build_list.py @@ -1,8 +1,6 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # -*- coding: utf-8 -*- -from __future__ import print_function - import argparse import datetime import hashlib @@ -19,15 +17,11 @@ ################################################################################################### debug = False -PY3 = (sys.version_info.major >= 3) scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) origPath = os.getcwd() ################################################################################################### -if not PY3: - if hasattr(__builtins__, 'raw_input'): input = raw_input - try: FileNotFoundError except NameError: 
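Review bot: `newFieldName = "".join([f"[{x}]" for x in [source, "hostname"]])` appears three times in this hunk (twice with "hostname", once with "segment") and is a roundabout way of writing `newFieldName = f"[{source}][hostname]"` / `f"[{source}][segment]"`, which is also easier to match against the `[{}][ip]` and `[{}][mac]` templates used on the surrounding `print` lines. The last `addedFields.add("{}".format(newFieldName))` wraps a string in `.format` for no effect; the two earlier sites already use the plain `addedFields.add(newFieldName)`. Separately, the rewritten `add_field` lines still interpolate `hostName` and `segmentName` into a double-quoted Logstash string without escaping `"` or `\`, so a name containing either character from the mapping file yields a pipeline that will not load; a one-line `.replace('"', '\\"')` on the name before formatting, or a comment stating that names are assumed to be plain identifiers, would close that gap. main() starts and ends outside this hunk.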
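Review bot: In the deduplication loop the field name is built from the string literal `"field[1]"` instead of the tuple element, so `newFieldName` becomes e.g. `[source][field[1]]` and never matches the `[source][hostname]`-style names recorded in `addedFields` earlier in the file, which means the dedup `mutate` block is never emitted; the line also assigns `newFieldName` twice. It should read `newFieldName = "".join([f"[{x}]" for x in field])`. main() starts and ends outside this hunk.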
@@ -93,10 +87,7 @@ def main(): tmpMap.update(json.loads(fingerprint)) for key in keys: values.append('-'.join([str(int(x, 0)) for x in tmpMap[key].split()])) - if PY3: - ja3Map[hashlib.md5(','.join(values).encode()).hexdigest()].extend(tmpMap['desc'].strip('"').strip("'").split(' / ')) - else: - ja3Map[hashlib.md5(','.join(values)).hexdigest()].extend(tmpMap['desc'].strip('"').strip("'").split(' / ')) + ja3Map[hashlib.md5(','.join(values).encode()).hexdigest()].extend(tmpMap['desc'].strip('"').strip("'").split(' / ')) except Exception as e: eprint('"{}" raised for "{}"'.format(str(e), fingerprint)) except Exception as e: @@ -141,16 +132,15 @@ def main(): except Exception as e: eprint('"{}" raised for "{}"'.format(str(e), fingerprint)) + # todo: https://sslbl.abuse.ch/ja3-fingerprints/ + finalMap = dict() for k, v in ja3Map.items(): if (len(k) == 32) and all(c in string.hexdigits for c in k): finalMap[k] = list(set([element.strip('"').strip("'").strip() for element in v])) with open(args.output, 'w+') as outfile: - if PY3: - yaml.dump(finalMap, outfile) - else: - yaml.safe_dump(finalMap, outfile, default_flow_style=False) + yaml.dump(finalMap, outfile) if __name__ == '__main__': main() diff --git a/malcolm-iso/.dockerignore b/malcolm-iso/.dockerignore new file mode 100644 index 000000000..3330995e1 --- /dev/null +++ b/malcolm-iso/.dockerignore @@ -0,0 +1,3 @@ +** +!/*.log +!/*.iso \ No newline at end of file diff --git a/malcolm-iso/Dockerfile b/malcolm-iso/Dockerfile new file mode 100644 index 000000000..96aa3a597 --- /dev/null +++ b/malcolm-iso/Dockerfile 
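Review bot: `yaml.dump(finalMap, outfile)` keeps the full dumper while the Python 2 branch it replaces used `safe_dump`; for the dict of hex-string keys to lists of strings built just above the output is the same today, but `safe_dump` is the variant that guarantees no Python-specific tags can appear in a file that Logstash later loads, so `yaml.safe_dump(finalMap, outfile)` is the safer drop-in. main() starts outside this hunk.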
@@ -0,0 +1,21 @@
+FROM ghcr.io/mmguero/qemu-live-iso:latest
+
+# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
+
+LABEL maintainer="malcolm@inl.gov"
+LABEL org.opencontainers.image.authors='malcolm@inl.gov'
+LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm'
+LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/main/README.md'
+LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm'
+LABEL org.opencontainers.image.vendor='Cybersecurity and Infrastructure Security Agency'
+LABEL org.opencontainers.image.title='malcolmnetsec/malcolm'
+LABEL org.opencontainers.image.description='Malcolm network traffic analysis tool suite ISO in qemu'
+
+ARG QEMU_CPU=4
+ARG QEMU_RAM=4096
+ENV QEMU_CPU $QEMU_CPU
+ENV QEMU_RAM $QEMU_RAM
+
+ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} https://raw.githubusercontent.com/cisagov/Malcolm/main/docs/images/icon/favicon.ico /image/favicon.ico
+ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} malcolm-*.log /image/
+ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} malcolm-*.iso /image/live.iso
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index 676789920..c9afd7f5b 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -130,8 +130,8 @@ if [ -d "$WORKDIR" ]; then
 echo "ID_LIKE=\"debian\"" >> "$MALCOLM_DEST_DIR"/.os-info
 echo "HOME_URL=\"https://malcolm.fyi\"" >> "$MALCOLM_DEST_DIR"/.os-info
 echo "DOCUMENTATION_URL=\"https://malcolm.fyi/documentation/\"" >> "$MALCOLM_DEST_DIR"/.os-info
- echo "SUPPORT_URL=\"https://github.com/cisagov\"" >> "$MALCOLM_DEST_DIR"/.os-info
- echo "BUG_REPORT_URL=\"https://github.com/cisagov/malcolm/issues\"" >> "$MALCOLM_DEST_DIR"/.os-info
+ echo "SUPPORT_URL=\"https://github.com/cisagov\"" >> "$MALCOLM_DEST_DIR"/.os-info
+ echo "BUG_REPORT_URL=\"https://github.com/idaholab/malcolm/issues\"" >> "$MALCOLM_DEST_DIR"/.os-info

 # copy shared scripts and some branding stuff
 mkdir -p ./config/includes.chroot/usr/local/bin/
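Review bot: The `FROM` line and the first `ADD` line take unpinned inputs at build time: the base image is referenced by the floating `latest` tag and the favicon is fetched from the `main` branch of the Malcolm repository, so two builds of the same commit can produce different images and neither input is checked against a known value. Pinning the base by digest (`FROM ghcr.io/mmguero/qemu-live-iso@sha256:<digest-placeholder>`) and either pinning the favicon URL to a commit or copying the file from the build context makes the image reproducible and lets the build fail loudly when an upstream changes. `${DEFAULT_UID}` and `${DEFAULT_GID}` are not declared with `ARG` or `ENV` in this file, so they presumably come from the base image; a comment such as `# DEFAULT_UID/DEFAULT_GID are provided by the base image` above the `ADD` lines would save the next reader a lookup. The `ENV QEMU_CPU $QEMU_CPU` form is the legacy syntax; `ENV QEMU_CPU=$QEMU_CPU` is the documented one.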
@@ -167,7 +167,7 @@ if [ -d "$WORKDIR" ]; then --debian-installer live \ --debian-installer-distribution $IMAGE_DISTRIBUTION \ --debian-installer-gui false \ - --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ + --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ --distribution $IMAGE_DISTRIBUTION \ --image-name "$IMAGE_NAME" \ --iso-application "$IMAGE_NAME" \ diff --git a/scripts/beats/windows_vm_example/Malcolm_Windows_Forwarder_Download_and_Config.ps1 b/scripts/beats/windows_vm_example/Malcolm_Windows_Forwarder_Download_and_Config.ps1 index b8e62369b..7fc9ef49c 100644 --- a/scripts/beats/windows_vm_example/Malcolm_Windows_Forwarder_Download_and_Config.ps1 +++ b/scripts/beats/windows_vm_example/Malcolm_Windows_Forwarder_Download_and_Config.ps1 @@ -1,5 +1,5 @@ # configure a windows host to forward auditbeat and winlogbeat logs -# to Malcolm (see https://github.com/cisagov/Malcolm/tree/main/scripts/beats) +# to Malcolm (see https://github.com/idaholab/Malcolm/tree/main/scripts/beats) $beatversion = "7.6.2" @@ -25,7 +25,7 @@ function Uninstall-Beat { # # - Download $beat-$beatversion-windows-x86_64.zip from artifacts.elastic.co # - Unzip to C:\Program Files\beat -# - Download sample config for $beat from cisagov/Malcolm to C:\Program Files\beat +# - Download sample config for $beat from idaholab/Malcolm to C:\Program Files\beat # function Download-Beat { param( [string]$beat ) 
@@ -37,13 +37,13 @@ function Download-Beat { ((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace 'ProgramData','Program Files') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1" ((Get-Content -path "C:\\Program Files\\$beat\\install-service-$beat.ps1" -Raw) -replace ' -path',' --path') | Set-Content -Path "C:\\Program Files\\$beat\\install-service-$beat.ps1" - Invoke-WebRequest -UseBasicParsing -OutFile "C:\\Program Files\\$beat\\$beat.yml" -Uri https://raw.githubusercontent.com/cisagov/Malcolm/main/scripts/beats/windows_vm_example/$beat.yml + Invoke-WebRequest -UseBasicParsing -OutFile "C:\\Program Files\\$beat\\$beat.yml" -Uri https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/beats/windows_vm_example/$beat.yml (Get-Content "C:\\Program Files\\$beat\\$beat.yml") | Set-Content "C:\\Program Files\\$beat\\$beat.yml" } ################################################################################ # Connectivity boilerplate to add to the sample .yml files downloaded from -# cisagov/Malcolm +# idaholab/Malcolm # $beat_boilerplate = @' diff --git a/scripts/build.sh b/scripts/build.sh index 1faef7bd6..04329cc3f 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -94,9 +94,9 @@ FILES_IN_IMAGES=( "/var/www/upload/js/jquery.fileupload.js;file-upload" "/opt/freq_server/freq_server.py;freq" "/var/www/htadmin/index.php;htadmin" - "/usr/share/logstash/config/oui-logstash.txt;logstash" "/etc/ip_protocol_numbers.yaml;logstash" "/etc/ja3.yaml;logstash" + "/etc/vendor_macs.yaml;logstash" "/opt/arkime/etc/GeoLite2-ASN.mmdb;arkime" "/opt/arkime/etc/GeoLite2-Country.mmdb;arkime" "/opt/arkime/etc/ipv4-address-space.csv;arkime" diff --git a/scripts/control.py b/scripts/control.py index dd96ef763..9c4f7baa5 100755 --- a/scripts/control.py +++ b/scripts/control.py 
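Review bot: The changed `Invoke-WebRequest` line downloads `$beat.yml` from the moving `main` branch of idaholab/Malcolm and writes it straight into `C:\Program Files\$beat\`, so the configuration installed on the Windows host is whatever the branch head holds at run time, with no integrity check and no tie to the `$beatversion` the script installs. Pin the URL to a release tag or commit (`https://raw.githubusercontent.com/idaholab/Malcolm/<tag>/scripts/beats/windows_vm_example/$beat.yml`) and, for an example people copy into production, compare the downloaded file against an expected hash with `Get-FileHash` before overwriting. Download-Beat starts before this hunk.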
@@ -374,8 +374,8 @@ def stop(wipe=False): osEnv['TMPDIR'] = MalcolmTmpPath if wipe: - # attempt to DELETE _template/zeek_template in Elasticsearch - err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'exec', 'arkime', 'bash', '-c', 'curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$ES_HOST:$ES_PORT/_template/zeek_template"'], env=osEnv, debug=args.debug) + # attempt to DELETE _template/malcolm_template in Elasticsearch + err, out = run_process([dockerComposeBin, '-f', args.composeFile, 'exec', 'arkime', 'bash', '-c', 'curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$ES_HOST:$ES_PORT/_template/malcolm_template"'], env=osEnv, debug=args.debug) # if stop.sh is being called with wipe.sh (after the docker-compose file) # then also remove named and anonymous volumes (not external volumes, of course) diff --git a/scripts/install.py b/scripts/install.py index 047cfe680..666c67fe6 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -1000,7 +1000,7 @@ def tweak_system_files(self): ['[Manager]', 'DefaultLimitNOFILE=65535:65535', 'DefaultLimitMEMLOCK=infinity']), - ConfigLines(['bionic', 'cosmic', 'disco', 'eoan', 'focal', 'groovy', 'stretch', 'buster', 'bullseye', 'sid', 'fedora'], + ConfigLines(['bionic', 'cosmic', 'disco', 'eoan', 'focal', 'groovy', 'hirsute', 'impish', 'jammy', 'stretch', 'buster', 'bookworm', 'bullseye', 'sid', 'fedora'], '/etc/security/limits.d/limits.conf', '', '/etc/security/limits.d/limits.conf increases the allowed maximums for file handles and memlocked segments', diff --git a/sensor-iso/.dockerignore b/sensor-iso/.dockerignore new file mode 100644 index 000000000..3330995e1 --- /dev/null +++ b/sensor-iso/.dockerignore @@ -0,0 +1,3 @@ +** +!/*.log +!/*.iso \ No newline at end of file diff --git a/sensor-iso/Dockerfile b/sensor-iso/Dockerfile new file mode 100644 index 000000000..74967681f --- /dev/null +++ b/sensor-iso/Dockerfile 
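Review bot: The wipe path now issues the DELETE only for `_template/malcolm_template`, so a deployment upgraded from a release that installed `zeek_template` (the name this line used to target) keeps the stale template after `wipe.sh`, and its mappings will be applied to newly created indices — if such upgrades are supported, delete both names for at least one release. A one-line change keeps the call best-effort: `'for t in zeek_template malcolm_template; do curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$ES_HOST:$ES_PORT/_template/$t"; done'`. The `err, out` result is discarded, which is fine for a best-effort cleanup but deserves a comment saying so. stop() starts before this hunk.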
@@ -0,0 +1,21 @@ +FROM ghcr.io/mmguero/qemu-live-iso:latest + +# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved. + +LABEL maintainer="malcolm@inl.gov" +LABEL org.opencontainers.image.authors='malcolm@inl.gov' +LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' +LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/main/sensor-iso/README.md' +LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm' +LABEL org.opencontainers.image.vendor='Cybersecurity and Infrastructure Security Agency' +LABEL org.opencontainers.image.title='malcolmnetsec/hedgehog' +LABEL org.opencontainers.image.description='Hedgehog Linux network sensor live image in qemu' + +ARG QEMU_CPU=4 +ARG QEMU_RAM=4096 +ENV QEMU_CPU $QEMU_CPU +ENV QEMU_RAM $QEMU_RAM + +ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} https://raw.githubusercontent.com/cisagov/Malcolm/main/sensor-iso/docs/logo/favicon.ico /image/favicon.ico +ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} hedgehog-*.log /image/ +ADD --chown=${DEFAULT_UID}:${DEFAULT_GID} hedgehog-*.iso /image/live.iso diff --git a/sensor-iso/README.md b/sensor-iso/README.md index 7b0b76f1f..27e7c664d 100644 --- a/sensor-iso/README.md +++ b/sensor-iso/README.md 
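Review bot: All three `ADD --chown=${DEFAULT_UID}:${DEFAULT_GID}` lines reference variables that this Dockerfile neither declares with `ARG` nor sets with `ENV`; they only resolve if the `ghcr.io/mmguero/qemu-live-iso:latest` base exports them as `ENV`, which cannot be confirmed from here, and if it does not they expand to empty and the ownership of the ISO the HTTP server serves is whatever the build falls back to. Declare them explicitly, `ARG DEFAULT_UID=1000` / `ARG DEFAULT_GID=1000`, so the contract with the base image is visible, and pin that base by digest rather than the floating `latest` tag, since it is the runtime for a bootable sensor image.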
@@ -416,10 +416,12 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-3.4.0.iso" +Finished, created "/sensor-build/hedgehog-4.0.0.iso" … ``` +Alternately, if you have forked Malcolm on GitHub, [workflow files](../.github/workflows/) are provided which contain instructions for GitHub to build the docker images and Hedgehog and [Malcolm](https://github.com/cisagov/Malcolm) installer ISOs, specifically [`sensor-iso-build-docker-wrap-push-ghcr.yml`](../.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml) for the Hedgehog ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded. + # Appendix B - Configuring SSH access SSH access to the sensor’s non-privileged sensor account is only available using secure key-based authentication which can be enabled by adding a public SSH key to the **/home/sensor/.ssh/authorized_keys** file as illustrated below: diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index 07699d8af..7bf89a4de 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh 
@@ -104,8 +104,8 @@ if [ -d "$WORKDIR" ]; then echo "ID_LIKE=\"debian\"" >> ./config/includes.chroot/opt/sensor/.os-info echo "HOME_URL=\"https://malcolm.fyi\"" >> ./config/includes.chroot/opt/sensor/.os-info echo "DOCUMENTATION_URL=\"https://malcolm.fyi/hedgehog/\"" >> ./config/includes.chroot/opt/sensor/.os-info - echo "SUPPORT_URL=\"https://github.com/cisagov\"" >> ./config/includes.chroot/opt/sensor/.os-info - echo "BUG_REPORT_URL=\"https://github.com/cisagov/malcolm/issues\"" >> ./config/includes.chroot/opt/sensor/.os-info + echo "SUPPORT_URL=\"https://github.com/cisagov\"" >> ./config/includes.chroot/opt/sensor/.os-info + echo "BUG_REPORT_URL=\"https://github.com/idaholab/malcolm/issues\"" >> ./config/includes.chroot/opt/sensor/.os-info # grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc. mkdir -p "$SCRIPT_PATH/arkime/etc" @@ -176,7 +176,7 @@ if [ -d "$WORKDIR" ]; then --debian-installer live \ --debian-installer-distribution $IMAGE_DISTRIBUTION \ --debian-installer-gui false \ - --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ + --debootstrap-options "--include=apt-transport-https,bc,ca-certificates,gnupg,debian-archive-keyring,fasttrack-archive-keyring,jq,openssl --no-merged-usr" \ --distribution $IMAGE_DISTRIBUTION \ --image-name "$IMAGE_NAME" \ --iso-application "$IMAGE_NAME" \ diff --git a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot index e07cf3195..619b66e4e 100755 --- a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot +++ b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot 
@@ -24,6 +24,9 @@ fi # other sensor-specific initialization prior to starting capture/forwarding jobs /usr/local/bin/sensor-init.sh +# enable firewall +/usr/sbin/ufw --force enable + # run supervisor of capture-related services as non-privileged user if [ -f /opt/sensor/sensor_ctl/supervisor.sh ]; then ( getent passwd 1000 >/dev/null 2>&1 ) && sudo -H -u '#1000' /opt/sensor/sensor_ctl/supervisor.sh diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot index df8de2690..b66d6add3 100755 --- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -14,6 +14,8 @@ UFW_ALLOW_RULES=( for i in ${UFW_ALLOW_RULES[@]}; do ufw allow "$i" done +# will re-enable on boot +/usr/sbin/ufw --force disable # performance parameters for networking, disk, etc. cat << 'EOF' >> /etc/sysctl.conf diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index de671feb2..54029331d 100644 --- a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -128,4 +128,5 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif +redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; diff --git a/sensor-iso/docs/logo/favicon.ico b/sensor-iso/docs/logo/favicon.ico new file mode 100644 index 000000000..1c2605661 Binary files /dev/null and b/sensor-iso/docs/logo/favicon.ico differ diff --git a/shared/bin/manuf-oui-parse.py b/shared/bin/manuf-oui-parse.py new file mode 100755 index 000000000..410a186b1 --- /dev/null +++ b/shared/bin/manuf-oui-parse.py 
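Review bot: The new `/usr/sbin/ufw --force enable` sits after `/usr/local/bin/sensor-init.sh`, so any interfaces that script configures are reachable unfiltered until rc.local reaches this line, and because the image now ships with ufw disabled there is no firewall at all on the sensor between kernel boot and this point. Move the enable above the sensor-init call and make a failure visible rather than silently continuing (no `set -e` is visible in this hunk): `/usr/sbin/ufw --force enable || echo "ufw enable failed; sensor is unfiltered" >&2`. The rc.local script starts before this hunk.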
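Review bot: `/usr/sbin/ufw --force disable` writes `ENABLED=no` into `/etc/ufw/ufw.conf`, so the allow rules added in the loop above are persisted but enforcement now depends entirely on rc.local running on every boot — a rescue/single-user boot, a failed or masked `rc-local.service`, or an operator editing that file leaves the sensor with no firewall and no warning. If the reason for disabling is that `ufw enable` cannot reach netfilter inside the chroot, the intended state can still be persisted with `sed -i 's/^ENABLED=.*/ENABLED=yes/' /etc/ufw/ufw.conf` so `ufw.service` enforces it at boot independently of rc.local. Replace the terse `# will re-enable on boot` with `# ufw enable cannot apply rules inside the chroot; persist ENABLED=yes so ufw.service enforces them at boot` (or the actual reason, if different).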
@@ -0,0 +1,91 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import argparse +import manuf +import os +import re +import requests +import sys +import tempfile +import yaml + +DEFAULT_MANUF_URL="https://gitlab.com/wireshark/wireshark/raw/master/manuf" +padded_mac_low = '00:00:00:00:00:00' +padded_mac_high = 'FF:FF:FF:FF:FF:FF' +mac_pattern = re.compile(r"[-:\.]") + +################################################################################################### +debug = False +scriptName = os.path.basename(__file__) +scriptPath = os.path.dirname(os.path.realpath(__file__)) +origPath = os.getcwd() + +################################################################################################### +# print to stderr +def eprint(*args, **kwargs): + print(*args, file=sys.stderr, **kwargs) + +################################################################################################### +# convenient boolean argument parsing +def str2bool(v): + if v.lower() in ('yes', 'true', 't', 'y', '1'): + return True + elif v.lower() in ('no', 'false', 'f', 'n', '0'): + return False + else: + raise argparse.ArgumentTypeError('Boolean value expected.') + +def strip_mac(mac): + return mac_pattern.sub("", mac) + +def bits_left(mac_str): + return 48 - 4 * len(strip_mac(mac_str)) + +################################################################################################### +# main +def main(): + global debug + + parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} '.format(scriptName)) + parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output") + parser.add_argument('-i', '--input', required=False, dest='input', metavar='', type=str, default=DEFAULT_MANUF_URL, help='Input file or URL') + parser.add_argument('-o', '--output', required=True, dest='output', metavar='', type=str, default='', help='Output file') + try: + parser.error = parser.exit + args = 
parser.parse_args() + except SystemExit: + parser.print_help() + exit(2) + + debug = args.debug + if debug: + eprint(os.path.join(scriptPath, scriptName)) + eprint("Arguments: {}".format(sys.argv[1:])) + eprint("Arguments: {}".format(args)) + else: + sys.tracebacklimit = 0 + + if args.input.lower().startswith('http') and not os.path.isfile(args.input): + tmpf = tempfile.NamedTemporaryFile(delete=True, suffix=".txt") + r = requests.get(args.input) + with open(tmpf.name, 'wb') as f: + f.write(r.content) + args.input = tmpf.name + + companies = [] + + for k, v in manuf.MacParser(manuf_name=args.input)._masks.items(): + macLow = ':'.join('{:02x}'.format(x) for x in (k[1] << k[0]).to_bytes(6, byteorder = 'big')) + macHigh = ':'.join('{:02x}'.format(x) for x in ((k[1] << k[0]) | (int("ffffffffffff", 16) >> (48 - k[0]))).to_bytes(6, byteorder = 'big')) + companies.append({'name': v.manuf_long, + 'low': macLow, + 'high': str(macHigh), + }) + + companies.sort(key=lambda x: (x['low'], x['high'])) + with open(args.output, 'w+') as outfile: + yaml.dump(companies, outfile, allow_unicode=True ) + +if __name__ == '__main__': + main() diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh index 5a9f4d7bb..7ba112495 100755 --- a/shared/bin/zeek_install_plugins.sh +++ b/shared/bin/zeek_install_plugins.sh @@ -81,6 +81,7 @@ ZKG_GITHUB_URLS=( "https://github.com/corelight/CVE-2020-16898" "https://github.com/corelight/CVE-2021-31166" "https://github.com/corelight/CVE-2021-41773" + "https://github.com/corelight/CVE-2021-42292" "https://github.com/corelight/pingback" "https://github.com/corelight/SIGRed" "https://github.com/corelight/zeek-community-id" diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index de671feb2..54029331d 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek 
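Review bot: `r = requests.get(args.input)` in main() has no timeout and the status code is never checked, so a 404/5xx error page (or a stalled connection during an image build) is written to the temp file and fed to `manuf.MacParser` as if it were the OUI table, failing — if at all — as an unrelated parse error. Change it to `r = requests.get(args.input, timeout=60)` followed by `r.raise_for_status()`. The loop also reads `MacParser(...)._masks`, a private attribute of the manuf package; note that with `# NOTE: depends on manuf's private _masks dict — pin the manuf version` so an upgrade does not silently produce an empty vendor_macs.yaml.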
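Review bot: The added `https://github.com/corelight/CVE-2021-42292` entry, like its neighbours in `ZKG_GITHUB_URLS`, is a bare repository URL with no tag or commit, so — assuming the loop that consumes the array (outside this hunk) passes it to `zkg install` as-is — the sensor and Malcolm images pick up whatever the default branch holds on build day. These packages are Zeek scripts executed against all captured traffic, so a force-pushed or compromised upstream lands directly in the capture pipeline; record a reviewed revision next to each URL (for example a `url@ref` convention that the install loop splits into `zkg install --version`) and add `# pin to a reviewed tag/commit; zkg installs the default branch otherwise` above the array.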
@@ -128,4 +128,5 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif +redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F;
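Review bot: `redef LDAP::default_log_search_attributes = F;` is placed after the `@endif`, so it applies unconditionally, but the file gives no reason for dropping search attributes from ldap.log — log volume, or the fact that attribute lists and filter values can carry sensitive data. Add the rationale inline, e.g. `# don't log LDAP search attributes: high volume and may expose sensitive attribute values`, and if the motive is data minimisation, say how it squares with the conditional `LDAP::default_capture_password = T` two lines above, which pulls the other way. The `@if` that the preceding `@endif` closes starts before this hunk.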