Recopila registros de Zeek (Bro)
Se admite en los siguientes países:
Google SecOps
SIEM
En este documento, se describe cómo puedes implementar Zeek (anteriormente Bro) y NXLog con Google Security Operations para recopilar registros de Zeek en formato JSON. En este documento, también se explica cómo los campos de registro de Zeek se asignan a los campos del modelo de datos unificado (UDM) de Google Security Operations.
Para obtener una descripción general de la transferencia de datos a Google Security Operations, consulta Transferencia de datos a Google Security Operations.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato estructurado del UDM. La información de este documento se aplica al analizador con la etiqueta de transferencia BRO_JSON.
Antes de comenzar
Para comprender los componentes que se implementan para recopilar registros de Zeek, revisa la arquitectura de implementación. Cada implementación de cliente puede diferir de esta representación y ser más compleja. En el siguiente diagrama, se muestra cómo puedes configurar un agente de NXLog y un reenviador de Google Security Operations en un servidor Linux y reenviar datos de registro a Google Security Operations.
Verifica las versiones de Zeek que admite el analizador de Google Security Operations. El analizador de Operaciones de seguridad de Google admite las siguientes versiones de Zeek:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Antes de usar el analizador de Zeek, revisa los cambios en las asignaciones de campos entre el analizador anterior y el analizador de Zeek actual. Como parte de la migración, asegúrate de que las reglas, las búsquedas, los paneles y otros procesos que dependen de los campos originales usen los campos actualizados.
Por ejemplo, en la versión anterior del analizador, el campo
server_namese asigna al campo UDMtarget.hostname. En el analizador de Zeek actual, el camposerver_namese asigna al campo de UDMnetwork.tls.client.server_name. Si migras al analizador de Zeek actual y usas el camposerver_nameen tus reglas, debes modificarlas para usar el campo UDMnetwork.tls.client.server_namedel analizador actual.Verifica los tipos de registros de Zeek que admite el analizador de Google Security Operations. En la siguiente tabla, se enumeran los tipos de registros de Zeek que admite el analizador de Google Security Operations:
| Tipo de registro | Descripción |
| Protocolos de red | Incluye archivos de registro de protocolos de red, como el protocolo de configuración dinámica de host (DHCP) y el sistema de nombres de dominio (DNS). |
| Archivos | Incluye los siguientes archivos de registro: resultados del análisis de archivos, Protocolo de estado de certificados en línea (OCSP), ejecutable portátil (PE) y certificado X.509. |
| NetControl | Incluye archivos de registro de acciones de NetControl y registros de depuración de OpenFlow. |
| Detección | Incluye archivos de registro de coincidencias de datos de inteligencia, avisos de Zeek, flujo de alarmas, coincidencias de firmas y detección de traceroute. |
| Observaciones de la red | Incluye archivos de registro de certificados SSL, hosts que completaron el protocolo de enlace TCP, réplicas y principales de Modbus, servicios que se ejecutan en hosts y software que se usa en la red. |
Si aún no lo hiciste, instala y configura Zeek. Para obtener más información, consulta Instalación de Zeek.
Recopila registros de Zeek en formato JSON. Para obtener más información, consulta Cómo generar registros de Zeek en formato JSON.
Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados con la zona horaria UTC.
Configura el reenviador de NXLog y Google Security Operations
- Descarga e instala NXLog Community Edition en la máquina Linux en la que se ejecuta el servidor de reenvío de Google Security Operations.
- Para obtener más información sobre cómo descargar NXLog Community Edition, consulta la documentación de NXLog.
- Para obtener más información sobre la instalación de los paquetes y las dependencias de NXLog necesarios, consulta Cómo instalar NXLog en un sistema Linux.
- Crea un archivo de configuración para cada instancia de NXLog.
Usa el módulo im_file de NXLog para leer el archivo y analizar las líneas en campos. Este es un ejemplo de configuración de NXLog:
LogFile /var/log/nxlog/nxlog.log LogLevel INFO define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname> define ZEEK_OUTPUT_DESTINATION_PORT <port> <Input conn> Module im_file File '/opt/zeek/logs/current/conn.log' Exec $raw_event= "conn" + ' - ' + $raw_event;; </Input> <Input dce_rpc> Module im_file File '/opt/zeek/logs/current/dce_rpc.log' Exec $raw_event= "dce_rpc" + ' - ' + $raw_event;; </Input> <Output out_chronicle> Module om_tcp Host %ZEEK_OUTPUT_DESTINATION_ADDRESS% Port %ZEEK_OUTPUT_DESTINATION_PORT% </Output> <Route zeek_to_chronicle> Path conn, dce_rpc => out_chronicle </Route>Para usar la configuración del ejemplo anterior, haz lo siguiente:
- Reemplaza los valores
<hostname>y<port>por información sobre el servidor Linux de destino. - Agrega elementos de entrada, salida y ruta para cada tipo de registro de Zeek que desees recopilar.
- Reemplaza los valores
Configura el reenviador de Google Security Operations para enviar registros a Google Security Operations. Para obtener más información, consulta Cómo instalar y configurar el reenviador en Linux. Este es un ejemplo de configuración de reenvío.
- syslog: common: enabled: true data_type: BRO_JSON batch_n_seconds: 10 batch_n_bytes: 1048576 tcp_address: 0.0.0.0:10518 connection_timeout_sec: 60Inicia el servicio NXLog.
Referencia de asignación de campos: Zeek registra campos en campos de UDM
Para comprender cómo el analizador de Google Security Operations asigna campos de registro de Zeek a campos de eventos de la UDM de Google Security Operations para cada tipo de registro de Zeek, consulta las siguientes secciones:
Protocolos de red
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de protocolos de red y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | conn.log | metadata.event_timestamp |
| uid | conn.log | network.session_id |
| id.orig_h | conn.log | principal.ip |
| id.orig_p | conn.log | principal.port |
| id.resp_h | conn.log | target.ip |
| id.resp_p | conn.log | target.port |
| proto | conn.log | network.ip_protocol |
| service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
| duration | conn.log | network.session_duration |
| orig_bytes | conn.log | network.sent_bytes |
| resp_bytes | conn.log | network.received_bytes |
| conn_state | conn.log | metadata.description |
| local_orig | conn.log | additional.fields.key/value |
| local_resp | conn.log | additional.fields.key/value |
| missed_bytes | conn.log | additional.fields.key/value |
| history | conn.log | additional.fields.key/value |
| orig_pkts | conn.log | additional.fields.key/value |
| orig_ip_bytes | conn.log | additional.fields.key/value |
| resp_pkts | conn.log | additional.fields.key/value |
| resp_ip_bytes | conn.log | additional.fields.key/value |
| tunnel_parents | conn.log | additional.fields.key/value |
| orig_l2_addr | conn.log | additional.fields.key/value |
| resp_l2_addr | conn.log | additional.fields.key/value |
| vlan | conn.log | additional.fields.key/value |
| inner_vlan | conn.log | additional.fields.key/value |
| speculative_service | conn.log | additional.fields.key/value |
| ts | dce_rpc.log | metadata.event_timestamp |
| uid | dce_rpc.log | network.session_id |
| id.orig_h | dce_rpc.log | principal.ip |
| id.orig_p | dce_rpc.log | principal.port |
| id.resp_h | dce_rpc.log | target.ip |
| id.resp_p | dce_rpc.log | target.port |
| rtt | dce_rpc.log | additional.fields.key/value |
| named_pipe | dce_rpc.log | target.resource.name
Also, target.resource.resource_type is set to "PIPE". |
| endpoint | dce_rpc.log | additional.fields.key/value |
| operation | dce_rpc.log | additional.fields.key/value |
| ts | dhcp.log | metadata.event_timestamp |
| uids | dhcp.log | additional.fields.key/value |
| client_addr | dhcp.log | target.ip |
| server_addr | dhcp.log | principal.ip |
| client_port | dhcp.log | target.port |
| server_port | dhcp.log | principal.port |
| mac | dhcp.log | principal.mac
Machine ID is required for parsing NETWORK_DHCP events. |
| host_name | dhcp.log | network.dhcp.client_hostname |
| client_fqdn | dhcp.log | target.hostname |
| domain | dhcp.log | target.administrative_domain |
| requested_addr | dhcp.log | network.dhcp.requested_address |
| assigned_addr | dhcp.log | network.dhcp.yiaddr |
| lease_time | dhcp.log | network.dhcp.lease_time_seconds |
| client_message | dhcp.log | additional.fields.key/value |
| server_message | dhcp.log | additional.fields.key/value |
| msg_types | dhcp.log | additional.fields.key/value
The log that Zeek produces is a collection of DORA messages in a single log. |
| duration | dhcp.log | network.dhcp.seconds |
| client_chaddr | dhcp.log | network.dhcp.chaddr |
| msg_orig | dhcp.log | additional.fields.key/value |
| client_software | dhcp.log | additional.fields.key/value |
| server_software | dhcp.log | additional.fields.key/value |
| circuit_id | dhcp.log | additional.fields.key/value |
| agent_remote_id | dhcp.log | additional.fields.key/value |
| subscriber_id | dhcp.log | additional.fields.key/value |
| ts | dnp3.log | metadata.event_timestamp |
| uid | dnp3.log | network.session_id |
| id.orig_h | dnp3.log | principal.ip |
| id.orig_p | dnp3.log | principal.port |
| id.resp_h | dnp3.log | target.ip |
| id.resp_p | dnp3.log | target.port |
| fc_request | dnp3.log | additional.fields.key/value |
| fc_reply | dnp3.log | additional.fields.key/value |
| iin | dnp3.log | additional.fields.key/value |
| ts | dns.log | metadata.event_timestamp |
| uid | dns.log | network.session_id |
| id.orig_h | dns.log | principal.ip |
| id.orig_p | dns.log | principal.port |
| id.resp_h | dns.log | target.ip |
| id.resp_p | dns.log | target.port |
| proto | dns.log | network.ip_protocol |
| trans_id | dns.log | network.dns.id |
| rtt | dns.log | additional.fields.key/value |
| query | dns.log | network.dns.questions.name |
| qclass | dns.log | network.dns.questions.class |
| qclass_name | dns.log | additional.fields.key/value |
| qtype | dns.log | network.dns.questions.type |
| qtype_name | dns.log | additional.fields.key/value |
| rcode | dns.log | network,dns.response_code |
| rcode_name | dns.log | additional.fields.key/value |
| AA | dns.log | network.dns.authoritative |
| TC | dns.log | network.dns.truncated |
| RD | dns.log | network.dns.recursion_desired |
| RA | dns.log | network.dns.recursion_available |
| Z | dns.log | additional.fields.key/value |
| answers | dns.log | network.dns.answers.data |
| TTLs | dns.log | network.dns.answers.ttl |
| rejected | dns.log | additional.fields.key/value |
| total_answers | dns.log | additional.fields.key/value |
| total_replies | dns.log | additional.fields.key/value |
| saw_query | dns.log | additional.fields.key/value |
| saw_reply | dns.log | additional.fields.key/value |
| auth | dns.log | network.dns.authority.data |
| addl | dns.log | network.dns.additional.data |
| original_query | dns.log | additional.fields.key/value |
| ts | ftp.log | metadata.event_timestamp |
| uid | ftp.log | network.session_id |
| id.orig_h | ftp.log | principal.ip |
| id.orig_p | ftp.log | principal.port |
| id.resp_h | ftp.log | target.ip |
| id.resp_p | ftp.log | target.port |
| user | ftp.log | principal.user.userid |
| command | ftp.log | network.ftp.command |
| arg | ftp.log | additional.fields.key/value |
| mime_type | ftp.log | src.file.mime_type |
| file_size | ftp.log | src.file.size |
| reply_code | ftp.log | additional.fields.key/value |
| reply_msg | ftp.log | additional.fields.key/value |
| data_channel.passive | ftp.log | additional.fields.key/value |
| data_channel.orig_h | ftp.log | additional.fields.key/value |
| data_channel.resp_h | ftp.log | additional.fields.key/value |
| data_channel.resp_p | ftp.log | additional.fields.key/value |
| cwd | ftp.log | src.file.full_path |
| cmdarg.ts | ftp.log | additional.fields.key/value |
| cmdarg.cmd | ftp.log | additional.fields.key/value |
| cmdarg.arg | ftp.log | additional.fields.key/value |
| cmdarg.seq | ftp.log | additional.fields.key/value |
| pending_commands | ftp.log | additional.fields.key/value |
| passive | ftp.log | additional.fields.key/value |
| capture_password | ftp.log | additional.fields.key/value |
| fuid | ftp.log | additional.fields.key/value |
| last_auth_requested | ftp.log | additional.fields.key/value |
| ts | http.log | metadata.event_timestamp |
| uid | http.log | network.session_id |
| id.orig_h | http.log | principal.ip |
| id.orig_p | http.log | principal.port |
| id.resp_h | http.log | target.ip |
| id.resp_p | http.log | target.port |
| trans_depth | http.log | additional.fields.key/value |
| method | http.log | network.http.method |
| host | http.log | target.hostname |
| uri | http.log | target.url is set to "%{host}%{uri}" |
| referrer | http.log | network.http.referral_url |
| version | http.log | additional.fields.key/value |
| user_agent | http.log | network.http.user_agent |
| origin | http.log | additional.fields.key/value |
| request_body_len | http.log | additional.fields.key/value |
| response_body_len | http.log | additional.fields.key/value |
| status_code | http.log | network.http.response_code |
| status_msg | http.log | additional.fields.key/value |
| info_code | http.log | additional.fields.key/value |
| info_msg | http.log | additional.fields.key/value |
| tags | http.log | additional.fields.key/value |
| username | http.log | principal.user.userid |
| capture_password | http.log | additional.fields.key/value |
| proxied | http.log | additional.fields.key/value |
| range_request | http.log | additional.fields.key/value |
| orig_fuids | http.log | additional.fields.key/value |
| orig_filenames | http.log | additional.fields.key/value |
| orig_mime_types | http.log | additional.fields.key/value |
| resp_fuids | http.log | additional.fields.key/value |
| resp_filenames | http.log | additional.fields.key/value |
| resp_mime_types | http.log | additional.fields.key/value |
| current_entity | http.log | additional.fields.key/value |
| orig_mime_depth | http.log | additional.fields.key/value |
| resp_mime_depth | http.log | additional.fields.key/value |
| client_header_names | http.log | additional.fields.key/value |
| server_header_names | http.log | additional.fields.key/value |
| omniture | http.log | additional.fields.key/value |
| flash_version | http.log | additional.fields.key/value |
| cookie_vars | http.log | additional.fields.key/value |
| uri_vars | http.log | additional.fields.key/value |
| ts | irc.log | metadata.event_timestamp |
| uid | irc.log | network.session_id |
| id.orig_h | irc.log | principal.ip |
| id.orig_p | irc.log | principal.port |
| id.resp_h | irc.log | target.ip |
| id.resp_p | irc.log | target.port |
| nick | irc.log | additional.fields.key/value |
| user | irc.log | principal.user.userid |
| command | irc.log | principal.process.command_line |
| value | irc.log | additional.fields.key/value |
| addl | irc.log | additional.fields.key/value |
| dcc_file_name | irc.log | additional.fields.key/value |
| dcc_file_size | irc.log | src.file.size |
| dcc_mime_type | irc.log | src.file.mime_type |
| fuid | irc.log | additional.fields.key/value |
| ts | kerberos.log | metadata.event_timestamp |
| uid | kerberos.log | network.session_id |
| id.orig_h | kerberos.log | principal.ip |
| id.orig_p | kerberos.log | principal.port |
| id.resp_h | kerberos.log | target.ip |
| id.resp_p | kerberos.log | target.port |
| request_type | kerberos.log | additional.fields.key/value |
| client | kerberos.log | additional.fields.key/value |
| service | kerberos.log | additional.fields.key/value |
| success | kerberos.log | additional.fields.key/value |
| error_code | kerberos.log | additional.fields.key/value |
| error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
| from | kerberos.log | additional.fields.key/value |
| till | kerberos.log | additional.fields.key/value |
| cipher | kerberos.log | network.tls.cipher |
| forwardable | kerberos.log | additional.fields.key/value |
| renewable | kerberos.log | additional.fields.key/value |
| logged | kerberos.log | additional.fields.key/value |
| client_cert.ts | kerberos.log | additional.fields.key/value |
| client_cert.fuid | kerberos.log | additional.fields.key/value |
| client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| client_cert.conn_uids | kerberos.log | additional.fields.key/value |
| client_cert.source | kerberos.log | additional.fields.key/value |
| client_cert.depth | kerberos.log | additional.fields.key/value |
| client_cert.analyzers | kerberos.log | additional.fields.key/value |
| client_cert.mime_type | kerberos.log | additional.fields.key/value |
| client_cert.filename | kerberos.log | additional.fields.key/value |
| client_cert.duration | kerberos.log | additional.fields.key/value |
| client_cert.local_orig | kerberos.log | additional.fields.key/value |
| client_cert.is_orig | kerberos.log | additional.fields.key/value |
| client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| client_cert.total_bytes | kerberos.log | additional.fields.key/value |
| client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| client_cert.timedout | kerberos.log | additional.fields.key/value |
| client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
| client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
| client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
| client_cert.x509.ts | kerberos.log | additional.fields.key/value |
| client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
| client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
| client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
| client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| client_cert.x509.handle | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| client_cert.x509.cert | kerberos.log | additional.fields.key/value |
| client_cert.extracted | kerberos.log | additional.fields.key/value |
| client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| client_cert.extracted_size | kerberos.log | additional.fields.key/value |
| client_cert.entropy | kerberos.log | additional.fields.key/value |
| client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
| client_cert_fuid | kerberos.log | additional.fields.key/value |
| server_cert.ts | kerberos.log | additional.fields.key/value |
| server_cert.fuid | kerberos.log | additional.fields.key/value |
| server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
| server_cert.conn_uids | kerberos.log | additional.fields.key/value |
| server_cert.source | kerberos.log | additional.fields.key/value |
| server_cert.depth | kerberos.log | additional.fields.key/value |
| server_cert.analyzers | kerberos.log | additional.fields.key/value |
| server_cert.mime_type | kerberos.log | additional.fields.key/value |
| server_cert.filename | kerberos.log | additional.fields.key/value |
| server_cert.duration | kerberos.log | additional.fields.key/value |
| server_cert.local_orig | kerberos.log | additional.fields.key/value |
| server_cert.is_orig | kerberos.log | additional.fields.key/value |
| server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
| server_cert.total_bytes | kerberos.log | additional.fields.key/value |
| server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
| server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
| server_cert.timedout | kerberos.log | additional.fields.key/value |
| server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
| server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
| server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
| server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
| server_cert.x509.ts | kerberos.log | additional.fields.key/value |
| server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
| server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
| server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
| server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
| server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
| server_cert.x509.handle | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
| server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
| server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
| server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
| server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
| server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
| server_cert.x509.cert | kerberos.log | additional.fields.key/value |
| server_cert.extracted | kerberos.log | additional.fields.key/value |
| server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
| server_cert.extracted_size | kerberos.log | additional.fields.key/value |
| server_cert.entropy | kerberos.log | additional.fields.key/value |
| server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
| server_cert_fuid | kerberos.log | additional.fields.key/value |
| auth_ticket | kerberos.log | additional.fields.key/value |
| new_ticket | kerberos.log | additional.fields.key/value |
| ts | modbus.log | metadata.event_timestamp |
| uid | modbus.log | network.session_id |
| id.orig_h | modbus.log | principal.ip |
| id.orig_p | modbus.log | principal.port |
| id.resp_h | modbus.log | target.ip |
| id.resp_p | modbus.log | target.port |
| func | modbus.log | additional.fields.key/value |
| exception | modbus.log | additional.fields.key/value |
| track_address | modbus.log | additional.fields.key/value |
| ts | modbus_register_change.log | metadata.event_timestamp |
| uid | modbus_register_change.log | network.session_id |
| id.orig_h | modbus_register_change.log | principal.ip |
| id.orig_p | modbus_register_change.log | principal.port |
| id.resp_h | modbus_register_change.log | target.ip |
| id.resp_p | modbus_register_change.log | target.port |
| register | modbus_register_change.log | additional.fields.key/value |
| old_val | modbus_register_change.log | additional.fields.key/value |
| new_val | modbus_register_change.log | additional.fields.key/value |
| delta | modbus_register_change.log | additional.fields.key/value |
| ts | mysql.log | metadata.event_timestamp |
| uid | mysql.log | network.session_id |
| id.orig_h | mysql.log | principal.ip |
| id.orig_p | mysql.log | principal.port |
| id.resp_h | mysql.log | target.ip |
| id.resp_p | mysql.log | target.port |
| cmd | mysql.log | metadata.description |
| arg | mysql.log | principal.process.command_line |
| success | mysql.log |
If the value of success is "T" or "true," security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed." If the value of success is not "T" or "true," security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed." |
| rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
| response | mysql.log | additional.fields.key/value |
| ts | ntlm.log | metadata.event_timestamp |
| uid | ntlm.log | network.session_id |
| id.orig_h | ntlm.log | principal.ip |
| id.orig_p | ntlm.log | principal.port |
| id.resp_h | ntlm.log | target.ip |
| id.resp_p | ntlm.log | target.port |
| username | ntlm.log | principal.user.userid |
| hostname | ntlm.log | principal.hostname |
| domainname | ntlm.log | principal.administrative_domain |
| server_nb_computer_name | ntlm.log | additional.fields.key/value |
| server_dns_computer_name | ntlm.log | target.hostname |
| server_tree_name | ntlm.log | additional.fields.key/value |
| success | ntlm.log |
If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
| done | ntlm.log | additional.fields.key/value |
| ts | ntp.log | metadata.event_timestamp |
| uid | ntp.log | network.session_id |
| id.orig_h | ntp.log | principal.ip |
| id.orig_p | ntp.log | principal.port |
| id.resp_h | ntp.log | target.ip |
| id.resp_p | ntp.log | target.port |
| version | ntp.log | additional.fields.key/value |
| mode | ntp.log | additional.fields.key/value |
| stratum | ntp.log | additional.fields.key/value |
| poll | ntp.log | additional.fields.key/value |
| precision | ntp.log | additional.fields.key/value |
| root_delay | ntp.log | additional.fields.key/value |
| root_disp | ntp.log | additional.fields.key/value |
| ref_id | ntp.log | additional.fields.key/value |
| ref_time | ntp.log | additional.fields.key/value |
| org_time | ntp.log | additional.fields.key/value |
| rec_time | ntp.log | additional.fields.key/value |
| xmt_time | ntp.log | additional.fields.key/value |
| num_exts | ntp.log | additional.fields.key/value |
| ts | radius.log | metadata.event_timestamp |
| uid | radius.log | network.session_id |
| id.orig_h | radius.log | principal.ip |
| id.orig_p | radius.log | principal.port |
| id.resp_h | radius.log | target.ip |
| id.resp_p | radius.log | target.port |
| username | radius.log | principal.user.userid |
| mac | radius.log | principal.mac |
| framed_addr | radius.log | additional.fields.key/value |
| tunnel_client | radius.log | additional.fields.key/value |
| connect_info | radius.log | additional.fields.key/value |
| reply_msg | radius.log | additional.fields.key/value |
| result | radius.log | If the log type is "radius.log", the following fields are set:
If the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful". If the value of "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
| ttl | radius.log | additional.fields.key/value |
| logged | radius.log | additional.fields.key/value |
| ts | rdp.log | metadata.event_timestamp |
| uid | rdp.log | network.session_id |
| id.orig_h | rdp.log | principal.ip |
| id.orig_p | rdp.log | principal.port |
| id.resp_h | rdp.log | target.ip |
| id.resp_p | rdp.log | target.port |
| cookie | rdp.log | principal.user.userid |
| result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
| client_channels | rdp.log | additional.fields.key/value |
| keyboard_layout | rdp.log | additional.fields.key/value |
| client_build | rdp.log | principal.asset.platform_software.platform_version |
| client_name | rdp.log | additional.fields.key/value |
| client_dig_product_id | rdp.log | principal.asset.asset_id |
| desktop_width | rdp.log | additional.fields.key/value |
| desktop_height | rdp.log | additional.fields.key/value |
| requested_color_depth | rdp.log | additional.fields.key/value |
| cert_type | rdp.log | additional.fields.key/value |
| cert_count | rdp.log | additional.fields.key/value |
| cert_permanent | rdp.log | additional.fields.key/value |
| encryption_level | rdp.log | additional.fields.key/value |
| encryption_method | rdp.log | additional.fields.key/value |
| analyzer_id | rdp.log | additional.fields.key/value |
| done | rdp.log | additional.fields.key/value |
| ssl | rdp.log | additional.fields.key/value |
| ts | rfb.log | metadata.event_timestamp |
| uid | rfb.log | network.session_id |
| id.orig_h | rfb.log | principal.ip |
| id.orig_p | rfb.log | principal.port |
| id.resp_h | rfb.log | target.ip |
| id.resp_p | rfb.log | target.port |
| client_major_version | rfb.log | additional.fields.key/value |
| client_minor_version | rfb.log | additional.fields.key/value |
| server_major_version | rfb.log | additional.fields.key/value |
| server_minor_version | rfb.log | additional.fields.key/value |
| authentication_method | rfb.log | additional.fields.key/value |
| auth | rfb.log | additional.fields.key/value |
| share_flag | rfb.log | additional.fields.key/value |
| desktop_name | rfb.log | target.asset.hostname |
| width | rfb.log | additional.fields.key/value |
| height | rfb.log | additional.fields.key/value |
| done | rfb.log | additional.fields.key/value |
| ts | sip.log | metadata.event_timestamp |
| uid | sip.log | network.session_id
Also, network.application_protocol is set to "SIP". |
| id.orig_h | sip.log | principal.ip |
| id.orig_p | sip.log | principal.port |
| id.resp_h | sip.log | target.ip |
| id.resp_p | sip.log | target.port |
| trans_depth | sip.log | additional.fields.key/value |
| method | sip.log | metadata.description |
| uri | sip.log | about.url |
| date | sip.log | additional.fields.key/value |
| request_from | sip.log | principal.user.userid and principal.user.user_display_name |
| request_to | sip.log | target.user.userid and target.user.user_display_name |
| response_from | sip.log | additional.fields.key/value |
| response_to | sip.log | additional.fields.key/value |
| reply_to | sip.log | additional.fields.key/value |
| call_id | sip.log | network.session_id |
| seq | sip.log | additional.fields.key/value |
| subject | sip.log | additional.fields.key/value |
| request_path | sip.log | additional.fields.key/value |
| response_path | sip.log | additional.fields.key/value |
| user_agent | sip.log | additional.fields.key/value |
| status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
| status_msg | sip.log | security_result.description |
| warning | sip.log | additional.fields.key/value |
| request_body_len | sip.log | network.sent_bytes |
| response_body_len | sip.log | network.received_bytes |
| content_type | sip.log | additional.fields.key/value |
| ts | smb_cmd.log | metadata.event_timestamp |
| uid | smb_cmd.log | network.session_id |
| id.orig_h | smb_cmd.log | principal.ip |
| id.orig_p | smb_cmd.log | principal.port |
| id.resp_h | smb_cmd.log | target.ip |
| id.resp_p | smb_cmd.log | target.port |
| command | smb_cmd.log | principal.process.command_line |
| sub_command | smb_cmd.log | additional.fields.key/value |
| argument | smb_cmd.log | additional.fields.key/value |
| status | smb_cmd.log | additional.fields.key/value |
| rtt | smb_cmd.log | additional.fields.key/value |
| version | smb_cmd.log | metadata.product_version |
| username | smb_cmd.log | principal.user.userid |
| tree | smb_cmd.log | additional.fields.key/value |
| tree_service | smb_cmd.log | additional.fields.key/value |
| smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
| smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
| ts | smb_files.log | metadata.event_timestamp |
| uid | smb_files.log | network.session_id |
| id.orig_h | smb_files.log | principal.ip |
| id.orig_p | smb_files.log | principal.port |
| id.resp_h | smb_files.log | target.ip |
| id.resp_p | smb_files.log | target.port |
| fuid | smb_files.log | additional.fields.key/value |
| action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
| path | smb_files.log | target.file.full_path |
| name | smb_files.log | additional.fields.key/value |
| size | smb_files.log | target.file.size |
| prev_name | smb_files.log | additional.fields.key/value |
| times.modified | smb_files.log | additional.fields.key/value |
| times.modified_raw | smb_files.log | additional.fields.key/value |
| times.accessed | smb_files.log | additional.fields.key/value |
| times.accessed_raw | smb_files.log | additional.fields.key/value |
| times.created | smb_files.log | additional.fields.key/value |
| times.created_raw | smb_files.log | additional.fields.key/value |
| times.changed | smb_files.log | additional.fields.key/value |
| times.changed_raw | smb_files.log | additional.fields.key/value |
| fid | smb_files.log | additional.fields.key/value |
| uuid | smb_files.log | additional.fields.key/value |
| ts | smb_mapping.log | metadata.event_timestamp |
| uid | smb_mapping.log | network.session_id |
| id.orig_h | smb_mapping.log | principal.ip |
| id.orig_p | smb_mapping.log | principal.port |
| id.resp_h | smb_mapping.log | target.ip |
| id.resp_p | smb_mapping.log | target.port |
| path | smb_mapping.log | target.file.full_path |
| service | smb_mapping.log | target.application |
| native_file_system | smb_mapping.log | additional.fields.key/value |
| share_type | smb_mapping.log | target.resource.resource_type |
| ts | smtp.log | metadata.event_timestamp |
| uid | smtp.log | network.session_id |
| id.orig_h | smtp.log | principal.ip |
| id.orig_p | smtp.log | principal.port |
| id.resp_h | smtp.log | target.ip |
| id.resp_p | smtp.log | target.port |
| trans_depth | smtp.log | additional.fields.key/value |
| helo | smtp.log | additional.fields.key/value |
| mailfrom | smtp.log | additional.fields.key/value |
| rcptto | smtp.log | additional.fields.key/value |
| date | smtp.log | additional.fields.key/value |
| from | smtp.log | network.email.from |
| to | smtp.log | email.to |
| cc | smtp.log | network.email.cc |
| reply_to | smtp.log | email.reply_to |
| msg_id | smtp.log | email.mail_id |
| in_reply_to | smtp.log | additional.fields.key/value |
| subject | smtp.log | email.subject |
| x_originating_ip | smtp.log | additional.fields.key/value |
| first_received | smtp.log | additional.fields.key/value |
| second_received | smtp.log | additional.fields.key/value |
| last_reply | smtp.log | additional.fields.key/value |
| path | smtp.log | additional.fields.key/value |
| user_agent | smtp.log | additional.fields.key/value |
| tls | smtp.log | network.tls.established |
| process_received_from | smtp.log | additional.fields.key/value |
| has_client_activity | smtp.log | additional.fields.key/value |
| process_smtp_headers | smtp.log | additional.fields.key/value |
| entity.filename | smtp.log | additional.fields.key/value |
| entity.excerpt | smtp.log | additional.fields.key/value |
| fuids | smtp.log | additional.fields.key/value |
| is_webmail | smtp.log | additional.fields.key/value |
| ts | snmp.log | metadata.event_timestamp |
| uid | snmp.log | network.session_id |
| id.orig_h | snmp.log | principal.ip |
| id.orig_p | snmp.log | principal.port |
| id.resp_h | snmp.log | target.ip |
| id.resp_p | snmp.log | target.port |
| duration | snmp.log | network.session_duration |
| version | snmp.log | metadata.product_version |
| community | snmp.log | network.community_id |
| get_requests | snmp.log | additional.fields.key/value |
| get_bulk_requests | snmp.log | additional.fields.key/value |
| get_responses | snmp.log | additional.fields.key/value |
| set_requests | snmp.log | additional.fields.key/value |
| display_string | snmp.log | metadata.description |
| up_since | snmp.log | additional.fields.key/value |
| ts | socks.log | metadata.event_timestamp |
| uid | socks.log | network.session_id |
| id.orig_h | socks.log | principal.ip |
| id.orig_p | socks.log | principal.port |
| id.resp_h | socks.log | target.ip |
| id.resp_p | socks.log | target.port |
| version | socks.log | additional.fields.key/value |
| user | socks.log | principal.user.userid |
| status | socks.log | additional.fields.key/value |
| request.host | socks.log | principal.hostname |
| request.name | socks.log | additional.fields.key/value |
| request_p | socks.log | additional.fields.key/value |
| bound.host | socks.log | additional.fields.key/value |
| bound.name | socks.log | additional.fields.key/value |
| bound_p | socks.log | additional.fields.key/value |
| capture_password | socks.log | additional.fields.key/value |
| ts | ssh.log | metadata.event_timestamp |
| uid | ssh.log | network.session_id |
| id.orig_h | ssh.log | principal.ip |
| id.orig_p | ssh.log | principal.port |
| id.resp_h | ssh.log | target.ip |
| id.resp_p | ssh.log | target.port |
| version | ssh.log | metadata.product_version |
| auth_success | ssh.log | additional.fields.key/value |
| auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
| direction | ssh.log | network.direction |
| client | ssh.log | principal.platform_version |
| server | ssh.log | target.platform_version |
| cipher_alg | ssh.log | additional.fields.key/value |
| mac_alg | ssh.log | additional.fields.key/value |
| compression_alg | ssh.log | additional.fields.key/value |
| kex_alg | ssh.log | additional.fields.key/value |
| host_key_alg | ssh.log | additional.fields.key/value |
| host_key | ssh.log | additional.fields.key/value |
| logged | ssh.log | additional.fields.key/value |
| capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
| capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
| capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
| capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
| capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
| capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
| capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
| capabilities.is_server | ssh.log | additional.fields.key/value |
| analyzer_id | ssh.log | additional.fields.key/value |
| remote_location.country_code | ssh.log | additional.fields.key/value |
| remote_location.region | ssh.log | target.asset.location.country_or_region |
| remote_location.city | ssh.log | target.asset.location.city |
| remote_location.latitude | ssh.log | additional.fields.key/value |
| remote_location.longitude | ssh.log | additional.fields.key/value |
| ts | ssl.log | metadata.event_timestamp |
| uid | ssl.log | metadata.product_log_id |
| id.orig_h | ssl.log | principal.ip |
| id.orig_p | ssl.log | principal.port |
| id.resp_h | ssl.log | target.ip |
| id.resp_p | ssl.log | target.port |
| version_num | ssl.log | additional.fields.key/value |
| version | ssl.log | network.tls.version |
| cipher | ssl.log | network.tls.cipher |
| curve | ssl.log | network.tls.curve |
| server_name | ssl.log | network.tls.client.server_name |
| session_id | ssl.log | network.session_id |
| resumed | ssl.log | network.tls.resumed |
| client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
| client_key_exchange_seen | ssl.log | additional.fields.key/value |
| client_psk_seen | ssl.log | additional.fields.key/value |
| last_alert | ssl.log | additional.fields.key/value |
| next_protocol | ssl.log | network.tls.next_protocol |
| analyzer_id | ssl.log | additional.fields.key/value |
| established | ssl.log | network.tls.established |
| logged | ssl.log | additional.fields.key/value |
| ssl_history | ssl.log | additional.fields.key/value |
| cert_chain_fps | ssl.log | additional.fields.key/value |
| client_cert_chain_fps | ssl.log | additional.fields.key/value |
| subject | ssl.log | network.tls.server.certificate.subject |
| issuer | ssl.log | network.tls.server.certificate.issuer |
| client_subject | ssl.log | network.tls.client.certificate.subject |
| client_issuer | ssl.log | network.tls.client.certificate.issuer |
| sni_matches_cert | ssl.log | additional.fields.key/value |
| server_depth | ssl.log | additional.fields.key/value |
| client_depth | ssl.log | additional.fields.key/value |
| always_raise_x509_events | ssl.log | additional.fields.key/value |
| last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
| last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
| originator_heartbeats | ssl.log | additional.fields.key/value |
| responder_heartbeats | ssl.log | additional.fields.key/value |
| heartbleed_detected | ssl.log | additional.fields.key/value |
| enc_appdata_packages | ssl.log | additional.fields.key/value |
| enc_appdata_bytes | ssl.log | additional.fields.key/value |
| server_version | ssl.log | additional.fields.key/value |
| client_version | ssl.log | additional.fields.key/value |
| client_ciphers | ssl.log | network.tls.client.supported_ciphers |
| ssl_client_exts | ssl.log | additional.fields.key/value |
| ssl_server_exts | ssl.log | additional.fields.key/value |
| ticket_lifetime_hint | ssl.log | additional.fields.key/value |
| dh_param_size | ssl.log | additional.fields.key/value |
| point_formats | ssl.log | additional.fields.key/value |
| client_curves | ssl.log | additional.fields.key/value |
| orig_alpn | ssl.log | additional.fields.key/value |
| client_supported_versions | ssl.log | additional.fields.key/value |
| server_supported_version | ssl.log | additional.fields.key/value |
| psk_key_exchange_modes | ssl.log | additional.fields.key/value |
| client_key_share_groups | ssl.log | additional.fields.key/value |
| server_key_share_group | ssl.log | additional.fields.key/value |
| client_comp_methods | ssl.log | additional.fields.key/value |
| comp_method | ssl.log | additional.fields.key/value |
| sigalgs | ssl.log | additional.fields.key/value |
| hashalgs | ssl.log | additional.fields.key/value |
| validation_status | ssl.log | additional.fields.key/value |
| validation_code | ssl.log | additional.fields.key/value |
| valid_chain | ssl.log | additional.fields.key/value |
| ocsp_status | ssl.log | additional.fields.key/value |
| ocsp_response | ssl.log | additional.fields.key/value |
| valid_scts | ssl.log | additional.fields.key/value |
| invalid_scts | ssl.log | additional.fields.key/value |
| valid_ct_logs | ssl.log | additional.fields.key/value |
| valid_ct_operators | ssl.log | additional.fields.key/value |
| valid_ct_operators_list | ssl.log | additional.fields.key/value |
| ct_proofs | ssl.log | additional.fields.key/value |
| notary.first_seen | ssl.log | additional.fields.key/value |
| notary.last_seen | ssl.log | additional.fields.key/value |
| notary.times_seen | ssl.log | additional.fields.key/value |
| notary.valid | ssl.log | additional.fields.key/value |
| ts | syslog.log | metadata.event_timestamp |
| uid | syslog.log | network.session_id |
| id.orig_h | syslog.log | principal.ip |
| id.orig_p | syslog.log | principal.port |
| id.resp_h | syslog.log | target.ip |
| id.resp_p | syslog.log | target.port |
| proto | syslog.log | network.ip_protocol |
| facility | syslog.log | additional.fields.key/value |
| severity | syslog.log | security_result.severity_details |
| message | syslog.log | metadata.description |
| ts | tunnel.log | metadata.event_timestamp |
| uid | tunnel.log | network.session_id |
| id.orig_h | tunnel.log | principal.ip |
| id.orig_p | tunnel.log | principal.port |
| id.resp_h | tunnel.log | target.ip |
| id.resp_p | tunnel.log | target.port |
| tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
| action | tunnel.log | security_result.description is set to "action %{action} on tunnel type {tunnel_type}". |
Archivos
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de archivos y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | files.log | metadata.event_timestamp |
| fuid | files.log | metadata.product_log_id |
| tx_hosts | files.log | principal.ip |
| rx_hosts | files.log | target.ip |
| conn_uids | files.log | additional.fields.key/value |
| source | files.log | network.application_protocol
target.file.full_path |
| depth | files.log | additional.fields.key/value |
| analyzers | files.log | additional.fields.key/value |
| mime_type | files.log | target.file.mime_type |
| filename | files.log | target.file.full_path |
| duration | files.log | additional.fields.key/value |
| local_orig | files.log | additional.fields.key/value |
| is_orig | files.log | additional.fields.key/value |
| seen_bytes | files.log | target.file.size |
| total_bytes | files.log | additional.fields.key/value |
| missing_bytes | files.log | additional.fields.key/value |
| overflow_bytes | files.log | additional.fields.key/value |
| timedout | files.log | additional.fields.key/value |
| parent_fuid | files.log | additional.fields.key/value |
| md5 | files.log | target.file.md5 |
| sha1 | files.log | target.file.sha1 |
| sha256 | files.log | target.file.sha256 |
| md5 | files.log | network.tls.client.certificate.md5 |
| sha1 | files.log | network.tls.client.certificate.sha1 |
| sha256 | files.log | network.tls.client.certificate.sha256 |
| md5 | files.log | network.tls.server.certificate.md5 |
| sha1 | files.log | network.tls.server.certificate.sha1 |
| sha256 | files.log | network.tls.server.certificate.sha256 |
| x509 | files.log | additional.fields.key/value
This field is a nested field. |
| extracted | files.log | additional.fields.key/value |
| extracted_cutoff | files.log | additional.fields.key/value |
| extracted_size | files.log | additional.fields.key/value |
| entropy | files.log | additional.fields.key/value |
| ts | ocsp.log | metadata.event_timestamp |
| id | ocsp.log | metadata.product_log_id |
| hashAlgorithm | ocsp.log | additional.fields.key/value |
| issuerNameHash | ocsp.log | additional.fields.key/value |
| issuerKeyHash | ocsp.log | additional.fields.key/value |
| serialNumber | ocsp.log | tls.server.certificate.serial |
| certStatus | ocsp.log | additional.fields.key/value |
| revoketime | ocsp.log | network.tls.server.certificate.not_after |
| revokereason | ocsp.log | security_result.summary |
| thisUpdate | ocsp.log | additional.fields.key/value |
| nextUpdate | ocsp.log | additional.fields.key/value |
| ts | pe.log | metadata.event_timestamp |
| id | pe.log | metadata.product_log_id |
| machine | pe.log | target.resource.resource_subtype |
| compile_ts | pe.log | additional.fields.key/value |
| os | pe.log | target.platform_version
target.resource.resource_type is set to "DEVICE". |
| subsystem | pe.log | target.application |
| is_exe | pe.log | additional.fields.key/value |
| is_64bit | pe.log | additional.fields.key/value |
| uses_aslr | pe.log | additional.fields.key/value |
| uses_dep | pe.log | additional.fields.key/value |
| uses_code_integrity | pe.log | additional.fields.key/value |
| uses_seh | pe.log | additional.fields.key/value |
| has_import_table | pe.log | additional.fields.key/value |
| has_export_table | pe.log | additional.fields.key/value |
| has_cert_table | pe.log | additional.fields.key/value |
| has_debug_data | pe.log | additional.fields.key/value |
| section_names | pe.log | additional.fields.key/value |
| ts | x509.log | metadata.event_timestamp
Also, target.application is set to "x509". |
| fingerprint | x509.log | additional.fields.key/value |
| certificate.version | x509.log | network.tls.server.certificate.version |
| certificate.serial | x509.log | network.tls.server.certificate.serial |
| certificate.subject | x509.log | network.tls.server.certificate.subject |
| certificate.issuer | x509.log | network.tls.server.certificate.issuer |
| certificate.cn | x509.log | target.hostname |
| certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
| certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
| certificate.key_alg | x509.log | additional.fields.key/value |
| certificate.sig_alg | x509.log | additional.fields.key/value |
| certificate.key_type | x509.log | additional.fields.key/value |
| certificate.key_length | x509.log | additional.fields.key/value |
| certificate.exponent | x509.log | additional.fields.key/value |
| certificate.curve | x509.log | network.tls.curve |
| handle | x509.log | additional.fields.key/value |
| extensions.name | x509.log | additional.fields.key/value |
| extensions.short_name | x509.log | additional.fields.key/value |
| extensions.oid | x509.log | additional.fields.key/value |
| extensions.critical | x509.log | additional.fields.key/value |
| extensions.value | x509.log | additional.fields.key/value |
| san.dns | x509.log | additional.fields.key/value |
| san.uri | x509.log | additional.fields.key/value |
| san.email | x509.log | additional.fields.key/value |
| san.ip | x509.log | additional.fields.key/value |
| san.other_fields | x509.log | additional.fields.key/value |
| basic_constraints.ca | x509.log | additional.fields.key/value |
| basic_constraints.path_len | x509.log | additional.fields.key/value |
| extensions_cache | x509.log | additional.fields.key/value |
| host_cert | x509.log | additional.fields.key/value |
| client_cert | x509.log | additional.fields.key/value |
| deduplication_index.fingerprint | x509.log | additional.fields.key/value |
| deduplication_index.host_cert | x509.log | additional.fields.key/value |
| deduplication_index.client_cert | x509.log | additional.fields.key/value |
| always_raise_x509_events | x509.log | additional.fields.key/value |
| cert | x509.log | additional.fields.key/value |
Netcontrol
En la siguiente tabla, se enumeran los campos de registro del tipo de registro netcontrol y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | netcontrol.log | metadata.event_timestamp |
| rule_id | netcontrol.log | security_result.rule_id |
| category | netcontrol.log | security_result.category_details |
| cmd | netcontrol.log | additional.fields.key/value |
| state | netcontrol.log | additional.fields.key/value |
| action | netcontrol.log | security_result.action_details |
| target | netcontrol.log | additional.fields.key/value |
| entity_type | netcontrol.log | additional.fields.key/value |
| entity | netcontrol.log | security_result.summary |
| mod | netcontrol.log | additional.fields.key/value |
| msg | netcontrol.log | security_result.description |
| priority | netcontrol.log | security_result.priority_details |
| expire | netcontrol.log | additional.fields.key/value |
| location | netcontrol.log | additional.fields.key/value |
| plugin | netcontrol.log | additional.fields.key/value |
| ts | netcontrol_drop.log | metadata.event_timestamp |
| rule_id | netcontrol_drop.log | security_result.rule_id |
| orig_h | netcontrol_drop.log | principal.ip |
| orig_p | netcontrol_drop.log | principal.port |
| resp_h | netcontrol_drop.log | target.ip |
| resp_p | netcontrol_drop.log | target.port |
| expire | netcontrol_drop.log | additional.fields.key/value |
| location | netcontrol_drop.log | additional.fields.key/value |
| ts | netcontrol_shunt.log | metadata.event_timestamp |
| rule_id | netcontrol_shunt.log | security_result.rule_id |
| f.src_h | netcontrol_shunt.log | principal.ip |
| f.src_p | netcontrol_shunt.log | principal.port |
| f.dst_h | netcontrol_shunt.log | target.ip |
| f.dst_p | netcontrol_shunt.log | target.port |
| expire | netcontrol_shunt.log | additional.fields.key/value |
| location | netcontrol_shunt.log | additional.fields.key/value |
| ts | netcontrol_catch_release.log | metadata.event_timestamp |
| rule_id | netcontrol_catch_release.log | security_result.rule_id |
| ip | netcontrol_catch_release.log | target.ip |
| action | netcontrol_catch_release.log | security_result.action_details |
| block_interval | netcontrol_catch_release.log | additional.fields.key/value |
| watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
| blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
| watched_until | netcontrol_catch_release.log | additional.fields.key/value |
| num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
| location | netcontrol_catch_release.log | additional.fields.key/value |
| message | netcontrol_catch_release.log | security_result.description |
| ts | openflow.log | metadata.event_timestamp |
| dpid | openflow.log | additional.fields.key/value |
| match.in_port | openflow.log | additional.fields.key/value |
| match.dl_src | openflow.log | additional.fields.key/value |
| match.dl_dst | openflow.log | additional.fields.key/value |
| match.dl_vlan | openflow.log | additional.fields.key/value |
| match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
| match.dl_type | openflow.log | additional.fields.key/value |
| match.nw_tos | openflow.log | additional.fields.key/value |
| match.nw_proto | openflow.log | additional.fields.key/value |
| match.nw_src | openflow.log | additional.fields.key/value |
| match.nw_dst | openflow.log | additional.fields.key/value |
| match.tp_src | openflow.log | additional.fields.key/value |
| match.tp_dst | openflow.log | additional.fields.key/value |
| flow_mod.cookie | openflow.log | additional.fields.key/value |
| flow_mod.table_id | openflow.log | additional.fields.key/value |
| flow_mod.command | openflow.log | additional.fields.key/value |
| flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
| flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
| flow_mod.priority | openflow.log | additional.fields.key/value |
| flow_mod.out_port | openflow.log | additional.fields.key/value |
| flow_mod.flags | openflow.log | additional.fields.key/value |
| flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
| flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
| flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Detección
En la siguiente tabla, se enumeran los campos de registro del tipo de registro de detección y sus campos de la UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | intel.log | metadata.event_timestamp |
| uid | intel.log | network.session_id |
| id.orig_h | intel.log | principal.ip |
| id.orig_p | intel.log | principal.port |
| id.resp_h | intel.log | target.ip |
| id.resp_p | intel.log | target.port |
| seen.indicator | intel.log | additional.fields.key/value |
| seen.indicator_type | intel.log | additional.fields.key/value |
| seen.host | intel.log | additional.fields.key/value |
| seen.where | intel.log | additional.fields.key/value |
| seen.node | intel.log | additional.fields.key/value |
| seen.conn.id.orig_h | intel.log | additional.fields.key/value |
| seen.conn.id.orig_p | intel.log | additional.fields.key/value |
| seen.conn.id.resp_h | intel.log | additional.fields.key/value |
| seen.conn.id.resp_p | intel.log | additional.fields.key/value |
| seen.conn.orig.size | intel.log | network.sent_bytes |
| seen.conn.orig.state | intel.log | additional.fields.key/value |
| seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
| seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.resp.size | intel.log | network.received_bytes |
| seen.conn.resp.state | intel.log | additional.fields.key/value |
| seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
| seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
| seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
| seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
| seen.conn.start_time | intel.log | additional.fields.key/value |
| seen.conn.duration | intel.log | network.session_duration |
| seen.conn.service | intel.log | additional.fields.key/value |
| seen.conn.history | intel.log | metadata.description |
| seen.conn.uid | intel.log | network.session_id |
| seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
| seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
| seen.conn.vlan | intel.log | additional.fields.key/value |
| seen.conn.inner_vlan | intel.log | additional.fields.key/value |
| seen.conn.dpd_state | intel.log | additional.fields.key/value |
| seen.conn.removal_hooks | intel.log | additional.fields.key/value |
| seen.conn.extract_orig | intel.log | additional.fields.key/value |
| seen.conn.extract_resp | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
| seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
| seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
| seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
| seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
| seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
| seen.conn.http_state.pending | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
| seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
| seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
| seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
| seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
| seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
| seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
| seen.conn.known_services_done | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
| seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
| seen.conn.speculative_service | intel.log | additional.fields.key/value |
| seen.uid | intel.log | additional.fields.key/value |
| seen.f.id | intel.log | additional.fields.key/value |
| seen.f.parent_id | intel.log | additional.fields.key/value |
| seen.f.source | intel.log | target.file.full_path |
| seen.f.is_orig | intel.log | additional.fields.key/value |
| seen.f.conns | intel.log | additional.fields.key/value |
| seen.f.last_active | intel.log | additional.fields.key/value |
| seen.f.seen_bytes | intel.log | additional.fields.key/value |
| seen.f.total_bytes | intel.log | additional.fields.key/value |
| seen.f.missing_bytes | intel.log | additional.fields.key/value |
| seen.f.overflow_bytes | intel.log | additional.fields.key/value |
| seen.f.timeout_interval | intel.log | additional.fields.key/value |
| seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
| seen.f.bof_buffer | intel.log | additional.fields.key/value |
| seen.f.u2_events | intel.log | additional.fields.key/value |
| seen.fuid | intel.log | additional.fields.key/value |
| matched | intel.log | additional.fields.key/value |
| sources | intel.log | additional.fields.key/value |
| fuid | intel.log | additional.fields.key/value |
| file_mime_type | intel.log | target.file.mime_type |
| file_desc | intel.log | additional.fields.key/value |
| cif.tags | intel.log | additional.fields.key/value |
| cif.confidence | intel.log | additional.fields.key/value |
| cif.source | intel.log | additional.fields.key/value |
| cif.description | intel.log | additional.fields.key/value |
| cif.firstseen | intel.log | additional.fields.key/value |
| cif.lastseen | intel.log | additional.fields.key/value |
| ts | notice.log | metadata.event_timestamp |
| uid | notice.log | network.session_id |
| id.orig_h | notice.log | principal.ip |
| id.orig_p | notice.log | principal.port |
| id.resp_h | notice.log | target.ip |
| id.resp_p | notice.log | target.port |
| conn.id.orig_h | notice.log | additional.fields.key/value |
| conn.id.orig_p | notice.log | additional.fields.key/value |
| conn.id.resp_h | notice.log | additional.fields.key/value |
| conn.id.resp_p | notice.log | additional.fields.key/value |
| conn.orig.size | notice.log | network.sent_bytes |
| conn.orig.state | notice.log | additional.fields.key/value |
| conn.orig.num_pkts | notice.log | additional.fields.key/value |
| conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.orig.flow_label | notice.log | additional.fields.key/value |
| conn.orig.l2_addr | notice.log | additional.fields.key/value |
| conn.resp.size | notice.log | network.received_bytes |
| conn.resp.state | notice.log | additional.fields.key/value |
| conn.resp.num_pkts | notice.log | additional.fields.key/value |
| conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
| conn.resp.flow_label | notice.log | additional.fields.key/value |
| conn.resp.l2_addr | notice.log | additional.fields.key/value |
| conn.start_time | notice.log | additional.fields.key/value |
| conn.duration | notice.log | network.session_duration |
| conn.service | notice.log | additional.fields.key/value |
| conn.history | notice.log | metadata.description |
| conn.uid | notice.log | network.session_id |
| conn.tunnel.queued | notice.log | additional.fields.key/value |
| conn.tunnel.dispatched | notice.log | additional.fields.key/value |
| conn.vlan | notice.log | additional.fields.key/value |
| conn.inner_vlan | notice.log | additional.fields.key/value |
| conn.dpd_state.violations | notice.log | additional.fields.key/value |
| conn.removal_hooks | notice.log | additional.fields.key/value |
| conn.extract_orig | notice.log | additional.fields.key/value |
| conn.extract_resp | notice.log | additional.fields.key/value |
| conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
| conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
| conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
| conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
| conn.thresholds.duration | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
| conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
| conn.dce_rpc_backing | notice.log | additional.fields.key/value |
| conn.dns_state.pending_query | notice.log | additional.fields.key/value |
| conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
| conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
| conn.ftp_data_reuse | notice.log | additional.fields.key/value |
| conn.http_state.pending | notice.log | additional.fields.key/value |
| conn.http_state.current_request | notice.log | additional.fields.key/value |
| conn.http_state.current_response | notice.log | additional.fields.key/value |
| conn.http_state.trans_depth | notice.log | additional.fields.key/value |
| conn.sip_state.pending | notice.log | additional.fields.key/value |
| conn.sip_state.current_request | notice.log | additional.fields.key/value |
| conn.sip_state.current_response | notice.log | additional.fields.key/value |
| conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
| conn.smb_state.fid_map | notice.log | additional.fields.key/value |
| conn.smb_state.tid_map | notice.log | additional.fields.key/value |
| conn.smb_state.uid_map | notice.log | additional.fields.key/value |
| conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
| conn.smb_state.recent_files | notice.log | additional.fields.key/value |
| conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
| conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
| conn.known_services_done | notice.log | additional.fields.key/value |
| mqtt.ts | notice.log | additional.fields.key/value |
| mqtt.uid | notice.log | additional.fields.key/value |
| mqtt.id | notice.log | additional.fields.key/value |
| mqtt.proto_name | notice.log | additional.fields.key/value |
| mqtt.proto_version | notice.log | additional.fields.key/value |
| mqtt.client_id | notice.log | additional.fields.key/value |
| mqtt.connect_status | notice.log | additional.fields.key/value |
| mqtt.will_topic | notice.log | additional.fields.key/value |
| mqtt.will_payload | notice.log | additional.fields.key/value |
| conn.mqtt_state.publish | notice.log | additional.fields.key/value |
| conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
| conn.speculative_service | notice.log | additional.fields.key/value |
| iconn.orig_h | notice.log | additional.fields.key/value |
| iconn.resp_h | notice.log | additional.fields.key/value |
| iconn.itype | notice.log | additional.fields.key/value |
| iconn.icode | notice.log | additional.fields.key/value |
| iconn.len | notice.log | additional.fields.key/value |
| iconn.hlim | notice.log | additional.fields.key/value |
| iconn.v6 | notice.log | additional.fields.key/value |
| f.id | notice.log | additional.fields.key/value |
| f.parent_id | notice.log | additional.fields.key/value |
| f.source | notice.log | target.file.full_path |
| f.is_orig | notice.log | additional.fields.key/value |
| f.conns | notice.log | additional.fields.key/value |
| f.last_active | notice.log | additional.fields.key/value |
| f.seen_bytes | notice.log | additional.fields.key/value |
| f.total_bytes | notice.log | additional.fields.key/value |
| f.missing_bytes | notice.log | additional.fields.key/value |
| f.overflow_bytes | notice.log | additional.fields.key/value |
| f.timeout_interval | notice.log | additional.fields.key/value |
| f.bof_buffer_size | notice.log | additional.fields.key/value |
| f.bof_buffer | notice.log | additional.fields.key/value |
| f.u2_events | notice.log | additional.fields.key/value |
| fuid | notice.log | additional.fields.key/value |
| file_mime_type | notice.log | target.file.mime_type |
| file_desc | notice.log | additional.fields.key/value |
| proto | notice.log | network.ip_protocol |
| note | notice.log | security_result.description |
| msg | notice.log | security_result.summary |
| sub | notice.log | additional.fields.key/value |
| src | notice.log | principal.ip |
| dst | notice.log | target.ip |
| p | notice.log | target.port |
| n | notice.log | additional.fields.key/value |
| peer_name | notice.log | additional.fields.key/value |
| peer_descr | notice.log | additional.fields.key/value |
| actions | notice.log | security_result.action_details |
| email_dest | notice.log | network.email.to (repeated) |
| email_body_sections | notice.log | network.email.subject (repeated) |
| email_delay_tokens | notice.log | additional.fields.key/value |
| identifier | notice.log | additional.fields.key/value |
| suppress_for | notice.log | additional.fields.key/value |
| remote_location.country_code | notice.log | additional.fields.key/value |
| remote_location.region | notice.log | principal.asset.location.country_or_region |
| remote_location.city | notice.log | principal.asset.location.city |
| remote_location.latitude | notice.log | additional.fields.key/value |
| remote_location.longitude | notice.log | additional.fields.key/value |
| dropped | notice.log | security_result.action_details |
| ts | signatures.log | metadata.event_timestamp |
| uid | signatures.log | network.session_id |
| src_addr | signatures.log | principal.ip |
| src_port | signatures.log | principal.port |
| dst_addr | signatures.log | target.ip |
| dst_port | signatures.log | target.port |
| note | signatures.log | security_result.summary |
| sig_id | signatures.log | additional.fields.key/value |
| event_msg | signatures.log | metadata.description |
| sub_msg | signatures.log | additional.fields.key/value |
| sig_count | signatures.log | additional.fields.key/value |
| host_count | signatures.log | additional.fields.key/value |
| ts | traceroute.log | metadata.event_timestamp |
| src | traceroute.log | principal.ip |
| dst | traceroute.log | target.ip |
| proto | traceroute.log | network.ip_protocol |
Observaciones de red
En la siguiente tabla, se muestran los campos de registro del tipo de registro de observaciones de red y sus campos de UDM correspondientes.
| Campo de registro original | Tipo de registro | Campo de UDM |
|---|---|---|
| ts | known_certs.log | metadata.event_timestamp |
| host | known_certs.log | principal.ip |
| port_num | known_certs.log | principal.port |
| subject | known_certs.log | network.tls.client.certificate.subject |
| issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
| serial | known_certs.log | network.tls.client.certificate.serial |
| ts | known_hosts.log | metadata.event_timestamp |
| host | known_hosts.log | principal.ip |
| ts | known_modbus.log | metadata.event_timestamp |
| host | known_modbus.log | principal.ip |
| device_type | known_modbus.log | target.resource.name
target.resource.resource_type = "DEVICE" |
| ts | known_services.log | metadata.event_timestamp |
| host | known_services.log | principal.ip |
| port_num | known_services.log | principal.port |
| port_proto | known_services.log | network.ip_protocol |
| service | known_services.log | target.application |
| ts | software.log | metadata.event_timestamp |
| host | software.log | principal.ip |
| host_p | software.log | principal.port |
| software_type | software.log | principal.resource.resource_subtype |
| name | software.log | principal.resource.name |
| version.major | software.log | additional.fields.key/value |
| version.minor | software.log | additional.fields.key/value |
| version.minor2 | software.log | additional.fields.key/value |
| version.minor3 | software.log | additional.fields.key/value |
| version.addl | software.log | additional.fields.key/value |
| unparsed_version | software.log | additional.fields.key/value |
| force_log | software.log | additional.fields.key/value |
| url | software.log | metadata.url_back_to_product |
Referencia de asignación de campos: ID del evento a tipo de evento de la AUA
Para comprender cómo el analizador asigna nombres de registro a tipos de eventos de la UDM, consulta las siguientes secciones:
Protocolos de red
En la siguiente tabla, se enumeran los nombres de registro del tipo de registro de protocolos de red y sus correspondientes tipos de eventos de la AUA.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
| dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
| dhcp.log | DHCP leases | NETWORK_DHCP |
| dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
| dns.log | DNS activity | NETWORK_DNS |
| ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
| http.log | HTTP requests and replies | NETWORK_HTTP |
| irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
| kerberos.log | Kerberos | NETWORK_CONNECTION |
| modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
| modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
| mysql.log | MySQL | NETWORK_UNCATEGORIZED |
| ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
| ntp.log | Network Time Protocol | NETWORK_CONNECTION |
| radius.log | RADIUS authentication attempts | USER_LOGIN |
| rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
| rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
| sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
| smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
| smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
| smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
| smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
| snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
| socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
| ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
| ssl.log | SSL(Secure Sockets Layer)/TLS(Transport Layer Security) handshake info | NETWORK_HTTP
NETWORK_CONNECTION |
| syslog.log | Syslog messages | NETWORK_CONNECTION |
| tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Archivos
En la siguiente tabla, se enumeran los nombres de registro del tipo de registro de archivos y sus correspondientes tipos de eventos de la AUA.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| files.log | File analysis results | NETWORK_UNCATEGORIZED |
| ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
| pe.log | Portable Executable (PE) | GENERIC_EVENT |
| x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
En la siguiente tabla, se enumeran los nombres de los registros del tipo de registro netcontrol y sus correspondientes tipos de eventos de la UDM.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| netcontrol.log | NetControl actions | GENERIC_EVENT |
| netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
| netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
| netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
| openflow.log | OpenFlow debug log | GENERIC_EVENT |
Detección
En la siguiente tabla, se enumeran los nombres de registro del tipo de registro de detección y sus tipos de eventos de la AUA correspondientes.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| intel.log | Intelligence data matches | GENERIC_EVENT |
| notice.log | Zeek notices | NETWORK_CONNECTION |
| notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
| signatures.log | Signature matches | GENERIC_EVENT |
| traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
Observaciones de red
En la siguiente tabla, se enumeran los nombres de registro del tipo de registro de observaciones de red y sus correspondientes tipos de eventos de la AUA.
| Nombre del registro | Descripción | Tipo de evento de la AUA |
|---|---|---|
| known_certs.log | SSL certificates | GENERIC_EVENT |
| known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
| known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
| known_services.log | Services running on hosts | GENERIC_EVENT |
| software.log | Software used on the network | GENERIC_EVENT |