Collect Zeek (Bro) logs
This document describes how to deploy Zeek (formerly Bro) and NXLog to collect Zeek logs in JSON format with Google Security Operations. It also explains how Zeek log fields map to Google Security Operations Unified Data Model (UDM) fields.
For an overview of data ingestion into Google Security Operations, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the BRO_JSON ingestion label.
Before you begin
Review the deployment architecture to understand the components deployed to collect Zeek logs. Each customer's deployment may differ from this representation and may be more complex. The following diagram describes how to set up the NXLog agent and the Google Security Operations forwarder on a Linux server and forward log data to Google Security Operations.
Verify that the Google Security Operations parser supports your Zeek version. The Google Security Operations parser supports the following Zeek versions:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Before using the Zeek parser, review the field mapping changes between the previous parser and the current Zeek parser. During migration, make sure that rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.
For example, in the previous parser, the server_name field was mapped to the target.hostname UDM field. In the current Zeek parser, the server_name field is mapped to the network.tls.client.server_name UDM field. If you migrate to the current Zeek parser and your rules use the server_name field, you must modify those rules to use the current parser's network.tls.client.server_name UDM field.
Verify that the Google Security Operations parser supports your Zeek log types. The following table lists the Zeek log types supported by the Google Security Operations parser:
| Log type | Description |
|---|---|
| Network protocols | Includes logs for network protocols such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS). |
| Files | Includes logs for file analysis results, Online Certificate Status Protocol (OCSP), Portable Executable (PE) files, and X.509 certificates. |
| NetControl | Includes logs for NetControl actions and OpenFlow debugging logs. |
| Detection | Includes logs for intelligence data matches, Zeek notices, alert streams, signature matches, and traceroute detection. |
| Network observations | Includes logs for SSL certificates, hosts that completed TCP handshakes, Modbus primaries and replicas, services running on hosts, and software used on the network. |
If you have not already installed and configured Zeek, complete those procedures first. For more information, see Zeek installation.
Collect Zeek logs in JSON format. For more information, see Output Zeek logs in JSON format.
Make sure that all systems in the deployment architecture are configured to use Coordinated Universal Time (UTC).
Configure NXLog and the Google Security Operations forwarder
- On the Linux machine running the Google Security Operations forwarder, download and install NXLog Community Edition.
  - For more information about downloading NXLog Community Edition, see the NXLog documentation.
  - For more information about installing the required NXLog packages and dependencies, see Installing NXLog on Linux systems.
- Create a configuration file for each NXLog instance.
Use the NXLog im_file module to read data from files and parse each line into fields. The following is an example NXLog configuration:
```
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname>
define ZEEK_OUTPUT_DESTINATION_PORT <port>

# Each Input reads one Zeek JSON log and prefixes every line with its log type
# so the receiving side can tell conn records from dce_rpc records.
<Input conn>
    Module im_file
    File '/opt/zeek/logs/current/conn.log'
    Exec $raw_event = "conn" + ' - ' + $raw_event;
</Input>

<Input dce_rpc>
    Module im_file
    File '/opt/zeek/logs/current/dce_rpc.log'
    Exec $raw_event = "dce_rpc" + ' - ' + $raw_event;
</Input>

# Plain TCP to the host and port where the Google Security Operations forwarder listens.
<Output out_chronicle>
    Module om_tcp
    Host %ZEEK_OUTPUT_DESTINATION_ADDRESS%
    Port %ZEEK_OUTPUT_DESTINATION_PORT%
</Output>

<Route zeek_to_chronicle>
    Path conn, dce_rpc => out_chronicle
</Route>
```
To use the example configuration above, do the following:
- Replace the <hostname> and <port> values with the details of the destination Linux server.
- Add input, output, and route elements for each Zeek log type you want to collect.
- Configure the Google Security Operations forwarder to send logs to Google Security Operations. For more information, see Install and configure the forwarder on Linux. The following is an example forwarder configuration:
```yaml
output:
  url: URL
  identity:
    identity:
    collector_id: COLLECTOR_ID
    customer_id: CUSTOMER_ID
    secret_key: |
      {
        "type": "service_account",
        "project_id": "malachite-projectname",
        "private_key_id": "PRIVATE_KEY_ID",
        "private_key": "PRIVATE_KEY",
        "client_email": "SERVICE_ACCOUNT_NAME@malachite-PROJECT_ID.SERVICE_ACCOUNT_DOMAIN",
        "client_id": "CLIENT_ID",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_NAME%40malachite-PROJECT_ID.SERVICE_ACCOUNT_DOMAIN"
      }
collectors:
  - syslog:
      common:
        enabled: true
        data_type: BRO_JSON
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      connection_timeout_sec: 60
```
Replace PRIVATE_KEY_ID, PRIVATE_KEY, SERVICE_ACCOUNT_NAME, PROJECT_ID, CLIENT_ID, SERVICE_ACCOUNT_DOMAIN, CUSTOMER_ID, URL, and COLLECTOR_ID with the corresponding values from the service account JSON file, which you can download from the Google Cloud console.
- Start the NXLog service.
Forward logs to Google SecOps using the Bindplane agent
- Install and configure a Linux virtual machine.
- Install and configure the Bindplane agent on Linux to forward logs to Google SecOps. For more information about installing and configuring the Bindplane agent, see the Bindplane agent installation and configuration instructions.
If you run into problems when creating the feed, contact Google SecOps support.
Supported Zeek (Bro) log formats
The Zeek (Bro) parser supports logs in JSON and SYSLOG+JSON formats.
Supported Zeek (Bro) sample logs
JSON
```json
{
  "insertId": "1pvsdy2f8v21o8",
  "jsonPayload": {
    "message": "Jun 14 07:46:10 dummyhostname systemd[1]: Stopping System Logging Service..."
  },
  "resource": {
    "type": "gce_instance",
    "labels": {
      "project_id": "cl-tpt-dis-awkc-con17-p-922a",
      "zone": "us-central1-a",
      "instance_id": "4136884722753789246"
    }
  },
  "timestamp": "2024-09-03T19:31:32.353129233Z",
  "labels": {
    "compute.googleapis.com/resource_name": "dummyostname"
  },
  "logName": "projects/cl-tpt-dis-awkc-con17-p-922a/logs/syslog",
  "receiveTimestamp": "2024-09-03T19:31:33.388651657Z"
}
```
SYSLOG + JSON
```
<13>1 2021-12-21T23:51:25-08:00 ia-cs-vubro-089 bro_http - - - { "ts": 1640159484.694295, "uid": "CTgT3z1adxn1EMPbmj", "id.orig_h": "198.51.100.27", "id.orig_p": 58729, "id.resp_h": "198.51.100.28", "id.resp_p": 8088, "trans_depth": 2284, "method": "POST", "host": "198.51.100.8", "uri": "/system/gateway", "version": "1.1", "user_agent": "Java/11.0.11", "request_body_len": 304, "response_body_len": 203, "status_code": 200, "status_msg": "OK", "tags": [], "orig_fuids": [ "FefIdu4i8dzFTUONb5" ], "orig_mime_types": [ "application/xml" ], "resp_fuids": [ "Flqz7L3yyQR1eSN4Kf" ], "resp_mime_types": [ "application/xml" ] }
```
Field mapping reference: Zeek log fields to UDM fields
To learn how the Google Security Operations parser maps Zeek log fields to Google Security Operations UDM event fields for each Zeek log type, see the following sections:
Network protocols
The following table lists the log fields in the network protocol log types and their corresponding UDM fields.
| Raw log field | Log type | UDM field |
|---|---|---|
| ts | conn.log | metadata.event_timestamp |
| uid | conn.log | network.session_id |
| id.orig_h | conn.log | principal.ip |
| id.orig_p | conn.log | principal.port |
| id.resp_h | conn.log | target.ip |
| id.resp_p | conn.log | target.port |
| proto | conn.log | network.ip_protocol |
| service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
| duration | conn.log | network.session_duration |
| orig_bytes | conn.log | network.sent_bytes |
| resp_bytes | conn.log | network.received_bytes |
| conn_state | conn.log | metadata.description |
| local_orig | conn.log | additional.fields.key/value |
| local_resp | conn.log | additional.fields.key/value |
| missed_bytes | conn.log | additional.fields.key/value |
| history | conn.log | additional.fields.key/value |
| orig_pkts | conn.log | additional.fields.key/value |
| orig_ip_bytes | conn.log | additional.fields.key/value |
| resp_pkts | conn.log | additional.fields.key/value |
| resp_ip_bytes | conn.log | additional.fields.key/value |
| tunnel_parents | conn.log | additional.fields.key/value |
| orig_l2_addr | conn.log | additional.fields.key/value |
| resp_l2_addr | conn.log | additional.fields.key/value |
| vlan | conn.log | additional.fields.key/value |
| inner_vlan | conn.log | additional.fields.key/value |
| speculative_service | conn.log | additional.fields.key/value |
| ts | dce_rpc.log | metadata.event_timestamp |
| uid | dce_rpc.log | network.session_id |
| id.orig_h | dce_rpc.log | principal.ip |
| id.orig_p | dce_rpc.log | principal.port |
| id.resp_h | dce_rpc.log | target.ip |
| id.resp_p | dce_rpc.log | target.port |
| rtt | dce_rpc.log | additional.fields.key/value |
| named_pipe | dce_rpc.log | target.resource.name. Also, target.resource.resource_type is set to "PIPE". |
| endpoint | dce_rpc.log | additional.fields.key/value |
| operation | dce_rpc.log | additional.fields.key/value |
| ts | dhcp.log | metadata.event_timestamp |
| uids | dhcp.log | additional.fields.key/value |
| client_addr | dhcp.log | target.ip |
| server_addr | dhcp.log | principal.ip |
| client_port | dhcp.log | target.port |
| server_port | dhcp.log | principal.port |
| mac | dhcp.log | principal.mac. Machine ID is required for parsing NETWORK_DHCP events. |
| host_name | dhcp.log | network.dhcp.client_hostname |
| client_fqdn | dhcp.log | target.hostname |
| domain | dhcp.log | target.administrative_domain |
| requested_addr | dhcp.log | network.dhcp.requested_address |
| assigned_addr | dhcp.log | network.dhcp.yiaddr |
| lease_time | dhcp.log | network.dhcp.lease_time_seconds |
| client_message | dhcp.log | additional.fields.key/value |
| server_message | dhcp.log | additional.fields.key/value |
| msg_types | dhcp.log | additional.fields.key/value. The log that Zeek produces is a collection of DORA messages in a single log. |
| duration | dhcp.log | network.dhcp.seconds |
| client_chaddr | dhcp.log | network.dhcp.chaddr |
| msg_orig | dhcp.log | additional.fields.key/value |
| client_software | dhcp.log | additional.fields.key/value |
| server_software | dhcp.log | additional.fields.key/value |
| circuit_id | dhcp.log | additional.fields.key/value |
| agent_remote_id | dhcp.log | additional.fields.key/value |
| subscriber_id | dhcp.log | additional.fields.key/value |
| ts | dnp3.log | metadata.event_timestamp |
| uid | dnp3.log | network.session_id |
| id.orig_h | dnp3.log | principal.ip |
| id.orig_p | dnp3.log | principal.port |
| id.resp_h | dnp3.log | target.ip |
| id.resp_p | dnp3.log | target.port |
| fc_request | dnp3.log | additional.fields.key/value |
| fc_reply | dnp3.log | additional.fields.key/value |
| iin | dnp3.log | additional.fields.key/value |
| ts | dns.log | metadata.event_timestamp |
| uid | dns.log | network.session_id |
| id.orig_h | dns.log | principal.ip |
| id.orig_p | dns.log | principal.port |
| id.resp_h | dns.log | target.ip |
| id.resp_p | dns.log | target.port |
| proto | dns.log | network.ip_protocol |
| trans_id | dns.log | network.dns.id |
| rtt | dns.log | additional.fields.key/value |
| query | dns.log | network.dns.questions.name |
| qclass | dns.log | network.dns.questions.class |
| qclass_name | dns.log | additional.fields.key/value |
| qtype | dns.log | network.dns.questions.type |
| qtype_name | dns.log | additional.fields.key/value |
| rcode | dns.log | network.dns.response_code |
| rcode_name | dns.log | additional.fields.key/value |
| AA | dns.log | network.dns.authoritative |
| TC | dns.log | network.dns.truncated |
| RD | dns.log | network.dns.recursion_desired |
| RA | dns.log | network.dns.recursion_available |
| Z | dns.log | additional.fields.key/value |
| answers | dns.log | network.dns.answers.data |
| TTLs | dns.log | network.dns.answers.ttl |
| rejected | dns.log | additional.fields.key/value |
| total_answers | dns.log | additional.fields.key/value |
| total_replies | dns.log | additional.fields.key/value |
| saw_query | dns.log | additional.fields.key/value |
| saw_reply | dns.log | additional.fields.key/value |
| auth | dns.log | network.dns.authority.data |
| addl | dns.log | network.dns.additional.data |
| original_query | dns.log | additional.fields.key/value |
| ts | ftp.log | metadata.event_timestamp |
| uid | ftp.log | network.session_id |
| id.orig_h | ftp.log | principal.ip |
| id.orig_p | ftp.log | principal.port |
| id.resp_h | ftp.log | target.ip |
| id.resp_p | ftp.log | target.port |
| user | ftp.log | principal.user.userid |
| command | ftp.log | network.ftp.command |
| arg | ftp.log | additional.fields.key/value |
| mime_type | ftp.log | src.file.mime_type |
| file_size | ftp.log | src.file.size |
| reply_code | ftp.log | additional.fields.key/value |
| reply_msg | ftp.log | additional.fields.key/value |
| data_channel.passive | ftp.log | additional.fields.key/value |
| data_channel.orig_h | ftp.log | additional.fields.key/value |
| data_channel.resp_h | ftp.log | additional.fields.key/value |
| data_channel.resp_p | ftp.log | additional.fields.key/value |
| cwd | ftp.log | src.file.full_path |
| cmdarg.ts | ftp.log | additional.fields.key/value |
| cmdarg.cmd | ftp.log | additional.fields.key/value |
| cmdarg.arg | ftp.log | additional.fields.key/value |
| cmdarg.seq | ftp.log | additional.fields.key/value |
| pending_commands | ftp.log | additional.fields.key/value |
| passive | ftp.log | additional.fields.key/value |
| capture_password | ftp.log | additional.fields.key/value |
| fuid | ftp.log | additional.fields.key/value |
| last_auth_requested | ftp.log | additional.fields.key/value |
| ts | http.log | metadata.event_timestamp |
| uid | http.log | network.session_id |
| id.orig_h | http.log | principal.ip |
| id.orig_p | http.log | principal.port |
| id.resp_h | http.log | target.ip |
| id.resp_p | http.log | target.port |
| trans_depth | http.log | additional.fields.key/value |
| method | http.log | network.http.method |
| host | http.log | target.hostname |
| uri | http.log | target.url is set to "%{host}%{uri}" |
| referrer | http.log | network.http.referral_url |
| version | http.log | additional.fields.key/value |
| user_agent | http.log | network.http.user_agent |
| origin | http.log | additional.fields.key/value |
| request_body_len | http.log | additional.fields.key/value |
| response_body_len | http.log | additional.fields.key/value |
| status_code | http.log | network.http.response_code |
| status_msg | http.log | additional.fields.key/value |
| info_code | http.log | additional.fields.key/value |
| info_msg | http.log | additional.fields.key/value |
| tags | http.log | additional.fields.key/value |
| username | http.log | principal.user.userid |
| capture_password | http.log | additional.fields.key/value |
| proxied | http.log | additional.fields.key/value |
| range_request | http.log | additional.fields.key/value |
| orig_fuids | http.log | additional.fields.key/value |
| orig_filenames | http.log | additional.fields.key/value |
| orig_mime_types | http.log | additional.fields.key/value |
| resp_fuids | http.log | additional.fields.key/value |
| resp_filenames | http.log | additional.fields.key/value |
| resp_mime_types | http.log | additional.fields.key/value |
| current_entity | http.log | additional.fields.key/value |
| orig_mime_depth | http.log | additional.fields.key/value |
| resp_mime_depth | http.log | additional.fields.key/value |
| client_header_names | http.log | additional.fields.key/value |
| server_header_names | http.log | additional.fields.key/value |
| omniture | http.log | additional.fields.key/value |
| flash_version | http.log | additional.fields.key/value |
| cookie_vars | http.log | additional.fields.key/value |
| uri_vars | http.log | additional.fields.key/value |
| ts | irc.log | metadata.event_timestamp |
| uid | irc.log | network.session_id |
| id.orig_h | irc.log | principal.ip |
| id.orig_p | irc.log | principal.port |
| id.resp_h | irc.log | target.ip |
| id.resp_p | irc.log | target.port |
| nick | irc.log | additional.fields.key/value |
| user | irc.log | principal.user.userid |
| command | irc.log | principal.process.command_line |
| value | irc.log | additional.fields.key/value |
| addl | irc.log | additional.fields.key/value |
| dcc_file_name | irc.log | additional.fields.key/value |
| dcc_file_size | irc.log | src.file.size |
| dcc_mime_type | irc.log | src.file.mime_type |
| fuid | irc.log | additional.fields.key/value |
| ts | kerberos.log | metadata.event_timestamp |
| uid | kerberos.log | network.session_id |
| id.orig_h | kerberos.log | principal.ip |
| id.orig_p | kerberos.log | principal.port |
| id.resp_h | kerberos.log | target.ip |
| id.resp_p | kerberos.log | target.port |
| request_type | kerberos.log | additional.fields.key/value |
| client | kerberos.log | additional.fields.key/value |
| service | kerberos.log | additional.fields.key/value |
| success | kerberos.log | additional.fields.key/value |
| error_code | kerberos.log | additional.fields.key/value |
| error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
| from | kerberos.log | additional.fields.key/value |
| till | kerberos.log | additional.fields.key/value |
| cipher | kerberos.log | network.tls.cipher |
| forwardable | kerberos.log | additional.fields.key/value |
| renewable | kerberos.log | additional.fields.key/value |
| logged | kerberos.log | additional.fields.key/value |
| client_cert.ts | kerberos.log | additional.fields.key/value |
| client_cert.fuid | kerberos.log | additional.fields.key/value |
| client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.conn_uids | kerberos.log | additional.fields.key/value |
| client_cert.source | kerberos.log | additional.fields.key/value |
| client_cert.depth | kerberos.log | additional.fields.key/value |
| client_cert.analyzers | kerberos.log | additional.fields.key/value |
| client_cert.mime_type | kerberos.log | additional.fields.key/value |
| client_cert.filename | kerberos.log | additional.fields.key/value |
| client_cert.duration | kerberos.log | additional.fields.key/value |
| client_cert.local_orig | kerberos.log | additional.fields.key/value |
| client_cert.is_orig | kerberos.log | additional.fields.key/value |
| client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| client_cert.total_bytes | kerberos.log | additional.fields.key/value |
| client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| client_cert.timedout | kerberos.log | additional.fields.key/value |
| client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
| client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
| client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
| client_cert.x509.ts | kerberos.log | additional.fields.key/value |
| client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
| client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
| client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
| client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| client_cert.x509.handle | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| client_cert.x509.cert | kerberos.log | additional.fields.key/value |
| client_cert.extracted | kerberos.log | additional.fields.key/value |
| client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| client_cert.extracted_size | kerberos.log | additional.fields.key/value |
| client_cert.entropy | kerberos.log | additional.fields.key/value |
| client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
| client_cert_fuid | kerberos.log | additional.fields.key/value |
| server_cert.ts | kerberos.log | additional.fields.key/value |
| server_cert.fuid | kerberos.log | additional.fields.key/value |
| server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.conn_uids | kerberos.log | additional.fields.key/value |
| server_cert.source | kerberos.log | additional.fields.key/value |
| server_cert.depth | kerberos.log | additional.fields.key/value |
| server_cert.analyzers | kerberos.log | additional.fields.key/value |
| server_cert.mime_type | kerberos.log | additional.fields.key/value |
| server_cert.filename | kerberos.log | additional.fields.key/value |
| server_cert.duration | kerberos.log | additional.fields.key/value |
| server_cert.local_orig | kerberos.log | additional.fields.key/value |
| server_cert.is_orig | kerberos.log | additional.fields.key/value |
| server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| server_cert.total_bytes | kerberos.log | additional.fields.key/value |
| server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| server_cert.timedout | kerberos.log | additional.fields.key/value |
| server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
| server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
| server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
| server_cert.x509.ts | kerberos.log | additional.fields.key/value |
| server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
| server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
| server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
| server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| server_cert.x509.handle | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| server_cert.x509.cert | kerberos.log | additional.fields.key/value |
| server_cert.extracted | kerberos.log | additional.fields.key/value |
| server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| server_cert.extracted_size | kerberos.log | additional.fields.key/value |
| server_cert.entropy | kerberos.log | additional.fields.key/value |
| server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
| server_cert_fuid | kerberos.log | additional.fields.key/value |
| auth_ticket | kerberos.log | additional.fields.key/value |
| new_ticket | kerberos.log | additional.fields.key/value |
| ts | modbus.log | metadata.event_timestamp |
| uid | modbus.log | network.session_id |
| id.orig_h | modbus.log | principal.ip |
| id.orig_p | modbus.log | principal.port |
| id.resp_h | modbus.log | target.ip |
| id.resp_p | modbus.log | target.port |
| func | modbus.log | additional.fields.key/value |
| exception | modbus.log | additional.fields.key/value |
| track_address | modbus.log | additional.fields.key/value |
| ts | modbus_register_change.log | metadata.event_timestamp |
| uid | modbus_register_change.log | network.session_id |
| id.orig_h | modbus_register_change.log | principal.ip |
| id.orig_p | modbus_register_change.log | principal.port |
| id.resp_h | modbus_register_change.log | target.ip |
| id.resp_p | modbus_register_change.log | target.port |
| register | modbus_register_change.log | additional.fields.key/value |
| old_val | modbus_register_change.log | additional.fields.key/value |
| new_val | modbus_register_change.log | additional.fields.key/value |
| delta | modbus_register_change.log | additional.fields.key/value |
| ts | mysql.log | metadata.event_timestamp |
| uid | mysql.log | network.session_id |
| id.orig_h | mysql.log | principal.ip |
| id.orig_p | mysql.log | principal.port |
| id.resp_h | mysql.log | target.ip |
| id.resp_p | mysql.log | target.port |
| cmd | mysql.log | metadata.description |
| arg | mysql.log | principal.process.command_line |
| success | mysql.log | If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
| rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
| response | mysql.log | additional.fields.key/value |
| ts | ntlm.log | metadata.event_timestamp |
| uid | ntlm.log | network.session_id |
| id.orig_h | ntlm.log | principal.ip |
| id.orig_p | ntlm.log | principal.port |
| id.resp_h | ntlm.log | target.ip |
| id.resp_p | ntlm.log | target.port |
| username | ntlm.log | principal.user.userid |
| hostname | ntlm.log | principal.hostname |
| domainname | ntlm.log | principal.administrative_domain |
| server_nb_computer_name | ntlm.log | additional.fields.key/value |
| server_dns_computer_name | ntlm.log | target.hostname |
| server_tree_name | ntlm.log | additional.fields.key/value |
| success | ntlm.log | If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
| done | ntlm.log | additional.fields.key/value |
| ts | ntp.log | metadata.event_timestamp |
| uid | ntp.log | network.session_id |
| id.orig_h | ntp.log | principal.ip |
| id.orig_p | ntp.log | principal.port |
| id.resp_h | ntp.log | target.ip |
| id.resp_p | ntp.log | target.port |
| version | ntp.log | additional.fields.key/value |
| mode | ntp.log | additional.fields.key/value |
| stratum | ntp.log | additional.fields.key/value |
| poll | ntp.log | additional.fields.key/value |
| precision | ntp.log | additional.fields.key/value |
| root_delay | ntp.log | additional.fields.key/value |
| root_disp | ntp.log | additional.fields.key/value |
| ref_id | ntp.log | additional.fields.key/value |
| ref_time | ntp.log | additional.fields.key/value |
| org_time | ntp.log | additional.fields.key/value |
| rec_time | ntp.log | additional.fields.key/value |
| xmt_time | ntp.log | additional.fields.key/value |
| num_exts | ntp.log | additional.fields.key/value |
| ts | radius.log | metadata.event_timestamp |
| uid | radius.log | network.session_id |
| id.orig_h | radius.log | principal.ip |
| id.orig_p | radius.log | principal.port |
| id.resp_h | radius.log | target.ip |
| id.resp_p | radius.log | target.port |
| username | radius.log | principal.user.userid |
| mac | radius.log | principal.mac |
| framed_addr | radius.log | additional.fields.key/value |
| tunnel_client | radius.log | additional.fields.key/value |
| connect_info | radius.log | additional.fields.key/value |
| reply_msg | radius.log | additional.fields.key/value |
| result | radius.log | If the log type is "radius.log", the following fields are set: if the value of the result field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful"; if the value of the result field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
| ttl | radius.log | additional.fields.key/value |
| logged | radius.log | additional.fields.key/value |
| ts | rdp.log | metadata.event_timestamp |
| uid | rdp.log | network.session_id |
| id.orig_h | rdp.log | principal.ip |
| id.orig_p | rdp.log | principal.port |
| id.resp_h | rdp.log | target.ip |
| id.resp_p | rdp.log | target.port |
| cookie | rdp.log | principal.user.userid |
| result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| client_channels | rdp.log | additional.fields.key/value |
| keyboard_layout | rdp.log | additional.fields.key/value |
| client_build | rdp.log | principal.asset.platform_software.platform_version |
| client_name | rdp.log | additional.fields.key/value |
| client_dig_product_id | rdp.log | principal.asset.asset_id |
| desktop_width | rdp.log | additional.fields.key/value |
| desktop_height | rdp.log | additional.fields.key/value |
| requested_color_depth | rdp.log | additional.fields.key/value |
| cert_type | rdp.log | additional.fields.key/value |
| cert_count | rdp.log | additional.fields.key/value |
| cert_permanent | rdp.log | additional.fields.key/value |
| encryption_level | rdp.log | additional.fields.key/value |
| encryption_method | rdp.log | additional.fields.key/value |
| analyzer_id | rdp.log | additional.fields.key/value |
| done | rdp.log | additional.fields.key/value |
| ssl | rdp.log | additional.fields.key/value |
| ts | rfb.log | metadata.event_timestamp |
| uid | rfb.log | network.session_id |
| id.orig_h | rfb.log | principal.ip |
| id.orig_p | rfb.log | principal.port |
| id.resp_h | rfb.log | target.ip |
| id.resp_p | rfb.log | target.port |
| client_major_version | rfb.log | additional.fields.key/value |
| client_minor_version | rfb.log | additional.fields.key/value |
| server_major_version | rfb.log | additional.fields.key/value |
| server_minor_version | rfb.log | additional.fields.key/value |
| authentication_method | rfb.log | additional.fields.key/value |
| auth | rfb.log | additional.fields.key/value |
| share_flag | rfb.log | additional.fields.key/value |
| desktop_name | rfb.log | target.asset.hostname |
| width | rfb.log | additional.fields.key/value |
| height | rfb.log | additional.fields.key/value |
| done | rfb.log | additional.fields.key/value |
| ts | sip.log | metadata.event_timestamp |
| uid | sip.log | network.session_id. Also, network.application_protocol is set to "SIP". |
| id.orig_h | sip.log | principal.ip |
| id.orig_p | sip.log | principal.port |
| id.resp_h | sip.log | target.ip |
| id.resp_p | sip.log | target.port |
| trans_depth | sip.log | additional.fields.key/value |
| method | sip.log | metadata.description |
| uri | sip.log | about.url |
| date | sip.log | additional.fields.key/value |
| request_from | sip.log | principal.user.userid and principal.user.user_display_name |
| request_to | sip.log | target.user.userid and target.user.user_display_name |
| response_from | sip.log | additional.fields.key/value |
| response_to | sip.log | additional.fields.key/value |
| reply_to | sip.log | additional.fields.key/value |
| call_id | sip.log | network.session_id |
| seq | sip.log | additional.fields.key/value |
| subject | sip.log | additional.fields.key/value |
| request_path | sip.log | additional.fields.key/value |
| response_path | sip.log | additional.fields.key/value |
| user_agent | sip.log | additional.fields.key/value |
| status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
| status_msg | sip.log | security_result.description |
| warning | sip.log | additional.fields.key/value |
| request_body_len | sip.log | network.sent_bytes |
| response_body_len | sip.log | network.received_bytes |
| content_type | sip.log | additional.fields.key/value |
| ts | smb_cmd.log | metadata.event_timestamp |
| uid | smb_cmd.log | network.session_id |
| id.orig_h | smb_cmd.log | principal.ip |
| id.orig_p | smb_cmd.log | principal.port |
| id.resp_h | smb_cmd.log | target.ip |
| id.resp_p | smb_cmd.log | target.port |
| command | smb_cmd.log | principal.process.command_line |
| sub_command | smb_cmd.log | additional.fields.key/value |
| argument | smb_cmd.log | additional.fields.key/value |
| status | smb_cmd.log | additional.fields.key/value |
| rtt | smb_cmd.log | additional.fields.key/value |
| version | smb_cmd.log | metadata.product_version |
| username | smb_cmd.log | principal.user.userid |
| tree | smb_cmd.log | additional.fields.key/value |
| tree_service | smb_cmd.log | additional.fields.key/value |
| smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
| smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
| ts | smb_files.log | metadata.event_timestamp |
| uid | smb_files.log | network.session_id |
| id.orig_h | smb_files.log | principal.ip |
| id.orig_p | smb_files.log | principal.port |
| id.resp_h | smb_files.log | target.ip |
| id.resp_p | smb_files.log | target.port |
| fuid | smb_files.log | additional.fields.key/value |
| action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
| path | smb_files.log | target.file.full_path |
| name | smb_files.log | additional.fields.key/value |
| size | smb_files.log | target.file.size |
| prev_name | smb_files.log | additional.fields.key/value |
| times.modified | smb_files.log | additional.fields.key/value |
| times.modified_raw | smb_files.log | additional.fields.key/value |
| times.accessed | smb_files.log | additional.fields.key/value |
| times.accessed_raw | smb_files.log | additional.fields.key/value |
| times.created | smb_files.log | additional.fields.key/value |
| times.created_raw | smb_files.log | additional.fields.key/value |
| times.changed | smb_files.log | additional.fields.key/value |
| times.changed_raw | smb_files.log | additional.fields.key/value |
| fid | smb_files.log | additional.fields.key/value |
| uuid | smb_files.log | additional.fields.key/value |
| ts | smb_mapping.log | metadata.event_timestamp |
| uid | smb_mapping.log | network.session_id |
| id.orig_h | smb_mapping.log | principal.ip |
| id.orig_p | smb_mapping.log | principal.port |
| id.resp_h | smb_mapping.log | target.ip |
| id.resp_p | smb_mapping.log | target.port |
| path | smb_mapping.log | target.file.full_path |
| service | smb_mapping.log | target.application |
| native_file_system | smb_mapping.log | additional.fields.key/value |
| share_type | smb_mapping.log | target.resource.resource_type |
| ts | smtp.log | metadata.event_timestamp |
| uid | smtp.log | network.session_id |
| id.orig_h | smtp.log | principal.ip |
| id.orig_p | smtp.log | principal.port |
| id.resp_h | smtp.log | target.ip |
| id.resp_p | smtp.log | target.port |
| trans_depth | smtp.log | additional.fields.key/value |
| helo | smtp.log | additional.fields.key/value |
| mailfrom | smtp.log | additional.fields.key/value |
| rcptto | smtp.log | additional.fields.key/value |
| date | smtp.log | additional.fields.key/value |
| from | smtp.log | network.email.from |
| to | smtp.log | email.to |
| cc | smtp.log | network.email.cc |
| reply_to | smtp.log | email.reply_to |
| msg_id | smtp.log | email.mail_id |
| in_reply_to | smtp.log | additional.fields.key/value |
| subject | smtp.log | email.subject |
| x_originating_ip | smtp.log | additional.fields.key/value |
| first_received | smtp.log | additional.fields.key/value |
| second_received | smtp.log | additional.fields.key/value |
| last_reply | smtp.log | additional.fields.key/value |
| path | smtp.log | additional.fields.key/value |
| user_agent | smtp.log | additional.fields.key/value |
| tls | smtp.log | network.tls.established |
| process_received_from | smtp.log | additional.fields.key/value |
| has_client_activity | smtp.log | additional.fields.key/value |
| process_smtp_headers | smtp.log | additional.fields.key/value |
| entity.filename | smtp.log | additional.fields.key/value |
| entity.excerpt | smtp.log | additional.fields.key/value |
| fuids | smtp.log | additional.fields.key/value |
| is_webmail | smtp.log | additional.fields.key/value |
| ts | snmp.log | metadata.event_timestamp |
| uid | snmp.log | network.session_id |
| id.orig_h | snmp.log | principal.ip |
| id.orig_p | snmp.log | principal.port |
| id.resp_h | snmp.log | target.ip |
| id.resp_p | snmp.log | target.port |
| duration | snmp.log | network.session_duration |
| version | snmp.log | metadata.product_version |
| community | snmp.log | network.community_id |
| get_requests | snmp.log | additional.fields.key/value |
| get_bulk_requests | snmp.log | additional.fields.key/value |
| get_responses | snmp.log | additional.fields.key/value |
| set_requests | snmp.log | additional.fields.key/value |
| display_string | snmp.log | metadata.description |
| up_since | snmp.log | additional.fields.key/value |
| ts | socks.log | metadata.event_timestamp |
| uid | socks.log | network.session_id |
| id.orig_h | socks.log | principal.ip |
| id.orig_p | socks.log | principal.port |
| id.resp_h | socks.log | target.ip |
| id.resp_p | socks.log | target.port |
| version | socks.log | additional.fields.key/value |
| user | socks.log | principal.user.userid |
| status | socks.log | additional.fields.key/value |
| request.host | socks.log | principal.hostname |
| request.name | socks.log | additional.fields.key/value |
| request_p | socks.log | additional.fields.key/value |
| bound.host | socks.log | additional.fields.key/value |
| bound.name | socks.log | additional.fields.key/value |
| bound_p | socks.log | additional.fields.key/value |
| capture_password | socks.log | additional.fields.key/value |
| ts | ssh.log | metadata.event_timestamp |
| uid | ssh.log | network.session_id |
| id.orig_h | ssh.log | principal.ip |
| id.orig_p | ssh.log | principal.port |
| id.resp_h | ssh.log | target.ip |
| id.resp_p | ssh.log | target.port |
| version | ssh.log | metadata.product_version |
| auth_success | ssh.log | additional.fields.key/value |
| auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
| direction | ssh.log | network.direction |
| client | ssh.log | principal.platform_version |
| server | ssh.log | target.platform_version |
| cipher_alg | ssh.log | additional.fields.key/value |
| mac_alg | ssh.log | additional.fields.key/value |
| compression_alg | ssh.log | additional.fields.key/value |
| kex_alg | ssh.log | additional.fields.key/value |
| host_key_alg | ssh.log | additional.fields.key/value |
| host_key | ssh.log | additional.fields.key/value |
| logged | ssh.log | additional.fields.key/value |
| capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
| capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
| capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
| capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
| capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
| capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
| capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
| capabilities.is_server | ssh.log | additional.fields.key/value |
| analyzer_id | ssh.log | additional.fields.key/value |
| remote_location.country_code | ssh.log | additional.fields.key/value |
| remote_location.region | ssh.log | target.asset.location.country_or_region |
| remote_location.city | ssh.log | target.asset.location.city |
| remote_location.latitude | ssh.log | additional.fields.key/value |
| remote_location.longitude | ssh.log | additional.fields.key/value |
| ts | ssl.log | metadata.event_timestamp |
| uid | ssl.log | metadata.product_log_id |
| id.orig_h | ssl.log | principal.ip |
| id.orig_p | ssl.log | principal.port |
| id.resp_h | ssl.log | target.ip |
| id.resp_p | ssl.log | target.port |
| version_num | ssl.log | additional.fields.key/value |
| version | ssl.log | network.tls.version |
| cipher | ssl.log | network.tls.cipher |
| curve | ssl.log | network.tls.curve |
| server_name | ssl.log | network.tls.client.server_name |
| session_id | ssl.log | network.session_id |
| resumed | ssl.log | network.tls.resumed |
| client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
| client_key_exchange_seen | ssl.log | additional.fields.key/value |
| client_psk_seen | ssl.log | additional.fields.key/value |
| last_alert | ssl.log | additional.fields.key/value |
| next_protocol | ssl.log | network.tls.next_protocol |
| analyzer_id | ssl.log | additional.fields.key/value |
| established | ssl.log | network.tls.established |
| logged | ssl.log | additional.fields.key/value |
| ssl_history | ssl.log | additional.fields.key/value |
| cert_chain_fps | ssl.log | additional.fields.key/value |
| client_cert_chain_fps | ssl.log | additional.fields.key/value |
| subject | ssl.log | network.tls.server.certificate.subject |
| issuer | ssl.log | network.tls.server.certificate.issuer |
| client_subject | ssl.log | network.tls.client.certificate.subject |
| client_issuer | ssl.log | network.tls.client.certificate.issuer |
| sni_matches_cert | ssl.log | additional.fields.key/value |
| server_depth | ssl.log | additional.fields.key/value |
| client_depth | ssl.log | additional.fields.key/value |
| always_raise_x509_events | ssl.log | additional.fields.key/value |
| last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
| last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
| originator_heartbeats | ssl.log | additional.fields.key/value |
| responder_heartbeats | ssl.log | additional.fields.key/value |
| heartbleed_detected | ssl.log | additional.fields.key/value |
| enc_appdata_packages | ssl.log | additional.fields.key/value |
| enc_appdata_bytes | ssl.log | additional.fields.key/value |
| server_version | ssl.log | additional.fields.key/value |
| client_version | ssl.log | additional.fields.key/value |
| client_ciphers | ssl.log | network.tls.client.supported_ciphers |
| ssl_client_exts | ssl.log | additional.fields.key/value |
| ssl_server_exts | ssl.log | additional.fields.key/value |
| ticket_lifetime_hint | ssl.log | additional.fields.key/value |
| dh_param_size | ssl.log | additional.fields.key/value |
| point_formats | ssl.log | additional.fields.key/value |
| client_curves | ssl.log | additional.fields.key/value |
| orig_alpn | ssl.log | additional.fields.key/value |
| client_supported_versions | ssl.log | additional.fields.key/value |
| server_supported_version | ssl.log | additional.fields.key/value |
| psk_key_exchange_modes | ssl.log | additional.fields.key/value |
| client_key_share_groups | ssl.log | additional.fields.key/value |
| server_key_share_group | ssl.log | additional.fields.key/value |
| client_comp_methods | ssl.log | additional.fields.key/value |
| comp_method | ssl.log | additional.fields.key/value |
| sigalgs | ssl.log | additional.fields.key/value |
| hashalgs | ssl.log | additional.fields.key/value |
| validation_status | ssl.log | additional.fields.key/value |
| validation_code | ssl.log | additional.fields.key/value |
| valid_chain | ssl.log | additional.fields.key/value |
| ocsp_status | ssl.log | additional.fields.key/value |
| ocsp_response | ssl.log | additional.fields.key/value |
| valid_scts | ssl.log | additional.fields.key/value |
| invalid_scts | ssl.log | additional.fields.key/value |
| valid_ct_logs | ssl.log | additional.fields.key/value |
| valid_ct_operators | ssl.log | additional.fields.key/value |
| valid_ct_operators_list | ssl.log | additional.fields.key/value |
| ct_proofs | ssl.log | additional.fields.key/value |
| notary.first_seen | ssl.log | additional.fields.key/value |
| notary.last_seen | ssl.log | additional.fields.key/value |
| notary.times_seen | ssl.log | additional.fields.key/value |
| notary.valid | ssl.log | additional.fields.key/value |
| ts | syslog.log | metadata.event_timestamp |
| uid | syslog.log | network.session_id |
| id.orig_h | syslog.log | principal.ip |
| id.orig_p | syslog.log | principal.port |
| id.resp_h | syslog.log | target.ip |
| id.resp_p | syslog.log | target.port |
| proto | syslog.log | network.ip_protocol |
| facility | syslog.log | additional.fields.key/value |
| severity | syslog.log | security_result.severity_details |
| message | syslog.log | metadata.description |
| ts | tunnel.log | metadata.event_timestamp |
| uid | tunnel.log | network.session_id |
| id.orig_h | tunnel.log | principal.ip |
| id.orig_p | tunnel.log | principal.port |
| id.resp_h | tunnel.log | target.ip |
| id.resp_p | tunnel.log | target.port |
| tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
| action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
Files
The following table lists the log fields of the Files log type and the corresponding UDM fields.
| Raw log field | Log type | UDM field |
|---|---|---|
| ts | files.log | metadata.event_timestamp |
| fuid | files.log | metadata.product_log_id |
| tx_hosts | files.log | principal.ip |
| rx_hosts | files.log | target.ip |
| conn_uids | files.log | additional.fields.key/value |
| source | files.log | network.application_protocol and target.file.full_path |
| depth | files.log | additional.fields.key/value |
| analyzers | files.log | additional.fields.key/value |
| mime_type | files.log | target.file.mime_type |
| filename | files.log | target.file.full_path |
| duration | files.log | additional.fields.key/value |
| local_orig | files.log | additional.fields.key/value |
| is_orig | files.log | additional.fields.key/value |
| seen_bytes | files.log | target.file.size |
| total_bytes | files.log | additional.fields.key/value |
| missing_bytes | files.log | additional.fields.key/value |
| overflow_bytes | files.log | additional.fields.key/value |
| timedout | files.log | additional.fields.key/value |
| parent_fuid | files.log | additional.fields.key/value |
| md5 | files.log | target.file.md5 |
| sha1 | files.log | target.file.sha1 |
| sha256 | files.log | target.file.sha256 |
| md5 | files.log | network.tls.client.certificate.md5 |
| sha1 | files.log | network.tls.client.certificate.sha1 |
| sha256 | files.log | network.tls.client.certificate.sha256 |
| md5 | files.log | network.tls.server.certificate.md5 |
| sha1 | files.log | network.tls.server.certificate.sha1 |
| sha256 | files.log | network.tls.server.certificate.sha256 |
| x509 | files.log | additional.fields.key/value. This field is a nested field. |
| extracted | files.log | additional.fields.key/value |
| extracted_cutoff | files.log | additional.fields.key/value |
| extracted_size | files.log | additional.fields.key/value |
| entropy | files.log | additional.fields.key/value |
| ts | ocsp.log | metadata.event_timestamp |
| id | ocsp.log | metadata.product_log_id |
| hashAlgorithm | ocsp.log | additional.fields.key/value |
| issuerNameHash | ocsp.log | additional.fields.key/value |
| issuerKeyHash | ocsp.log | additional.fields.key/value |
| serialNumber | ocsp.log | tls.server.certificate.serial |
| certStatus | ocsp.log | additional.fields.key/value |
| revoketime | ocsp.log | network.tls.server.certificate.not_after |
| revokereason | ocsp.log | security_result.summary |
| thisUpdate | ocsp.log | additional.fields.key/value |
| nextUpdate | ocsp.log | additional.fields.key/value |
| ts | pe.log | metadata.event_timestamp |
| id | pe.log | metadata.product_log_id |
| machine | pe.log | target.resource.resource_subtype |
| compile_ts | pe.log | additional.fields.key/value |
| os | pe.log | target.platform_version. Also, target.resource.resource_type is set to "DEVICE". |
| subsystem | pe.log | target.application |
| is_exe | pe.log | additional.fields.key/value |
| is_64bit | pe.log | additional.fields.key/value |
| uses_aslr | pe.log | additional.fields.key/value |
| uses_dep | pe.log | additional.fields.key/value |
| uses_code_integrity | pe.log | additional.fields.key/value |
| uses_seh | pe.log | additional.fields.key/value |
| has_import_table | pe.log | additional.fields.key/value |
| has_export_table | pe.log | additional.fields.key/value |
| has_cert_table | pe.log | additional.fields.key/value |
| has_debug_data | pe.log | additional.fields.key/value |
| section_names | pe.log | additional.fields.key/value |
| ts | x509.log | metadata.event_timestamp. Also, target.application is set to "x509". |
| fingerprint | x509.log | additional.fields.key/value |
| certificate.version | x509.log | network.tls.server.certificate.version |
| certificate.serial | x509.log | network.tls.server.certificate.serial |
| certificate.subject | x509.log | network.tls.server.certificate.subject |
| certificate.issuer | x509.log | network.tls.server.certificate.issuer |
| certificate.cn | x509.log | target.hostname |
| certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
| certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
| certificate.key_alg | x509.log | additional.fields.key/value |
| certificate.sig_alg | x509.log | additional.fields.key/value |
| certificate.key_type | x509.log | additional.fields.key/value |
| certificate.key_length | x509.log | additional.fields.key/value |
| certificate.exponent | x509.log | additional.fields.key/value |
| certificate.curve | x509.log | network.tls.curve |
| handle | x509.log | additional.fields.key/value |
| extensions.name | x509.log | additional.fields.key/value |
| extensions.short_name | x509.log | additional.fields.key/value |
| extensions.oid | x509.log | additional.fields.key/value |
| extensions.critical | x509.log | additional.fields.key/value |
| extensions.value | x509.log | additional.fields.key/value |
| san.dns | x509.log | additional.fields.key/value |
| san.uri | x509.log | additional.fields.key/value |
| san.email | x509.log | additional.fields.key/value |
| san.ip | x509.log | additional.fields.key/value |
| san.other_fields | x509.log | additional.fields.key/value |
| basic_constraints.ca | x509.log | additional.fields.key/value |
| basic_constraints.path_len | x509.log | additional.fields.key/value |
| extensions_cache | x509.log | additional.fields.key/value |
| host_cert | x509.log | additional.fields.key/value |
| client_cert | x509.log | additional.fields.key/value |
| deduplication_index.fingerprint | x509.log | additional.fields.key/value |
| deduplication_index.host_cert | x509.log | additional.fields.key/value |
| deduplication_index.client_cert | x509.log | additional.fields.key/value |
| always_raise_x509_events | x509.log | additional.fields.key/value |
| cert | x509.log | additional.fields.key/value |
Netcontrol
The following table lists the log fields of the netcontrol log type and the corresponding UDM fields.
| Raw log field | Log type | UDM field |
|---|---|---|
| ts | netcontrol.log | metadata.event_timestamp |
| rule_id | netcontrol.log | security_result.rule_id |
| category | netcontrol.log | security_result.category_details |
| cmd | netcontrol.log | additional.fields.key/value |
| state | netcontrol.log | additional.fields.key/value |
| action | netcontrol.log | security_result.action_details |
| target | netcontrol.log | additional.fields.key/value |
| entity_type | netcontrol.log | additional.fields.key/value |
| entity | netcontrol.log | security_result.summary |
| mod | netcontrol.log | additional.fields.key/value |
| msg | netcontrol.log | security_result.description |
| priority | netcontrol.log | security_result.priority_details |
| expire | netcontrol.log | additional.fields.key/value |
| location | netcontrol.log | additional.fields.key/value |
| plugin | netcontrol.log | additional.fields.key/value |
| ts | netcontrol_drop.log | metadata.event_timestamp |
| rule_id | netcontrol_drop.log | security_result.rule_id |
| orig_h | netcontrol_drop.log | principal.ip |
| orig_p | netcontrol_drop.log | principal.port |
| resp_h | netcontrol_drop.log | target.ip |
| resp_p | netcontrol_drop.log | target.port |
| expire | netcontrol_drop.log | additional.fields.key/value |
| location | netcontrol_drop.log | additional.fields.key/value |
| ts | netcontrol_shunt.log | metadata.event_timestamp |
| rule_id | netcontrol_shunt.log | security_result.rule_id |
| f.src_h | netcontrol_shunt.log | principal.ip |
| f.src_p | netcontrol_shunt.log | principal.port |
| f.dst_h | netcontrol_shunt.log | target.ip |
| f.dst_p | netcontrol_shunt.log | target.port |
| expire | netcontrol_shunt.log | additional.fields.key/value |
| location | netcontrol_shunt.log | additional.fields.key/value |
| ts | netcontrol_catch_release.log | metadata.event_timestamp |
| rule_id | netcontrol_catch_release.log | security_result.rule_id |
| ip | netcontrol_catch_release.log | target.ip |
| action | netcontrol_catch_release.log | security_result.action_details |
| block_interval | netcontrol_catch_release.log | additional.fields.key/value |
| watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
| blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
| watched_until | netcontrol_catch_release.log | additional.fields.key/value |
| num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
| location | netcontrol_catch_release.log | additional.fields.key/value |
| message | netcontrol_catch_release.log | security_result.description |
| ts | openflow.log | metadata.event_timestamp |
| dpid | openflow.log | additional.fields.key/value |
| match.in_port | openflow.log | additional.fields.key/value |
| match.dl_src | openflow.log | additional.fields.key/value |
| match.dl_dst | openflow.log | additional.fields.key/value |
| match.dl_vlan | openflow.log | additional.fields.key/value |
| match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
| match.dl_type | openflow.log | additional.fields.key/value |
| match.nw_tos | openflow.log | additional.fields.key/value |
| match.nw_proto | openflow.log | additional.fields.key/value |
| match.nw_src | openflow.log | additional.fields.key/value |
| match.nw_dst | openflow.log | additional.fields.key/value |
| match.tp_src | openflow.log | additional.fields.key/value |
| match.tp_dst | openflow.log | additional.fields.key/value |
| flow_mod.cookie | openflow.log | additional.fields.key/value |
| flow_mod.table_id | openflow.log | additional.fields.key/value |
| flow_mod.command | openflow.log | additional.fields.key/value |
| flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
| flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
| flow_mod.priority | openflow.log | additional.fields.key/value |
| flow_mod.out_port | openflow.log | additional.fields.key/value |
| flow_mod.flags | openflow.log | additional.fields.key/value |
| flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Detection
The following table lists the log fields of the detection log type and the corresponding UDM fields.
| Raw log field | Log type | UDM field |
|---|---|---|
| ts | intel.log | metadata.event_timestamp |
| uid | intel.log | network.session_id |
| id.orig_h | intel.log | principal.ip |
| id.orig_p | intel.log | principal.port |
| id.resp_h | intel.log | target.ip |
| id.resp_p | intel.log | target.port |
| seen.indicator | intel.log | additional.fields.key/value |
| seen.indicator_type | intel.log | additional.fields.key/value |
| seen.host | intel.log | additional.fields.key/value |
| seen.where | intel.log | additional.fields.key/value |
| seen.node | intel.log | additional.fields.key/value |
| seen.conn.id.orig_h | intel.log | additional.fields.key/value |
| seen.conn.id.orig_p | intel.log | additional.fields.key/value |
| seen.conn.id.resp_h | intel.log | additional.fields.key/value |
| seen.conn.id.resp_p | intel.log | additional.fields.key/value |
| seen.conn.orig.size | intel.log | network.sent_bytes |
| seen.conn.orig.state | intel.log | additional.fields.key/value |
| seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
| seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.resp.size | intel.log | network.received_bytes |
| seen.conn.resp.state | intel.log | additional.fields.key/value |
| seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
| seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.start_time | intel.log | additional.fields.key/value |
| seen.conn.duration | intel.log | network.session_duration |
| seen.conn.service | intel.log | additional.fields.key/value |
| seen.conn.history | intel.log | metadata.description |
| seen.conn.uid | intel.log | network.session_id |
| seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
| seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
| seen.conn.vlan | intel.log | additional.fields.key/value |
| seen.conn.inner_vlan | intel.log | additional.fields.key/value |
| seen.conn.dpd_state | intel.log | additional.fields.key/value |
| seen.conn.removal_hooks | intel.log | additional.fields.key/value |
| seen.conn.extract_orig | intel.log | additional.fields.key/value |
| seen.conn.extract_resp | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
| seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
| seen.conn.http_state.pending | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
| seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
| seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
| seen.conn.known_services_done | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
| seen.conn.speculative_service | intel.log | additional.fields.key/value |
| seen.uid | intel.log | additional.fields.key/value |
| seen.f.id | intel.log | additional.fields.key/value |
| seen.f.parent_id | intel.log | additional.fields.key/value |
| seen.f.source | intel.log | target.file.full_path |
| seen.f.is_orig | intel.log | additional.fields.key/value |
| seen.f.conns | intel.log | additional.fields.key/value |
| seen.f.last_active | intel.log | additional.fields.key/value |
| seen.f.seen_bytes | intel.log | additional.fields.key/value |
| seen.f.total_bytes | intel.log | additional.fields.key/value |
| seen.f.missing_bytes | intel.log | additional.fields.key/value |
| seen.f.overflow_bytes | intel.log | additional.fields.key/value |
| seen.f.timeout_interval | intel.log | additional.fields.key/value |
| seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
| seen.f.bof_buffer | intel.log | additional.fields.key/value |
| seen.f.u2_events | intel.log | additional.fields.key/value |
| seen.fuid | intel.log | additional.fields.key/value |
| matched | intel.log | additional.fields.key/value |
| sources | intel.log | additional.fields.key/value |
| fuid | intel.log | additional.fields.key/value |
| file_mime_type | intel.log | target.file.mime_type |
| file_desc | intel.log | additional.fields.key/value |
| cif.tags | intel.log | additional.fields.key/value |
| cif.confidence | intel.log | additional.fields.key/value |
| cif.source | intel.log | additional.fields.key/value |
| cif.description | intel.log | additional.fields.key/value |
| cif.firstseen | intel.log | additional.fields.key/value |
| cif.lastseen | intel.log | additional.fields.key/value |
| ts | notice.log | metadata.event_timestamp |
| uid | notice.log | network.session_id |
| id.orig_h | notice.log | principal.ip |
| id.orig_p | notice.log | principal.port |
| id.resp_h | notice.log | target.ip |
| id.resp_p | notice.log | target.port |
| conn.id.orig_h | notice.log | additional.fields.key/value |
| conn.id.orig_p | notice.log | additional.fields.key/value |
| conn.id.resp_h | notice.log | additional.fields.key/value |
| conn.id.resp_p | notice.log | additional.fields.key/value |
| conn.orig.size | notice.log | network.sent_bytes |
| conn.orig.state | notice.log | additional.fields.key/value |
| conn.orig.num_pkts | notice.log | additional.fields.key/value |
| conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.orig.flow_label | notice.log | additional.fields.key/value |
| conn.orig.l2_addr | notice.log | additional.fields.key/value |
| conn.resp.size | notice.log | network.received_bytes |
| conn.resp.state | notice.log | additional.fields.key/value |
| conn.resp.num_pkts | notice.log | additional.fields.key/value |
| conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.resp.flow_label | notice.log | additional.fields.key/value |
| conn.resp.l2_addr | notice.log | additional.fields.key/value |
| conn.start_time | notice.log | additional.fields.key/value |
| conn.duration | notice.log | network.session_duration |
| conn.service | notice.log | additional.fields.key/value |
| conn.history | notice.log | metadata.description |
| conn.uid | notice.log | network.session_id |
| conn.tunnel.queued | notice.log | additional.fields.key/value |
| conn.tunnel.dispatched | notice.log | additional.fields.key/value |
| conn.vlan | notice.log | additional.fields.key/value |
| conn.inner_vlan | notice.log | additional.fields.key/value |
| conn.dpd_state.violations | notice.log | additional.fields.key/value |
| conn.removal_hooks | notice.log | additional.fields.key/value |
| conn.extract_orig | notice.log | additional.fields.key/value |
| conn.extract_resp | notice.log | additional.fields.key/value |
| conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
| conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
| conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
| conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
| conn.thresholds.duration | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_backing | notice.log | additional.fields.key/value |
| conn.dns_state.pending_query | notice.log | additional.fields.key/value |
| conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
| conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
| conn.ftp_data_reuse | notice.log | additional.fields.key/value |
| conn.http_state.pending | notice.log | additional.fields.key/value |
| conn.http_state.current_request | notice.log | additional.fields.key/value |
| conn.http_state.current_response | notice.log | additional.fields.key/value |
| conn.http_state.trans_depth | notice.log | additional.fields.key/value |
| conn.sip_state.pending | notice.log | additional.fields.key/value |
| conn.sip_state.current_request | notice.log | additional.fields.key/value |
| conn.sip_state.current_response | notice.log | additional.fields.key/value |
| conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
| conn.smb_state.fid_map | notice.log | additional.fields.key/value |
| conn.smb_state.tid_map | notice.log | additional.fields.key/value |
| conn.smb_state.uid_map | notice.log | additional.fields.key/value |
| conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
| conn.smb_state.recent_files | notice.log | additional.fields.key/value |
| conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
| conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
| conn.known_services_done | notice.log | additional.fields.key/value |
| mqtt.ts | notice.log | additional.fields.key/value |
| mqtt.uid | notice.log | additional.fields.key/value |
| mqtt.id | notice.log | additional.fields.key/value |
| mqtt.proto_name | notice.log | additional.fields.key/value |
| mqtt.proto_version | notice.log | additional.fields.key/value |
| mqtt.client_id | notice.log | additional.fields.key/value |
| mqtt.connect_status | notice.log | additional.fields.key/value |
| mqtt.will_topic | notice.log | additional.fields.key/value |
| mqtt.will_payload | notice.log | additional.fields.key/value |
| conn.mqtt_state.publish | notice.log | additional.fields.key/value |
| conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
| conn.speculative_service | notice.log | additional.fields.key/value |
| iconn.orig_h | notice.log | additional.fields.key/value |
| iconn.resp_h | notice.log | additional.fields.key/value |
| iconn.itype | notice.log | additional.fields.key/value |
| iconn.icode | notice.log | additional.fields.key/value |
| iconn.len | notice.log | additional.fields.key/value |
| iconn.hlim | notice.log | additional.fields.key/value |
| iconn.v6 | notice.log | additional.fields.key/value |
| f.id | notice.log | additional.fields.key/value |
| f.parent_id | notice.log | additional.fields.key/value |
| f.source | notice.log | target.file.full_path |
| f.is_orig | notice.log | additional.fields.key/value |
| f.conns | notice.log | additional.fields.key/value |
| f.last_active | notice.log | additional.fields.key/value |
| f.seen_bytes | notice.log | additional.fields.key/value |
| f.total_bytes | notice.log | additional.fields.key/value |
| f.missing_bytes | notice.log | additional.fields.key/value |
| f.overflow_bytes | notice.log | additional.fields.key/value |
| f.timeout_interval | notice.log | additional.fields.key/value |
| f.bof_buffer_size | notice.log | additional.fields.key/value |
| f.bof_buffer | notice.log | additional.fields.key/value |
| f.u2_events | notice.log | additional.fields.key/value |
| fuid | notice.log | additional.fields.key/value |
| file_mime_type | notice.log | target.file.mime_type |
| file_desc | notice.log | additional.fields.key/value |
| proto | notice.log | network.ip_protocol |
| note | notice.log | security_result.description |
| msg | notice.log | security_result.summary |
| sub | notice.log | additional.fields.key/value |
| src | notice.log | principal.ip |
| dst | notice.log | target.ip |
| p | notice.log | target.port |
| n | notice.log | additional.fields.key/value |
| peer_name | notice.log | additional.fields.key/value |
| peer_descr | notice.log | additional.fields.key/value |
| actions | notice.log | security_result.action_details |
| email_dest | notice.log | network.email.to (repeated) |
| email_body_sections | notice.log | network.email.subject (repeated) |
| email_delay_tokens | notice.log | additional.fields.key/value |
| identifier | notice.log | additional.fields.key/value |
| suppress_for | notice.log | additional.fields.key/value |
| remote_location.country_code | notice.log | additional.fields.key/value |
| remote_location.region | notice.log | principal.asset.location.country_or_region |
| remote_location.city | notice.log | principal.asset.location.city |
| remote_location.latitude | notice.log | additional.fields.key/value |
| remote_location.longitude | notice.log | additional.fields.key/value |
| dropped | notice.log | security_result.action_details |
| ts | signatures.log | metadata.event_timestamp |
| uid | signatures.log | network.session_id |
| src_addr | signatures.log | principal.ip |
| src_port | signatures.log | principal.port |
| dst_addr | signatures.log | target.ip |
| dst_port | signatures.log | target.port |
| note | signatures.log | security_result.summary |
| sig_id | signatures.log | additional.fields.key/value |
| event_msg | signatures.log | metadata.description |
| sub_msg | signatures.log | additional.fields.key/value |
| sig_count | signatures.log | additional.fields.key/value |
| host_count | signatures.log | additional.fields.key/value |
| ts | traceroute.log | metadata.event_timestamp |
| src | traceroute.log | principal.ip |
| dst | traceroute.log | target.ip |
| proto | traceroute.log | network.ip_protocol |
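The notice.log rows above, worked as an added example that is not part of this page or of the Google SecOps parser: it splits the `notice - {json}` line the NXLog `Exec` rule emits, applies a subset of the table to build the nested UDM structure, and puts every unmapped key into `additional.fields`. The helper names, the sample record and the event type (taken from the notice.log row of the event-type table) are this example's own assumptions.

```python
import json
from typing import Any

# Subset of the notice.log field mapping from the table above.
NOTICE_FIELD_MAP = {
    "ts": "metadata.event_timestamp",
    "uid": "network.session_id",
    "id.orig_h": "principal.ip",
    "id.orig_p": "principal.port",
    "id.resp_h": "target.ip",
    "id.resp_p": "target.port",
    "proto": "network.ip_protocol",
    "note": "security_result.description",
    "msg": "security_result.summary",
    "actions": "security_result.action_details",
    "email_dest": "network.email.to",  # marked "(repeated)" in the table
}
REPEATED_UDM_FIELDS = {"network.email.to"}
EVENT_TYPE = {"notice": "NETWORK_CONNECTION"}  # notice.log row of the event-type table


def set_path(obj: dict, dotted: str, value: Any) -> None:
    """Write value at a dotted UDM path, creating nested dicts as needed."""
    keys = dotted.split(".")
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value


def parse_nxlog_line(line: str) -> tuple[str, dict]:
    """Split the 'type - {json}' line produced by the NXLog Exec rule."""
    log_type, sep, payload = line.partition(" - ")
    if not sep:
        raise ValueError("missing NXLog log-type prefix")
    return log_type, json.loads(payload)


def notice_to_udm(record: dict) -> dict:
    """Map one notice.log record to UDM; unmapped keys become additional.fields."""
    udm: dict = {"metadata": {"event_type": EVENT_TYPE["notice"]},
                 "additional": {"fields": []}}
    for zeek_key, value in record.items():
        udm_path = NOTICE_FIELD_MAP.get(zeek_key)
        if udm_path is None:
            udm["additional"]["fields"].append({"key": zeek_key, "value": value})
            continue
        if udm_path in REPEATED_UDM_FIELDS and not isinstance(value, list):
            value = [value]  # repeated UDM fields are always lists (assumption)
        set_path(udm, udm_path, value)
    return udm


# Constructed sample line in the form NXLog forwards it (not from a real sensor).
SAMPLE_LINE = (
    'notice - {"ts":1700000000.25,"uid":"CAbc1234","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"10.0.0.9","id.resp_p":22,"proto":"tcp",'
    '"note":"SSH::Password_Guessing","msg":"10.0.0.5 appears to be guessing",'
    '"actions":["Notice::ACTION_LOG"],"email_dest":["soc@example.com"],'
    '"sub":"Sampled servers: 10.0.0.9"}'
)

if __name__ == "__main__":
    log_type, rec = parse_nxlog_line(SAMPLE_LINE)
    print(log_type, json.dumps(notice_to_udm(rec), indent=1))
```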
Network observations
The following table lists the log fields of the network observation log types and their corresponding UDM fields.
| Raw log field | Log type | UDM field |
|---|---|---|
| ts | known_certs.log | metadata.event_timestamp |
| host | known_certs.log | principal.ip |
| port_num | known_certs.log | principal.port |
| subject | known_certs.log | network.tls.client.certificate.subject |
| issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
| serial | known_certs.log | network.tls.client.certificate.serial |
| ts | known_hosts.log | metadata.event_timestamp |
| host | known_hosts.log | principal.ip |
| ts | known_modbus.log | metadata.event_timestamp |
| host | known_modbus.log | principal.ip |
| device_type | known_modbus.log | target.resource.name, target.resource.resource_type = "DEVICE" |
| ts | known_services.log | metadata.event_timestamp |
| host | known_services.log | principal.ip |
| port_num | known_services.log | principal.port |
| port_proto | known_services.log | network.ip_protocol |
| service | known_services.log | target.application |
| ts | software.log | metadata.event_timestamp |
| host | software.log | principal.ip |
| host_p | software.log | principal.port |
| software_type | software.log | principal.resource.resource_subtype |
| name | software.log | principal.resource.name |
| version.major | software.log | additional.fields.key/value |
| version.minor | software.log | additional.fields.key/value |
| version.minor2 | software.log | additional.fields.key/value |
| version.minor3 | software.log | additional.fields.key/value |
| version.addl | software.log | additional.fields.key/value |
| unparsed_version | software.log | additional.fields.key/value |
| force_log | software.log | additional.fields.key/value |
| url | software.log | metadata.url_back_to_product |
Field mapping reference: event identifier to UDM event type
To understand how the parser maps log names to UDM event types, see the following sections:
Network protocols
The following table lists the log names of the network protocol log types and their corresponding UDM event types.
| Log file name | Description | UDM event type |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
| dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
| dhcp.log | DHCP leases | NETWORK_DHCP |
| dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
| dns.log | DNS activity | NETWORK_DNS |
| ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
| http.log | HTTP requests and replies | NETWORK_HTTP |
| irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
| kerberos.log | Kerberos | NETWORK_CONNECTION |
| modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
| modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
| mysql.log | MySQL | NETWORK_UNCATEGORIZED |
| ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
| ntp.log | Network Time Protocol | NETWORK_CONNECTION |
| radius.log | RADIUS authentication attempts | USER_LOGIN |
| rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
| rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
| sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
| smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
| smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
| smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
| smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
| snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
| socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
| ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
| ssl.log | SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake info | NETWORK_HTTP, NETWORK_CONNECTION |
| syslog.log | Syslog messages | NETWORK_CONNECTION |
| tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Files
The following table lists the log names of the file log types and their corresponding UDM event types.
| Log file name | Description | UDM event type |
|---|---|---|
| files.log | File analysis results | NETWORK_UNCATEGORIZED |
| ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
| pe.log | Portable Executable (PE) | GENERIC_EVENT |
| x509.log | X.509 certificate info | GENERIC_EVENT |
NetControl
The following table lists the log names of the NetControl log types and their corresponding UDM event types.
| Log file name | Description | UDM event type |
|---|---|---|
| netcontrol.log | NetControl actions | GENERIC_EVENT |
| netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
| netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
| netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
| openflow.log | OpenFlow debug log | GENERIC_EVENT |
Detection
The following table lists the log names of the detection log types and their corresponding UDM event types.
| Log file name | Description | UDM event type |
|---|---|---|
| intel.log | Intelligence data matches | GENERIC_EVENT |
| notice.log | Zeek notices | NETWORK_CONNECTION |
| notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
| signatures.log | Signature matches | GENERIC_EVENT |
| traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
Network observations
The following table lists the log names of the network observation log types and their corresponding UDM event types.
| Log file name | Description | UDM event type |
|---|---|---|
| known_certs.log | SSL certificates | GENERIC_EVENT |
| known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
| known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
| known_services.log | Services running on hosts | GENERIC_EVENT |
| software.log | Software used on the network | GENERIC_EVENT |
Next steps